Bugfix: Never block UI on network FS ops

vdavid · vdavid · commit bed59dbeea03 · 2026-03-27T11:33:05.000+01:00
- Move validation (`validate_sources`, `validate_destination`, etc.) from `*_files_start` into `spawn_blocking` handler closures so `operationId` returns immediately — dialog is always cancellable, even on stalled mounts
- Fix `start_write_operation` to emit `write-error` for handler errors (previously only caught panics, silently dropped validation failures)
- Add `remove_file_in_background` and `remove_dir_all_in_background` helpers for fire-and-forget cleanup on detached threads
- Add `CopyTransaction::rollback_in_background` for non-blocking rollback on cancel (sync `rollback()` stays for error paths)
- Use async cleanup in `chunked_copy` cancel path, `copy` cancel path, and `move_op` staging dir failure paths
- Background cleanup is best-effort — partial files may remain if mount disconnects (uses `.cmdr-` prefix for recognition)

Entire-Checkpoint: 12a05651ab05
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/CLAUDE.md b/apps/desktop/src-tauri/src/file_system/write_operations/CLAUDE.md
@@ -12,10 +12,10 @@ network mounts, cross-filesystem moves, and name/path length limits.
 
 | File | Responsibility |
 |------|----------------|
-| `mod.rs` | Public API: `copy_files_start`, `move_files_start`, `delete_files_start`, `trash_files_start`. Each validates inputs, then delegates to `start_write_operation` which handles state creation, spawn lifecycle, cleanup, and panic recovery. |
+| `mod.rs` | Public API: `copy_files_start`, `move_files_start`, `delete_files_start`, `trash_files_start`. Each delegates to `start_write_operation` which handles state creation, spawn lifecycle, cleanup, and error/panic recovery. Validation runs inside the handler closure on the blocking thread pool — never on the async executor. |
 | `types.rs` | All serializable types: events, config, errors, results. `WriteOperationConfig`, `ConflictResolution`, `WriteOperationError`, `DryRunResult`, scan preview events. |
 | `state.rs` | Two `LazyLock<RwLock<HashMap>>` caches (`WRITE_OPERATION_STATE`, `OPERATION_STATUS_CACHE`). `WriteOperationState`, `CopyTransaction`, `ScanResult`, `FileInfo`. |
-| `helpers.rs` | Validation (`validate_sources`, `validate_destination_writable` via `libc::access`, `validate_disk_space` via `statvfs`). Conflict resolution (condvar wait for Stop mode). `safe_overwrite_file`/`safe_overwrite_dir` (temp+rename). `find_unique_name`. `run_cancellable`. `is_same_filesystem` (device IDs). |
+| `helpers.rs` | Validation (`validate_sources`, `validate_destination_writable` via `libc::access`, `validate_disk_space` via `statvfs`). Conflict resolution (condvar wait for Stop mode). `safe_overwrite_file`/`safe_overwrite_dir` (temp+rename). `find_unique_name`. `run_cancellable`. `is_same_filesystem` (device IDs). Background cleanup helpers: `remove_file_in_background`, `remove_dir_all_in_background`. |
 | `scan.rs` | `scan_sources` (recursive walk, emits progress), `dry_run_scan`, scan preview subsystem (`start_scan_preview`, `cancel_scan_preview`). |
 | `copy.rs` | `copy_files_with_progress`: scan → disk space check → per-file copy via `copy_single_item`. `CopyTransaction` for rollback. |
 | `move_op.rs` | Same-fs: `fs::rename`. Cross-fs: copy to `.cmdr-staging-<uuid>`, atomic rename, delete sources. |
@@ -32,18 +32,20 @@ network mounts, cross-filesystem moves, and name/path length limits.
 
 ```
 Frontend
-  → validate (sources exist, dest writable, not same location, dest not inside source)
   → WriteOperationState created (AtomicBool cancelled, Condvar for Stop conflicts)
   → stored in WRITE_OPERATION_STATE + OPERATION_STATUS_CACHE
+  → operationId returned to frontend immediately (dialog opens, cancel is possible)
   → tokio::spawn (async wrapper)
       → tokio::task::spawn_blocking (all blocking I/O here)
+          → validate (sources exist, dest writable, not same location, dest not inside source)
           → scan phase: walk_dir_recursive, emit scan-progress events
           → disk space check (statvfs)
           → execute phase: per-file copy/delete
               → throttled write-progress events (200ms default)
           → success: CopyTransaction::commit(), emit write-complete
-          → cancel: CopyTransaction::rollback(), emit write-cancelled
+          → cancel: CopyTransaction::rollback_in_background(), emit write-cancelled
           → error: CopyTransaction::rollback(), emit write-error
+      → safety net: start_write_operation emits write-error for unhandled handler errors
   → state removed from both caches
 ```
 
