Bugfix: SMB upgrade no longer races mDNS in dev

- In dev, `network.firstTriggerDone` is `false`, so launch-time mDNS is gated off. When macOS auto-remounts an SMB share at login, `volumes::watcher::try_upgrade_smb_mount` fired before mDNS had discovered the host, so `statfs`'s IP couldn't be mapped to a hostname. Keychain credentials keyed by hostname (`smb://naspolya/share`) missed, and we prompted for credentials the user had already saved a few seconds before mDNS warmed up.
- Both upgrade entry points (`commands::network::upgrade_to_smb_volume` and the FSEvents watcher path) now call `network::ensure_mdns_started` (idempotent, no-op if `network.enabled` is off) and use the new `resolve_ip_to_hostname_with_wait` (polls 100ms up to 1500ms, only for private-range IPv4 — Tailscale/public IPs skip the wait).
- Added a runtime `network::NETWORK_ENABLED` flag (mirrors `network.enabled`) so BE paths can short-circuit cleanly when the user disabled networking, instead of needlessly polling.
- Unit tests cover the three short-circuits (non-private IP, disabled, timeout fallback).
- The wait fails open: if mDNS never warms, the existing IP-only Keychain lookup still runs.

Author: vdavid

apps/desktop/src-tauri/src/commands/network.rs

@@ -8,7 +8,7 @@ use crate::network::{
 
 use crate::network::smb_upgrade::{
     UpgradeError, UpgradeResult, friendly_server_name, get_keychain_password, register_smb_volume,
-    resolve_ip_to_hostname, try_smb_upgrade,
+    resolve_ip_to_hostname_with_wait, try_smb_upgrade,
 };
 
 /// Gets all currently discovered network hosts.
@@ -353,7 +353,7 @@ pub async fn mount_network_share(
 /// Called from the "Connect directly for faster access" UI action.
 #[tauri::command]
 #[specta::specta]
-pub async fn upgrade_to_smb_volume(volume_id: String) -> Result<UpgradeResult, String> {
+pub async fn upgrade_to_smb_volume(volume_id: String, app_handle: tauri::AppHandle) -> Result<UpgradeResult, String> {
     use crate::file_system::get_volume_manager;
     #[cfg(target_os = "macos")]
     use crate::volumes::get_smb_mount_info;
@@ -387,9 +387,14 @@ pub async fn upgrade_to_smb_volume(volume_id: String) -> Result<UpgradeResult, S
         info.username
     );
 
+    // Kick mDNS off so IP → hostname resolution has a shot before we hit the
+    // Keychain. Idempotent; no-op if already running or `network.enabled` is off.
+    crate::network::ensure_mdns_started(app_handle);
+
     // Try to get credentials from Keychain. The mount source has the IP, but Cmdr
-    // stores Keychain credentials keyed by hostname (from mDNS). Try both.
-    let hostname = resolve_ip_to_hostname(&info.server);
+    // stores Keychain credentials keyed by hostname (from mDNS). Try both. Briefly
+    // wait for mDNS to warm up so we don't prompt for creds the user already saved.
+    let hostname = resolve_ip_to_hostname_with_wait(&info.server, std::time::Duration::from_millis(1500)).await;
     let display_name = friendly_server_name(&info.server);
     let creds = get_keychain_password(&info.server, hostname.as_deref(), &info.share).await;
 
@@ -452,6 +457,7 @@ pub async fn upgrade_to_smb_volume_with_credentials(
     username: Option<String>,
     password: Option<String>,
     remember_in_keychain: bool,
+    app_handle: tauri::AppHandle,
 ) -> Result<UpgradeResult, String> {
     use crate::file_system::get_volume_manager;
     #[cfg(target_os = "macos")]
@@ -475,7 +481,11 @@ pub async fn upgrade_to_smb_volume_with_credentials(
         )
     })?;
 
