@tokenbuddy/tokenbuddy 1.0.25 → 1.0.27

package/static/ui/index.html

@@ -12,8 +12,8 @@
     <link rel="icon" type="image/png" sizes="192x192" href="/icons/tokenbuddy-192.png" />
     <link rel="apple-touch-icon" href="/icons/apple-touch-icon.png" />
     <title>TokenBuddy · Local Control</title>
-    <script type="module" crossorigin src="/assets/index-BJSOFJIU.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-1uuyCCzj.css">
+    <script type="module" crossorigin src="/assets/index-UAfOhbwC.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-Bzbrp7Qe.css">
   </head>
   <body>
     <div id="root"></div>

package/tests/cli-routing.test.ts

@@ -2,6 +2,7 @@ import * as fs from "fs";
 import * as os from "os";
 import * as path from "path";
 import { BuyerStore } from "../src/buyer-store.js";
+import { DEFAULT_CLAWTIP_BOOTSTRAP_URL } from "../src/clawtip-bootstrap.js";
 import { buildCli } from "../src/cli.js";
 
 describe("tb routing set", () => {
@@ -245,12 +246,25 @@ describe("tb routing set", () => {
     }
   });
 
-  test("payment add clawtip requires a bootstrap url", async () => {
+  test("payment add clawtip uses the default registry control plane", async () => {
     const errors: string[] = [];
     const errorSpy = jest.spyOn(console, "error").mockImplementation((message?: unknown) => {
       errors.push(String(message));
     });
-    const fetchMock = jest.spyOn(globalThis, "fetch").mockResolvedValue(response({ ok: true }));
+    const fetchMock = jest.spyOn(globalThis, "fetch").mockResolvedValue(response({
+      activationFeeFen: 1,
+      payment: {
+        orderNo: "order_default_bootstrap",
+        amountFen: 1,
+        indicator: "indicator_default_bootstrap",
+        payTo: "pay-to-test",
+        encryptedData: "ciphertext",
+        slug: "tb-registry",
+        skillId: "si-tb-registry",
+        description: "TokenBuddy ClawTip wallet activation",
+        resourceUrl: DEFAULT_CLAWTIP_BOOTSTRAP_URL,
+      }
+    }));
     const previousExitCode = process.exitCode;
     const previousBootstrapUrl = process.env.TOKENBUDDY_BOOTSTRAP_URL;
 
@@ -259,8 +273,27 @@ describe("tb routing set", () => {
       delete process.env.TOKENBUDDY_BOOTSTRAP_URL;
       await buildCli().parseAsync(["node", "tb", "payment", "add", "clawtip"]);
 
-      expect(process.exitCode).toBe(1);
-      expect(errors.join("\n")).toContain("ClawTip bootstrap URL is required");
+      expect(process.exitCode).toBeUndefined();
+      expect(errors).toEqual([]);
+      expect(fetchMock).toHaveBeenCalledWith(
+        `${DEFAULT_CLAWTIP_BOOTSTRAP_URL}/payments/clawtip/bootstrap`,
+        expect.objectContaining({ method: "POST" })
+      );
+      const store = new BuyerStore({ root: storeRoot });
+      try {
+        expect(store.getPayment("clawtip")).toMatchObject({
+          method: "clawtip",
+          enabled: true,
+          isDefault: true,
+          config: {
+            bootstrapUrl: DEFAULT_CLAWTIP_BOOTSTRAP_URL,
+            orderNo: "order_default_bootstrap",
+            resourceUrl: DEFAULT_CLAWTIP_BOOTSTRAP_URL
+          }
+        });
+      } finally {
+        store.close();
+      }
     } finally {
       process.exitCode = previousExitCode;
       restoreEnv("TOKENBUDDY_BOOTSTRAP_URL", previousBootstrapUrl);

