diff --git a/core/src/main/c/share/files.c b/core/src/main/c/share/files.c
index 629eacb2..02fb93a1 100644
--- a/core/src/main/c/share/files.c
+++ b/core/src/main/c/share/files.c
@@ -164,9 +164,16 @@ JNIEXPORT jboolean JNICALL Java_io_questdb_client_std_Files_allocate
     fst.fst_length = (off_t) size;
     fst.fst_bytesalloc = 0;
     if (fcntl((int) fd, F_PREALLOCATE, &fst) == -1) {
+        /* Contiguous allocation failed (e.g. fragmented filesystem); retry
+         * non-contiguous all-or-nothing. Only fall through to ftruncate when
+         * the filesystem doesn't support F_PREALLOCATE at all; real failures
+         * (notably ENOSPC) must surface so the caller doesn't end up with a
+         * sparse file that SIGBUSes on later mmap store (sf-client.md §6). */
         fst.fst_flags = F_ALLOCATEALL;
-        (void) fcntl((int) fd, F_PREALLOCATE, &fst);
-        /* if F_PREALLOCATE fails we still try ftruncate to set logical size */
+        if (fcntl((int) fd, F_PREALLOCATE, &fst) == -1
+            && errno != ENOTSUP && errno != EOPNOTSUPP) {
+            return JNI_FALSE;
+        }
     }
 #endif
     int res2;
diff --git a/core/src/main/java/io/questdb/client/Sender.java b/core/src/main/java/io/questdb/client/Sender.java
index 790a2210..27a79962 100644
--- a/core/src/main/java/io/questdb/client/Sender.java
+++ b/core/src/main/java/io/questdb/client/Sender.java
@@ -620,6 +620,10 @@ final class LineSenderBuilder {
         private static final long DEFAULT_WS_AUTO_FLUSH_INTERVAL_NANOS = 100_000_000L; // 100ms
         private static final int DEFAULT_WS_AUTO_FLUSH_ROWS = 1_000;
         private static final int MIN_BUFFER_SIZE = AuthUtils.CHALLENGE_LEN + 1; // challenge size + 1;
+        // sf-client.md section 4.4: the inbox capacity must accommodate the
+        // distinct error categories in a bursty error stream so that drop-oldest
+        // does not erase the trailing distribution of categories.
+        private static final int MIN_ERROR_INBOX_CAPACITY = 16;
         // The PARAMETER_NOT_SET_EXPLICITLY constant is used to detect if a parameter was set explicitly in configuration parameters
         // where it matters. This is needed to detect invalid combinations of parameters. Why?
         // We want to fail-fast even when an explicitly configured options happens to be same value as the default value,
@@ -1864,15 +1868,20 @@ public LineSenderBuilder errorHandler(io.questdb.client.SenderErrorHandler handl
          *
          * <p>WebSocket transport only; setting on other transports throws.
          *
-         * @param capacity must be {@code >= 1}
+         * @param capacity must be {@code >= 16} (sf-client.md section 4.4).
+         *                 The floor exists because overflow drops the oldest
+         *                 entry and watermarks are monotonic, so the inbox
+         *                 must be wide enough to keep a useful trailing
+         *                 window of categories under bursty errors.
          * @return this instance for method chaining
          */
         public LineSenderBuilder errorInboxCapacity(int capacity) {
             if (protocol != PARAMETER_NOT_SET_EXPLICITLY && protocol != PROTOCOL_WEBSOCKET) {
                 throw new LineSenderException("error_inbox_capacity is only supported for WebSocket transport");
             }
-            if (capacity < 1) {
-                throw new LineSenderException("error_inbox_capacity must be >= 1, was " + capacity);
+            if (capacity < MIN_ERROR_INBOX_CAPACITY) {
+                throw new LineSenderException("error_inbox_capacity must be >= "
+                        + MIN_ERROR_INBOX_CAPACITY + ", was " + capacity);
             }
             this.errorInboxCapacity = capacity;
             return this;
diff --git a/core/src/main/java/io/questdb/client/cutlass/qwp/client/QwpQueryClient.java b/core/src/main/java/io/questdb/client/cutlass/qwp/client/QwpQueryClient.java
index deb9a75f..178d35d0 100644
--- a/core/src/main/java/io/questdb/client/cutlass/qwp/client/QwpQueryClient.java
+++ b/core/src/main/java/io/questdb/client/cutlass/qwp/client/QwpQueryClient.java
@@ -293,7 +293,9 @@ private QwpQueryClient(String host, int port) {
      * <ul>
      *   <li>{@code addr=host[:port][,host[:port]...]} -- required. Comma-separated list of
      *       WebSocket endpoints; {@link #connect()} walks them in order and stops at the
-     *       first matching {@code target=}. Default port on each entry is {@value #DEFAULT_WS_PORT}.</li>
+     *       first matching {@code target=}. Default port on each entry is {@value #DEFAULT_WS_PORT}.
+     *       Per {@code failover.md} section 1, the comma form and repeated {@code addr=} keys
+     *       both accumulate into a single ordered list; empty entries are rejected.</li>
      *   <li>{@code target=any|primary|replica} -- endpoint filter applied against the role
      *       byte from the v2 {@code SERVER_INFO} frame. Default {@code any}. {@code primary}
      *       accepts {@code PRIMARY}, {@code PRIMARY_CATCHUP} and {@code STANDALONE}.</li>
@@ -359,7 +361,7 @@ public static QwpQueryClient fromConfig(CharSequence configurationString) {
                     "unsupported schema [schema=" + sink + ", supported-schemas=[ws, wss]]");
         }
 
