diff --git a/.oxfmtrc.json b/.oxfmtrc.json
index 87ba4177..d85079db 100644
--- a/.oxfmtrc.json
+++ b/.oxfmtrc.json
@@ -24,6 +24,7 @@
     "**/playwright-report/",
     "**/test-results/",
     "**/coverage/",
+    "apps/desktop/test/smb-servers/.compose/",
     "apps/website/src/pages/pricing.astro"
   ]
 }
diff --git a/Cargo.lock b/Cargo.lock
index d7e7a46a..f32c4f8b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -243,7 +243,7 @@ dependencies = [
  "objc2-foundation 0.3.2",
  "parking_lot",
  "percent-encoding",
- "windows-sys 0.52.0",
+ "windows-sys 0.60.2",
  "wl-clipboard-rs",
  "x11rb",
 ]
@@ -1975,7 +1975,7 @@ dependencies = [
  "libc",
  "option-ext",
  "redox_users 0.5.2",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -2248,7 +2248,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -2985,7 +2985,7 @@ dependencies = [
  "gobject-sys 0.21.5",
  "libc",
  "system-deps 7.0.8",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4786,7 +4786,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
 dependencies = [
  "hermit-abi",
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4864,7 +4864,7 @@ dependencies = [
  "portable-atomic",
  "portable-atomic-util",
  "serde_core",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -5720,7 +5720,7 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "680998035259dcfcafe653688bf2aa6d3e2dc05e98be6ab46afb089dc84f1df8"
 dependencies = [
- "proc-macro-crate 1.3.1",
+ "proc-macro-crate 3.5.0",
  "proc-macro2",
  "quote",
  "syn 2.0.117",
@@ -6240,7 +6240,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
  "libc",
- "windows-sys 0.45.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -6995,7 +6995,7 @@ dependencies = [
  "once_cell",
  "socket2",
  "tracing",
- "windows-sys 0.52.0",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -7458,7 +7458,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -7516,7 +7516,7 @@ dependencies = [
  "security-framework",
  "security-framework-sys",
  "webpki-root-certs",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -8064,9 +8064,9 @@ checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
 
 [[package]]
 name = "smb2"
-version = "0.8.0"
+version = "0.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac712ad8fd6e9712cb44782bb4d084afa4081cdce296b39fbaade28e0cfd0a1c"
+checksum = "f584485452a389b86e87b15740b3645a08c1a81f599cf3f5a346f1604180faa4"
 dependencies = [
  "aes 0.9.0-rc.4",
  "aes-gcm 0.11.0-rc.3",
@@ -8991,7 +8991,7 @@ dependencies = [
  "getrandom 0.4.2",
  "once_cell",
  "rustix",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -10169,7 +10169,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.48.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
diff --git a/apps/desktop/src-tauri/Cargo.toml b/apps/desktop/src-tauri/Cargo.toml
index cad0344d..3de5e42c 100644
--- a/apps/desktop/src-tauri/Cargo.toml
+++ b/apps/desktop/src-tauri/Cargo.toml
@@ -170,7 +170,7 @@ mdns-sd = { version = "0.19", features = ["logging"] }
 # SMB2/3 protocol client for share enumeration (pure Rust, pipelined I/O).
 # When bumping: also re-vendor the test containers per
 # apps/desktop/test/smb-servers/.compose/VENDORED.md
-smb2 = "0.8.0"
+smb2 = "0.9.1"
 # NFD normalization for APFS collation and SMB path normalization
 unicode-normalization = "0.1"
 
diff --git a/apps/desktop/src-tauri/src/commands/ui.rs b/apps/desktop/src-tauri/src/commands/ui.rs
index 9f3744a2..3afd86a7 100644
--- a/apps/desktop/src-tauri/src/commands/ui.rs
+++ b/apps/desktop/src-tauri/src/commands/ui.rs
@@ -118,6 +118,24 @@ pub fn show_breadcrumb_context_menu<R: Runtime>(window: Window<R>, shortcut: Str
 #[tauri::command]
 #[specta::specta]
 pub fn show_main_window<R: Runtime>(window: Window<R>) -> Result<(), String> {
+    // E2E: on macOS, use `orderFront:` instead of `makeKeyAndOrderFront:` so the
+    // window appears without stealing focus from whatever the user is currently
+    // working in. `window.show()` calls the latter on macOS, which always grabs
+    // OS focus. Linux/Windows test runs happen in headless containers, so the
+    // standard show is fine there.
+    #[cfg(target_os = "macos")]
+    if crate::test_mode::is_e2e_mode() {
+        use objc2::msg_send;
+        use objc2::runtime::AnyObject;
+        let ns_window = window.ns_window().map_err(|e| e.to_string())? as *mut AnyObject;
+        if ns_window.is_null() {
+            return Err("NSWindow pointer is null".into());
+        }
+        unsafe {
+            let _: () = msg_send![ns_window, orderFront: std::ptr::null_mut::<AnyObject>()];
+        }
+        return Ok(());
+    }
     window.show().map_err(|e| e.to_string())
 }
 
diff --git a/apps/desktop/src-tauri/src/file_system/volume/CLAUDE.md b/apps/desktop/src-tauri/src/file_system/volume/CLAUDE.md
index a6ed10ac..a25783d0 100644
--- a/apps/desktop/src-tauri/src/file_system/volume/CLAUDE.md
+++ b/apps/desktop/src-tauri/src/file_system/volume/CLAUDE.md
@@ -128,7 +128,7 @@ When adding a new volume, add a column for it and fill in each row. The matrix d
 Reads and writes have different shapes because the consumer relationship is different:
 
 - **Reads** return a `VolumeReadStream` that an external caller polls. The download handle has to live past the function call and cross async contexts. That's where the lifetime/ownership gymnastics below come from.
-- **Writes** consume a stream (or a local file) inside the method itself. The chunk loop is the consumer, so there's nothing to hand off. Just hold the session lock for the duration, pull chunks from the source, push them into the backend's chunk-by-chunk writer. `SmbVolume::import_single_file_with_progress` and `SmbVolume::write_from_stream` are the reference implementations: open the smb2 `FileWriter`, loop `write_chunk`, call `finish()` on success or `abort()` on cancel. No task spawn, no channel, no self-referential struct.
+- **Writes** consume a stream (or a local file) inside the method itself. The chunk loop is the consumer, so there's nothing to hand off. For backends with a `'static` writer (smb2 0.9's owned `FileWriter`, mtp-rs's `upload_stream`), drive the writer directly on a cloned session handle — no lock held across I/O. For backends whose writer borrows from the session, hold the session lock for the chunk loop's duration. `SmbVolume::write_from_stream` is the reference implementation: clone the session once, open the smb2 `FileWriter` on the clone, loop `write_chunk`, call `finish()` on success or `abort()` on cancel. No task spawn, no channel, no self-referential struct, no client mutex held while WRITEs are in flight.
 
 The rest of this section is about **read-side** lifetime handling. Which pattern to pick depends on whether your protocol SDK's download handle is `'static` or borrowed.
 
@@ -387,7 +387,7 @@ spawned detached task. This is safe because the stream always lives in an async
 **Why**: `SmbVolume` now handles listing updates via `notify_mutation` using its own smb2 `get_metadata`. The old `std::fs`-based synthetic diff path (`emit_synthetic_entry_diff`) is redundant and goes through the slow OS mount. Returning `false` skips it.
 
 **Decision**: `SmbVolume` splits session storage: `Arc<Mutex<Option<SmbClient>>>` + `Arc<RwLock<Option<Arc<Tree>>>>`
-**Why**: Phase 4 Fix 2 unblocks concurrency on the hot copy path. Previously the session lived in one `Mutex<Option<(SmbClient, Tree)>>`, which the streaming-read producer and the compound read/write fast-paths held for the entire transfer, serializing every concurrent copy through the mutex. With smb2 0.7.x, `Connection` is `Clone` (cheap `Arc::clone`, all clones multiplex frames over one SMB session). Splitting the Tree out lets us briefly lock the client, clone its `Connection`, and release the lock, then drive `Tree::download` / `Tree::read_file_compound` / `Tree::write_file_compound` on the cloned `Connection` with no lock held. N concurrent copies on one `SmbVolume` now pipeline N operations over the single session instead of queuing on the mutex. Tree lives in a `RwLock` because we only take read locks in the hot path (cloning an `Arc<Tree>`) and only write on disconnect. The legacy large-file streaming writer (`FileWriter<'a>`) still takes the client mutex for its duration because its lifetime borrows `&'a mut Connection` from the `SmbClient`; that's documented as a Gotcha below. Large files are rare in the hot path, the compound fast-path covers every small write.
+**Why**: Phase 4 Fix 2 unblocks concurrency on the hot copy path. Previously the session lived in one `Mutex<Option<(SmbClient, Tree)>>`, which the streaming-read producer and the compound read/write fast-paths held for the entire transfer, serializing every concurrent copy through the mutex. With smb2 0.7.x, `Connection` is `Clone` (cheap `Arc::clone`, all clones multiplex frames over one SMB session). Splitting the Tree out lets us briefly lock the client, clone its `Connection`, and release the lock, then drive `Tree::download` / `Tree::read_file_compound` / `Tree::write_file_compound` on the cloned `Connection` with no lock held. N concurrent copies on one `SmbVolume` now pipeline N operations over the single session instead of queuing on the mutex. Tree lives in a `RwLock` because we only take read locks in the hot path (cloning an `Arc<Tree>`) and only write on disconnect. Since smb2 0.9, the streaming-write path also uses this clone-and-release shape (see the `write_from_stream` Decision below), so the client mutex is no longer held across any I/O.
 