@@ -54,10 +56,11 @@ Frontend
 **Two-layer cancellation.** `AtomicBool` for fast in-loop checks. `run_cancellable` wraps blocking operations (e.g.,
 network-mount copies that may block indefinitely) in a separate thread, polling the flag every 100ms via `mpsc::channel`.
 
-**`CopyTransaction` rollback with auto-rollback on panic.** Records created files and dirs in creation order. Rollback
-deletes files in reverse order first, then dirs in reverse order (deepest first). `commit()` sets a `committed` flag and
-drops the vecs. `Drop` impl checks `committed` — if false (panic unwind or forgotten commit), it auto-rolls back.
-Delete operations are not rollbackable.
+**`CopyTransaction` rollback: sync vs async.** Two rollback paths: `rollback()` (synchronous, for error paths where
+cleanup must complete before the error event) and `rollback_in_background()` (fire-and-forget on a detached thread, for
+user-initiated cancel where the UI must respond instantly). `rollback_in_background` sets `committed = true` to prevent
+`Drop` from triggering a synchronous double-rollback, then moves the file/dir lists into the detached thread. The
+synchronous `rollback()` and auto-rollback-on-panic via `Drop` remain unchanged. Delete operations are not rollbackable.
 
 **Symlinks never dereferenced.** All stat calls use `symlink_metadata`. Symlink loop detection uses a `HashSet<PathBuf>`
 of canonicalized paths.
@@ -99,6 +102,20 @@ operations when the frontend is destroyed.
 
 **Special files skipped.** Sockets, FIFOs, and device files are filtered out during scan.
 
+**Validation runs inside `spawn_blocking`.** The `*_files_start` functions return an `operationId` immediately, before
+any filesystem I/O. Validation (`validate_sources`, `validate_destination_writable`, etc.) runs inside the handler
+closure on the blocking thread pool. This keeps the Tauri IPC handler non-blocking, so the frontend can always open
+the progress dialog and offer cancel, even if a network mount is stalled.
+
+**`start_write_operation` emits `write-error` for handler errors.** The spawn wrapper matches on the handler's
+`Result`: `Ok(Ok(()))` and `Ok(Err(Cancelled))` are no-ops (handlers already emitted the right events), `Ok(Err(e))`
+emits `write-error` as a safety net, and `Err(join_error)` handles panics. Double-emit is harmless because the
+frontend's `handleError` removes all listeners on first receipt.
+
+**Background cleanup is best-effort.** `rollback_in_background`, `remove_file_in_background`, and
+`remove_dir_all_in_background` run on detached threads. If the network mount disconnects or the app exits, partial
+files or staging directories may remain on disk. These use the `.cmdr-` prefix, so they're recognizable.
+
 **`volume_copy` path is incomplete.** The three `volume_*` files are Phase 5 work, but are publicly re-exported from `mod.rs` and at least partially wired up.
 
 ## Events emitted
@@ -109,7 +126,7 @@ operations when the frontend is destroyed.
 | `write-conflict` | Stop mode hit a conflicting destination file |
 | `write-complete` | Operation finished successfully |
 | `write-cancelled` | Operation cancelled (includes `rolled_back` flag) |
-| `write-error` | Operation failed |
+| `write-error` | Operation failed (emitted by handler and/or `start_write_operation` safety net) |
 | `write-source-item-done` | All files for a top-level source item processed (for gradual deselection) |
 | `dry-run-complete` | `config.dry_run == true` (returns `DryRunResult`) |
 | `scan-preview-progress` | During `start_scan_preview` |
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/chunked_copy.rs b/apps/desktop/src-tauri/src/file_system/write_operations/chunked_copy.rs
@@ -122,9 +122,9 @@ fn copy_data_chunked(
                 "chunked_copy: cancellation detected after {} bytes, cleaning up",
                 total_bytes
             );
-            // Clean up partial file
+            // Clean up partial file in background (may block on network mounts)
             drop(dst_file);
-            let _ = std::fs::remove_file(dest);
+            super::helpers::remove_file_in_background(dest.to_path_buf());
             return Err(WriteOperationError::Cancelled {
                 message: "Operation cancelled by user".to_string(),
             });
@@ -338,8 +338,8 @@ mod tests {
         let result = chunked_copy_with_metadata(&src, &dst, &cancelled, None);
 