-        List<Endpoint> parsedEndpoints = null;
+        List<Endpoint> parsedEndpoints = new ArrayList<>();
         String path = DEFAULT_ENDPOINT_PATH;
         String target = TARGET_ANY;
         Boolean failover = null;
@@ -398,7 +400,9 @@ public static QwpQueryClient fromConfig(CharSequence configurationString) {
             String value = sink.toString();
             switch (key) {
                 case "addr":
-                    parsedEndpoints = parseEndpointList(value);
+                    // failover.md §1: comma syntax and repeated addr= keys must
+                    // accumulate. parseEndpointList rejects empty entries.
+                    parsedEndpoints.addAll(parseEndpointList(value));
                     break;
                 case "target":
                     if (!TARGET_ANY.equals(value) && !TARGET_PRIMARY.equals(value) && !TARGET_REPLICA.equals(value)) {
@@ -551,7 +555,7 @@ public static QwpQueryClient fromConfig(CharSequence configurationString) {
                     throw new IllegalArgumentException("unknown configuration key: " + key);
             }
         }
-        if (parsedEndpoints == null || parsedEndpoints.isEmpty()) {
+        if (parsedEndpoints.isEmpty()) {
             throw new IllegalArgumentException("missing required key: addr");
         }
         boolean hasBasic = username != null || password != null;
diff --git a/core/src/main/java/io/questdb/client/cutlass/qwp/client/QwpWebSocketSender.java b/core/src/main/java/io/questdb/client/cutlass/qwp/client/QwpWebSocketSender.java
index 074e6938..153b411c 100644
--- a/core/src/main/java/io/questdb/client/cutlass/qwp/client/QwpWebSocketSender.java
+++ b/core/src/main/java/io/questdb/client/cutlass/qwp/client/QwpWebSocketSender.java
@@ -125,6 +125,9 @@ public class QwpWebSocketSender implements Sender {
     private static final int DEFAULT_MICROBATCH_BUFFER_SIZE = 1024 * 1024; // 1MB
     private static final Logger LOG = LoggerFactory.getLogger(QwpWebSocketSender.class);
     private static final int MAX_TABLE_NAME_LENGTH = 127;
+    // sf-client.md section 4.4 floor: drop-oldest under bursts needs a wide
+    // enough window to preserve the trailing category distribution.
+    private static final int MIN_ERROR_INBOX_CAPACITY = 16;
     private static final String WRITE_PATH = "/write/v4";
     private final String authorizationHeader;
     private final int autoFlushBytes;
@@ -1725,10 +1728,13 @@ public void setErrorHandler(SenderErrorHandler handler) {
     /**
      * Configure the bounded inbox capacity used by the dispatcher. Must be
      * called before {@code connect()}; later changes have no effect.
+     * The minimum follows sf-client.md section 4.4: drop-oldest under bursts
+     * needs a wide enough window to preserve the trailing category distribution.
      */
     public void setErrorInboxCapacity(int capacity) {
-        if (capacity < 1) {
-            throw new IllegalArgumentException("errorInboxCapacity must be >= 1, was " + capacity);
+        if (capacity < MIN_ERROR_INBOX_CAPACITY) {
+            throw new IllegalArgumentException("errorInboxCapacity must be >= "
+                    + MIN_ERROR_INBOX_CAPACITY + ", was " + capacity);
         }
         this.errorInboxCapacity = capacity;
     }
diff --git a/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SegmentRing.java b/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SegmentRing.java
index 45807a5e..e4eafb47 100644
--- a/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SegmentRing.java
+++ b/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SegmentRing.java
@@ -376,8 +376,11 @@ public long appendOrFsn(long payloadAddr, int payloadLen) {
             hotSpare = null;
             // Fresh active just consumed the spare → ask the manager to start
             // making the next one immediately, before this segment fills.
+            // The flag is per-active and tracks whether the backup-signal
+            // branch has fired for the *current* active. Rotation installs a
+            // new active, so the flag resets here to re-arm the backup branch.
             // Plain field reset is safe (producer-only state).
-            wakeupRequestedForActive = true;
+            wakeupRequestedForActive = false;
             Runnable wakeup = managerWakeup;
             if (wakeup != null) {
                 wakeup.run();
diff --git a/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SenderConnectionDispatcher.java b/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SenderConnectionDispatcher.java
index fec299e0..2dec7668 100644
--- a/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SenderConnectionDispatcher.java
+++ b/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SenderConnectionDispatcher.java
@@ -30,8 +30,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.util.concurrent.ArrayBlockingQueue;
-import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.LinkedBlockingDeque;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicLong;
 