-    let hostname = resolve_ip_to_hostname(&info.server);
+    // Kick mDNS off so we can save credentials keyed by hostname (not raw IP)
+    // when the user picks "remember".
+    crate::network::ensure_mdns_started(app_handle);
+
+    let hostname = resolve_ip_to_hostname_with_wait(&info.server, std::time::Duration::from_millis(1500)).await;
     let display_name = friendly_server_name(&info.server);
 
     let result = try_smb_upgrade(
@@ -694,6 +704,7 @@ pub fn ensure_network_discovery_started(app_handle: tauri::AppHandle) {
 #[tauri::command]
 #[specta::specta]
 pub fn set_network_enabled(enabled: bool, app_handle: tauri::AppHandle) {
+    crate::network::set_network_enabled_flag(enabled);
     if !enabled {
         crate::network::mdns_discovery::stop_discovery();
         crate::network::clear_discovered_hosts(&app_handle);

apps/desktop/src-tauri/src/lib.rs

@@ -464,6 +464,11 @@ pub fn run() {
             font_metrics::init_font_metrics(app.handle(), "system-400-12");
             font_metrics::load_all_metrics_from_disk(app.handle());
 
+            // Sync the runtime `network.enabled` flag from settings so BE-side upgrade paths
+            // can gate themselves correctly (default `true`).
+            #[cfg(any(target_os = "macos", target_os = "linux"))]
+            network::set_network_enabled_flag(saved_settings.network_enabled.unwrap_or(true));
+
             // Start mDNS network discovery only for returning users who've already answered the
             // OS Local Network prompt at least once. Fresh installs stay quiet at launch. The
             // frontend calls `ensure_network_discovery_started` lazily on first user network

apps/desktop/src-tauri/src/network/CLAUDE.md

@@ -46,6 +46,11 @@ lifecycle:
 - **`network.firstTriggerDone`** (boolean, default `false`, hidden): tracks whether we've already performed a gated
   network action. Persisted across launches.
 
+The runtime mirror of `network.enabled` lives in `network::NETWORK_ENABLED` (`AtomicBool`). `lib.rs::setup` seeds it
+from the persisted settings; `commands::network::set_network_enabled` keeps it in sync with the live toggle.
+`network::is_network_enabled()` is the runtime accessor; BE-side upgrade paths check this before kicking off mDNS or
+waiting on hostname resolution.
+
 At startup, mDNS starts only if `network.enabled && (firstTriggerDone || smb-e2e feature)`. On a fresh install,
 `firstTriggerDone == false` so we stay quiet and the macOS "Cmdr wants to find devices on local networks" prompt
 doesn't fire at app launch.
@@ -160,4 +165,14 @@ convention) and passes it as an explicit mount point to `NetFSMountURLSync`. The
 - **Mount URL must include port when non-standard**: `mount_share_sync` builds `smb://server:port/share` for non-445 ports. The port is passed as a separate parameter through `mount_share` → `mount_share_sync`, not embedded in the server string (embedding it would cause `build_smb_addr` to double the port: `localhost:10480:10480`). `SmbMountInfo.port` extracts the port from `statfs` mount source for upgrade paths.
 - **Strip `.local` from addr for smb2**: `smb2::Connection::connect()` extracts `server_name` from the addr string and uses it in UNC paths. Passing `"foo.local:445"` creates `\\foo.local\IPC$` which some servers reject. The `build_addr` helper in `smb_connection.rs` handles this.
 - **Manual hosts always set `hostname`**: The share listing pipeline guards on `host.hostname` being truthy. `create_network_host` always sets `hostname` (to the address, even for IPs) so manual hosts flow through the pipeline correctly.
+- **SMB upgrade waits briefly for mDNS to warm**: When macOS auto-remounts an SMB share at login, FSEvents fires before
+  mDNS has discovered the host, so `statfs` gives us an IP but the host map is empty. Stored Keychain credentials are
+  keyed by mDNS hostname (`smb://naspolya/share`), not by IP, so a sync IP→hostname lookup misses and we'd prompt the
+  user for credentials they already saved. The upgrade path now (a) kicks off mDNS via `network::ensure_mdns_started`
+  before resolving and (b) calls `smb_upgrade::resolve_ip_to_hostname_with_wait` which polls the discovered-host map
+  every 100ms up to 1500ms for private-range IPv4. Non-private IPs (Tailscale, public DNS) skip the wait — mDNS won't
+  help there. The wait fails open: if mDNS never warms, the IP-only Keychain lookup still runs. Only relevant in dev,
+  where `network.firstTriggerDone == false` keeps mDNS off at launch; prod users hit this once on the very first install
+  but never afterwards. Both entry points are covered: `commands::network::upgrade_to_smb_volume` (manual "Connect
+  directly") and `volumes::watcher::try_upgrade_smb_mount` (FSEvents auto-upgrade).
 - **`statfs` can return mDNS service names instead of IPs**: When macOS auto-reconnects an SMB mount on login, `statfs.f_mntfromname` may contain `//user@Naspolya._smb._tcp.local/share` instead of `//user@192.168.1.111/share`. These service names are not DNS-resolvable. `resolve_server_address()` in `commands/network.rs` detects these (by checking for `._tcp`/`._udp`) and resolves them to IPs via `get_discovered_hosts()`. All upgrade paths (startup, mount-time, manual) go through this resolution. Similarly, `friendly_server_name()` extracts the display name (e.g., `Naspolya`) for UI display.