 **Decision**: `SmbVolume::local_path()` returns `None`
 **Why**: `local_path()` is checked in `volume_copy.rs` to decide whether to use native OS copy APIs. If SmbVolume returned `Some(mount_path)`, copies would go through the slow OS mount, which is exactly what we're trying to avoid. `root()` still returns the mount path for frontend path resolution.
@@ -410,8 +410,11 @@ spawned detached task. This is safe because the stream always lives in an async
 **Gotcha**: Watcher filenames are NFC (from server) but macOS mount paths are NFD
 **Why**: SMB servers return NFC-normalized filenames. macOS filesystem paths use NFD. The watcher NFD-normalizes filenames before constructing display paths used for cache lookups.
 
-**Gotcha**: SMB write streaming fallback still holds the client mutex for the whole upload
-**Why**: `SmbClient::create_file_writer` / `Tree::create_file_writer` both return `FileWriter<'a>` which borrows `&'a mut Connection`. We can't release the client mutex while the writer is alive, so the streaming (large-file) write path serializes concurrent writes on one `SmbVolume`. This is acceptable because the compound fast-path in `write_from_stream` handles every file ≤ `max_write_size` (typically 1 MB on QNAP, the SMB2 spec ceiling is 8 MB) without touching the client mutex for the actual write. Large files are rare in the hot copy path; if this ever becomes a bottleneck, the fix is a future `smb2` release that exposes a `FileWriter` built from a cloned `Connection` + `Arc<Tree>` (both owned inside the writer) rather than borrowing.
+**Gotcha (no longer applicable as of smb2 0.9)**: SMB write streaming fallback used to hold the client mutex for the whole upload
+**Why**: Historically `FileWriter<'a>` borrowed `&'a mut Connection` from the `SmbClient`, so `write_from_stream` had to hold the client mutex for the duration of the streaming write. Under sustained concurrent pressure this two-phase pattern (brief `clone_session` fast-path probe → drop → long mutex-guarded streaming fallback) deadlocked. smb2 0.9 rebuilt `FileWriter` to own its `Connection` and `Arc<Tree>`, removing the borrow. The regression is pinned by `smb_integration_concurrent_streaming_writes_no_deadlock`. See the new Decision below (`write_from_stream` uses a cloned Connection + Arc<Tree>) for the current design.
+
+**Decision**: `write_from_stream` uses a cloned `Connection` + `Arc<Tree>` via smb2 0.9's owned `FileWriter`
+**Why**: smb2 0.9 made `FileWriter` own its `Connection` (cheap `Arc::clone`) and `Arc<Tree>` instead of borrowing `&'a mut Connection`. `write_from_stream` now calls `clone_session` once up front and drives both the compound fast-path AND the streaming fallback on the same owned `Connection` clone. The client mutex is held only for the few microseconds of `clone_session()`, never across I/O. The previous shape — fast-path on a clone, then drop and re-acquire the client for the streaming fallback — was the deadlock reproducer in Phase C against QNAP. The architectural property we get for free: N concurrent streaming writes on one `SmbVolume` pipeline N WRITE chains over a single SMB session, multiplexed by `MessageId` in smb2's receiver task. No external locking, no mutex contention on the hot copy path.
 
 **Decision**: `SmbVolume` overrides `scan_for_copy_batch` to pipeline per-path stats over a single SMB session
 **Why**: The copy pipeline's scan phase used to loop `scan_for_copy` per top-level source, N sequential RTTs on the wire before the copy phase could even start. For a 100-file copy over a ~60 ms Tailscale link that's ~5 s of serial stats. Fix 4 overrides `scan_for_copy_batch` to clone `smb2::Connection` per path under a brief client-mutex acquire (cheap `Arc::clone`, all clones multiplex over the same SMB session), release the lock, then drive `tree.stat(&mut conn, path)` on each clone inside a `FuturesUnordered`. Empty root paths skip the stat. Single-path batches fall through to `scan_recursive` so one-file drag-drops don't pay the batch machinery cost. Directories found during the stat phase recurse sequentially afterward. Parallel directory recursion is a future "Fix 5". Measured 6.5× wall-clock win at 100 × 10 KB: 6.11 s → 947 ms. See `docs/notes/phase4-rtt-investigation.md` for the wire trace.
diff --git a/apps/desktop/src-tauri/src/file_system/volume/friendly_error/kinds.rs b/apps/desktop/src-tauri/src/file_system/volume/friendly_error/kinds.rs
index fceff939..0c7708d9 100644
--- a/apps/desktop/src-tauri/src/file_system/volume/friendly_error/kinds.rs
+++ b/apps/desktop/src-tauri/src/file_system/volume/friendly_error/kinds.rs
@@ -206,6 +206,29 @@ pub(super) fn not_supported(raw_detail: String) -> FriendlyError {
     }
 }
 
+/// `STATUS_DELETE_PENDING`: the file has been marked for deletion on the server
+/// but at least one open handle is keeping it alive. The file disappears the
+/// moment the last handle closes, so retry-after-a-moment is the right hint.
+pub(super) fn delete_pending(path_display: &str, raw_detail: String) -> FriendlyError {
+    FriendlyError {
+        category: ErrorCategory::Transient,
+        title: "File is being removed".into(),
+        explanation: format!(
+            "`{}` is on its way out. The server marked it for deletion, but another \
+            open handle is keeping it around until that handle closes.",
+            path_display
+        ),
+        suggestion: "Here's what to try:\n\
+            - Wait a moment and try again — once the last handle closes, the file disappears\n\
+            - Close any other apps that might have this file open\n\
+            - If it sticks around, restart Cmdr to drop any handles it might still hold"
+            .into(),
+        raw_detail,
+        retry_hint: true,
+        action_kind: None,
+    }
+}
+
 pub(super) fn io_serious(path_display: &str, message: &str, raw_detail: String) -> FriendlyError {
     FriendlyError {
         category: ErrorCategory::Serious,
diff --git a/apps/desktop/src-tauri/src/file_system/volume/friendly_error/mod.rs b/apps/desktop/src-tauri/src/file_system/volume/friendly_error/mod.rs
index f9826227..075df64c 100644
--- a/apps/desktop/src-tauri/src/file_system/volume/friendly_error/mod.rs
+++ b/apps/desktop/src-tauri/src/file_system/volume/friendly_error/mod.rs
@@ -211,6 +211,7 @@ mod tests {
                 true,
             ),
             (VolumeError::Cancelled("x".into()), ErrorCategory::Transient, true),
+            (VolumeError::DeletePending("x".into()), ErrorCategory::Transient, true),
             (
                 VolumeError::IoError {
                     message: "x".into(),
@@ -296,6 +297,7 @@ mod tests {
             VolumeError::NotFound("x".into()),
             VolumeError::PermissionDenied("x".into()),
             VolumeError::ConnectionTimeout("x".into()),
+            VolumeError::DeletePending("x".into()),
             VolumeError::IoError {
                 message: "x".into(),
                 raw_os_error: None,
@@ -357,6 +359,36 @@ mod tests {
         }
     }
 
+    #[test]
+    fn delete_pending_uses_dedicated_copy() {
+        let path = Path::new("/Volumes/share/photo.jpg");
+        let err = VolumeError::DeletePending("Protocol error: STATUS_DELETE_PENDING during Create".into());
+        let friendly = friendly_error_from_volume_error(&err, path);
+
+        assert_eq!(friendly.category, ErrorCategory::Transient);
+        assert!(
+            friendly.retry_hint,
+            "DeletePending is transient — user should see a retry hint"
+        );
+        assert!(
+            friendly.title.contains("being removed"),
+            "DeletePending title should say the file is being removed, got: {:?}",
+            friendly.title,
+        );
+        // The path is interpolated into the explanation so the user knows which file.
+        assert!(
+            friendly.explanation.contains("photo.jpg"),
+            "DeletePending explanation should include the path, got: {:?}",
+            friendly.explanation,
+        );
+        // raw_detail preserves the underlying NTSTATUS for the technical-details disclosure.
+        assert!(
+            friendly.raw_detail.contains("DELETE_PENDING"),
+            "raw_detail should preserve the NTSTATUS code, got: {:?}",
+            friendly.raw_detail,
+        );
+    }
+
     // ── action_kind tests ───────────────────────────────────────────────
 