@@ -61,10 +60,10 @@ public final class SenderConnectionDispatcher implements QuietCloseable {
             SenderConnectionEvent.NO_ROUND_NUMBER,
             null, 0L);
     private final AtomicLong dropped = new AtomicLong();
-    // volatile so the user can swap the listener post-connect, mirroring
-    // SenderErrorDispatcher's setHandler contract.
-    private volatile SenderConnectionListener listener;
-    private final BlockingQueue<SenderConnectionEvent> inbox;
+    // Deque (not plain queue) so offer() can drop the head when the inbox is
+    // full, per the drop-oldest contract inherited from SenderErrorDispatcher
+    // (sf-client.md section 14.6).
+    private final LinkedBlockingDeque<SenderConnectionEvent> inbox;
     // First offer() that observes a null thread wins the race to spawn it.
     private final Object lock = new Object();
     private final String threadName;
@@ -75,6 +74,9 @@ public final class SenderConnectionDispatcher implements QuietCloseable {
     // double-checked first-null guard is a JMM race -- benign in practice
     // (the synchronized re-check covers double-start) but spec-incorrect.
     private volatile Thread dispatcherThread;
+    // volatile so the user can swap the listener post-connect, mirroring
+    // SenderErrorDispatcher's setHandler contract.
+    private volatile SenderConnectionListener listener;
 
     public SenderConnectionDispatcher(SenderConnectionListener listener) {
         this(listener, DEFAULT_CAPACITY, "qdb-sf-connection-dispatcher");
@@ -92,7 +94,7 @@ public SenderConnectionDispatcher(SenderConnectionListener listener, int capacit
             throw new IllegalArgumentException("capacity must be >= 1, was " + capacity);
         }
         this.listener = listener;
-        this.inbox = new ArrayBlockingQueue<>(capacity);
+        this.inbox = new LinkedBlockingDeque<>(capacity);
         this.threadName = threadName;
     }
 
@@ -103,7 +105,6 @@ public void close() {
                 return;
             }
             closed = true;
-            //noinspection ResultOfMethodCallIgnored
             inbox.offer(POISON);
             Thread t = dispatcherThread;
             if (t != null) {
@@ -128,9 +129,10 @@ public void close() {
     }
 
     /**
-     * Total events dropped via inbox-overflow since startup. Non-zero means the
-     * listener is slower than the event rate -- typically a symptom of a
-     * misbehaving listener. Reported by the sender for ops dashboards.
+     * Total events discarded by the drop-oldest overflow policy since startup.
+     * Non-zero means the listener is slower than the event rate -- typically
+     * a symptom of a misbehaving listener. Reported by the sender for ops
+     * dashboards.
      */
     public long getDroppedNotifications() {
         return dropped.get();
@@ -145,18 +147,14 @@ public long getTotalDelivered() {
     }
 
     /**
-     * Replace the user-supplied listener. Effective for the next delivery.
-     * Null reverts to the loud-not-silent default.
-     */
-    public void setListener(SenderConnectionListener listener) {
-        this.listener = listener != null ? listener : DefaultSenderConnectionListener.INSTANCE;
-    }
-
-    /**
-     * Non-blocking enqueue. Returns {@code true} if the event will be
-     * delivered to the listener (eventually, on the dispatcher thread).
-     * Returns {@code false} if the inbox was full or the dispatcher was
-     * closed -- caller's only obligation is to not block.
+     * Non-blocking enqueue. Always admits the new event unless the dispatcher
+     * is closed or {@code event} is null. Returns {@code true} when the new
+     * event is enqueued for delivery, {@code false} when rejected outright.
+     *
+     * <p>When the inbox is full, drops the oldest pending entry to make room
+     * (sf-client.md section 14.6, inherited contract) and bumps
+     * {@link #getDroppedNotifications()}. The newest entry is always retained
+     * because later events carry the most recent connection state.
      *
      * <p>Lazy-starts the dispatcher thread on the first successful offer.
      */
@@ -164,10 +162,18 @@ public boolean offer(SenderConnectionEvent event) {
         if (closed || event == null) {
             return false;
         }
-        boolean accepted = inbox.offer(event);
-        if (!accepted) {
-            dropped.incrementAndGet();
-            return false;
+        // Drop-oldest overflow policy. The pollFirst()/offerLast() pair is
+        // not atomic with the consumer, but the consumer can only remove
+        // entries (never add). The retry loop converges in at most one extra
+        // iteration under SPSC; close()'s POISON enqueue widens the race
+        // briefly but the `closed` re-check exits cleanly.
+        while (!inbox.offerLast(event)) {
+            if (inbox.pollFirst() != null) {
+                dropped.incrementAndGet();
+            }
+            if (closed) {
+                return false;
+            }
         }
         if (dispatcherThread == null) {
             startDispatcherIfNeeded();
@@ -175,6 +181,14 @@ public boolean offer(SenderConnectionEvent event) {
         return true;
     }
 
