Transfer driver: bound async closures with Pin<Box<dyn Future + Send>>

- `drive_transfer_serial_async` previously used `AsyncFnMut(...)` bounds. The driver's own `#[tokio::test]`s passed, but production callers compile inside `tokio::spawn` and fail the Send check: `AsyncFnMut`'s HRTB-bound `CallRefFuture<'a>` is not provably Send for all `'a` when the closure body captures `&Arc<...>` or similar refs (rust-lang/rust#100013-class).
- Switched the three closure bounds to `for<'a> FnMut(...) -> Pin<Box<dyn Future<...> + Send + 'a>>`. `+ Send` on the boxed trait object is what makes the driver's awaiting-this-future state Send. Driver loop body unchanged (each closure call is still `.await`-ed in sequence).
- Migrated all 18 async tests from `async ||` syntax to explicit `Box::pin(async move { ... })`. Bodies unchanged; only the closure wrappers changed. Added 3 type aliases (`FetchFut`, `ResolveFut`, `TransferFut`) so the test closures stay readable.
- Added `driver_future_is_send_across_spawn` regression test: runs the driver call through an explicit inner `tokio::spawn` boundary that captures an outer `Arc` by ref, which is the smallest setup that reproduced the original failure ("Send is not general enough"). Compiles and passes under the new bound.
- Updated the driver's doc comment and the colocated `CLAUDE.md` to capture the rationale.
- 30 tests pass (29 existing + 1 new). No production callers touched.

Author: vdavid

apps/desktop/src-tauri/src/file_system/write_operations/CLAUDE.md

@@ -219,6 +219,9 @@ exits, partial files or staging directories may remain on disk. These use the `.
 **Decision**: Volume copy pipeline uses `OperationEventSink` trait instead of `tauri::AppHandle`
 **Why**: Decouples the copy/move orchestration from the Tauri framework. `TauriEventSink` wraps AppHandle for production; `CollectorEventSink` stores events for test assertions. Enables testing `copy_volumes_with_progress` end-to-end (multi-file copy, cancellation, conflict resolution, progress tracking) without a Tauri runtime. Currently only the volume copy/move path is migrated; local copy/delete/trash still use AppHandle directly (to be migrated during the async Volume refactor).
 
+**Decision**: `drive_transfer_serial_async` bounds its closures as `for<'a> FnMut(...) -> Pin<Box<dyn Future<...> + Send + 'a>>`, not `AsyncFnMut(...) -> T`.
+**Why**: Production callers live inside `tokio::spawn(async move { ... })` (see `volume_copy::copy_between_volumes`), so the driver's returned future must be `Send`. `AsyncFnMut`'s HRTB-bound `CallRefFuture<'a>` is not provably `Send` for all `'a` when the closure body captures `&Arc<...>` or similar refs — the compiler emits "implementation of Send is not general enough" because it can't discharge `for<'a> CallRefFuture<'a>: Send` (rust-lang/rust#100013-class). The explicit boxed-future shape moves the Send obligation inside the per-call return type, where it's discharged at each call site, and `+ Send` on the trait object is what makes the driver's awaiting-this-future state Send. The M2 step 0 prototype used `async ||` + `AsyncFnMut` and passed the driver's own `#[tokio::test]`s; the bug only surfaced when M3 migration started wiring real callers and the spawn-boundary Send check ran. `transfer_driver_tests.rs::driver_future_is_send_across_spawn` pins the contract by routing the driver call through an explicit `tokio::spawn` boundary.
+
 **Decision**: `transfer_driver.rs` ships as two sibling entry points (sync + async), not one generic-over-AsyncFnMut-or-FnMut driver. Conflict resolution lives in the driver for the async path, in the closure for the sync path.
 **Why**: `copy_files_with_progress_inner` is sync inside `spawn_blocking`; the three volume ops are async. A single generic driver would either force the sync path through a `Pin<Box<dyn Future>>` per source (allocation per call, no real benefit since the I/O is sync) or use a trait so gnarly that the closures stop reading as straight-line transfer code. Two siblings share `TransferContext`, `TransferOutcome`, `TransferLoopOutcome`, and `build_pre_skip_set` / `emit_progress_and_status` helpers — the duplication is small. For conflict resolution: local-FS conflicts surface mid-flight at parent directories inside `copy_single_item` (a file blocking `create_dir_all`), which the driver can't pre-detect via top-level `dest.get_metadata`; so the sync driver delegates conflict resolution to the closure entirely. Volume ops have only top-level conflicts that always reduce to `resolve_volume_conflict`, so the async driver owns that dispatch (uniform shape across all 3 volume ops, exactly what we want to deduplicate). The data-safety contract (closure never invoked for pre-skipped / resolved-as-Skip / post-cancel) is enforced in both shapes by the driver's loop structure and pinned by `transfer_driver_tests.rs`. See `docs/specs/transfer-driver-refactor-plan.md` § "Design decisions" and § "Concurrent driver scope" for the full rationale; the concurrent path stays inline in `copy_volumes_with_progress` (1-of-4 abstraction not worth its weight).
 