apps/desktop/src-tauri/src/network/mod.rs

@@ -42,12 +42,45 @@ use crate::ignore_poison::IgnorePoison;
 use log::debug;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
+use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::{Mutex, OnceLock};
 use tauri::{AppHandle, Emitter};
 
 pub use mdns_discovery::start_discovery;
 pub use smb_client::{AuthMode, ShareListError, ShareListResult};
 
+/// Runtime mirror of the `network.enabled` setting. Default `true` matches the
+/// settings default. `lib.rs::setup` updates this from the persisted settings;
+/// `commands::network::set_network_enabled` keeps it in sync with the live toggle.
+static NETWORK_ENABLED: AtomicBool = AtomicBool::new(true);
+
+/// Updates the runtime `network.enabled` flag. Call from app setup (after loading
+/// settings) and from the live-toggle command.
+pub fn set_network_enabled_flag(enabled: bool) {
+    NETWORK_ENABLED.store(enabled, Ordering::Relaxed);
+}
+
+/// Returns whether networking is enabled. Used by BE-side upgrade paths to decide
+/// whether they're allowed to kick off mDNS or wait for hostname resolution.
+pub fn is_network_enabled() -> bool {
+    NETWORK_ENABLED.load(Ordering::Relaxed)
+}
+
+/// Idempotently starts mDNS discovery if `network.enabled` is on. Safe to call
+/// from any BE-side upgrade path that needs hostname resolution from the mDNS
+/// cache. No-op if discovery is already running or the user has disabled
+/// networking.
+///
+/// Unlike `commands::network::ensure_network_discovery_started`, this does NOT
+/// re-trigger `upgrade_existing_smb_mounts` — it's meant for paths that ARE the
+/// upgrade flow and just need the mDNS daemon up to resolve IP → hostname.
+pub fn ensure_mdns_started(app_handle: AppHandle) {
+    if !is_network_enabled() {
+        return;
+    }
+    start_discovery(app_handle);
+}
+
 /// Whether a host was discovered via mDNS or added manually by the user.
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, specta::Type)]
 #[serde(rename_all = "snake_case")]

apps/desktop/src-tauri/src/network/smb_upgrade.rs

@@ -139,6 +139,64 @@ pub(crate) fn resolve_ip_to_hostname(ip: &str) -> Option<String> {
     None
 }
 