+    /**
+     * Replace the user-supplied listener. Effective for the next delivery.
+     * Null reverts to the loud-not-silent default.
+     */
+    public void setListener(SenderConnectionListener listener) {
+        this.listener = listener != null ? listener : DefaultSenderConnectionListener.INSTANCE;
+    }
+
     private void dispatchLoop() {
         while (!closed || !inbox.isEmpty()) {
             SenderConnectionEvent ev;
diff --git a/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SenderErrorDispatcher.java b/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SenderErrorDispatcher.java
index 240341e6..aef01dde 100644
--- a/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SenderErrorDispatcher.java
+++ b/core/src/main/java/io/questdb/client/cutlass/qwp/client/sf/cursor/SenderErrorDispatcher.java
@@ -30,8 +30,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.util.concurrent.ArrayBlockingQueue;
-import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.LinkedBlockingDeque;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicLong;
@@ -48,11 +47,14 @@
  * the daemon dispatcher takes from the queue and invokes the handler.
  *
  * <h2>Backpressure</h2>
- * The queue is bounded ({@code capacity}, default 256). When full,
- * {@link #offer} returns {@code false} immediately and bumps
+ * The inbox is bounded ({@code capacity}, default 256). When full, {@link #offer}
+ * drops the oldest entry to admit the new one and bumps
  * {@link #getDroppedNotifications()}. The I/O thread does NOT spin or block.
  * A non-zero dropped count means the handler is too slow to keep up — visible
- * to operators via the sender's accessor.
+ * to operators via the sender's accessor. Drop-oldest is mandated by
+ * sf-client.md section 14.6: watermarks are monotonic, so the latest entry is
+ * always the most informative and drops compress information rather than
+ * lose it.
  *
  * <h2>Lifecycle</h2>
  * The dispatcher thread is started lazily on the first successful
@@ -88,7 +90,11 @@ public final class SenderErrorDispatcher implements QuietCloseable {
     // and reconfigurable apps install a new handler at any time without
     // tearing down the dispatcher thread.
     private volatile SenderErrorHandler handler;
-    private final BlockingQueue<SenderError> inbox;
+    // Deque (not plain queue) so offer() can drop the head when the inbox is
+    // full, per spec section 14.6. SPSC in steady state: the I/O thread is
+    // the sole producer, the dispatcher is the sole consumer; close() also
+    // enqueues POISON, but only once and under `lock`.
+    private final LinkedBlockingDeque<SenderError> inbox;
     // Threads are started lazily under this monitor; takes the same role as
     // SegmentManager.start() — first offer() that observes a null thread
     // wins the race to spawn it.
@@ -118,7 +124,7 @@ public SenderErrorDispatcher(SenderErrorHandler handler, int capacity, String th
             throw new IllegalArgumentException("capacity must be >= 1, was " + capacity);
         }
         this.handler = handler;
-        this.inbox = new ArrayBlockingQueue<>(capacity);
+        this.inbox = new LinkedBlockingDeque<>(capacity);
         this.threadName = threadName;
     }
 
@@ -170,10 +176,10 @@ public void close() {
     }
 
     /**
-     * Total errors delivered via inbox-overflow drop since startup. Non-zero
-     * means the user's handler is slower than the error rate — typically a
-     * symptom of a misbehaving handler or a misconfigured server. Reported by
-     * the sender for ops dashboards.
+     * Total errors discarded by the drop-oldest overflow policy since startup.
+     * Non-zero means the user's handler is slower than the error rate —
+     * typically a symptom of a misbehaving handler or a misconfigured server.
+     * Reported by the sender for ops dashboards.
      */
     public long getDroppedNotifications() {
         return dropped.get();
@@ -209,10 +215,14 @@ public void setHandler(SenderErrorHandler handler) {
     }
 
     /**
-     * Non-blocking enqueue. Returns {@code true} if the error will be
-     * delivered to the handler (eventually, on the dispatcher thread). Returns
-     * {@code false} if the inbox was full or the dispatcher was closed —
-     * caller's only obligation is to not block.
+     * Non-blocking enqueue. Always admits the new error unless the dispatcher
+     * is closed or {@code error} is null. Returns {@code true} when the new
+     * error is enqueued for delivery, {@code false} when rejected outright.
+     *
+     * <p>When the inbox is full, drops the oldest pending entry to make room
+     * (sf-client.md section 14.6) and bumps {@link #getDroppedNotifications()}.
+     * The newest entry is always retained because it carries the most recent
+     * watermark information.
      *
      * <p>Lazy-starts the dispatcher thread on the first successful offer.
      */
@@ -220,10 +230,18 @@ public boolean offer(SenderError error) {
         if (closed || error == null) {
             return false;
         }
-        boolean accepted = inbox.offer(error);
-        if (!accepted) {
-            dropped.incrementAndGet();
-            return false;
+        // Drop-oldest overflow policy. The pollFirst()/offerLast() pair is
+        // not atomic with the consumer, but the consumer can only remove
+        // entries (never add). The retry loop converges in at most one extra
+        // iteration under SPSC; close()'s POISON enqueue widens the race
+        // briefly but the `closed` re-check exits cleanly.
+        while (!inbox.offerLast(error)) {
+            if (inbox.pollFirst() != null) {
+                dropped.incrementAndGet();
+            }
+            if (closed) {
+                return false;
+            }
         }
         // Common case after the first offer: thread already running, hot
         // path is one volatile read. Lazy start happens once per dispatcher
diff --git a/core/src/main/java/io/questdb/client/std/Files.java b/core/src/main/java/io/questdb/client/std/Files.java
index 1b03a40d..7735fb40 100644
--- a/core/src/main/java/io/questdb/client/std/Files.java
+++ b/core/src/main/java/io/questdb/client/std/Files.java
@@ -258,12 +258,15 @@ public static void freeNativePath(long pathPtr) {
      */
     public static int rename(String oldPath, String newPath) {
         long o = pathPtr(oldPath);
-        long n = pathPtr(newPath);
         try {
-            return rename0(o, n);
+            long n = pathPtr(newPath);
+            try {
+                return rename0(o, n);
+            } finally {
+                freePathPtr(n);
+            }
         } finally {
             freePathPtr(o);
-            freePathPtr(n);
         }
     }
 