     #[cfg(target_os = "macos")]
diff --git a/apps/desktop/src-tauri/src/file_system/volume/friendly_error/volume_error.rs b/apps/desktop/src-tauri/src/file_system/volume/friendly_error/volume_error.rs
index 3cab2ef3..3b21ed46 100644
--- a/apps/desktop/src-tauri/src/file_system/volume/friendly_error/volume_error.rs
+++ b/apps/desktop/src-tauri/src/file_system/volume/friendly_error/volume_error.rs
@@ -49,6 +49,7 @@ pub fn friendly_error_from_volume_error(err: &VolumeError, path: &Path) -> Frien
         VolumeError::StorageFull { .. } => kinds::storage_full(raw),
         VolumeError::ConnectionTimeout(_) => kinds::connection_timeout(raw),
         VolumeError::Cancelled(_) => kinds::cancelled(raw),
+        VolumeError::DeletePending(_) => kinds::delete_pending(&path_display, raw),
         VolumeError::IsADirectory(_) => FriendlyError {
             category: ErrorCategory::NeedsAction,
             title: "This is a folder, not a file".into(),
diff --git a/apps/desktop/src-tauri/src/file_system/volume/friendly_error/write_error.rs b/apps/desktop/src-tauri/src/file_system/volume/friendly_error/write_error.rs
index 39a152a3..8e607dcb 100644
--- a/apps/desktop/src-tauri/src/file_system/volume/friendly_error/write_error.rs
+++ b/apps/desktop/src-tauri/src/file_system/volume/friendly_error/write_error.rs
@@ -142,6 +142,7 @@ pub fn friendly_from_write_error(err: &crate::file_system::write_operations::Wri
             retry_hint: false,
             action_kind: None,
         },
+        W::DeletePending { path } => kinds::delete_pending(path, raw),
         W::IoError { path, message } => kinds::io_serious(path, message, raw),
     }
 }
diff --git a/apps/desktop/src-tauri/src/file_system/volume/mod.rs b/apps/desktop/src-tauri/src/file_system/volume/mod.rs
index 05070d75..5286562e 100644
--- a/apps/desktop/src-tauri/src/file_system/volume/mod.rs
+++ b/apps/desktop/src-tauri/src/file_system/volume/mod.rs
@@ -166,6 +166,11 @@ pub enum VolumeError {
     Cancelled(String),
     /// The path is a directory, not a file (for example, SMB STATUS_FILE_IS_A_DIRECTORY).
     IsADirectory(String),
+    /// The file is in `STATUS_DELETE_PENDING`: a delete has been requested on the server
+    /// but at least one open handle is keeping the file alive. The file will disappear
+    /// once the last handle closes; any new `Create` (stat, open, write) on the path
+    /// fails with this status in the meantime. SMB-only today.
+    DeletePending(String),
     IoError {
         message: String,
         raw_os_error: Option<i32>,
@@ -194,6 +199,7 @@ impl std::fmt::Display for VolumeError {
             Self::ConnectionTimeout(msg) => write!(f, "Connection timed out: {}", msg),
             Self::Cancelled(msg) => write!(f, "Cancelled: {}", msg),
             Self::IsADirectory(path) => write!(f, "Is a directory: {}", path),
+            Self::DeletePending(path) => write!(f, "Delete pending: {}", path),
             Self::IoError { message, .. } => write!(f, "I/O error: {}", message),
             Self::FriendlyGit(err) => write!(f, "git: {}", err),
         }
diff --git a/apps/desktop/src-tauri/src/file_system/volume/smb.rs b/apps/desktop/src-tauri/src/file_system/volume/smb.rs
index dd00e091..c6b00e71 100644
--- a/apps/desktop/src-tauri/src/file_system/volume/smb.rs
+++ b/apps/desktop/src-tauri/src/file_system/volume/smb.rs
@@ -94,6 +94,8 @@ impl ConnectionState {
     }
 }
 
+static CLIENT_LOCK_TICKET: std::sync::atomic::AtomicU64 = std::sync::atomic::AtomicU64::new(0);
+
 // ── Type mapping helpers ────────────────────────────────────────────
 
 /// Converts an `smb2::FileTime` to seconds since the Unix epoch, matching
@@ -134,6 +136,15 @@ fn fs_info_to_space_info(info: &smb2::client::tree::FsInfo) -> SpaceInfo {
 /// Converts an `smb2::Error` to `VolumeError`.
 fn map_smb_error(err: smb2::Error) -> VolumeError {
     use smb2::ErrorKind;
+    use smb2::types::status::NtStatus;
+
+    // `STATUS_DELETE_PENDING` currently classifies as `ErrorKind::Other` in
+    // smb2 (no typed variant yet), so we detect it via the raw NTSTATUS before
+    // falling through to the generic kind match.
+    if err.status() == Some(NtStatus::DELETE_PENDING) {
+        return VolumeError::DeletePending(err.to_string());
+    }
+
     match err.kind() {
         ErrorKind::NotFound => VolumeError::NotFound(err.to_string()),
         ErrorKind::AlreadyExists => VolumeError::AlreadyExists(err.to_string()),
@@ -454,21 +465,6 @@ impl SmbVolume {
         }
     }
 
-    /// Acquires the client mutex and returns a guard over the `Option<SmbClient>`.
-    /// Checks connection state first, then verifies the client is present.
-    ///
-    /// Most methods still go through this (stat, list_directory, rename, etc.);
-    /// only the hot streaming-read / compound-write paths use the cheaper
-    /// `clone_connection` helper that releases the lock before driving the op.
-    async fn acquire_client(&self) -> Result<tokio::sync::MutexGuard<'_, Option<SmbClient>>, VolumeError> {
-        self.check_connection()?;
-        let guard = self.client.lock().await;
-        if guard.is_none() {
-            return Err(VolumeError::DeviceDisconnected("SMB session not available".to_string()));
-        }
-        Ok(guard)
-    }
-
     /// Reads out a clone of `Arc<Tree>`. Cheap (`Arc::clone`).
     async fn tree_arc(&self) -> Result<Arc<Tree>, VolumeError> {
         self.check_connection()?;
@@ -489,12 +485,37 @@ impl SmbVolume {
     async fn clone_session(&self) -> Result<(Arc<Tree>, smb2::client::Connection), VolumeError> {
         self.check_connection()?;
         let tree = self.tree_arc().await?;
+        let ticket = CLIENT_LOCK_TICKET.fetch_add(1, Ordering::Relaxed);
+        let start = std::time::Instant::now();
+        log::debug!(
+            "client-mutex: waiting ticket={} caller=clone_session share={}",
+            ticket,
+            self.share_name
+        );
         let conn = {
             let mut guard = self.client.lock().await;
-            let client = guard
-                .as_mut()
-                .ok_or_else(|| VolumeError::DeviceDisconnected("SMB session not available".to_string()))?;
-            client.connection_mut().clone()
+            log::debug!(
+                "client-mutex: acquired ticket={} caller=clone_session share={} waited={:?}",
+                ticket,
+                self.share_name,
+                start.elapsed()
+            );
+            let acquired_at = std::time::Instant::now();
+            let client = guard.as_mut().ok_or_else(|| {
+                log::debug!(
+                    "client-mutex: released ticket={} caller=clone_session held_for={:?} (no-session-bail)",
+                    ticket,
+                    acquired_at.elapsed()
+                );
+                VolumeError::DeviceDisconnected("SMB session not available".to_string())
+            })?;
+            let c = client.connection_mut().clone();
+            log::debug!(
+                "client-mutex: released ticket={} caller=clone_session held_for={:?}",
+                ticket,
+                acquired_at.elapsed()
+            );
+            c
         };
         Ok((tree, conn))
     }
@@ -1699,6 +1720,23 @@ impl Volume for SmbVolume {
         mut stream: Box<dyn VolumeReadStream>,
         on_progress: &'a (dyn Fn(u64, u64) -> std::ops::ControlFlow<()> + Sync),
     ) -> Pin<Box<dyn Future<Output = Result<u64, VolumeError>> + Send + 'a>> {
+        // Lock-free streaming write path.
+        //
+        // Both branches below drive the upload on a cloned `Connection`
+        // (cheap `Arc::clone`) and an `Arc<Tree>`. The client mutex is
+        // held only for the few microseconds of `clone_session()`, never
+        // for the upload itself. With smb2 0.9's owned `FileWriter`, N
+        // concurrent `write_from_stream` calls on one `SmbVolume`
+        // pipeline N WRITE chains over a single SMB session: smb2's
+        // receiver task multiplexes responses by `MessageId`.
+        //
+        // This collapses the historical two-phase pattern (brief
+        // `clone_session` for the fast-path → drop → long
+        // session-mutex hold for the streaming fallback) into a single
+        // clone. The old shape deadlocked under sustained concurrent
+        // pressure; the regression test
+        // `smb_integration_concurrent_streaming_writes_no_deadlock`
+        // pins this shape.
         Box::pin(async move {
             let smb_path = self.to_smb_path(dest);
 
@@ -1707,15 +1745,18 @@ impl Volume for SmbVolume {
                 self.share_name, smb_path, size
             );
 
