Friendly, provider-aware error pane for listing failures

- Replace raw "I/O error (os error 60)" with structured `ErrorPane` that shows a warm title, plain-language explanation, provider-specific suggestions, and collapsible technical details
- Two-layer Rust mapping: 37 macOS errno codes → `FriendlyError` (Transient/NeedsAction/Serious categories), then path-based enrichment for 19 cloud/mount providers (Dropbox, Google Drive, OneDrive, iCloud, MacDroid, macFUSE/SSHFS, VeraCrypt, and more)
- Provider detection uses `~/Library/CloudStorage/` prefixes, `~/Library/Mobile Documents/`, specific `/Volumes/` paths, and `statfs` `f_fstypename` for FUSE mounts
- `VolumeError::IoError` now carries `raw_os_error: Option<i32>` so errno survives the `From<std::io::Error>` conversion
- `streaming.rs` propagates `VolumeError` directly (instead of wrapping in `std::io::Error`) and builds `FriendlyError` at the emission site
- Frontend `ErrorPane.svelte` replaces both `PermissionDeniedPane` and the raw error div. Category-based visual tone, markdown rendering via `snarkdown`, retry button with attempt history for transient errors, "Open System Settings" for permission denied
- E2E testability: `inject_error()` on `Volume` trait behind `playwright-e2e` feature flag, with Playwright tests for transient/needs-action/a11y
- Removed `@lottiefiles/dotlottie-svelte` (only consumer was deleted `PermissionDeniedPane`)

Author: vdavid

CHANGELOG.md

@@ -12,8 +12,7 @@ The format is based on [keep a changelog](https://keepachangelog.com/en/1.1.0/),
 - Striped rows setting — alternating row shading in Full and Brief view modes, auto-adapts to light/dark mode
   ([faa2534](https://github.com/vdavid/cmdr/commit/faa2534))
 - MTP per-file copy progress and mid-file cancellation — progress callback on every USB chunk, instant cancel via USB
-  SIC abort (~300ms instead of draining the full stream)
-  ([ac5ec4d](https://github.com/vdavid/cmdr/commit/ac5ec4d),
+  SIC abort (~300ms instead of draining the full stream) ([ac5ec4d](https://github.com/vdavid/cmdr/commit/ac5ec4d),
   [a66adf6](https://github.com/vdavid/cmdr/commit/a66adf6))
 
 ### Fixed

apps/desktop/coverage-allowlist.json

@@ -59,7 +59,7 @@
     "file-explorer/network/NetworkBrowser.svelte": { "reason": "Network component, needs Tauri integration" },
     "file-explorer/pane/PaneResizer.svelte": { "reason": "Mouse drag UI component, difficult to unit test" },
     "file-explorer/network/NetworkLoginForm.svelte": { "reason": "Network component, needs Tauri integration" },
-    "file-explorer/pane/PermissionDeniedPane.svelte": { "reason": "Simple UI component" },
+    "file-explorer/pane/ErrorPane.svelte": { "reason": "UI component, logic tested in error-pane-utils.test.ts" },
     "file-explorer/pane/VolumeUnreachableBanner.svelte": {
       "reason": "UI banner component, depends on Tauri commands"
     },

apps/desktop/package.json

@@ -39,7 +39,6 @@
     "@crabnebula/tauri-plugin-drag": "^2.1.0",
     "@leeoniya/ufuzzy": "^1.0.19",
     "@logtape/logtape": "^2.0.4",
-    "@lottiefiles/dotlottie-svelte": "^0.9.8",
     "@lucide/svelte": "^0.577.0",
     "@tauri-apps/api": "^2.10.1",
     "@tauri-apps/plugin-dialog": "^2.7.0",
@@ -48,7 +47,8 @@
     "@tauri-apps/plugin-process": "^2.3.1",
     "@tauri-apps/plugin-store": "^2.4.2",
     "@tauri-apps/plugin-updater": "^2.10.0",
-    "@tauri-apps/plugin-window-state": "~2.4.1"
+    "@tauri-apps/plugin-window-state": "~2.4.1",
+    "snarkdown": "2.0.0"
   },
   "devDependencies": {
     "@crabnebula/tauri-driver": "^2.0.9",

apps/desktop/src-tauri/src/commands/file_system.rs

@@ -922,6 +922,23 @@ fn emit_synthetic_entry_diff(app: &tauri::AppHandle, entry_path: &Path, parent_p
     }
 }
 