diff --git a/core/src/main/resources/io/questdb/client/bin/darwin-aarch64/libquestdb.dylib b/core/src/main/resources/io/questdb/client/bin/darwin-aarch64/libquestdb.dylib
index dd757017..4b53fe79 100644
Binary files a/core/src/main/resources/io/questdb/client/bin/darwin-aarch64/libquestdb.dylib and b/core/src/main/resources/io/questdb/client/bin/darwin-aarch64/libquestdb.dylib differ
diff --git a/core/src/main/resources/io/questdb/client/bin/darwin-x86-64/libquestdb.dylib b/core/src/main/resources/io/questdb/client/bin/darwin-x86-64/libquestdb.dylib
index b0eef508..bea672c7 100644
Binary files a/core/src/main/resources/io/questdb/client/bin/darwin-x86-64/libquestdb.dylib and b/core/src/main/resources/io/questdb/client/bin/darwin-x86-64/libquestdb.dylib differ
diff --git a/core/src/main/resources/io/questdb/client/bin/windows-x86-64/libquestdb.dll b/core/src/main/resources/io/questdb/client/bin/windows-x86-64/libquestdb.dll
index 1688d230..7b9c7d95 100755
Binary files a/core/src/main/resources/io/questdb/client/bin/windows-x86-64/libquestdb.dll and b/core/src/main/resources/io/questdb/client/bin/windows-x86-64/libquestdb.dll differ
diff --git a/core/src/test/java/io/questdb/client/test/SenderBuilderErrorApiTest.java b/core/src/test/java/io/questdb/client/test/SenderBuilderErrorApiTest.java
index f02cb914..ed3c35c6 100644
--- a/core/src/test/java/io/questdb/client/test/SenderBuilderErrorApiTest.java
+++ b/core/src/test/java/io/questdb/client/test/SenderBuilderErrorApiTest.java
@@ -94,19 +94,38 @@ public void testErrorHandlerRejectedOnNonWebSocketProtocol() {
     }
 
     @Test
-    public void testErrorInboxCapacityRejectsZeroAndNegative() {
-        try {
-            Sender.builder(Sender.Transport.WEBSOCKET).errorInboxCapacity(0);
-            Assert.fail("zero capacity must be rejected");
-        } catch (LineSenderException expected) {
-            Assert.assertTrue(expected.getMessage().contains("error_inbox_capacity"));
-            Assert.assertTrue(expected.getMessage().contains(">="));
+    public void testErrorInboxCapacityRejectsBelowSpecFloor() {
+        // sf-client.md section 4.4: minimum is 16. Values below the floor
+        // (including 0 and negative) must surface the floor in the message
+        // so users can fix their configuration.
+        int[] rejected = {-5, 0, 1, 2, 15};
+        for (int v : rejected) {
+            try {
+                Sender.builder(Sender.Transport.WEBSOCKET).errorInboxCapacity(v);
+                Assert.fail("capacity " + v + " must be rejected; spec floor is 16");
+            } catch (LineSenderException expected) {
+                Assert.assertTrue("missing key in message: " + expected.getMessage(),
+                        expected.getMessage().contains("error_inbox_capacity"));
+                Assert.assertTrue("missing floor (16) in message: " + expected.getMessage(),
+                        expected.getMessage().contains(">= 16"));
+            }
         }
+        // The floor itself is accepted.
+        Sender.builder(Sender.Transport.WEBSOCKET).errorInboxCapacity(16);
+    }
+
+    @Test
+    public void testConnectStringRejectsErrorInboxCapacityBelowFloor() {
+        // The connect-string path delegates to the builder, so the floor
+        // applies there too. A value below 16 must surface the floor.
         try {
-            Sender.builder(Sender.Transport.WEBSOCKET).errorInboxCapacity(-5);
-            Assert.fail("negative capacity must be rejected");
+            Sender.builder("ws::addr=127.0.0.1:1;error_inbox_capacity=8;").build().close();
+            Assert.fail("capacity 8 must be rejected; spec floor is 16");
         } catch (LineSenderException expected) {
-            // ok
+            Assert.assertTrue("missing key in message: " + expected.getMessage(),
+                    expected.getMessage().contains("error_inbox_capacity"));
+            Assert.assertTrue("missing floor (16) in message: " + expected.getMessage(),
+                    expected.getMessage().contains(">= 16"));
         }
     }
 
diff --git a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/QwpQueryClientFromConfigTest.java b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/QwpQueryClientFromConfigTest.java
index 0d7dc626..4b30259d 100644
--- a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/QwpQueryClientFromConfigTest.java
+++ b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/QwpQueryClientFromConfigTest.java
@@ -160,6 +160,48 @@ public void testAddrPortZeroRejected() {
         assertReject("ws::addr=db:0;", "port out of range in addr: db:0 (must be 1-65535)");
     }
 
