@vellumai/assistant 0.9.0 → 0.10.0-staging.2

package/src/memory/__tests__/onboarding-events-store.test.ts

@@ -8,10 +8,10 @@ mock.module("../../util/logger.js", () => ({
     }),
 }));
 
-// Mutable usage-data gate, flipped per-test.
-let collectUsageData = true;
-mock.module("../../config/loader.js", () => ({
-  getConfig: () => ({ collectUsageData }),
+// Mutable consent gate, flipped per-test.
+let shareAnalytics = true;
+mock.module("../../platform/consent-cache.js", () => ({
+  getCachedShareAnalytics: () => shareAnalytics,
 }));
 
 import { getDb } from "../db-connection.js";
@@ -30,7 +30,7 @@ function resetTable(): void {
 
 describe("onboarding-events-store: recordActivationEvent", () => {
   beforeEach(() => {
-    collectUsageData = true;
+    shareAnalytics = true;
     resetTable();
   });
 
@@ -66,8 +66,8 @@ describe("onboarding-events-store: recordActivationEvent", () => {
     expect(rows[0]!.stepIndex).toBe(2);
   });
 
-  test("returns null and writes no row when collectUsageData is disabled", () => {
-    collectUsageData = false;
+  test("returns null and writes no row when share_analytics is disabled", () => {
+    shareAnalytics = false;
     const event = recordActivationEvent({
       stepName: "activation_moment_1_complete",
       sessionId: "conv-3",

package/src/memory/auth-fallback-events-store.ts

@@ -1,7 +1,7 @@
 import { and, asc, eq, gt, or } from "drizzle-orm";
 import { v4 as uuid } from "uuid";
 
-import { getConfig } from "../config/loader.js";
+import { getCachedShareAnalytics } from "../platform/consent-cache.js";
 import { getDb } from "./db-connection.js";
 import { authFallbackEvents } from "./schema.js";
 
@@ -36,7 +36,7 @@ export function recordAuthFallbackCounts(
   windowEnd: number,
   counts: AuthFallbackCount[],
 ): number {
-  if (!getConfig().collectUsageData) return 0;
+  if (!getCachedShareAnalytics()) return 0;
   if (counts.length === 0) return 0;
   const db = getDb();
   const createdAt = Date.now();

package/src/memory/auto-analysis-enqueue.ts

@@ -1,9 +1,7 @@
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import { getConfig } from "../config/loader.js";
-import {
-  isUntrustedTrustClass,
-  type TrustClass,
-} from "../runtime/actor-trust-resolver.js";
+import { type TrustClass } from "../runtime/actor-trust-resolver.js";
+import { resolveCapabilities } from "../runtime/capabilities.js";
 import { getLogger } from "../util/logger.js";
 import { isAutoAnalysisConversation } from "./auto-analysis-guard.js";
 import { isMemoryEnabled, upsertAutoAnalysisJob } from "./jobs-store.js";
@@ -118,7 +116,7 @@ export function enqueueAutoAnalysisOnCompaction(
   conversationId: string,
   trustClass: TrustClass | undefined,
 ): void {
-  if (isUntrustedTrustClass(trustClass)) {
+  if (!resolveCapabilities(trustClass).canAccessMemory) {
     return;
   }
   try {

package/src/memory/bookmark-crud.ts

@@ -7,8 +7,7 @@ import { conversations, messageBookmarks, messages } from "./schema.js";
 
 /**
  * Wire-shape representation of a bookmark, joined with the bookmarked
- * message and its parent conversation. Mirrors
- * `clients/shared/Network/BookmarkSummary.swift` — dates are emitted as
+ * message and its parent conversation. Dates are emitted as
  * unix-millisecond integers, and the message preview is capped to keep
  * the list payload bounded.
  */

package/src/memory/canonical-guardian-store.ts

@@ -74,7 +74,7 @@ export interface CanonicalGuardianRequest {
   updatedAt: number;
 }
 
-interface CanonicalGuardianDelivery {
+export interface CanonicalGuardianDelivery {
   id: string;
   requestId: string;
   destinationChannel: string;
@@ -674,6 +674,44 @@ export function listPendingCanonicalGuardianRequestsByDestinationChat(
   return pendingRequests;
 }
 