+/// Returns true if `ip` is a literal IPv4 address in a private range (RFC 1918 or
+/// link-local 169.254/16). mDNS can only help for those: public/VPN/Tailscale IPs
+/// won't show up in the local mDNS cache, so there's no point waiting on them.
+///
+/// Returns `false` for non-IP strings (hostnames), since `resolve_ip_to_hostname`
+/// only matches discovered hosts by exact IP.
+pub(crate) fn is_private_ipv4(ip: &str) -> bool {
+    use std::net::Ipv4Addr;
+    let Ok(addr) = ip.parse::<Ipv4Addr>() else {
+        return false;
+    };
+    addr.is_private() || addr.is_link_local()
+}
+
+/// Like `resolve_ip_to_hostname`, but waits briefly for mDNS to populate the
+/// discovered-host cache when the lookup misses on the first try. Solves the
+/// startup race where macOS auto-remounts an SMB share, FSEvents fires before
+/// mDNS has had time to find the host, and `statfs`-derived IP-only Keychain
+/// lookups miss the credentials we have keyed by hostname.
+///
+/// Only waits for private-range IPv4 addresses (where mDNS is plausible) and only
+/// if `is_network_enabled()`. Otherwise returns whatever the immediate sync
+/// lookup gave us. Polls every 100ms up to `timeout`. The caller is responsible
+/// for kicking off discovery via `network::ensure_mdns_started` before calling
+/// this; the wait alone won't start the daemon.
+pub(crate) async fn resolve_ip_to_hostname_with_wait(ip: &str, timeout: std::time::Duration) -> Option<String> {
+    // Fast path: already in the cache.
+    if let Some(hostname) = resolve_ip_to_hostname(ip) {
+        return Some(hostname);
+    }
+    // No point waiting for non-private IPs (Tailscale, public DNS, etc.) or when
+    // networking is disabled by the user.
+    if !is_private_ipv4(ip) || !crate::network::is_network_enabled() {
+        return None;
+    }
+
+    let poll_interval = std::time::Duration::from_millis(100);
+    let start = std::time::Instant::now();
+    while start.elapsed() < timeout {
+        tokio::time::sleep(poll_interval).await;
+        if let Some(hostname) = resolve_ip_to_hostname(ip) {
+            log::debug!(
+                "Resolved IP {} to hostname {} after waiting {:?}",
+                ip,
+                hostname,
+                start.elapsed()
+            );
+            return Some(hostname);
+        }
+    }
+    log::debug!(
+        "Couldn't resolve IP {} to a hostname via mDNS within {:?}; proceeding without",
+        ip,
+        timeout
+    );
+    None
+}
+
 /// Resolves a server address from `statfs` to a connectable address.
 ///
 /// `statfs` can return different formats depending on how the mount was created:
@@ -236,3 +294,97 @@ pub(crate) async fn get_keychain_password(
     .ok()
     .flatten()
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::time::Duration;
+
+    #[test]
+    fn is_private_ipv4_recognizes_rfc1918_and_link_local() {
+        assert!(is_private_ipv4("10.0.0.1"));
+        assert!(is_private_ipv4("192.168.1.111"));
+        assert!(is_private_ipv4("172.16.5.7"));
+        assert!(is_private_ipv4("169.254.1.2"), "link-local should count");
+    }
+
+    #[test]
+    fn is_private_ipv4_rejects_public_and_special() {
+        assert!(!is_private_ipv4("8.8.8.8"));
+        assert!(!is_private_ipv4("100.64.0.1"), "Tailscale/CGNAT not private");
+        assert!(!is_private_ipv4("127.0.0.1"), "loopback not private");
+        assert!(!is_private_ipv4("naspolya"), "hostnames return false");
+        assert!(!is_private_ipv4(""));
+        assert!(!is_private_ipv4("::1"), "IPv6 currently returns false");
+    }
+
+    /// `resolve_ip_to_hostname_with_wait` must return immediately (no polling)
+    /// when the IP isn't a private-range IPv4 — Tailscale/public DNS won't show
+    /// up in mDNS so there's nothing to wait for.
+    #[tokio::test]
+    async fn wait_helper_returns_immediately_for_non_private_ip() {
+        let start = std::time::Instant::now();
+        let result = resolve_ip_to_hostname_with_wait("8.8.8.8", Duration::from_millis(500)).await;
+        let elapsed = start.elapsed();
+        assert_eq!(result, None);
+        assert!(
+            elapsed < Duration::from_millis(50),
+            "expected fast path (< 50ms), took {:?}",
+            elapsed
+        );
+    }
+
+    /// `resolve_ip_to_hostname_with_wait` must short-circuit when the runtime
+    /// `network.enabled` flag is off, even for a private IP — mDNS isn't running
+    /// so polling would just burn the timeout.
+    #[tokio::test]
+    async fn wait_helper_short_circuits_when_network_disabled() {
+        let prev = crate::network::is_network_enabled();
+        crate::network::set_network_enabled_flag(false);
+
+        let start = std::time::Instant::now();
+        let result = resolve_ip_to_hostname_with_wait("192.168.1.111", Duration::from_millis(500)).await;
+        let elapsed = start.elapsed();
+
+        // Restore before assertions so other tests aren't poisoned by panics.
+        crate::network::set_network_enabled_flag(prev);
+
+        assert_eq!(result, None);
+        assert!(
+            elapsed < Duration::from_millis(50),
+            "expected fast path (< 50ms), took {:?}",
+            elapsed
+        );
+    }
+
+    /// Times out gracefully when no host ever shows up in the cache (and falls
+    /// back to `None` so the caller can use IP-only Keychain lookup).
+    #[tokio::test]
+    async fn wait_helper_times_out_gracefully() {
+        // Ensure network is "enabled" so we exercise the polling path.
+        let prev = crate::network::is_network_enabled();
+        crate::network::set_network_enabled_flag(true);
+
+        // Use a unique private IP that no test has ever populated, so the cache
+        // miss is deterministic.
+        let timeout = Duration::from_millis(300);
+        let start = std::time::Instant::now();
+        let result = resolve_ip_to_hostname_with_wait("10.255.255.254", timeout).await;
+        let elapsed = start.elapsed();
+
+        crate::network::set_network_enabled_flag(prev);
+
+        assert_eq!(result, None);
+        assert!(
+            elapsed >= timeout,
+            "should have polled until timeout; elapsed {:?}",
+            elapsed
+        );
+        // Generous upper bound — single poll interval slack.
+        assert!(
+            elapsed < timeout + Duration::from_millis(250),
+            "shouldn't blow past timeout by much; elapsed {:?}",
+            elapsed
+        );
+    }
+}