-            // Compound fast-path: when the caller promised a size that fits in
-            // one WRITE, drain the source stream into a buffer and send
+            // Acquire a cloned session once, up front. Both the compound
+            // fast-path and the streaming fallback drive their write on
+            // this same clone — no second `clone_session` needed.
+            let (tree, conn) = self.clone_session().await?;
+
+            // Compound fast-path: when the caller promised a size that fits
+            // in one WRITE, drain the source stream into a buffer and send
             // CREATE+WRITE+FLUSH+CLOSE as a single compound frame (1 RTT
-            // instead of 4). Runs on a cloned `Connection` with no lock held,
-            // so N concurrent small writes pipeline over one SMB session.
-            // Small files are the hot case; for anything larger we fall
-            // through to the streaming writer below.
+            // instead of 4). Small files are the hot case; we fall through
+            // to the streaming writer for anything larger or when the source
+            // returns short.
             if size > 0 {
-                let (tree, mut conn) = self.clone_session().await?;
                 let max_write = conn.params().map(|p| p.max_write_size).unwrap_or(65536) as u64;
                 if size <= max_write {
                     let mut buffer = Vec::with_capacity(size as usize);
@@ -1736,48 +1777,38 @@ impl Volume for SmbVolume {
                             "SmbVolume::write_from_stream: using compound fast-path ({} bytes)",
                             buffer.len()
                         );
+                        let mut conn = conn;
                         let write_result = tree.write_file_compound(&mut conn, &smb_path, &buffer).await;
                         let bytes_written = self.handle_smb_result("write_from_stream(compound)", write_result)?;
                         return Ok(bytes_written);
                     }
-                    // Size mismatch: drop the cloned conn and re-feed the
-                    // already-drained buffer through the streaming writer
-                    // below (which needs the client mutex because
-                    // `FileWriter` borrows `&'a mut Connection` from the
-                    // `SmbClient`).
+                    // Size mismatch: feed the already-drained buffer through
+                    // the streaming writer on the same cloned connection.
+                    // No lock acquired; this is the rare path.
                     debug!(
-                        "SmbVolume::write_from_stream: compound fast-path source yielded {} bytes, expected {}; falling back",
+                        "SmbVolume::write_from_stream: compound fast-path source yielded {} bytes, expected {}; falling back to streaming writer",
                         buffer.len(),
                         size
                     );
-                    drop(conn);
-                    let tree_arc = tree;
-                    let mut guard = self.acquire_client().await?;
-                    let client = guard.as_mut().unwrap();
-                    let writer_result = client.create_file_writer(&tree_arc, &smb_path).await;
+                    let writer_result = tree.create_file_writer(conn, &smb_path).await;
                     let mut writer = self.handle_smb_result("write_from_stream(open)", writer_result)?;
                     if !buffer.is_empty() {
                         let write_result = writer.write_chunk(&buffer).await;
                         self.handle_smb_result("write_from_stream(write_chunk)", write_result)?;
                     }
+                    // The source signalled end-of-stream by returning None
+                    // above (we exited the drain loop). No further chunks.
                     let finish_result = writer.finish().await;
                     self.handle_smb_result("write_from_stream(finish)", finish_result)?;
                     return Ok(buffer.len() as u64);
                 }
             }
 
-            // Streaming fallback for large / unknown-size writes. Holds the
-            // client mutex for the duration of the transfer because
-            // `FileWriter<'a>` borrows `&'a mut Connection` from the
-            // `SmbClient` we create it from. Large files are rare in the hot
-            // copy path, so this doesn't hurt concurrency in practice; the
-            // compound fast-path above handles every small file without
-            // touching the client mutex for the write itself.
-            let tree_arc = self.tree_arc().await?;
-            let mut guard = self.acquire_client().await?;
-            let client = guard.as_mut().unwrap();
-
-            let writer_result = client.create_file_writer(&tree_arc, &smb_path).await;
+            // Streaming path for large / unknown-size writes. Drives the
+            // owned `FileWriter` on the cloned `Connection` directly —
+            // no client mutex is held while WRITEs are in flight, so N
+            // concurrent large copies pipeline over one SMB session.
+            let writer_result = tree.create_file_writer(conn, &smb_path).await;
             let mut writer = self.handle_smb_result("write_from_stream(open)", writer_result)?;
 
             let mut bytes_read = 0u64;
@@ -1800,7 +1831,11 @@ impl Volume for SmbVolume {
                     // anyway). Dropping directly would leave stale responses
                     // on the connection and poison the next op.
                     let _ = writer.abort().await;
-                    let _ = tree_arc.delete_file(client.connection_mut(), &smb_path).await;
+                    // Best-effort delete of the partial file on its own
+                    // cloned connection (the writer's connection is gone).
+                    if let Ok((tree_for_delete, mut conn_for_delete)) = self.clone_session().await {
+                        let _ = tree_for_delete.delete_file(&mut conn_for_delete, &smb_path).await;
+                    }
                     return Err(VolumeError::Cancelled("Operation cancelled by user".to_string()));
                 }
             }
@@ -1989,6 +2024,26 @@ mod tests {
         assert!(matches!(ve, VolumeError::NotFound(_)));
     }
 