+/**
+ * Find the pending canonical request whose guardian-facing delivery landed on a
+ * specific channel message (channel + chat + message id).
+ *
+ * This is the addressing key for emoji-reaction decisions: a reaction carries
+ * only the message it is attached to, so the delivered card's message id is how
+ * we recover which request the guardian acted on — even when several cards are
+ * pending in the same chat. Returns null when no delivery matches or the matched
+ * request is no longer pending.
+ */
+export function getPendingCanonicalRequestByDestinationMessage(
+  destinationChannel: string,
+  destinationChatId: string,
+  destinationMessageId: string,
+): CanonicalGuardianRequest | null {
+  const db = getDb();
+
+  const delivery = db
+    .select()
+    .from(canonicalGuardianDeliveries)
+    .where(
+      and(
+        eq(canonicalGuardianDeliveries.destinationChannel, destinationChannel),
+        eq(canonicalGuardianDeliveries.destinationChatId, destinationChatId),
+        eq(
+          canonicalGuardianDeliveries.destinationMessageId,
+          destinationMessageId,
+        ),
+      ),
+    )
+    .get();
+
+  if (!delivery) return null;
+
+  const request = getCanonicalGuardianRequest(delivery.requestId);
+  return request && request.status === "pending" ? request : null;
+}
+
 // ---------------------------------------------------------------------------
 // Conversation scope helpers
 // ---------------------------------------------------------------------------

package/src/memory/conversation-crud.ts

@@ -129,7 +129,7 @@ export const messageMetadataSchema = z
      * and read gate (conversation history loading) to enforce trust-aware access.
      */
     provenanceTrustClass: z
-      .enum(["guardian", "trusted_contact", "unknown"])
+      .enum(["guardian", "trusted_contact", "unverified_contact", "unknown"])
       .optional(),
     provenanceSourceChannel: channelIdSchema.optional(),
     provenanceGuardianExternalUserId: z.string().optional(),
@@ -2575,12 +2575,17 @@ export function getConversationOriginInterface(
  * in the given conversation, or `undefined` if none is found.
  *
  * Used by the pointer message trust resolver to detect conversations
- * whose audience is a guardian or trusted_contact outside desktop-origin
- * conversations.
+ * whose audience is a guardian, trusted_contact, or unverified_contact
+ * outside desktop-origin conversations.
  */
 export function getConversationRecentProvenanceTrustClass(
   conversationId: string,
-): "guardian" | "trusted_contact" | "unknown" | undefined {
+):
+  | "guardian"
+  | "trusted_contact"
+  | "unverified_contact"
+  | "unknown"
+  | undefined {
   const row = rawGet<{ metadata: string | null }>(
     `SELECT metadata FROM messages
      WHERE conversation_id = ? AND role = 'user' AND metadata IS NOT NULL

package/src/memory/conversation-key-store.ts

@@ -135,7 +135,16 @@ export function resolveConversationId(idOrKey: string): string | null {
  */
 export function getOrCreateConversation(
   conversationKey: string,
-  opts?: { conversationType?: "standard" },
+  opts?: {
+    conversationType?: "standard";
+    /**
+     * Caller-supplied title for the conversation, used only when this call
+     * actually creates the row. Treated as a user-set title (`isAutoTitle = 0`)
+     * so the async LLM title generator's safe-overwrite check leaves it
+     * untouched. Ignored when the conversation already exists.
+     */
+    title?: string;
+  },
 ): {
   conversationId: string;
   conversationType: string;
@@ -205,13 +214,19 @@ export function getOrCreateConversation(
 
     const now = Date.now();
     const conversationId = uuid();
-    const title = GENERATING_TITLE;
+    const customTitle = opts?.title?.trim();
+    const title = customTitle || GENERATING_TITLE;
     const memoryScopeId = "default";
 
     tx.insert(conversations)
       .values({
         id: conversationId,
         title,
+        // A caller-supplied title is user-set: mark it non-auto (0) so the
+        // async LLM title generator's `canReplaceTitle` check won't overwrite
+        // it. Without one, omit the column so it takes its default
+        // (AUTO_TITLE_LLM) and follows the auto-generated placeholder flow.
+        ...(customTitle ? { isAutoTitle: 0 } : {}),
         createdAt: now,
         updatedAt: now,
         totalInputTokens: 0,

package/src/memory/conversation-title-service.ts

@@ -166,6 +166,7 @@ export async function generateAndPersistConversationTitle(
     const fallback = deriveFallbackTitle(context) ?? UNTITLED_FALLBACK;
     updateConversationTitle(conversationId, fallback, AUTO_TITLE_DETERMINISTIC);
     publishConversationTitleChanged(conversationId, fallback);
+    logRetryableFallback(params, "no_provider");
     return { title: fallback, updated: true };
   }
 