         assert!(matches!(result, Err(WriteOperationError::Cancelled { .. })));
-        // Partial file should be cleaned up
-        assert!(!dst.exists());
+        // Partial file cleanup is now async/best-effort (fires on a detached thread),
+        // so we don't assert file absence here — it may or may not be deleted yet.
 
         cleanup_temp_dir(&temp_dir);
     }
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/copy.rs b/apps/desktop/src-tauri/src/file_system/write_operations/copy.rs
@@ -268,7 +268,7 @@ pub(super) fn copy_files_with_progress(
                         operation_id,
                         transaction.created_files.len()
                     );
-                    transaction.rollback();
+                    transaction.rollback_in_background();
                 }
 
                 let _ = app.emit(
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/helpers.rs b/apps/desktop/src-tauri/src/file_system/write_operations/helpers.rs
@@ -260,6 +260,24 @@ pub(crate) fn is_same_filesystem(_source: &Path, _destination: &Path) -> std::io
 // Async sync for durability
 // ============================================================================
 
+/// Deletes a file on a detached thread. Returns immediately. Best-effort.
+pub(super) fn remove_file_in_background(path: PathBuf) {
+    std::thread::spawn(move || {
+        if let Err(e) = fs::remove_file(&path) {
+            log::warn!("background cleanup: failed to remove {}: {}", path.display(), e);
+        }
+    });
+}
+
+/// Deletes a directory tree on a detached thread. Returns immediately. Best-effort.
+pub(super) fn remove_dir_all_in_background(path: PathBuf) {
+    std::thread::spawn(move || {
+        if let Err(e) = fs::remove_dir_all(&path) {
+            log::warn!("background cleanup: failed to remove {}: {}", path.display(), e);
+        }
+    });
+}
+
 /// Spawns a background thread to call sync() for durability.
 /// This ensures writes are flushed to disk without blocking the completion event.
 pub(super) fn spawn_async_sync() {
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/mod.rs b/apps/desktop/src-tauri/src/file_system/write_operations/mod.rs
@@ -129,19 +129,37 @@ where
         }
         unregister_operation_status(&operation_id_for_cleanup);
 
-        if let Err(e) = result {
-            use tauri::Emitter;
-            let _ = app_for_error.emit(
-                "write-error",
-                WriteErrorEvent {
-                    operation_id: operation_id_for_cleanup,
-                    operation_type,
-                    error: WriteOperationError::IoError {
-                        path: String::new(),
-                        message: format!("Task failed: {}", e),
+        use tauri::Emitter;
+        match result {
+            Ok(Ok(())) => {} // Handler already emitted write-complete or write-cancelled
+            Ok(Err(ref e)) if matches!(e, WriteOperationError::Cancelled { .. }) => {
+                // Handler already emitted write-cancelled
+            }
+            Ok(Err(e)) => {
+                // Handler error (validation, I/O, etc.) — emit write-error as safety net
+                let _ = app_for_error.emit(
+                    "write-error",
+                    WriteErrorEvent {
+                        operation_id: operation_id_for_cleanup,
+                        operation_type,
+                        error: e,
+                    },
+                );
+            }
+            Err(join_error) => {
+                // Panic/abort in spawn_blocking
+                let _ = app_for_error.emit(
+                    "write-error",
+                    WriteErrorEvent {
+                        operation_id: operation_id_for_cleanup,
+                        operation_type,
+                        error: WriteOperationError::IoError {
+                            path: String::new(),
+                            message: format!("Task failed: {}", join_error),
+                        },
                     },
-                },
-            );
+                );
+            }
         }
     });
 