+// ============================================================================
+// E2E test support (feature-gated)
+// ============================================================================
+
+/// Injects a listing error into an in-memory volume so the next `list_directory` call
+/// returns a `VolumeError::IoError` with the given errno. The error is cleared after
+/// one use, enabling retry testing.
+#[cfg(feature = "playwright-e2e")]
+#[tauri::command]
+pub fn inject_listing_error(volume_id: String, error_code: i32) -> Result<(), String> {
+    let volume = get_volume_manager()
+        .get(&volume_id)
+        .ok_or_else(|| format!("Volume `{}` not found", volume_id))?;
+    volume.inject_error(error_code);
+    Ok(())
+}
+
 /// Expands tilde (~) to the user's home directory.
 pub(crate) fn expand_tilde(path: &str) -> String {
     if (path.starts_with("~/") || path == "~")

apps/desktop/src-tauri/src/commands/ui.rs

@@ -39,10 +39,7 @@ pub fn show_file_context_menu<R: Runtime>(
 /// The `shortcut` is the user's configured shortcut in frontend format (e.g. "⌃⌘C"),
 /// or empty string if no shortcut is configured.
 #[tauri::command]
-pub fn show_breadcrumb_context_menu<R: Runtime>(
-    window: Window<R>,
-    shortcut: String,
-) -> Result<(), String> {
+pub fn show_breadcrumb_context_menu<R: Runtime>(window: Window<R>, shortcut: String) -> Result<(), String> {
     let app = window.app_handle();
     let accelerator = frontend_shortcut_to_accelerator(&shortcut).unwrap_or_default();
     let menu = build_breadcrumb_context_menu(app, &accelerator).map_err(|e| e.to_string())?;

apps/desktop/src-tauri/src/file_system/listing/streaming.rs

@@ -14,6 +14,10 @@ use std::time::Duration;
 use crate::benchmark;
 use crate::file_system::listing::caching::{CachedListing, LISTING_CACHE};
 use crate::file_system::listing::sorting::{DirectorySortMode, SortColumn, SortOrder, sort_entries};
+use crate::file_system::volume::VolumeError;
+use crate::file_system::volume::friendly_error::{
+    FriendlyError, enrich_with_provider, friendly_error_from_volume_error,
+};
 use crate::file_system::watcher::start_watching;
 
 // ============================================================================
@@ -68,6 +72,8 @@ pub struct ListingCompleteEvent {
 pub struct ListingErrorEvent {
     pub listing_id: String,
     pub message: String,
+    /// Structured error info when available. `None` for internal errors (task panics).
+    pub friendly: Option<FriendlyError>,
 }
 
 /// Cancelled event payload
@@ -141,6 +147,7 @@ pub async fn list_directory_start_streaming(
     // Clone values for the spawned task
     let listing_id_for_spawn = listing_id.clone();
     let path_owned = path.to_path_buf();
+    let path_for_error = path.to_path_buf();
     let volume_id_owned = volume_id.to_string();
     let app_for_spawn = app.clone();
 