+    #[test]
+    fn map_smb_error_delete_pending() {
+        // STATUS_DELETE_PENDING surfaces when a delete has been requested but at
+        // least one open handle is keeping the file alive. smb2 currently classifies
+        // it as `ErrorKind::Other`, so `map_smb_error` must dispatch on the raw
+        // NTSTATUS to produce the typed `VolumeError::DeletePending` variant —
+        // otherwise the FE falls back to the generic "disk needs attention" copy
+        // instead of the transient "file is being removed" message.
+        let err = smb2::Error::Protocol {
+            status: smb2::types::status::NtStatus::DELETE_PENDING,
+            command: smb2::types::Command::Create,
+        };
+        let ve = map_smb_error(err);
+        assert!(
+            matches!(ve, VolumeError::DeletePending(_)),
+            "STATUS_DELETE_PENDING should map to VolumeError::DeletePending, got: {:?}",
+            ve,
+        );
+    }
+
     #[test]
     fn map_smb_error_access_denied() {
         let err = smb2::Error::Protocol {
@@ -4056,4 +4111,353 @@ mod tests {
             final_fds
         );
     }
+
+    // ── SMB streaming-write regression test ────────────────────────────
+    //
+    // Helpers + one `#[ignore]`d integration test that guards against the
+    // streaming-write deadlock fixed in commit `efb15479`. See the docstring
+    // on `smb_integration_concurrent_streaming_writes_no_deadlock` for the
+    // full story.
+
+    /// All test artifacts on the SMB share live under this prefix. The
+    /// cleanup helper refuses to delete anything that doesn't start with it.
+    const TEST_PREFIX_ROOT: &str = "_test/cmdr-regression-";
+
+    /// Captures `client-mutex:` (cmdr) and `recv:` (smb2 receiver loop)
+    /// debug lines into bounded ring buffers so a hung test's panic message
+    /// can include the last ~30 lines from each stream. That's invaluable
+    /// for diagnosing a future regression. Installed via `log::set_logger`
+    /// once per process; subsequent installs are no-ops.
+    struct MutexCaptureLogger {
+        mutex_lines: std::sync::Mutex<std::collections::VecDeque<String>>,
+        recv_lines: std::sync::Mutex<std::collections::VecDeque<String>>,
+    }
+    impl log::Log for MutexCaptureLogger {
+        fn enabled(&self, _md: &log::Metadata) -> bool {
+            true
+        }
+        fn log(&self, record: &log::Record) {
+            let msg = format!("{}", record.args());
+            let target = record.target();
+            // `client-mutex:` lines come from smb.rs via `log::debug!` with
+            // the module-path target (`cmdr_lib::file_system::volume::smb`).
+            // `recv:` lines come from the smb2 receiver loop with an `smb2::*`
+            // target.
+            if msg.starts_with("client-mutex:") {
+                let mut q = self.mutex_lines.lock().unwrap();
+                if q.len() >= 200 {
+                    q.pop_front();
+                }
+                q.push_back(format!("[{}] {}", target, msg));
+            } else if msg.starts_with("recv:") || (target.starts_with("smb2") && msg.contains("recv")) {
+                let mut q = self.recv_lines.lock().unwrap();
+                if q.len() >= 200 {
+                    q.pop_front();
+                }
+                q.push_back(format!("[{}] {}", target, msg));
+            }
+            // The captured ring buffers are the diagnostic. We deliberately
+            // skip mirroring to stderr: `eprintln!` is denied crate-wide,
+            // and re-emitting through `log::*` would recurse into this same
+            // logger (and the mutex above) on every call.
+        }
+        fn flush(&self) {}
+    }
+
+    static MUTEX_CAPTURE_LOGGER: OnceLock<&'static MutexCaptureLogger> = OnceLock::new();
+
+    fn install_mutex_capture_logger() -> &'static MutexCaptureLogger {
+        if let Some(l) = MUTEX_CAPTURE_LOGGER.get() {
+            return l;
+        }
+        let leaked: &'static MutexCaptureLogger = Box::leak(Box::new(MutexCaptureLogger {
+            mutex_lines: std::sync::Mutex::new(std::collections::VecDeque::with_capacity(200)),
+            recv_lines: std::sync::Mutex::new(std::collections::VecDeque::with_capacity(200)),
+        }));
+        // Best-effort: if another logger is already installed, ignore.
+        let _ = log::set_logger(leaked);
+        log::set_max_level(log::LevelFilter::Debug);
+        let _ = MUTEX_CAPTURE_LOGGER.set(leaked);
+        leaked
+    }
+
+    /// Deletes every file under `unique_prefix_smb` and then the directory
+    /// itself. Safety: refuses any path that doesn't start with
+    /// `TEST_PREFIX_ROOT`, both at the top level and per entry, so a logic
+    /// bug in the caller can never reach outside the regression sandbox.
+    /// Called explicitly at the end of each pass (best effort: logs but
+    /// never overrides the test outcome).
+    async fn cleanup_test_prefix(vol: &SmbVolume, mount_path: &Path, unique_prefix_smb: &str) {
+        assert!(
+            unique_prefix_smb.starts_with(TEST_PREFIX_ROOT),
+            "cleanup_test_prefix: refusing to clean a prefix outside {TEST_PREFIX_ROOT:?}: {unique_prefix_smb:?}"
+        );
+        let dir_abs = mount_path.join(unique_prefix_smb.trim_start_matches('/'));
+        let rel_of = |abs: &Path| -> String {
+            abs.to_string_lossy()
+                .strip_prefix(mount_path.to_string_lossy().as_ref())
+                .map(|s| s.trim_start_matches('/').to_string())
+                .unwrap_or_else(|| abs.to_string_lossy().to_string())
+        };
+        match vol.list_directory_impl(&dir_abs).await {
+            Ok(entries) => {
+                for entry in entries {
+                    let abs = dir_abs.join(&entry.name);
+                    let rel = rel_of(&abs);
+                    if !rel.starts_with(TEST_PREFIX_ROOT) {
+                        log::warn!("cleanup_test_prefix: refusing to delete {rel} (outside prefix)");
+                        continue;
+                    }
+                    if let Err(e) = vol.delete(&abs).await {
+                        log::warn!("cleanup_test_prefix: failed to delete {rel}: {e:?}");
+                    }
+                }
+            }
+            Err(e) => log::warn!("cleanup_test_prefix: list_directory_impl failed for {dir_abs:?}: {e:?}"),
+        }
+        let rel_dir = rel_of(&dir_abs);
+        if rel_dir.starts_with(TEST_PREFIX_ROOT)
+            && let Err(e) = vol.delete(&dir_abs).await
+        {
+            log::warn!("cleanup_test_prefix: failed to delete prefix dir {rel_dir}: {e:?}");
+        }
+    }
+
+    /// Connects to a Docker SMB fixture's `public` share at `127.0.0.1:port`
+    /// as guest. `mount_label` becomes the synthetic mount path
+    /// (`/Volumes/<label>`); no real OS mount is needed because the test
+    /// only drives the smb2 path.
+    async fn connect_docker_smb_volume(port: u16, mount_label: &str) -> SmbVolume {
+        let mount_path = format!("/Volumes/{mount_label}");
+        connect_smb_volume("public", &mount_path, "127.0.0.1", "public", None, None, port)
+            .await
+            .unwrap_or_else(|e| panic!("connect to 127.0.0.1:{port} failed: {e:?}"))
+    }
+
+    /// One pass of the concurrent-streaming-write scenario:
+    /// - generate `n_files` source files of `file_size` bytes in a tempdir,
+    /// - pre-upload `n_conflicts` of them to the destination at the same
+    ///   size so `OverwriteSmaller` resolves them as Skip,
+    /// - run `copy_volumes_with_progress` over all `n_files` with a timeout,
+    /// - on timeout, panic with the last 30 mutex/recv lines as a diagnostic
+    ///   dump,
+    /// - clean up the unique prefix directory either way.
+    async fn run_concurrent_write_pass(
+        vol: Arc<SmbVolume>,
+        mount_path: &Path,
+        logger: &'static MutexCaptureLogger,
+        n_files: usize,
+        n_conflicts: usize,
+        file_size: usize,
+        timeout_secs: u64,
+    ) -> Duration {
+        use crate::file_system::write_operations::{
+            CollectorEventSink, VolumeCopyConfig, WriteOperationState, copy_volumes_with_progress,
+        };
+
+        assert!(n_conflicts <= n_files);
+
+        let ts = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_secs();
+        let unique_prefix = format!("{TEST_PREFIX_ROOT}{ts}-n{n_files}");
+
+        let dest_dir_abs = mount_path.join(unique_prefix.trim_start_matches('/'));
+        let _ = vol.create_directory(&mount_path.join("_test")).await;
+        vol.create_directory(&dest_dir_abs)
+            .await
+            .expect("create unique dest dir");
+
+        let local_dir = tempfile::TempDir::new().expect("tempdir");
+        for i in 0..n_files {
+            let name = format!("f_{i:04}.bin");
+            let path = local_dir.path().join(&name);
+            // Distinct content per file (byte = i % 251) + an 8-byte seed
+            // prefix, so identical-size pre-uploads still hash-differ from
+            // their sources should we ever want to verify content.
+            let mut buf = vec![0u8; file_size];
+            buf[..8].copy_from_slice(&(i as u64).to_le_bytes());
+            for b in buf.iter_mut().skip(8) {
+                *b = (i % 251) as u8;
+            }
+            std::fs::write(&path, &buf).expect("write source");
+        }
+
+        log::info!("regression: pre-uploading {n_conflicts} conflicting files to {unique_prefix}");
+        for i in 0..n_conflicts {
+            let name = format!("f_{i:04}.bin");
+            let dest_abs = dest_dir_abs.join(&name);
+            let buf = std::fs::read(local_dir.path().join(&name)).unwrap();
+            let stream: Box<dyn VolumeReadStream> = Box::new(InlineReadStream::new(buf.clone()));
+            let size = buf.len() as u64;
+            let progress = |_a: u64, _b: u64| -> std::ops::ControlFlow<()> { std::ops::ControlFlow::Continue(()) };
+            let bytes = vol
+                .write_from_stream(&dest_abs, size, stream, &progress)
+                .await
+                .unwrap_or_else(|e| panic!("pre-upload {name} failed: {e:?}"));
+            assert_eq!(bytes, size, "pre-upload size mismatch");
+        }
+        log::info!("regression: pre-upload done");
+
+        let src_vol: Arc<dyn Volume> = Arc::new(crate::file_system::volume::LocalPosixVolume::new(
+            "regression-src",
+            local_dir.path().to_path_buf(),
+        ));
+        let dst_vol: Arc<dyn Volume> = vol.clone() as Arc<dyn Volume>;
+        let source_rel_paths: Vec<PathBuf> = (0..n_files).map(|i| PathBuf::from(format!("f_{i:04}.bin"))).collect();
+
+        let state = Arc::new(WriteOperationState::new(Duration::from_millis(200)));
+        let events = Arc::new(CollectorEventSink::new());
+        let config = VolumeCopyConfig {
+            conflict_resolution: crate::file_system::write_operations::ConflictResolution::OverwriteSmaller,
+            ..VolumeCopyConfig::default()
+        };
+
+        let start = std::time::Instant::now();
+        log::info!(
+            "regression: spawning copy n_files={n_files} n_conflicts={n_conflicts} size={file_size} timeout={timeout_secs}s"
+        );
+
+        let res = tokio::time::timeout(
+            Duration::from_secs(timeout_secs),
+            copy_volumes_with_progress(
+                events.clone(),
+                "regression-op",
+                &state,
+                Arc::clone(&src_vol),
+                &source_rel_paths,
+                Arc::clone(&dst_vol),
+                &dest_dir_abs,
+                &config,
+            ),
+        )
+        .await;
+
+        let elapsed = start.elapsed();
+
+        let panic_msg: Option<String> = match res {
+            Ok(Ok(())) => {
+                log::info!("regression: copy completed in {elapsed:?}");
+                None
+            }
+            Ok(Err(e)) => Some(format!("regression: copy failed in {elapsed:?}: {e:?}")),
+            Err(_) => {
+                let tail = |q: &std::sync::Mutex<std::collections::VecDeque<String>>| -> Vec<String> {
+                    let q = q.lock().unwrap();
+                    let n = q.len().min(30);
+                    q.iter().skip(q.len() - n).cloned().collect()
+                };
+                let mutex_dump = tail(&logger.mutex_lines);
+                let recv_dump = tail(&logger.recv_lines);
+                let last_ticket = CLIENT_LOCK_TICKET.load(Ordering::Relaxed);
+                Some(format!(
+                    "regression: HANG after {:?} (timeout={}s) n_files={} n_conflicts={} last_ticket={}\n\
+                     ── last {} client-mutex lines ──\n{}\n── last {} recv lines ──\n{}\n",
+                    elapsed,
+                    timeout_secs,
+                    n_files,
+                    n_conflicts,
+                    last_ticket,
+                    mutex_dump.len(),
+                    mutex_dump.join("\n"),
+                    recv_dump.len(),
+                    recv_dump.join("\n"),
+                ))
+            }
+        };
+
+        cleanup_test_prefix(&vol, mount_path, &unique_prefix).await;
+
+        if let Some(m) = panic_msg {
+            panic!("{m}");
+        }
+        elapsed
+    }
+
+    /// Guards the invariant that concurrent streaming writes through
+    /// `SmbVolume::write_from_stream` complete without deadlocking.
+    ///
+    /// Uses the consumer-class `smb-consumer-maxreadsize` fixture
+    /// (`smb2 max read = smb2 max write = 65536`) so every 1 MB write exceeds
+    /// the server's max_write and is forced through the streaming-fallback
+    /// (FileWriter) path. That's the path that historically nested a
+    /// per-write lock under the client mutex and could starve the receiver
+    /// task to a halt.
+    ///
+    /// Shape (200 files, 140 OverwriteSmaller conflicts + 60 actual copies,
+    /// concurrency=8) mirrors the production workload that originally
+    /// surfaced the bug, where mixed conflict-skip / write iterations on a
+    /// shared SmbClient stressed the lock-ordering pattern hardest.
+    ///
+    /// Run with `./apps/desktop/test/smb-servers/start.sh core` (CI does
+    /// this) or `start.sh all`, then either `./scripts/check.sh --rust` or
+    /// `cargo nextest run -p cmdr smb_integration_concurrent_streaming_writes_no_deadlock --run-ignored all`.
+    ///
+    /// Originally hung at a QNAP NAS for >5 minutes before the fix in smb2
+    /// 0.9.0 (`FileWriter` owns its `Connection`) and the matching
+    /// `write_from_stream` rewrite. On post-fix code each pass completes in
+    /// roughly 5–15 s.
+    #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+    #[ignore = "Requires docker-compose smb-consumer-maxreadsize on port 10494 (started by start.sh core)"]
+    async fn smb_integration_concurrent_streaming_writes_no_deadlock() {
+        use futures_util::FutureExt;
+
+        // 10494 matches smb2's smb-consumer-maxreadsize container; override
+        // with `SMB_CONSUMER_MAXREADSIZE_PORT` to match
+        // `smb2::testing::maxreadsize_port()` (requires the `smb-e2e`
+        // feature; bare integration tests hardcode the default).
+        let port: u16 = std::env::var("SMB_CONSUMER_MAXREADSIZE_PORT")
+            .ok()
+            .and_then(|v| v.parse().ok())
+            .unwrap_or(10494);
+        let logger = install_mutex_capture_logger();
+        let prior_concurrency = crate::file_system::smb_concurrency();
+        crate::file_system::set_smb_concurrency(8);
+
+        let vol = Arc::new(connect_docker_smb_volume(port, "cmdr-regression-maxreadsize").await);
+        let mount_path = vol.mount_path.clone();
+
+        let result = std::panic::AssertUnwindSafe(run_concurrent_write_pass(
+            Arc::clone(&vol),
+            &mount_path,
+            logger,
+            /* n_files = */ 200,
+            /* n_conflicts = */ 140,
+            /* file_size = */ 1024 * 1024,
+            /* timeout_secs = */ 120,
+        ))
+        .catch_unwind()
+        .await;
+
+        // Always restore concurrency, even on panic, before resuming the unwind.
+        crate::file_system::set_smb_concurrency(prior_concurrency);
+        if let Err(p) = result {
+            std::panic::resume_unwind(p);
+        }
+    }
+
+    #[test]
+    #[should_panic(expected = "refusing to clean a prefix outside")]
+    fn cleanup_test_prefix_rejects_unsafe_prefix() {
+        // The cleanup helper is async, but the safety assert fires before
+        // any await point. Poll the future once via a no-op waker so we
+        // hit the assert without needing a runtime.
+        use std::task::Context;
+        let vol = make_test_volume();
+        let mount = PathBuf::from("/Volumes/TestShare");
+        let mut fut = Box::pin(cleanup_test_prefix(&vol, &mount, "etc/passwd"));
+        let waker = futures_util::task::noop_waker();
+        let mut cx = Context::from_waker(&waker);
+        let _ = fut.as_mut().poll(&mut cx); // panics in the assert
+    }
+
+    #[test]
+    fn test_prefix_root_is_safely_scoped() {
+        // Static check: the prefix lives under `_test/` and clearly
+        // identifies cmdr's regression test, so a future reader (or a
+        // misconfigured share) can recognize stale artifacts at a glance.
+        assert!(TEST_PREFIX_ROOT.starts_with("_test/"));
+        assert!(TEST_PREFIX_ROOT.contains("cmdr-regression-"));
+    }
 }
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/types.rs b/apps/desktop/src-tauri/src/file_system/write_operations/types.rs
index 82c9d5eb..3fa453d7 100644
--- a/apps/desktop/src-tauri/src/file_system/write_operations/types.rs
+++ b/apps/desktop/src-tauri/src/file_system/write_operations/types.rs
@@ -455,6 +455,12 @@ pub enum WriteOperationError {
         path: String,
         message: String,
     },
+    /// The file is in `STATUS_DELETE_PENDING` on the server: a delete was requested
+    /// but at least one open handle is keeping it alive. Transient — clears when the
+    /// last handle closes. SMB-only today.
+    DeletePending {
+        path: String,
+    },
     /// Catch-all for genuinely unexpected IO errors.
     IoError {
         path: String,
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/volume_copy.rs b/apps/desktop/src-tauri/src/file_system/write_operations/volume_copy.rs
index a15f59d9..e942980d 100644
--- a/apps/desktop/src-tauri/src/file_system/write_operations/volume_copy.rs
+++ b/apps/desktop/src-tauri/src/file_system/write_operations/volume_copy.rs
@@ -1619,6 +1619,9 @@ pub(super) fn map_volume_error(context_path: &str, e: VolumeError) -> WriteOpera
             path,
             message: "Is a directory".to_string(),
         },
+        VolumeError::DeletePending(_) => WriteOperationError::DeletePending {
+            path: context_path.to_string(),
+        },
     }
 }
 