+    @Test
+    public void testAddrRepeatedKeysAccumulate() {
+        // failover.md section 1: repeated addr= keys must accumulate into a
+        // single ordered list, mirroring the ingress Sender behavior.
+        try (QwpQueryClient c = QwpQueryClient.fromConfig(
+                "ws::addr=alpha:9000;addr=bravo:9001;addr=charlie:9002;")) {
+            Assert.assertEquals(3, c.getEndpointCountForTest());
+            Assert.assertEquals("alpha", c.getEndpointHostForTest(0));
+            Assert.assertEquals(9000, c.getEndpointPortForTest(0));
+            Assert.assertEquals("bravo", c.getEndpointHostForTest(1));
+            Assert.assertEquals(9001, c.getEndpointPortForTest(1));
+            Assert.assertEquals("charlie", c.getEndpointHostForTest(2));
+            Assert.assertEquals(9002, c.getEndpointPortForTest(2));
+        }
+    }
+
+    @Test
+    public void testAddrRepeatedKeysAndCommasMixed() {
+        // The two accumulation forms must compose: comma-list followed by a
+        // second addr= key extends the list, not replaces it.
+        try (QwpQueryClient c = QwpQueryClient.fromConfig(
+                "ws::addr=alpha:9000,bravo:9001;addr=charlie:9002,delta:9003;")) {
+            Assert.assertEquals(4, c.getEndpointCountForTest());
+            Assert.assertEquals("alpha", c.getEndpointHostForTest(0));
+            Assert.assertEquals(9000, c.getEndpointPortForTest(0));
+            Assert.assertEquals("bravo", c.getEndpointHostForTest(1));
+            Assert.assertEquals(9001, c.getEndpointPortForTest(1));
+            Assert.assertEquals("charlie", c.getEndpointHostForTest(2));
+            Assert.assertEquals(9002, c.getEndpointPortForTest(2));
+            Assert.assertEquals("delta", c.getEndpointHostForTest(3));
+            Assert.assertEquals(9003, c.getEndpointPortForTest(3));
+        }
+    }
+
+    @Test
+    public void testAddrRepeatedKeysEmptyEntryStillRejected() {
+        // The empty-entry rejection must fire on every addr= occurrence, not
+        // just the first one, so a second key cannot smuggle in a malformed
+        // value.
+        assertReject("ws::addr=a:9000;addr=b:9000,;", "empty addr entry");
+    }
+
     @Test
     public void testAddrSingleWhitespaceTrimmedAroundHostPort() {
         // The parser splits on commas and trims; a single leading space on a
diff --git a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/QwpRoleRejectCloseRaceTest.java b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/QwpRoleRejectCloseRaceTest.java
index f3a030d2..66c5e630 100644
--- a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/QwpRoleRejectCloseRaceTest.java
+++ b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/QwpRoleRejectCloseRaceTest.java
@@ -51,7 +51,9 @@ public void testCloseDuringRoleRejectBackoffReturnsPromptly() throws Exception {
                     + ";close_flush_timeout_millis=0"
                     + ";initial_connect_retry=async;";
 
-            try (Sender sender = Sender.fromConfig(cfg)) {
+            Sender sender = Sender.fromConfig(cfg);
+            long elapsed;
+            try {
                 // Push a row so the I/O thread starts attempting connect; the
                 // first attempt will hit the role reject and enter the parkNanos
                 // backoff branch.
@@ -59,12 +61,15 @@ public void testCloseDuringRoleRejectBackoffReturnsPromptly() throws Exception {
                 waitFor(() -> server.upgrades.get() >= 1, 5_000);
                 Thread.sleep(100);
             } finally {
+                // Bracket the close() so the timing assertion is meaningful;
+                // the race this test is named for lives entirely inside close().
                 long start = System.currentTimeMillis();
-                long elapsed = System.currentTimeMillis() - start;
-                Assert.assertTrue(
-                        "close() during role-reject backoff must return promptly (got " + elapsed + "ms)",
-                        elapsed < 2_000);
+                sender.close();
+                elapsed = System.currentTimeMillis() - start;
             }
+            Assert.assertTrue(
+                    "close() during role-reject backoff must return promptly (got " + elapsed + "ms)",
+                    elapsed < 2_000);
         }
     }
 
diff --git a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SegmentRingTest.java b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SegmentRingTest.java
index d50d6550..cec666a2 100644
--- a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SegmentRingTest.java
+++ b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SegmentRingTest.java
@@ -166,6 +166,67 @@ public void testRotationRebasesSpareToCorrectFsnRegardlessOfManagerGuess() throw
         });
     }
 