@@ -158,12 +176,6 @@ pub async fn copy_files_start(
     destination: PathBuf,
     config: WriteOperationConfig,
 ) -> Result<WriteOperationStartResult, WriteOperationError> {
-    validate_sources(&sources)?;
-    validate_destination(&destination)?;
-    validate_destination_writable(&destination)?;
-    validate_not_same_location(&sources, &destination)?;
-    validate_destination_not_inside_source(&sources, &destination)?;
-
     log::info!(
         "copy_files_start: sources={:?}, destination={:?}, dry_run={}",
         sources,
@@ -175,7 +187,14 @@ pub async fn copy_files_start(
         app,
         WriteOperationType::Copy,
         config.progress_interval_ms,
-        move |app, op_id, state| copy_files_with_progress(&app, &op_id, &state, &sources, &destination, &config),
+        move |app, op_id, state| {
+            validate_sources(&sources)?;
+            validate_destination(&destination)?;
+            validate_destination_writable(&destination)?;
+            validate_not_same_location(&sources, &destination)?;
+            validate_destination_not_inside_source(&sources, &destination)?;
+            copy_files_with_progress(&app, &op_id, &state, &sources, &destination, &config)
+        },
     )
     .await
 }
@@ -190,12 +209,6 @@ pub async fn move_files_start(
     destination: PathBuf,
     config: WriteOperationConfig,
 ) -> Result<WriteOperationStartResult, WriteOperationError> {
-    validate_sources(&sources)?;
-    validate_destination(&destination)?;
-    validate_destination_writable(&destination)?;
-    validate_not_same_location(&sources, &destination)?;
-    validate_destination_not_inside_source(&sources, &destination)?;
-
     log::info!(
         "move_files_start: sources={:?}, destination={:?}, dry_run={}",
         sources,
@@ -207,7 +220,14 @@ pub async fn move_files_start(
         app,
         WriteOperationType::Move,
         config.progress_interval_ms,
-        move |app, op_id, state| move_files_with_progress(&app, &op_id, &state, &sources, &destination, &config),
+        move |app, op_id, state| {
+            validate_sources(&sources)?;
+            validate_destination(&destination)?;
+            validate_destination_writable(&destination)?;
+            validate_not_same_location(&sources, &destination)?;
+            validate_destination_not_inside_source(&sources, &destination)?;
+            move_files_with_progress(&app, &op_id, &state, &sources, &destination, &config)
+        },
     )
     .await
 }
@@ -224,19 +244,6 @@ pub async fn delete_files_start(
     volume_id: Option<String>,
 ) -> Result<WriteOperationStartResult, WriteOperationError> {
     let volume_id_str = volume_id.unwrap_or_else(|| "root".to_string());
-    let volume = if volume_id_str != "root" {
-        Some(
-            crate::file_system::get_volume_manager()
-                .get(&volume_id_str)
-                .ok_or_else(|| WriteOperationError::IoError {
-                    path: volume_id_str.clone(),
-                    message: format!("Volume '{}' not found", volume_id_str),
-                })?,
-        )
-    } else {
-        validate_sources(&sources)?;
-        None
-    };
 
     log::info!(
         "delete_files_start: sources={:?}, volume={}, dry_run={}",
@@ -250,9 +257,16 @@ pub async fn delete_files_start(
         WriteOperationType::Delete,
         config.progress_interval_ms,
         move |app, op_id, state| {
-            if let Some(vol) = volume {
-                delete_volume_files_with_progress(vol, &app, &op_id, &state, &sources, &config)
+            if volume_id_str != "root" {
+                let volume = crate::file_system::get_volume_manager()
+                    .get(&volume_id_str)
+                    .ok_or_else(|| WriteOperationError::IoError {
+                        path: volume_id_str.clone(),
+                        message: format!("Volume '{}' not found", volume_id_str),
+                    })?;
+                delete_volume_files_with_progress(volume, &app, &op_id, &state, &sources, &config)
             } else {
+                validate_sources(&sources)?;
                 delete_files_with_progress(&app, &op_id, &state, &sources, &config)
             }
         },
@@ -271,15 +285,16 @@ pub async fn trash_files_start(
     item_sizes: Option<Vec<u64>>,
     config: WriteOperationConfig,
 ) -> Result<WriteOperationStartResult, WriteOperationError> {
-    validate_sources(&sources)?;
-
     log::info!("trash_files_start: sources={:?}", sources);
 