@@ -180,17 +187,22 @@ pub async fn list_directory_start_streaming(
                     "listing-error",
                     ListingErrorEvent {
                         listing_id: listing_id_for_cleanup,
-                        message: format!("Task failed: {}", e),
+                        message: "Something went wrong while reading this folder".to_string(),
+                        friendly: None,
                     },
                 );
+                log::error!("Listing task panicked: {}", e);
             }
             Ok(Err(e)) => {
-                // Function returned an error (like volume not found, permission denied)
+                // Function returned an error (volume not found, permission denied, I/O, etc.)
+                let mut friendly = friendly_error_from_volume_error(&e, &path_for_error);
+                enrich_with_provider(&mut friendly, &path_for_error);
                 let _ = app_for_error.emit(
                     "listing-error",
                     ListingErrorEvent {
                         listing_id: listing_id_for_cleanup,
                         message: e.to_string(),
+                        friendly: Some(friendly),
                     },
                 );
             }
@@ -225,7 +237,7 @@ fn read_directory_with_progress(
     sort_by: SortColumn,
     sort_order: SortOrder,
     dir_sort_mode: DirectorySortMode,
-) -> Result<(), std::io::Error> {
+) -> Result<(), VolumeError> {
     use tauri::Emitter;
 
     benchmark::log_event("read_directory_with_progress START");
@@ -260,7 +272,7 @@ fn read_directory_with_progress(
     // Get the volume from VolumeManager
     let volume = crate::file_system::get_volume_manager()
         .get(volume_id)
-        .ok_or_else(|| std::io::Error::new(std::io::ErrorKind::NotFound, format!("Volume not found: {}", volume_id)))?;
+        .ok_or_else(|| VolumeError::NotFound(format!("Volume not found: {}", volume_id)))?;
 
     // Read directory entries via Volume abstraction
     // Use polling-based cancellation to remain responsive even when filesystem I/O blocks
@@ -310,14 +322,15 @@ fn read_directory_with_progress(
             Ok(result) => break result,
             Err(mpsc::RecvTimeoutError::Timeout) => continue,
             Err(mpsc::RecvTimeoutError::Disconnected) => {
-                return Err(std::io::Error::other(
-                    "Directory listing thread terminated unexpectedly",
-                ));
+                return Err(VolumeError::IoError {
+                    message: "Directory listing thread terminated unexpectedly".into(),
+                    raw_os_error: None,
+                });
             }
         }
     };
 
-    let mut entries = entries_result.map_err(|e| std::io::Error::other(e.to_string()))?;
+    let mut entries = entries_result?;
     let read_dir_time = read_start.elapsed();
     benchmark::log_event_value("read_dir COMPLETE, entries", entries.len());
 

apps/desktop/src-tauri/src/file_system/volume/CLAUDE.md

@@ -11,6 +11,7 @@ Every file system operation (listing, copy, rename, delete, indexing, watching)
 | File | Role |
 |---|---|
 | `mod.rs` | `Volume` trait, `VolumeScanner`, `VolumeWatcher`, `VolumeReadStream` traits, `MutationEvent` enum, shared types (`VolumeError`, `SpaceInfo`, `CopyScanResult`, `ScanConflict`, `SourceItemInfo`) |
+| `friendly_error.rs` | User-facing error messages. See [Friendly error system](#friendly-error-system) below. |
 | `manager.rs` | `VolumeManager` — thread-safe `RwLock<HashMap>` registry; supports a default volume |
 | `local_posix.rs` | `LocalPosixVolume` — real filesystem; delegates listing to `file_system::listing`, indexing to `indexing::scanner`, watching to `indexing::watcher` (FSEvents), copy scanning via `walkdir`. Uses `libc::statvfs` FFI for space info. |
 | `mtp.rs` | `MtpVolume` — MTP device storage; synchronous `Volume` trait bridged to async MTP calls via `tokio::runtime::Handle::block_on`. Gated with `#[cfg(any(target_os = "macos", target_os = "linux"))]`. |
@@ -71,6 +72,99 @@ Both paths check the `network.directSmbConnection` setting (global `AtomicBool`)
 warning and the volume stays as `LocalPosixVolume`. The "Connect directly" UI action (`upgrade_to_smb_volume` command)
 provides a manual upgrade path.
 