+    @Test
+    public void testRotationRearmsHighWaterBackupWakeup() throws Exception {
+        // The producer-thread flag that gates the high-water backup wakeup is
+        // per-active. Rotation must reset it so the new active can fire the
+        // backup again if the rotation-time wakeup didn't get a fresh spare
+        // installed in time. Pre-fix the flag stayed sticky-true after the
+        // first set, so on every active past the first the backup branch was
+        // a dead path.
+        TestUtils.assertMemoryLeak(() -> {
+            // 4 100-byte frames per segment. signalAtBytes is 75% of segSize,
+            // and HEADER (24) + 3 frames (3*108 = 324) lands publishedOffset
+            // at 348, just past the 342-byte threshold.
+            long segSize = MmapSegment.HEADER_SIZE
+                    + 4 * (MmapSegment.FRAME_HEADER_SIZE + 100);
+            long buf = Unsafe.malloc(100, MemoryTag.NATIVE_DEFAULT);
+            try {
+                MmapSegment seg0 = MmapSegment.create(tmpDir + "/wseg0.sfa", 0, segSize);
+                try (SegmentRing ring = new SegmentRing(seg0, segSize)) {
+                    int[] wakeups = {0};
+                    ring.setManagerWakeup(() -> wakeups[0]++);
+                    fillPattern(buf, 100, 0);
+
+                    // First active: two frames stay below high-water.
+                    assertEquals(0, ring.appendOrFsn(buf, 100));
+                    assertEquals(1, ring.appendOrFsn(buf, 100));
+                    assertEquals("no wakeup before high-water", 0, wakeups[0]);
+                    // Third frame crosses 75%: backup branch fires once.
+                    assertEquals(2, ring.appendOrFsn(buf, 100));
+                    assertEquals("backup signal fires on high-water crossing", 1, wakeups[0]);
+                    // Fourth frame fills the active. Still same active, so the
+                    // backup branch must coalesce and not fire again.
+                    assertEquals(3, ring.appendOrFsn(buf, 100));
+                    assertEquals("backup signal coalesces within an active", 1, wakeups[0]);
+                    // Active is full and there is still no spare.
+                    assertEquals(SegmentRing.BACKPRESSURE_NO_SPARE,
+                            ring.appendOrFsn(buf, 100));
+                    assertEquals("backpressure does not fire wakeup", 1, wakeups[0]);
+
+                    // Install spare, then retry. The retry triggers rotation,
+                    // which fires the wakeup unconditionally.
+                    ring.installHotSpare(MmapSegment.create(
+                            tmpDir + "/wseg1.sfa", ring.nextSeqHint(), segSize));
+                    assertEquals(4, ring.appendOrFsn(buf, 100));
+                    assertEquals("rotation fires wakeup", 2, wakeups[0]);
+
+                    // New active. Two frames keep publishedOffset below the
+                    // high-water mark (the rotated frame counts as the first).
+                    assertEquals(5, ring.appendOrFsn(buf, 100));
+                    assertEquals(2, wakeups[0]);
+                    // Third frame on the new active crosses 75% again. Without
+                    // rotation re-arming the per-active flag, this assertion
+                    // catches the regression: pre-fix wakeups stayed at 2.
+                    assertEquals(6, ring.appendOrFsn(buf, 100));
+                    assertEquals("backup signal re-arms on the new active", 3, wakeups[0]);
+                }
+            } finally {
+                Unsafe.free(buf, 100, MemoryTag.NATIVE_DEFAULT);
+            }
+        });
+    }
+
     @Test
     public void testAcknowledgeAndDrainTrimsOldestFirstUntilUnackedFound() throws Exception {
         TestUtils.assertMemoryLeak(() -> {
diff --git a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SenderConnectionDispatcherTest.java b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SenderConnectionDispatcherTest.java
index f3aed2fe..e7c0d7c1 100644
--- a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SenderConnectionDispatcherTest.java
+++ b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SenderConnectionDispatcherTest.java
@@ -95,19 +95,24 @@ public void testConstructorRejectsNullListener() {
     }
 