@@ -206,6 +207,7 @@ export async function generateAndPersistConversationTitle(
   const fallback = deriveFallbackTitle(context) ?? UNTITLED_FALLBACK;
   updateConversationTitle(conversationId, fallback, AUTO_TITLE_DETERMINISTIC);
   publishConversationTitleChanged(conversationId, fallback);
+  logRetryableFallback(params, "empty_output");
   return { title: fallback, updated: true };
 }
 
@@ -230,7 +232,7 @@ export const titleMutex = new Mutex();
 /**
  * Fire-and-forget wrapper for title generation. Failures are logged
  * but do not propagate. On failure, replaces loading placeholder with
- * a stable fallback title so loading state is never permanent.
+ * a retryable fallback title so loading state is never permanent.
  *
  * Calls are serialized via {@link titleMutex} so burst conversation
  * creation does not overwhelm the LLM provider.
@@ -244,16 +246,20 @@ export function queueGenerateConversationTitle(
     })
     .catch((err) => {
       log.warn(
-        { err, conversationId: params.conversationId },
-        "Failed to generate conversation title (non-fatal)",
+        retryableFallbackLogFields(params, "generation_error", err),
+        "Conversation title generation used retryable fallback",
       );
-      // Replace loading placeholder with stable fallback
+      // Replace loading placeholder with a retryable fallback.
       try {
         const conversation = getConversation(params.conversationId);
         if (conversation && conversation.title === GENERATING_TITLE) {
           const fallback =
             deriveFallbackTitle(params.context) ?? UNTITLED_FALLBACK;
-          updateConversationTitle(params.conversationId, fallback);
+          updateConversationTitle(
+            params.conversationId,
+            fallback,
+            AUTO_TITLE_DETERMINISTIC,
+          );
           publishConversationTitleChanged(params.conversationId, fallback);
         }
       } catch {
@@ -268,6 +274,11 @@ export interface RegenerateTitleParams {
   conversationId: string;
   provider?: Provider;
   signal?: AbortSignal;
+  /**
+   * Limit regeneration to placeholder or deterministic titles. Used for retrying
+   * failed initial generation without racing against a successful initial title.
+   */
+  onlyIfReplaceable?: boolean;
 }
 
 /**
@@ -278,12 +289,15 @@ export interface RegenerateTitleParams {
 export async function regenerateConversationTitle(
   params: RegenerateTitleParams,
 ): Promise<{ title: string; updated: boolean }> {
-  const { conversationId, signal } = params;
+  const { conversationId, onlyIfReplaceable, signal } = params;
 
   const conversation = getConversation(conversationId);
   if (!conversation || !conversation.isAutoTitle) {
     return { title: conversation?.title ?? UNTITLED_FALLBACK, updated: false };
   }
+  if (onlyIfReplaceable && !canReplaceTitle(conversation)) {
+    return { title: conversation.title ?? UNTITLED_FALLBACK, updated: false };
+  }
 
   const provider =
     params.provider ?? (await getConfiguredProvider("conversationTitle"));
@@ -317,7 +331,11 @@ export async function regenerateConversationTitle(
   if (title) {
     // Re-check isAutoTitle before persisting (race guard against manual rename)
     const current = getConversation(conversationId);
-    if (!current || !current.isAutoTitle) {
+    if (
+      !current ||
+      !current.isAutoTitle ||
+      (onlyIfReplaceable && !canReplaceTitle(current))
+    ) {
       return { title: current?.title ?? UNTITLED_FALLBACK, updated: false };
     }
 
@@ -408,6 +426,45 @@ function buildTitlePrompt(
   return parts.join("\n");
 }
 
+function titleGenerationLogFields(params: GenerateTitleParams) {
+  return {
+    conversationId: params.conversationId,
+    contextOrigin: params.context?.origin,
+    hasContext: Boolean(params.context),
+    userMessageLength: params.userMessage?.length ?? 0,
+    assistantResponseLength: params.assistantResponse?.length ?? 0,
+  };
+}
+
+type TitleGenerationFallbackReason =
+  | "no_provider"
+  | "empty_output"
+  | "generation_error";
+
+function retryableFallbackLogFields(
+  params: GenerateTitleParams,
+  reason: TitleGenerationFallbackReason,
+  err?: unknown,
+): Record<string, unknown> {
+  const fields: Record<string, unknown> = {
+    ...titleGenerationLogFields(params),
+    reason,
+    fallbackSource: params.context ? "context" : "untitled",
+  };
+  if (err) fields.err = err;
+  return fields;
+}
+
+function logRetryableFallback(
+  params: GenerateTitleParams,
+  reason: TitleGenerationFallbackReason,
+): void {
+  log.warn(
+    retryableFallbackLogFields(params, reason),
+    "Conversation title generation used retryable fallback",
+  );
+}
+
 const META_FAILURE_TITLES = new Set([
   "missing context",
   "no context",