+## Friendly error system
+
+`friendly_error.rs` turns raw OS errors into warm, actionable messages so the user feels supported when something goes
+wrong. This is one of Cmdr's UX differentiators: where other file managers show "I/O error: Operation timed out (os
+error 60)", we show a friendly title, a plain-language explanation, and provider-specific advice ("This folder is managed
+by **MacDroid**. Here's what to try: ...").
+
+### Philosophy
+
+**The user should never feel alone with a broken state.** Every error message should feel like the app is putting its
+hand on the user's shoulder and saying "Here's what happened, and here's what you can do." We go above and beyond: we
+detect which cloud provider or mount tool manages the path, and tailor the suggestion to that specific app. A timeout on
+a Dropbox folder gets different advice than a timeout on an SSHFS mount.
+
+Power users also need the raw details (errno name, code) for debugging or bug reports. These are available in a
+collapsible "Technical details" section, never hidden but never in your face either.
+
+### Architecture
+
+Two-layer mapping, both in this file:
+
+1. **`friendly_error_from_volume_error(err, path)`** — maps `VolumeError` variants and macOS errno codes (37 codes) to a
+   `FriendlyError` with category (Transient/NeedsAction/Serious), title, explanation, suggestion, and raw detail.
+2. **`enrich_with_provider(error, path)`** — detects 19 cloud/mount providers from path patterns and `statfs` filesystem
+   type, then overwrites the suggestion with provider-specific advice.
+
+The frontend receives the fully-baked `FriendlyError` struct via the `listing-error` Tauri event and renders it with
+category-based visual styling. The frontend never sees errno codes or does OS-specific logic.
+
+### Adding a new error message
+
+When you need to handle a new errno or `VolumeError` variant:
+
+1. Add the match arm in `friendly_error_from_volume_error`
+2. Pick the right `ErrorCategory`: **Transient** (retry might work), **NeedsAction** (user must do something),
+   **Serious** (something is genuinely broken)
+3. Write the message following the rules below
+4. Add a unit test asserting the category and that the text follows the style rules
+5. Run the existing `error_messages_never_contain_error_or_failed` test to catch violations
+
+### Adding a new provider
+
+When a new cloud storage or mount tool becomes popular enough to detect:
+
+1. Add a variant to the `Provider` enum with `display_name()` and `app_name()`
+2. Add path detection in `detect_provider` (CloudStorage prefix, specific path, or `statfs` type)
+3. Write provider-specific suggestions in `provider_suggestion` for each `ErrorCategory`
+4. Add a unit test for path detection and suggestion content
+5. Update `volumes/CLAUDE.md` provider table to keep the two lists in sync
+
+### Writing rules for error messages
+
+These are non-negotiable. The existing test suite enforces some of them automatically.
+
+- **NEVER use "error" or "failed"** in titles, explanations, or suggestions. Say "Couldn't read" not "Read error". The
+  automated test `error_messages_never_contain_error_or_failed` catches this.
+- **Active voice, contractions**: "Cmdr couldn't..." not "The operation was unable to..."
+- **No trivializing**: no "just", "simply", "easy", "all you have to do"
+- **No permissive language**: "Check your connection" not "You might want to check..."
+- **Direct and warm**: "Here's what to try:" not "Please attempt the following remediation steps:"
+- **No em dashes**: use parentheses, commas, or new sentences
+- **Sentence case in titles**: "Connection timed out" not "Connection Timed Out"
+- **Bold key terms** with `**` only when it helps scanning (for example, provider names)
+- **Platform-native terms**: "System Settings" on macOS, "Finder", "Trash"
+- **Keep it short**: max two sentences for explanation, bullets for suggestions
+
+Good example:
+```
+title: "Connection timed out"
+explanation: "Cmdr tried to read this folder but the connection didn't respond in time."
+suggestion: "Here's what to try:\n- Check that the device or server is reachable\n- ..."
+```
+
+Bad example (every rule violated):
+```
+title: "I/O Error: Operation Timed Out"   // "Error", Title Case
+explanation: "An error occurred while the system attempted to access the directory."  // passive, "error"
+suggestion: "You may want to try simply reconnecting the device."  // permissive, trivializing
+```
+
+### Provider detection strategies
+
+| Strategy | Providers covered |
+|---|---|
+| `~/Library/CloudStorage/<Prefix>*` | Dropbox, GoogleDrive, OneDrive, Box, pCloud, Nextcloud, SynologyDrive, Tresorit, ProtonDrive, Sync, Egnyte, MacDroid, plus a generic fallback for unrecognized providers |
+| `~/Library/Mobile Documents/` | iCloud Drive |
+| `/Volumes/pCloudDrive` | pCloud (FUSE virtual drive) |
+| `/Volumes/veracrypt*` | VeraCrypt |
+| `~/.CMVolumes/` | CloudMounter |
+| `statfs` `f_fstypename` (macOS) | macFUSE/SSHFS/Cryptomator/rclone (`macfuse`, `osxfuse`), pCloud (`pcloudfs`) |
+
+The `statfs` check runs only at error time (not on every listing), so the syscall cost is negligible.
+
 ## Integration status
 