     @Test
-    public void testFullInboxDropsAndCounts() throws Exception {
-        // Slow listener releases only when the test allows. Until then,
-        // every offer beyond capacity must be dropped (returning false) and
-        // counted via getDroppedNotifications.
+    public void testFullInboxDropsOldestAndCounts() throws Exception {
+        // Inherits sf-client.md section 14.6: on overflow, drop the OLDEST
+        // entry and admit the new one. Later connection events carry the
+        // freshest state, so dropping the head loses the least information.
         CountDownLatch unblock = new CountDownLatch(1);
-        AtomicInteger delivered = new AtomicInteger();
+        List<SenderConnectionEvent> received = new ArrayList<>();
+        Object lock = new Object();
+        CountDownLatch allDelivered = new CountDownLatch(5);
         try (SenderConnectionDispatcher d = new SenderConnectionDispatcher(ev -> {
             try {
                 unblock.await();
             } catch (InterruptedException ignored) {
                 Thread.currentThread().interrupt();
             }
-            delivered.incrementAndGet();
+            synchronized (lock) {
+                received.add(ev);
+            }
+            allDelivered.countDown();
         }, /*capacity=*/ 4)) {
             // First offer starts the dispatcher and lands in the listener
             // immediately (and blocks there), freeing one slot. Now we can
@@ -118,10 +123,24 @@ public void testFullInboxDropsAndCounts() throws Exception {
                 Assert.assertTrue("inbox should accept offer " + i,
                         d.offer(buildEvent(i)));
             }
-            Assert.assertFalse("offer beyond capacity must drop",
+            // Inbox holds [1,2,3,4]. The next two offers each drop the head
+            // (1, then 2) to admit the new arrival, returning true.
+            Assert.assertTrue("offer beyond capacity must admit the new entry",
                     d.offer(buildEvent(5)));
-            Assert.assertFalse(d.offer(buildEvent(6)));
+            Assert.assertTrue(d.offer(buildEvent(6)));
             Assert.assertEquals(2L, d.getDroppedNotifications());
+
+            unblock.countDown();
+            Assert.assertTrue("all retained entries should deliver within 5s",
+                    allDelivered.await(5, TimeUnit.SECONDS));
+            synchronized (lock) {
+                long[] attempts = new long[received.size()];
+                for (int i = 0; i < received.size(); i++) {
+                    attempts[i] = received.get(i).getAttemptNumber();
+                }
+                Assert.assertArrayEquals("drop-oldest must retain the newest tail",
+                        new long[]{0, 3, 4, 5, 6}, attempts);
+            }
         } finally {
             unblock.countDown();
         }
diff --git a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SenderErrorDispatcherTest.java b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SenderErrorDispatcherTest.java
index 002de649..a6d3f17d 100644
--- a/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SenderErrorDispatcherTest.java
+++ b/core/src/test/java/io/questdb/client/test/cutlass/qwp/client/sf/cursor/SenderErrorDispatcherTest.java
@@ -97,23 +97,28 @@ public void testConstructorRejectsNullHandler() {
     }
 
     @Test
-    public void testFullInboxDropsAndCounts() throws Exception {
-        // Slow handler — releases once the test allows it. Until then, every
-        // offer beyond capacity must be dropped (returning false) and counted.
+    public void testFullInboxDropsOldestAndCounts() throws Exception {
+        // Spec sf-client.md section 14.6: on overflow, drop the OLDEST entry
+        // and admit the new one. The latest entry is always the most
+        // informative, so the FIFO head loses, not the new arrival.
         CountDownLatch unblock = new CountDownLatch(1);
-        AtomicInteger delivered = new AtomicInteger();
-        /*capacity=*/
+        List<SenderError> received = new ArrayList<>();
+        Object lock = new Object();
+        CountDownLatch allDelivered = new CountDownLatch(5);
         try (SenderErrorDispatcher d = new SenderErrorDispatcher(err -> {
             try {
                 unblock.await();
             } catch (InterruptedException ignored) {
                 Thread.currentThread().interrupt();
             }
-            delivered.incrementAndGet();
+            synchronized (lock) {
+                received.add(err);
+            }
+            allDelivered.countDown();
         }, /*capacity=*/ 4)) {
-            // First offer starts the dispatcher and is taken into the
-            // handler immediately (and blocks there). Now we can fill the
-            // bounded inbox to capacity, then overflow.
+            // First offer starts the dispatcher and lands in the handler
+            // immediately (and blocks there). Now we can fill the bounded
+            // inbox to capacity, then overflow.
             Assert.assertTrue(d.offer(buildError(0)));
             // Give the dispatcher a moment to take the head into the
             // handler so subsequent offers don't get an extra slot.
@@ -122,11 +127,27 @@ public void testFullInboxDropsAndCounts() throws Exception {
                 Assert.assertTrue("inbox should accept offer " + i,
                         d.offer(buildError(i)));
             }
-            // Inbox is now at capacity (4); next offer must drop.
-            Assert.assertFalse("offer beyond capacity must drop",
+            // Inbox is now at capacity (4) holding [1,2,3,4]. The next two
+            // offers must each drop the head (1, then 2) to admit the new
+            // arrival. They return true because the new entry IS enqueued.
+            Assert.assertTrue("offer beyond capacity must admit the new entry",
                     d.offer(buildError(5)));
-            Assert.assertFalse(d.offer(buildError(6)));
+            Assert.assertTrue(d.offer(buildError(6)));
             Assert.assertEquals(2L, d.getDroppedNotifications());
+
+            unblock.countDown();
+            Assert.assertTrue("all retained entries should deliver within 5s",
+                    allDelivered.await(5, TimeUnit.SECONDS));
+            synchronized (lock) {
+                // 0 was taken by the handler before overflow began; 1 and 2
+                // are the dropped pair; 3, 4, 5, 6 are the surviving tail.
+                long[] fromFsns = new long[received.size()];
+                for (int i = 0; i < received.size(); i++) {
+                    fromFsns[i] = received.get(i).getFromFsn();
+                }
+                Assert.assertArrayEquals("drop-oldest must retain the newest tail",
+                        new long[]{0, 3, 4, 5, 6}, fromFsns);
+            }
         } finally {
             unblock.countDown();
         }