package/tests/control-plane-ui-endpoints.test.ts

@@ -111,7 +111,7 @@ describe("TokenbuddyDaemon control-plane UI endpoints (PR-0)", () => {
         enabled: true,
         isDefault: true,
         config: {
-          resourceUrl: "https://tb-wallet-bootstrap.example.test",
+          resourceUrl: "https://tb-registry.example.test",
           walletConfigPresent: true
         }
       });
@@ -137,10 +137,10 @@ describe("TokenbuddyDaemon control-plane UI endpoints (PR-0)", () => {
             payTo: "real-pay-to",
             encryptedData: "ciphertext",
             indicator: "indicator_ui_qr",
-            slug: "tb-wallet-bootstrap",
-            skillId: "si-tb-wallet-bootstrap",
+            slug: "tb-registry",
+            skillId: "si-tb-registry",
             description: "TokenBuddy ClawTip wallet activation",
-            resourceUrl: "https://tb-wallet-bootstrap.example.test"
+            resourceUrl: "https://tb-registry.example.test"
           }
         }),
         clawtipWalletBootstrapStarter: async (payment) => ({
@@ -183,7 +183,7 @@ describe("TokenbuddyDaemon control-plane UI endpoints (PR-0)", () => {
             payTo: "real-pay-to",
             encryptedData: "ciphertext",
             indicator: "indicator_wait_qr",
-            resourceUrl: "https://tb-wallet-bootstrap.example.test"
+            resourceUrl: "https://tb-registry.example.test"
           }
         }),
         clawtipWalletBootstrapStarter: async (payment) => ({
@@ -228,7 +228,7 @@ describe("TokenbuddyDaemon control-plane UI endpoints (PR-0)", () => {
             payTo: "real-pay-to",
             encryptedData: "ciphertext",
             indicator: "indicator_no_media",
-            resourceUrl: "https://tb-wallet-bootstrap.example.test"
+            resourceUrl: "https://tb-registry.example.test"
           }
         }),
         clawtipWalletBootstrapStarter: async (payment) => ({
@@ -282,7 +282,7 @@ describe("TokenbuddyDaemon control-plane UI endpoints (PR-0)", () => {
         isDefault: true,
         config: {
           orderNo: "order_recharge_static",
-          resourceUrl: "https://tb-wallet-bootstrap.example.test",
+          resourceUrl: "https://tb-registry.example.test",
           walletConfigPresent: true
         }
       });