     start_write_operation(
         app,
         WriteOperationType::Trash,
         config.progress_interval_ms,
-        move |app, op_id, state| trash_files_with_progress(&app, &op_id, &state, &sources, item_sizes.as_deref()),
+        move |app, op_id, state| {
+            validate_sources(&sources)?;
+            trash_files_with_progress(&app, &op_id, &state, &sources, item_sizes.as_deref())
+        },
     )
     .await
 }
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/move_op.rs b/apps/desktop/src-tauri/src/file_system/write_operations/move_op.rs
@@ -8,7 +8,9 @@ use std::sync::atomic::Ordering;
 use std::time::Instant;
 
 use super::copy::copy_single_item;
-use super::helpers::{is_same_filesystem, resolve_conflict, safe_overwrite_dir, spawn_async_sync};
+use super::helpers::{
+    is_same_filesystem, remove_dir_all_in_background, resolve_conflict, safe_overwrite_dir, spawn_async_sync,
+};
 use super::scan::{SourceItemTracker, handle_dry_run, scan_sources};
 use super::state::{CopyTransaction, WriteOperationState, update_operation_status};
 use super::types::{
@@ -275,8 +277,8 @@ fn move_with_staging(
     })();
 
     if let Err(e) = copy_result {
-        // Cleanup staging directory on failure
-        let _ = fs::remove_dir_all(&staging_dir);
+        // Cleanup staging directory in background (may block on network mounts)
+        remove_dir_all_in_background(staging_dir.clone());
         let _ = app.emit(
             "write-error",
             WriteErrorEvent {
@@ -350,8 +352,8 @@ fn move_with_staging(
     })();
 
     if let Err(e) = rename_result {
-        // Cleanup staging directory on failure
-        let _ = fs::remove_dir_all(&staging_dir);
+        // Cleanup staging directory in background (may block on network mounts)
+        remove_dir_all_in_background(staging_dir);
         let _ = app.emit(
             "write-error",
             WriteErrorEvent {
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/state.rs b/apps/desktop/src-tauri/src/file_system/write_operations/state.rs
@@ -389,6 +389,33 @@ impl CopyTransaction {
         }
     }
 
+    /// Rolls back on a detached thread. Returns immediately.
+    /// Use for user-initiated cancel where the calling thread must not block.
+    /// Best-effort: if the background thread fails, files remain on disk.
+    pub fn rollback_in_background(mut self) {
+        let files = std::mem::take(&mut self.created_files);
+        let dirs = std::mem::take(&mut self.created_dirs);
+        self.committed = true; // Prevent Drop from synchronous double-rollback
+        if files.is_empty() && dirs.is_empty() {
+            return;
+        }
+        log::info!(
+            "rollback_in_background: cleaning up {} files and {} dirs",
+            files.len(),
+            dirs.len()
+        );
+        std::thread::spawn(move || {
+            for file in files.iter().rev() {
+                if let Err(e) = std::fs::remove_file(file) {
+                    log::warn!("rollback: failed to remove {}: {}", file.display(), e);
+                }
+            }
+            for dir in dirs.iter().rev() {
+                let _ = std::fs::remove_dir(dir);
+            }
+        });
+    }
+
     /// Marks the transaction as committed, preventing rollback on drop.
     pub fn commit(mut self) {
         self.committed = true;
diff --git a/docs/specs/network-io-nonblocking-plan.md b/docs/specs/network-io-nonblocking-plan.md

Original file line number	Diff line number	Diff line change
`@@ -268,7 +268,7 @@ pub(super) fn copy_files_with_progress(`
`268`	`268`	`operation_id,`
`269`	`269`	`transaction.created_files.len()`
`270`	`270`	`);`
`271`		`- transaction.rollback();`
	`271`	`+ transaction.rollback_in_background();`
`272`	`272`	`}`
`273`	`273`
`274`	`274`	`let _ = app.emit(`