 `LocalPosixVolume` is wired into the indexing subsystem. `VolumeManager` is actively used.
@@ -93,7 +187,13 @@ provides a manual upgrade path.
 **Why**: The `Volume` trait is synchronous because local filesystem ops are blocking and shouldn't touch the async executor. MTP operations are inherently async (USB bulk transfers), so `block_on` bridges the gap. This is safe because MTP methods are always called from `spawn_blocking` contexts (separate OS thread pool), avoiding nested-runtime panics.
 
 **Decision**: `VolumeError` stores `String` messages, not the original `std::io::Error`
-**Why**: `std::io::Error` is not `Clone`, but `VolumeError` needs to be `Clone` for ergonomic error propagation across thread boundaries and for serialization to the frontend. Storing the formatted message loses the original error type but keeps the information that matters for user-facing error messages.
+**Why**: `std::io::Error` is not `Clone`, but `VolumeError` needs to be `Clone` for ergonomic error propagation across thread boundaries and for serialization to the frontend. Storing the formatted message loses the original error type but keeps the information that matters for user-facing error messages. The `IoError` variant also carries `raw_os_error: Option<i32>` so the friendly error mapper can match on platform-specific errno codes.
+
+**Decision**: Friendly error mapping is two layers: errno mapping, then provider enrichment
+**Why**: Not every provider+errno combination needs custom copy. The base errno message is always useful. Provider enrichment is additive, making the suggestion more specific when we recognize who manages the mount. Keeping them separate avoids a combinatorial explosion of messages.
+
+**Decision**: Friendly error mapping lives in Rust, not the frontend
+**Why**: The mapping needs access to the full path (for provider detection) and platform-specific errno codes. Doing it in Rust keeps the frontend thin (principle: smart backend, thin frontend) and avoids duplicating errno knowledge in TypeScript. The frontend receives a ready-to-render `FriendlyError` struct with markdown strings.
 
 **Decision**: `LocalPosixVolume` uses `symlink_metadata` for `exists()` instead of `Path::exists()`
 **Why**: `Path::exists()` follows symlinks — a dangling symlink returns `false`, which would make the volume claim a file doesn't exist when it visibly does in a directory listing. `symlink_metadata` detects the symlink itself, matching what the user sees.
@@ -150,6 +250,7 @@ provides a manual upgrade path.
 
 ## Testing
 
+- **E2E error injection**: The `Volume` trait has an `inject_error(&self, errno: i32)` method behind the `playwright-e2e` feature flag. `LocalPosixVolume` and `InMemoryVolume` implement it — the next `list_directory` call returns the injected errno, then clears it (single-shot, so retry tests work). Default is no-op.
 - `in_memory_test.rs` — unit tests for `InMemoryVolume` (CRUD, sorting, concurrency, stress 50k entries)
 - `inmemory_test.rs` — integration tests combining `InMemoryVolume` + `VolumeManager`, streaming state, sort helpers
 - `local_posix_test.rs` — real-FS tests (write ops, symlinks, copy, space info) using `std::env::temp_dir()`