package/tests/daemon-trusted-registry-cache.test.ts

@@ -0,0 +1,132 @@
+import * as http from "http";
+import * as fs from "fs";
+import * as path from "path";
+import { AddressInfo } from "net";
+import { TokenbuddyDaemon } from "../src/daemon.js";
+import { BuyerStore } from "../src/buyer-store.js";
+
+describe("TokenbuddyDaemon trusted registry cache", () => {
+  const TEMP_DB = path.resolve(__dirname, "../../data-test/trusted-registry-cache-test.db");
+  let server: http.Server;
+  let serverPort: number;
+  let registryAvailable = true;
+  let daemon: TokenbuddyDaemon | undefined;
+
+  function rmDb(): void {
+    for (const suffix of ["", "-wal", "-shm"]) {
+      fs.rmSync(`${TEMP_DB}${suffix}`, { force: true });
+    }
+  }
+
+  function startDaemon(): { controlPort: number; proxyPort: number } {
+    daemon = new TokenbuddyDaemon({
+      controlPort: 0,
+      proxyPort: 0,
+      dbPath: TEMP_DB,
+      sellerRegistryUrl: `http://127.0.0.1:${serverPort}/registry/sellers`
+    });
+    daemon.start();
+    return {
+      controlPort: ((daemon as unknown as { controlServer: { address(): AddressInfo } }).controlServer.address()).port,
+      proxyPort: ((daemon as unknown as { proxyServer: { address(): AddressInfo } }).proxyServer.address()).port
+    };
+  }
+
+  async function stopDaemon(): Promise<void> {
+    daemon?.stop();
+    daemon = undefined;
+    await new Promise<void>((resolve) => setTimeout(resolve, 50));
+  }
+
+  beforeAll((done) => {
+    server = http.createServer((req, res) => {
+      res.setHeader("Content-Type", "application/json");
+      if (req.url === "/registry/sellers") {
+        if (!registryAvailable) {
+          res.statusCode = 500;
+          res.end(JSON.stringify({ error: "registry unavailable" }));
+          return;
+        }
+        res.statusCode = 200;
+        res.end(JSON.stringify({
+          version: 7,
+          defaultSeller: "cached-seller",
+          sellers: [
+            {
+              id: "cached-seller",
+              name: "Cached Seller",
+              status: "active",
+              url: `http://127.0.0.1:${serverPort}/cached-seller`,
+              supportedProtocols: ["chat_completions"],
+              paymentMethods: ["mock"],
+              models: ["gpt-cache"]
+            }
+          ]
+        }));
+        return;
+      }
+      if (req.url === "/cached-seller/manifest") {
+        res.statusCode = 200;
+        res.end(JSON.stringify({
+          sellerId: "cached-seller",
+          supportedProtocols: ["chat_completions"],
+          paymentMethods: ["mock"],
+          models: [{ id: "gpt-cache" }]
+        }));
+        return;
+      }
+      res.statusCode = 404;
+      res.end(JSON.stringify({ error: "not found" }));
+    });
+    server.listen(0, "127.0.0.1", () => {
+      serverPort = (server.address() as AddressInfo).port;
+      done();
+    });
+  });
+
+  afterAll((done) => {
+    server.close(() => done());
+  });
+
+  beforeEach(() => {
+    rmDb();
+    registryAvailable = true;
+  });
+
+  afterEach(async () => {
+    await stopDaemon();
+    rmDb();
+  });
+
+  test("persists a trusted registry snapshot and reuses it after daemon restart", async () => {
+    let ports = startDaemon();
+    const firstModels = await (await fetch(`http://127.0.0.1:${ports.proxyPort}/v1/models`)).json() as any;
+    expect(firstModels.data).toEqual(expect.arrayContaining([
+      expect.objectContaining({ id: "gpt-cache", sellerId: "cached-seller" })
+    ]));
+
+    const store = new BuyerStore({ dbPath: TEMP_DB });
+    const cache = store.getDaemonRuntimeConfig<any>("trusted-registry-snapshot")?.config;
+    store.close();
+    expect(cache).toMatchObject({
+      schemaVersion: 1,
+      registryUrl: `http://127.0.0.1:${serverPort}/registry/sellers`,
+      version: 7,
+      trust: {
+        verified: false
+      }
+    });
+    expect(cache.registrySha256).toMatch(/^[a-f0-9]{64}$/);
+
+    await stopDaemon();
+    registryAvailable = false;
+
+    ports = startDaemon();
+    const secondModelsResponse = await fetch(`http://127.0.0.1:${ports.proxyPort}/v1/models`);
+    expect(secondModelsResponse.status).toBe(200);
+    const secondModels = await secondModelsResponse.json() as any;
+    expect(secondModels.data).toEqual([
+      expect.objectContaining({ id: "gpt-cache", sellerId: "cached-seller" })
+    ]);
+  });
+});

package/tests/e2e.test.ts

@@ -32,7 +32,19 @@ describe("TokenBuddy Full End-to-End Integration Flow Tests", () => {
     if (!fs.existsSync(TEMP_DIR)) {
       fs.mkdirSync(TEMP_DIR, { recursive: true });
     }
-    fs.writeFileSync(TEMP_BOOTSTRAP_JSON, JSON.stringify({ version: 1, sellers: [] }), "utf8");
+    fs.writeFileSync(TEMP_BOOTSTRAP_JSON, JSON.stringify({
+      version: 1,
+      sellers: [
+        {
+          id: "seller-e2e-seed",
+          name: "Seller E2E Seed",
+          url: "http://127.0.0.1:1",
+          supportedProtocols: ["chat_completions"],
+          paymentMethods: ["mock"],
+          models: ["gpt-4"]
+        }
+      ]
+    }), "utf8");
 