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/volume_copy_tests.rs b/apps/desktop/src-tauri/src/file_system/write_operations/volume_copy_tests.rs
index ad1af1ec..b18efc0d 100644
--- a/apps/desktop/src-tauri/src/file_system/write_operations/volume_copy_tests.rs
+++ b/apps/desktop/src-tauri/src/file_system/write_operations/volume_copy_tests.rs
@@ -183,6 +183,17 @@ fn test_map_volume_error_not_supported() {
     );
 }
 
+#[test]
+fn test_map_volume_error_delete_pending() {
+    // STATUS_DELETE_PENDING surfaces when a delete was requested but an open
+    // handle is keeping the file alive on the server. It MUST become a typed
+    // `WriteOperationError::DeletePending` so the write-error event carries
+    // the transient "file is being removed" friendly copy — not the generic
+    // IoError fallback.
+    let err = map_volume_error("/ctx", VolumeError::DeletePending("STATUS_DELETE_PENDING".to_string()));
+    assert!(matches!(err, WriteOperationError::DeletePending { path } if path == "/ctx"));
+}
+
 // ========================================
 // LocalPosixVolume integration tests
 // ========================================
diff --git a/apps/desktop/src-tauri/src/volumes_linux/mod.rs b/apps/desktop/src-tauri/src/volumes_linux/mod.rs
index 14e51ccd..481296d4 100644
--- a/apps/desktop/src-tauri/src/volumes_linux/mod.rs
+++ b/apps/desktop/src-tauri/src/volumes_linux/mod.rs
@@ -338,7 +338,7 @@ pub fn get_mounted_volumes(mounts: &[MountEntry]) -> Vec<LocationInfo> {
         });
     }
 
-    volumes.sort_by(|a, b| a.name.to_lowercase().cmp(&b.name.to_lowercase()));
+    volumes.sort_by_key(|v| v.name.to_lowercase());
     volumes
 }
 
@@ -375,7 +375,7 @@ fn get_cloud_drives(mounts: &[MountEntry]) -> Vec<LocationInfo> {
         }
     }
 
-    drives.sort_by(|a, b| a.name.to_lowercase().cmp(&b.name.to_lowercase()));
+    drives.sort_by_key(|d| d.name.to_lowercase());
     drives
 }
 
@@ -443,7 +443,7 @@ fn get_network_mounts() -> Vec<LocationInfo> {
         }
     }
 
-    mounts.sort_by(|a, b| a.name.to_lowercase().cmp(&b.name.to_lowercase()));
+    mounts.sort_by_key(|m| m.name.to_lowercase());
     mounts
 }
 
diff --git a/apps/desktop/src/lib/file-viewer/open-viewer.ts b/apps/desktop/src/lib/file-viewer/open-viewer.ts
index a39c031d..eaa93831 100644
--- a/apps/desktop/src/lib/file-viewer/open-viewer.ts
+++ b/apps/desktop/src/lib/file-viewer/open-viewer.ts
@@ -1,12 +1,17 @@
 /** Opens a file viewer window for the given file path. Multiple viewers can be open at once. */
 export async function openFileViewer(filePath: string): Promise<void> {
   const { WebviewWindow } = await import('@tauri-apps/api/webviewWindow')
-  const { decorateChildWindowTitle } = await import('$lib/app-mode')
+  const { decorateChildWindowTitle, getAppMode } = await import('$lib/app-mode')
 
   // Use a unique label per viewer instance (timestamp-based)
   const label = `viewer-${String(Date.now())}`
   const encodedPath = encodeURIComponent(filePath)
 
+  // E2E suites open viewer windows repeatedly; stealing OS focus each time
+  // makes the host machine unusable while tests run. The plugin reaches the
+  // webview over a Unix socket, so it doesn't need OS focus to drive the DOM.
+  const isE2e = getAppMode() === 'e2e'
+
   new WebviewWindow(label, {
     url: `/viewer?path=${encodedPath}`,
     title: decorateChildWindowTitle(filePath.split('/').pop() ?? 'Viewer'),
@@ -18,6 +23,6 @@ export async function openFileViewer(filePath: string): Promise<void> {
     minimizable: true,
     maximizable: true,
     closable: true,
-    focus: true,
+    focus: !isE2e,
   })
 }
diff --git a/apps/desktop/src/lib/ipc/bindings.ts b/apps/desktop/src/lib/ipc/bindings.ts
index 409454e5..71a9f51d 100644
--- a/apps/desktop/src/lib/ipc/bindings.ts
+++ b/apps/desktop/src/lib/ipc/bindings.ts
@@ -3192,6 +3192,12 @@ export type WriteOperationError =
   | { type: 'name_too_long'; path: string }
   // File name contains characters not allowed at the destination.
   | { type: 'invalid_name'; path: string; message: string }
+  /**
+   *  The file is in `STATUS_DELETE_PENDING` on the server: a delete was requested
+   *  but at least one open handle is keeping it alive. Transient — clears when the
+   *  last handle closes. SMB-only today.
+   */
+  | { type: 'delete_pending'; path: string }
   // Catch-all for genuinely unexpected IO errors.
   | { type: 'io_error'; path: string; message: string }
 
diff --git a/apps/desktop/src/lib/settings/settings-window.ts b/apps/desktop/src/lib/settings/settings-window.ts
index 8b66d1b8..95ade8f6 100644
--- a/apps/desktop/src/lib/settings/settings-window.ts
+++ b/apps/desktop/src/lib/settings/settings-window.ts
@@ -21,7 +21,7 @@ import { WebviewWindow } from '@tauri-apps/api/webviewWindow'
 import { emitTo } from '@tauri-apps/api/event'
 import { getAppLogger } from '$lib/logging/logger'
 import { getEffectiveScale } from '$lib/text-size.svelte'
-import { decorateChildWindowTitle } from '$lib/app-mode'
+import { decorateChildWindowTitle, getAppMode } from '$lib/app-mode'
 
 const log = getAppLogger('settings')
 