apps/desktop/src-tauri/src/file_system/write_operations/transfer_driver.rs

@@ -102,7 +102,9 @@
 )]
 
 use std::collections::HashSet;
+use std::future::Future;
 use std::path::{Path, PathBuf};
+use std::pin::Pin;
 use std::sync::Arc;
 use std::time::Instant;
 
@@ -521,15 +523,24 @@ pub(super) enum ConflictDecision {
 ///    e. If Proceed, invoke `transfer_one` with the resolved dest path.
 /// 3. Return `PostLoopIntent::Completed` if the loop drained without incident.
 ///
-/// # Why `async ||` (Rust 2024 syntax) is required
+/// # Closure-bound shape: boxed future, not `AsyncFnMut`
 ///
-/// The M2 step 0 prototype proved that the older `|ctx| async { ... }` form
-/// returns an async block that borrows the closure's `&mut` captures, which
-/// `AsyncFnMut` rejects ("returns an `async` block that contains a reference
-/// to a captured variable, which then escapes the closure body"). The
-/// `async ||` form ties the returned future to `&mut self` of the closure
-/// call, which is what `AsyncFnMut` actually expects. The codebase is on
-/// edition 2024 so the syntax is available.
+/// Each closure returns `Pin<Box<dyn Future<...> + Send + 'a>>` rather than
+/// being bound as `AsyncFnMut(...) -> T`. The explicit boxed-future shape is
+/// load-bearing for production callers: the driver's returned future must be
+/// `Send` so callers can `tokio::spawn` it, and `AsyncFnMut`'s HRTB-bound
+/// `CallRefFuture<'a>` is not provably `Send` for all `'a` when the closure
+/// body captures `&Arc<...>` or similar refs (rust-lang/rust#100013-class).
+/// The `+ Send` on the boxed future moves the Send obligation inside the
+/// per-call return type, where it's discharged at each call site.
+///
+/// `transfer_driver_tests.rs::driver_future_is_send_across_spawn` pins this:
+/// the driver call must compile inside a `tokio::spawn(async move { ... })`,
+/// which fails under `AsyncFnMut` and passes under the boxed-future shape.
+///
+/// The driver loop is still single-threaded (one `.await` per closure call
+/// in sequence); only the FUTURE returned by each call needs `Send`. The
+/// closure itself doesn't need to be `Send`.
 #[allow(
     clippy::too_many_arguments,
     reason = "Driver wraps the full per-iter context; bundling adds ceremony without removing parameters"
@@ -551,9 +562,17 @@ pub(super) async fn drive_transfer_serial_async<DestMetaFetcher, ConflictResolve
     mut transfer_one: TransferOne,
 ) -> TransferLoopOutcome
 where
-    DestMetaFetcher: AsyncFnMut(&Path) -> Option<u64>,
-    ConflictResolver: AsyncFnMut(ConflictDecisionInput<'_>) -> Result<ConflictDecision, WriteOperationError>,
-    TransferOne: AsyncFnMut(TransferContext<'_>) -> Result<TransferOutcome, WriteOperationError>,
+    DestMetaFetcher: for<'a> FnMut(&'a Path) -> Pin<Box<dyn Future<Output = Option<u64>> + Send + 'a>>,
+    ConflictResolver: for<'a> FnMut(
+        ConflictDecisionInput<'a>,
+    ) -> Pin<
+        Box<dyn Future<Output = Result<ConflictDecision, WriteOperationError>> + Send + 'a>,
+    >,
+    TransferOne: for<'a> FnMut(
+        TransferContext<'a>,
+    ) -> Pin<
+        Box<dyn Future<Output = Result<TransferOutcome, WriteOperationError>> + Send + 'a>,
+    >,
 {
     let mut files_done = 0usize;
     let mut bytes_done = 0u64;