     if (fs.existsSync(TEMP_SELLER_DB)) {
       try { fs.unlinkSync(TEMP_SELLER_DB); } catch (e) {}
@@ -86,6 +98,7 @@ describe("TokenBuddy Full End-to-End Integration Flow Tests", () => {
     // 3. Launch Seller server
     const { app: sellerApp, close: closeDb } = buildSellerApp(TEMP_SELLER_DB, {
       allowMock: true,
+      publicMockPayments: true,
       upstreamUrl: `http://127.0.0.1:${upstreamPort}`,
       upstreamApiKey: "upstream-mock-key",
       operatorSecret: "op-secret"

package/tests/package-update.test.ts

@@ -0,0 +1,132 @@
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import {
+  checkPackageUpdate,
+  runPackageUpdate,
+  scheduleLaunchAgentRestart,
+} from "../src/package-update.js";
+
+function makeFetch(latestVersion: string, ok = true): typeof fetch {
+  return (async () => ({
+    ok,
+    status: ok ? 200 : 404,
+    json: async () => ({ "dist-tags": { latest: latestVersion } }),
+  })) as unknown as typeof fetch;
+}
+
+function writePackageJson(root: string, version: string, name = "@tokenbuddy/tokenbuddy"): string {
+  const binDir = path.join(root, "bin");
+  fs.mkdirSync(binDir, { recursive: true });
+  const binPath = path.join(binDir, "tb.js");
+  fs.writeFileSync(binPath, "", "utf8");
+  fs.writeFileSync(path.join(root, "package.json"), JSON.stringify({ name, version }), "utf8");
+  return binPath;
+}
+
+describe("TokenBuddy package update", () => {
+  let tempRoot: string;
+
+  beforeEach(() => {
+    tempRoot = fs.mkdtempSync(path.join(os.tmpdir(), "tokenbuddy-package-update-"));
+  });
+
+  afterEach(() => {
+    fs.rmSync(tempRoot, { recursive: true, force: true });
+  });
+
+  test("checks npm latest and maps the scoped workspace package to the public tokenbuddy package", async () => {
+    const binPath = writePackageJson(tempRoot, "1.0.0");
+
+    const check = await checkPackageUpdate({
+      fetch: makeFetch("1.2.0"),
+      argv: ["node", binPath],
+      cwd: tempRoot,
+      env: {},
+    });
+
+    expect(check).toMatchObject({
+      packageName: "tokenbuddy",
+      currentVersion: "1.0.0",
+      latestVersion: "1.2.0",
+      updateAvailable: true,
+      installCommand: "npm install -g tokenbuddy@1.2.0",
+    });
+  });
+
+  test("installs the latest package and restarts tb-proxyd when an update is available", async () => {
+    const binPath = writePackageJson(tempRoot, "1.0.0");
+    const installCalls: Array<{ command: string; args: string[] }> = [];
+    const restartCalls: number[] = [];
+
+    const result = await runPackageUpdate(
+      { apply: true, controlPort: 17820 },
+      {
+        fetch: makeFetch("1.1.0"),
+        argv: ["node", binPath],
+        cwd: tempRoot,
+        env: {},
+        runNpmInstall: (command, args) => {
+          installCalls.push({ command, args });
+        },
+        restartProxyd: async (controlPort) => {
+          restartCalls.push(controlPort);
+          return { attempted: true, restarted: true, method: "launchd" };
+        },
+      },
+    );
+
+    expect(result.install).toMatchObject({ attempted: true, succeeded: true });
+    expect(result.restart).toMatchObject({ attempted: true, restarted: true });
+    expect(installCalls).toEqual([{ command: "npm", args: ["install", "-g", "tokenbuddy@1.1.0"] }]);
+    expect(restartCalls).toEqual([17820]);
+  });
+
+  test("does not install or restart when the current version is already latest", async () => {
+    const binPath = writePackageJson(tempRoot, "1.0.0");
+    const result = await runPackageUpdate(
+      { apply: true, controlPort: 17820 },
+      {
+        fetch: makeFetch("1.0.0"),
+        argv: ["node", binPath],
+        cwd: tempRoot,
+        env: {},
+        runNpmInstall: () => {
+          throw new Error("install should not run");
+        },
+        restartProxyd: async () => {
+          throw new Error("restart should not run");
+        },
+      },
+    );
+
+    expect(result.install.attempted).toBe(false);
+    expect(result.restart.attempted).toBe(false);
+  });
+
+  test("reports launchd restart scheduling without blocking on the current daemon process", () => {
+    const homeDir = path.join(tempRoot, "home");
+    const plistPath = path.join(homeDir, "Library", "LaunchAgents", "com.tokenbuddy.proxyd.plist");
+    fs.mkdirSync(path.dirname(plistPath), { recursive: true });
+    fs.writeFileSync(plistPath, "", "utf8");
+    const children: string[][] = [];
+
+    const result = scheduleLaunchAgentRestart({
+      platform: "darwin",
+      homeDir,
+      spawn: ((command: string, args: string[]) => {
+        children.push([command, ...args]);
+        return { unref: () => undefined };
+      }) as unknown as typeof import("child_process").spawn,
+    });
+
+    expect(result).toMatchObject({
+      attempted: true,
+      scheduled: true,
+      method: "launchd",
+      plistPath,
+    });
+    expect(children[0]).toEqual(expect.arrayContaining(["sh", "-c"]));
+    expect(children[0][2]).toContain("launchctl kickstart -k");
+  });
+});