@@ -54,11 +54,18 @@ export const settingsMaxWidth = (scale: number): number =>
  * the matching section path (e.g., `['File systems', 'SMB/Network shares']`).
  */
 export async function openSettingsWindow(section?: string[]): Promise<void> {
+  // E2E suites re-open Settings many times; stealing OS focus each time
+  // makes the host machine unusable while tests run. The plugin reaches the
+  // webview over a Unix socket, so it doesn't need OS focus to drive the DOM.
+  const isE2e = getAppMode() === 'e2e'
+
   const existing = await WebviewWindow.getByLabel('settings')
   if (existing) {
     // Emit to the settings window so it can self-focus. Cross-window setFocus()
     // doesn't reliably bring a window to front on macOS.
-    await emitTo('settings', 'focus-self')
+    if (!isE2e) {
+      await emitTo('settings', 'focus-self')
+    }
     if (section) {
       await emitTo('settings', 'navigate-to-section', { section })
     }
@@ -84,6 +91,6 @@ export async function openSettingsWindow(section?: string[]): Promise<void> {
     center: true,
     resizable: true,
     decorations: true,
-    focus: true,
+    focus: !isE2e,
   })
 }
diff --git a/apps/desktop/test/e2e-playwright/mtp.spec.ts b/apps/desktop/test/e2e-playwright/mtp.spec.ts
index dc34e8f0..03ffb9db 100644
--- a/apps/desktop/test/e2e-playwright/mtp.spec.ts
+++ b/apps/desktop/test/e2e-playwright/mtp.spec.ts
@@ -346,11 +346,21 @@ test.describe('MTP file operations', () => {
     await mcpCall('move_cursor', { pane: 'left', filename: 'report.txt' })
     await mcpCall('copy', { autoConfirm: true })
 
-    // Wait for file to appear in right pane
-    await mcpAwaitItem('right', 'report.txt')
-
-    // Verify on disk
-    expect(fs.existsSync(path.join(fixtureRoot, 'right', 'report.txt'))).toBe(true)
+    // Poll the destination on disk first: that's the authoritative truth.
+    // Under heavy concurrent load (full slow-suite run with rust-tests-linux +
+    // Docker SMB containers eating disk + CPU), both safety nets for refreshing
+    // the destination pane can race: the FilePane's notify-rs watcher (200 ms
+    // debounce) can miss the FSEvents add, and the `refreshPanesAfterTransfer`
+    // IPC fired from `handleTransferComplete` can queue up behind a saturated
+    // Tauri event loop. PaneStateStore then stays stale even though the BE
+    // copy already succeeded and the file is on disk. Tests 11 (local→MTP) and
+    // 27 (50 MB MTP→local) already use this pattern; this brings test 10 inline.
+    const destPath = path.join(fixtureRoot, 'right', 'report.txt')
+    await pollFs(tauriPage, () => fs.existsSync(destPath), 30000)
+
+    // Force the pane to re-list so the await reads a fresh PaneStateStore.
+    await mcpCall('refresh', {})
+    await mcpAwaitItem('right', 'report.txt', 30)
 
     // Verify source still exists (copy, not move)
     await mcpSwitchPane()
diff --git a/apps/desktop/test/e2e-playwright/settings.spec.ts b/apps/desktop/test/e2e-playwright/settings.spec.ts
index f7362556..34a5991d 100644
--- a/apps/desktop/test/e2e-playwright/settings.spec.ts
+++ b/apps/desktop/test/e2e-playwright/settings.spec.ts
@@ -314,42 +314,25 @@ test.describe('Settings keyboard binding', () => {
     const settings = await openSettingsWindowViaProd(main)
     await settings.waitForSelector('.settings-window', 3000)
 
-    // Verify focus is actually inside the settings webview before pressing
-    // Escape. Without this the keystroke can land on the main window (or
-    // wherever focus drifted to during async onMount in the settings UI),
-    // the settings window never receives it, and the test sits waiting for
-    // a window-close that won't come. Two attempts max as cheap insurance.
-    const tryEscape = async (): Promise<boolean> => {
-      const focused = await pollUntil(
-        settings,
-        async () =>
-          settings.evaluate<boolean>(`(function(){
-            if (!document.hasFocus()) return false;
-            var root = document.querySelector('.settings-window');
-            return !!(root && document.activeElement && root.contains(document.activeElement));
-          })()`),
-        1000,
-      )
-      if (!focused) {
-        // Re-focus inside the settings webview and let the caller retry.
-        await settings.evaluate(`(function(){
-          var root = document.querySelector('.settings-window');
-          if (root && 'focus' in root) root.focus();
-        })()`)
-        return false
-      }
-      // Fire-and-forget: the dispatched Escape triggers getCurrentWindow().close()
-      // synchronously inside the handler, so the window may die before pw_result
-      // fires back. The poll on listWindows() below is the assertion.
-      settings.keyboard.press('Escape').catch(() => {
+    // Dispatch a synthetic Escape keydown into the settings webview rather
+    // than going through Playwright's OS-level `keyboard.press`. The handler
+    // we want to exercise is the JS `<svelte:window on:keydown>` in
+    // `routes/settings/+page.svelte` — bubbling from `document` fires that
+    // listener regardless of OS focus. Going through the OS path adds a
+    // focus dependency that flakes under Xvfb on Linux CI (the keystroke
+    // lands on the main window and the settings webview never sees it).
+    // The Tauri/webkit2gtk OS → webview event pipeline isn't cmdr's
+    // responsibility to test; this binding is.
+    //
+    // Fire-and-forget: the dispatched Escape triggers
+    // `getCurrentWindow().close()` (after a 2-rAF defer) inside the handler,
+    // so the window may die before the evaluate promise's `pw_result` fires
+    // back. The poll on `listWindows()` below is the assertion that matters.
+    settings
+      .evaluate(`document.dispatchEvent(new KeyboardEvent('keydown', { key: 'Escape', bubbles: true }))`)
+      .catch(() => {
         /* window died mid-script before pw_result; expected */
       })
-      return true
-    }
-
-    if (!(await tryEscape())) {
-      await tryEscape()
-    }
 
     const gone = await pollUntil(
       main,
diff --git a/apps/desktop/test/e2e-playwright/viewer.spec.ts b/apps/desktop/test/e2e-playwright/viewer.spec.ts
index 8cfd4e7d..a6e184d3 100644
--- a/apps/desktop/test/e2e-playwright/viewer.spec.ts
+++ b/apps/desktop/test/e2e-playwright/viewer.spec.ts
@@ -189,43 +189,25 @@ test.describe('File viewer keyboard binding', () => {
     const label = viewer.targetWindow
     if (!label) throw new Error('Scoped viewer page has no targetWindow label')
 
-    // Verify focus is inside the viewer webview before pressing Escape. If the
-    // keystroke lands on the main window (focus race with the open animation,
-    // or a late-mounting modal stealing focus), the viewer never receives it
-    // and the test sits waiting for the window-close. Two attempts max.
-    const tryEscape = async (): Promise<boolean> => {
-      const focused = await pollUntil(
-        viewer,
-        async () =>
-          viewer.evaluate<boolean>(`(function(){
-            if (!document.hasFocus()) return false;
-            var root = document.querySelector('.viewer-container');
-            return !!(root && document.activeElement && root.contains(document.activeElement));
-          })()`),
-        1000,
-      )
-      if (!focused) {
-        await viewer.evaluate(`(function(){
-          var root = document.querySelector('.viewer-container');
-          if (root && 'focus' in root) root.focus();
-        })()`)
-        return false
-      }
-      // Fire-and-forget: the eval that dispatches Escape may not resolve if the
-      // window dies before pw_result fires back to the test runner. The
-      // closeWindow() path uses two rAFs before calling .close(), so in practice
-      // the eval usually resolves first, but defending against either ordering
-      // keeps the test deterministic. We assert on the windowDisappeared, not
-      // on the press itself.
-      viewer.keyboard.press('Escape').catch(() => {
+    // Dispatch a synthetic Escape keydown into the viewer webview rather
+    // than going through Playwright's OS-level `keyboard.press`. The handler
+    // we want to exercise is the JS `<svelte:window on:keydown>` in
+    // `routes/viewer/+page.svelte` — bubbling from `document` fires that
+    // listener regardless of OS focus. Going through the OS path adds a
+    // focus dependency that flakes under Xvfb on Linux CI (the keystroke
+    // lands on the main window and the viewer webview never sees it).
+    // The Tauri/webkit2gtk OS → webview event pipeline isn't cmdr's
+    // responsibility to test; this binding is.
+    //
+    // Fire-and-forget: the dispatched Escape triggers `closeWindow()`
+    // (which itself defers via two rAFs before calling `.close()`), so the
+    // window may die before the evaluate promise's `pw_result` fires back.
+    // The poll on `listWindows()` below is the assertion that matters.
+    viewer
+      .evaluate(`document.dispatchEvent(new KeyboardEvent('keydown', { key: 'Escape', bubbles: true }))`)
+      .catch(() => {
         /* window died mid-script before pw_result; expected */
       })
-      return true
-    }
-
-    if (!(await tryEscape())) {
-      await tryEscape()
-    }
 
     const gone = await pollUntil(
       main,
diff --git a/apps/desktop/test/smb-servers/.compose/VENDORED.md b/apps/desktop/test/smb-servers/.compose/VENDORED.md
index 39449f2e..0aea9ebf 100644
--- a/apps/desktop/test/smb-servers/.compose/VENDORED.md
+++ b/apps/desktop/test/smb-servers/.compose/VENDORED.md
@@ -17,10 +17,11 @@ the Docker container where those deps aren't installed. Vendoring sidesteps the
 ## How to update (when you bump the smb2 git dep)
 