apps/desktop/src-tauri/src/stubs/network.rs

@@ -353,7 +353,7 @@ pub enum UpgradeResult {
 /// Upgrades an SMB volume to use direct smb2 (stub: returns error).
 #[tauri::command]
 #[specta::specta]
-pub async fn upgrade_to_smb_volume(_volume_id: String) -> Result<UpgradeResult, String> {
+pub async fn upgrade_to_smb_volume(_volume_id: String, _app_handle: tauri::AppHandle) -> Result<UpgradeResult, String> {
     Ok(UpgradeResult::NetworkError {
         message: "Direct SMB connection not supported on this platform".to_string(),
     })
@@ -367,6 +367,7 @@ pub async fn upgrade_to_smb_volume_with_credentials(
     _username: Option<String>,
     _password: Option<String>,
     _remember_in_keychain: bool,
+    _app_handle: tauri::AppHandle,
 ) -> Result<UpgradeResult, String> {
     Ok(UpgradeResult::NetworkError {
         message: "Direct SMB connection not supported on this platform".to_string(),

apps/desktop/src-tauri/src/volumes/watcher.rs

@@ -232,9 +232,22 @@ fn try_upgrade_smb_mount(volume_path: &str) {
         return;
     };
 
+    // Kick mDNS off here (idempotent, no-op if already running or if
+    // `network.enabled` is off). In dev mode `network.firstTriggerDone` is
+    // typically `false`, so the launch-time mDNS gate doesn't fire and
+    // hostname resolution would otherwise miss when macOS auto-remounts an
+    // SMB share at login. See `network::smb_upgrade::resolve_ip_to_hostname_with_wait`.
+    if let Some(app) = APP_HANDLE.get() {
+        crate::network::ensure_mdns_started(app.clone());
+    }
+
     let mount_path = volume_path.to_string();
     tauri::async_runtime::spawn(async move {
-        let hostname = crate::network::smb_upgrade::resolve_ip_to_hostname(&info.server);
+        let hostname = crate::network::smb_upgrade::resolve_ip_to_hostname_with_wait(
+            &info.server,
+            std::time::Duration::from_millis(1500),
+        )
+        .await;
         let creds =
             crate::network::smb_upgrade::get_keychain_password(&info.server, hostname.as_deref(), &info.share).await;
         let (username, password) = match &creds {