package/tests/registry-trust.test.ts

@@ -0,0 +1,28 @@
+import * as crypto from "crypto";
+import {
+  DEFAULT_SELLER_REGISTRY_SIGNATURE_URL,
+  DEFAULT_SELLER_REGISTRY_URL,
+  signatureUrlForRegistryUrl,
+  verifyRegistrySignatureWithKeys
+} from "../src/registry-trust.js";
+
+describe("registry trust", () => {
+  test("derives the default signature URL", () => {
+    expect(signatureUrlForRegistryUrl(DEFAULT_SELLER_REGISTRY_URL)).toBe(DEFAULT_SELLER_REGISTRY_SIGNATURE_URL);
+    expect(signatureUrlForRegistryUrl("https://example.test/v1/registry.json")).toBe("https://example.test/v1/registry.sig");
+  });
+
+  test("verifies Ed25519 detached signatures with supplied keys", () => {
+    const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
+    const registry = JSON.stringify({ version: 1, sellers: [] });
+    const signature = crypto.sign(null, Buffer.from(registry, "utf8"), privateKey).toString("base64url");
+    const keyId = verifyRegistrySignatureWithKeys(registry, signature, {
+      "test-key": publicKey.export({ format: "der", type: "spki" }).toString("base64")
+    });
+
+    expect(keyId).toBe("test-key");
+    expect(() => verifyRegistrySignatureWithKeys(`${registry}\n`, signature, {
+      "test-key": publicKey.export({ format: "der", type: "spki" }).toString("base64")
+    })).toThrow("registry signature verification failed");
+  });
+});

package/tests/route-failover.test.ts

@@ -154,6 +154,19 @@ describe("RouteFailover", () => {
     expect(decision.freshPurchase).toBe(true);
   });
 
+  test("decide on purchase_failed fails over without scheduling a soft retry", () => {
+    const { failover, credit } = buildHarness([{ id: "s1" }, { id: "s2" }]);
+    credit.recordPurchase("s1", 1_000_000, 750_000);
+    const decision = failover.decide(
+      { sellerId: "s1", errorKind: "purchase_failed", errorMessage: "purchase create failed", attempt: 0 },
+      2
+    );
+
+    expect(decision.action).toBe("failover_next");
+    expect(decision.reason).toBe("purchase_failed");
+    expect(decision.wastedCreditMicros).toBe(750_000);
+  });
+
   test("budgetExceeded flag is set when the per-minute purchase budget is exhausted", () => {
     const { failover, credit } = buildHarness([{ id: "s1" }]);
     // Burn through the per-minute budget.