 1. Bump `smb2` in `apps/desktop/src-tauri/Cargo.toml` (or `Cargo.lock`).
-2. Re-vendor the compose files:
+2. Re-vendor the compose files, preserving this `VENDORED.md` (it lives only here, not upstream):
    ```bash
-   rm -rf apps/desktop/test/smb-servers/.compose
-   cp -r ~/projects-git/vdavid/smb2/tests/docker/consumer apps/desktop/test/smb-servers/.compose
+   rsync -a --delete --exclude=VENDORED.md \
+       ~/projects-git/vdavid/smb2/tests/docker/consumer/ \
+       apps/desktop/test/smb-servers/.compose/
    ```
    (Or the equivalent from a checkout of the new rev. The smb2 consumer containers live at `tests/docker/consumer/` in
    the smb2 repo.)
@@ -29,3 +30,10 @@ the Docker container where those deps aren't installed. Vendoring sidesteps the
    docker compose -p smb-consumer -f apps/desktop/test/smb-servers/.compose/docker-compose.yml build --no-cache
    ```
 4. Commit the new `.compose/` state alongside the `Cargo.lock` bump.
+
+## Why `.compose/` is excluded from `oxfmt`
+
+`.oxfmtrc.json` lists `apps/desktop/test/smb-servers/.compose/` under `ignorePatterns` so the vendored files stay
+byte-for-byte identical to smb2's source of truth. Without that, oxfmt would rewrite YAML quoting on every re-vendor
+and create endless diff churn. If you ever add a new file type to the vendored set that needs cmdr-specific
+formatting, prefer either fixing it upstream in smb2 or extending the exclusion than reformatting in place.
diff --git a/apps/desktop/test/smb-servers/.compose/docker-compose.yml b/apps/desktop/test/smb-servers/.compose/docker-compose.yml
index 40634555..0b02368f 100644
--- a/apps/desktop/test/smb-servers/.compose/docker-compose.yml
+++ b/apps/desktop/test/smb-servers/.compose/docker-compose.yml
@@ -3,84 +3,90 @@ services:
     build:
       context: smb-consumer-guest
     ports:
-      - '${SMB_CONSUMER_GUEST_PORT:-10480}:445'
+      - "${SMB_CONSUMER_GUEST_PORT:-10480}:445"
 
   smb-consumer-auth:
     build:
       context: smb-consumer-auth
     ports:
-      - '${SMB_CONSUMER_AUTH_PORT:-10481}:445'
+      - "${SMB_CONSUMER_AUTH_PORT:-10481}:445"
 
   smb-consumer-both:
     build:
       context: smb-consumer-both
     ports:
-      - '${SMB_CONSUMER_BOTH_PORT:-10482}:445'
+      - "${SMB_CONSUMER_BOTH_PORT:-10482}:445"
 
   smb-consumer-50shares:
     build:
       context: smb-consumer-50shares
     ports:
-      - '${SMB_CONSUMER_50SHARES_PORT:-10483}:445'
+      - "${SMB_CONSUMER_50SHARES_PORT:-10483}:445"
 
   smb-consumer-unicode:
     build:
       context: smb-consumer-unicode
     ports:
-      - '${SMB_CONSUMER_UNICODE_PORT:-10484}:445'
+      - "${SMB_CONSUMER_UNICODE_PORT:-10484}:445"
 
   smb-consumer-longnames:
     build:
       context: smb-consumer-longnames
     ports:
-      - '${SMB_CONSUMER_LONGNAMES_PORT:-10485}:445'
+      - "${SMB_CONSUMER_LONGNAMES_PORT:-10485}:445"
 
   smb-consumer-deepnest:
     build:
       context: smb-consumer-deepnest
     ports:
-      - '${SMB_CONSUMER_DEEPNEST_PORT:-10486}:445'
+      - "${SMB_CONSUMER_DEEPNEST_PORT:-10486}:445"
 
   smb-consumer-manyfiles:
     build:
       context: smb-consumer-manyfiles
     ports:
-      - '${SMB_CONSUMER_MANYFILES_PORT:-10487}:445'
+      - "${SMB_CONSUMER_MANYFILES_PORT:-10487}:445"
 
   smb-consumer-readonly:
     build:
       context: smb-consumer-readonly
     ports:
-      - '${SMB_CONSUMER_READONLY_PORT:-10488}:445'
+      - "${SMB_CONSUMER_READONLY_PORT:-10488}:445"
 
   smb-consumer-windows:
     build:
       context: smb-consumer-windows
     ports:
-      - '${SMB_CONSUMER_WINDOWS_PORT:-10489}:445'
+      - "${SMB_CONSUMER_WINDOWS_PORT:-10489}:445"
 
   smb-consumer-synology:
     build:
       context: smb-consumer-synology
     ports:
-      - '${SMB_CONSUMER_SYNOLOGY_PORT:-10490}:445'
+      - "${SMB_CONSUMER_SYNOLOGY_PORT:-10490}:445"
 
   smb-consumer-linux:
     build:
       context: smb-consumer-linux
     ports:
-      - '${SMB_CONSUMER_LINUX_PORT:-10491}:445'
+      - "${SMB_CONSUMER_LINUX_PORT:-10491}:445"
 
   smb-consumer-flaky:
     build:
       context: smb-consumer-flaky
     ports:
-      - '${SMB_CONSUMER_FLAKY_PORT:-10492}:445'
+      - "${SMB_CONSUMER_FLAKY_PORT:-10492}:445"
 
   smb-consumer-slow:
     build:
       context: smb-consumer-slow
     ports:
-      - '${SMB_CONSUMER_SLOW_PORT:-10493}:445'
+      - "${SMB_CONSUMER_SLOW_PORT:-10493}:445"
     cap_add:
       - NET_ADMIN
+
+  smb-consumer-maxreadsize:
+    build:
+      context: smb-consumer-maxreadsize
+    ports:
+      - "${SMB_CONSUMER_MAXREADSIZE_PORT:-10494}:445"
diff --git a/apps/desktop/test/smb-servers/.compose/smb-consumer-maxreadsize/Dockerfile b/apps/desktop/test/smb-servers/.compose/smb-consumer-maxreadsize/Dockerfile
new file mode 100644
index 00000000..995e52c7
--- /dev/null
+++ b/apps/desktop/test/smb-servers/.compose/smb-consumer-maxreadsize/Dockerfile
@@ -0,0 +1,8 @@
+FROM alpine:3.21
+RUN apk add --no-cache samba
+COPY smb.conf /etc/samba/smb.conf
+RUN mkdir -p /shares/public && chmod 777 /shares/public
+EXPOSE 445
+HEALTHCHECK --interval=2s --timeout=3s --retries=10 \
+    CMD nc -z localhost 445
+CMD ["smbd", "--foreground", "--no-process-group", "--debug-stdout"]
diff --git a/apps/desktop/test/smb-servers/.compose/smb-consumer-maxreadsize/smb.conf b/apps/desktop/test/smb-servers/.compose/smb-consumer-maxreadsize/smb.conf
new file mode 100644
index 00000000..97d49f84
--- /dev/null
+++ b/apps/desktop/test/smb-servers/.compose/smb-consumer-maxreadsize/smb.conf
@@ -0,0 +1,22 @@
+[global]
+server role = standalone server
+server min protocol = SMB2_02
+server max protocol = SMB3_11
+map to guest = Bad User
+log level = 1
+# Force tiny read/write sizes (64 KB) so every multi-MB transfer is
+# chunked. Lets consumer tests exercise the streaming-write fallback
+# path that historically deadlocked when wrapped in a single-shared-
+# session mutex; consumers can use this fixture as a regression guard
+# without standing up the internal-fixture smb-maxreadsize container.
+smb2 max read = 65536
+smb2 max write = 65536
+smb2 max trans = 65536
+
+[public]
+path = /shares/public
+read only = no
+guest ok = yes
+browseable = yes
+create mask = 0666
+directory mask = 0777
diff --git a/apps/desktop/test/smb-servers/start.sh b/apps/desktop/test/smb-servers/start.sh
index 26be4a2c..5968928f 100755
--- a/apps/desktop/test/smb-servers/start.sh
+++ b/apps/desktop/test/smb-servers/start.sh
@@ -40,10 +40,11 @@ case "$mode" in
     core)
         echo "Starting core SMB servers (auth scenarios + edge cases)..."
         services=(smb-consumer-guest smb-consumer-auth smb-consumer-both \
-                  smb-consumer-readonly smb-consumer-flaky smb-consumer-slow)
+                  smb-consumer-readonly smb-consumer-flaky smb-consumer-slow \
+                  smb-consumer-maxreadsize)
         ;;
     all)
-        echo "Starting all SMB servers (14 containers)..."
+        echo "Starting all SMB servers (15 containers)..."
         # Empty services list means "all defined in compose" for both `up` and
         # the post-up probe loop. We resolve the actual set via `compose ps`.
         ;;