package/tests/seller-catalog-413.test.ts

@@ -1,4 +1,6 @@
-import { RegistryTooLargeError, fetchSellerRegistry } from "../src/seller-catalog.js";
+import * as crypto from "crypto";
+import { RegistryTooLargeError, fetchSellerRegistry, fetchSellerRegistryWithTrust } from "../src/seller-catalog.js";
+import { DEFAULT_SELLER_REGISTRY_URL } from "../src/registry-trust.js";
 
 /**
  * v1.2 §18.9: registry-too-large fallback. The bootstrap returns 413
@@ -46,6 +48,63 @@ describe("RegistryTooLargeError + fetchSellerRegistry 413", () => {
     ).rejects.toThrow(/registry returned 500/);
   });
 
+  test("fetchSellerRegistry rejects the default registry when signature is missing", async () => {
+    globalThis.fetch = (async (url: string | URL | Request) => {
+      const href = String(url);
+      if (href.endsWith("/registry.json")) {
+        return mockJsonResponse(200, { version: 1, sellers: [] });
+      }
+      if (href.endsWith("/registry.sig")) {
+        return mockJsonResponse(404, { error: "missing" });
+      }
+      throw new Error(`unexpected fetch ${href}`);
+    }) as unknown as typeof globalThis.fetch;
+
+    await expect(fetchSellerRegistry(DEFAULT_SELLER_REGISTRY_URL)).rejects.toThrow("registry signature returned 404");
+  });
+
+  test("fetchSellerRegistry can explicitly allow unsigned registry for local development", async () => {
+    const previous = process.env.TB_PROXYD_ALLOW_UNSIGNED_REGISTRY;
+    process.env.TB_PROXYD_ALLOW_UNSIGNED_REGISTRY = "1";
+    globalThis.fetch = (async () => mockJsonResponse(200, { version: 1, sellers: [] })) as unknown as typeof globalThis.fetch;
+    try {
+      await expect(fetchSellerRegistry(DEFAULT_SELLER_REGISTRY_URL)).resolves.toMatchObject({ version: 1, sellers: [] });
+    } finally {
+      if (previous === undefined) {
+        delete process.env.TB_PROXYD_ALLOW_UNSIGNED_REGISTRY;
+      } else {
+        process.env.TB_PROXYD_ALLOW_UNSIGNED_REGISTRY = previous;
+      }
+    }
+  });
+
+  test("fetchSellerRegistryWithTrust returns hash and unsigned trust metadata for allowed local development", async () => {
+    const previous = process.env.TB_PROXYD_ALLOW_UNSIGNED_REGISTRY;
+    process.env.TB_PROXYD_ALLOW_UNSIGNED_REGISTRY = "1";
+    const body = JSON.stringify({ version: 1, sellers: [] });
+    globalThis.fetch = (async () => new Response(body, {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    })) as unknown as typeof globalThis.fetch;
+    try {
+      const result = await fetchSellerRegistryWithTrust(DEFAULT_SELLER_REGISTRY_URL);
+      expect(result.registry).toMatchObject({ version: 1, sellers: [] });
+      expect(result.trust).toMatchObject({
+        registryUrl: DEFAULT_SELLER_REGISTRY_URL,
+        registrySha256: crypto.createHash("sha256").update(body).digest("hex"),
+        verified: false
+      });
+      expect(result.trust.signature).toBeUndefined();
+      expect(result.trust.signingKeyId).toBeUndefined();
+    } finally {
+      if (previous === undefined) {
+        delete process.env.TB_PROXYD_ALLOW_UNSIGNED_REGISTRY;
+      } else {
+        process.env.TB_PROXYD_ALLOW_UNSIGNED_REGISTRY = previous;
+      }
+    }
+  });
+
   test("RegistryTooLargeError is a stable Error subclass with a useful message", () => {
     const err = new RegistryTooLargeError({
       status: 413,

package/tests/seller-concurrency-limiter.test.ts

@@ -0,0 +1,83 @@
+import { SellerConcurrencyLimiter } from "../src/seller-concurrency-limiter.js";
+
+describe("SellerConcurrencyLimiter", () => {
+  afterEach(() => {
+    jest.useRealTimers();
+  });
+
+  test("returns disabled no-op leases by default", () => {
+    const limiter = new SellerConcurrencyLimiter();
+    const first = limiter.tryAcquire("seller-a");
+    const second = limiter.tryAcquire("seller-a");
+
+    expect(first).toBeDefined();
+    expect(second).toBeDefined();
+    expect(limiter.snapshot()).toEqual({
+      enabled: false,
+      maxInFlightPerSeller: 2,
+      leaseTtlMs: 185000,
+      active: []
+    });
+  });
+
+  test("rejects sellers at the local in-flight limit and releases idempotently", () => {
+    const limiter = new SellerConcurrencyLimiter({
+      enabled: true,
+      maxInFlightPerSeller: 1,
+      leaseTtlMs: 10000
+    });
+
+    const lease = limiter.tryAcquire("seller-a");
+    expect(lease).toBeDefined();
+    expect(limiter.tryAcquire("seller-a")).toBeUndefined();
+    expect(limiter.tryAcquire("seller-b")).toBeDefined();
+    expect(limiter.snapshot().active).toEqual([
+      { sellerId: "seller-a", activeCount: 1 },
+      { sellerId: "seller-b", activeCount: 1 }
+    ]);
+
+    lease?.release();
+    lease?.release();
+
+    expect(limiter.tryAcquire("seller-a")).toBeDefined();
+  });
+
+  test("expires leaked leases so sellers become selectable again", () => {
+    jest.useFakeTimers();
+    const limiter = new SellerConcurrencyLimiter({
+      enabled: true,
+      maxInFlightPerSeller: 1,
+      leaseTtlMs: 1000
+    });
+
+    expect(limiter.tryAcquire("seller-a")).toBeDefined();
+    expect(limiter.tryAcquire("seller-a")).toBeUndefined();
+
+    jest.advanceTimersByTime(1000);
+
+    expect(limiter.snapshot().active).toEqual([]);
+    expect(limiter.tryAcquire("seller-a")).toBeDefined();
+  });
+
+  test("refresh extends an active lease watchdog", () => {
+    jest.useFakeTimers();
+    const limiter = new SellerConcurrencyLimiter({
+      enabled: true,
+      maxInFlightPerSeller: 1,
+      leaseTtlMs: 1000
+    });
+
+    const lease = limiter.tryAcquire("seller-a");
+    expect(lease).toBeDefined();
+
+    jest.advanceTimersByTime(900);
+    lease?.refresh();
+    jest.advanceTimersByTime(900);
+
+    expect(limiter.snapshot().active).toEqual([{ sellerId: "seller-a", activeCount: 1 }]);
+
+    jest.advanceTimersByTime(100);
+
+    expect(limiter.snapshot().active).toEqual([]);
+  });
+});

package/tests/seller-pool.test.ts

@@ -112,6 +112,29 @@ describe("SellerPool", () => {
     expect(pool.snapshot()[0].circuit).toBe("half_open");
   });
 
+  test("recycleOpenCircuits refreshes snapshot-based route planning state", () => {
+    const clock = makeClock();
+    const ctx = build([{ id: "s1" }, { id: "s2" }]);
+    const pool = new SellerPool({
+      modelIndex: ctx.index,
+      cache: ctx.cache,
+      creditTracker: ctx.credit,
+      failureThreshold: 1,
+      openStateMs: 1000,
+      now: () => clock.now
+    });
+    pool.sync();
+    pool.recordFailure("s1", "soft_5xx");
+
+    clock.advance(500);
+    expect(pool.recycleOpenCircuits()).toBe(0);
+    expect(pool.snapshot().find((entry) => entry.sellerId === "s1")?.circuit).toBe("open");
+
+    clock.advance(600);
+    expect(pool.recycleOpenCircuits()).toBe(1);
+    expect(pool.snapshot().find((entry) => entry.sellerId === "s1")?.circuit).toBe("half_open");
+  });
+
   test("recordFailure escalates to open after the configured threshold", () => {
     const clock = makeClock();
     const ctx = build([{ id: "s1" }]);