package/src/memory/db-init.ts

@@ -40,6 +40,7 @@ import {
   createSkillLoadedEventsTable,
   createTasksAndWorkItemsTables,
   createWatchersAndLogsTables,
+  dropApprovalPromptTsTrackerTable,
   migrate230AcpSessionHistory,
   migrate231RepairMemoryGraphEventDates,
   migrateA2ATasks,
@@ -68,6 +69,7 @@ import {
   migrateChannelInboundDeliveryAttempts,
   migrateChannelInteractionColumns,
   migrateContactChannelsAccessFields,
+  migrateContactChannelsRenormalizeAddresses,
   migrateContactChannelsTypeChatIdIndex,
   migrateContactChannelsUniqueExtUser,
   migrateContactsAssistantId,
@@ -101,6 +103,7 @@ import {
   migrateDropConflicts,
   migrateDropContactInteractionColumns,
   migrateDropEntityTables,
+  migrateDropExternalUserId,
   migrateDropLegacyMemberGuardianTables,
   migrateDropLoopbackPortColumn,
   migrateDropMemoryItemsTables,
@@ -194,7 +197,9 @@ import {
   migrateRenameVerificationSessionIdColumn,
   migrateRenameVerificationTable,
   migrateRenameVoiceToPhone,
+  migrateRewriteBalancedEconomyProfilePins,
   migrateScheduleCapabilities,
+  migrateScheduleDefaultNoReuseConversation,
   migrateScheduleDescription,
   migrateScheduleInferenceProfile,
   migrateScheduleOneShotRouting,
@@ -222,6 +227,7 @@ import {
   migrateUsageLlmCallCount,
   migrateVoiceInviteColumns,
   migrateVoiceInviteDisplayMetadata,
+  migrateWorkflowJournalLeafTokens,
   migrateWorkflowRuns,
   migrateWorkflowRunTrust,
   recoverCrashedMigrations,
@@ -229,6 +235,7 @@ import {
   runLateMigrations,
   validateMigrationState,
 } from "./migrations/index.js";
+import { runMigrationSteps } from "./migrations/run-migrations.js";
 
 // ---------------------------------------------------------------------------
 // Test DB template — run migrations once, reuse across test files
@@ -518,29 +525,22 @@ export function initializeDb(): void {
     migrateBackfillOriginChannelFromBindings,
     migrateContactChannelsUniqueExtUser,
     migrateScheduleCapabilities,
+    migrateContactChannelsRenormalizeAddresses,
+    migrateScheduleDefaultNoReuseConversation,
+    migrateWorkflowJournalLeafTokens,
+    migrateDropExternalUserId,
+    dropApprovalPromptTsTrackerTable,
+    migrateRewriteBalancedEconomyProfilePins,
   ];
 
   // Run each migration step, catching and logging individual failures so one
   // broken migration doesn't prevent independent later ones from succeeding.
-  const failures: string[] = [];
-  for (const step of migrationSteps) {
-    try {
-      log.debug({ migration: step.name }, `Starting migration: ${step.name}`);
-      step(database);
-      log.debug({ migration: step.name }, `Migration succeeded: ${step.name}`);
-    } catch (err) {
-      failures.push(step.name);
-      log.error(
-        { err, migration: step.name },
-        `Migration failed: ${step.name}`,
-      );
-    }
-  }
+  const { failed } = runMigrationSteps(database, migrationSteps);
 
-  if (failures.length > 0) {
+  if (failed.length > 0) {
     log.error(
-      { failedMigrations: failures, count: failures.length },
-      `DB initialization completed with ${failures.length} failed migration(s)`,
+      { failedMigrations: failed, count: failed.length },
+      `DB initialization completed with ${failed.length} failed migration(s)`,
     );
   }
 

package/src/memory/embedding-backend.ts

@@ -7,6 +7,13 @@ import { PLATFORM_PROVIDER_META } from "../providers/platform-proxy/constants.js
 import { resolveManagedProxyContext } from "../providers/platform-proxy/context.js";
 import { getProviderKeyAsync } from "../security/secure-keys.js";
 import { getLogger } from "../util/logger.js";
+import {
+  EmbeddingBillingBlockError,
+  extractHttpStatus,
+  isEmbeddingBillingBreakerOpen,
+  recordBillingBlock,
+  recordBillingSuccess,
+} from "./embedding-billing-breaker.js";
 import { GeminiEmbeddingBackend } from "./embedding-gemini.js";
 import { OllamaEmbeddingBackend } from "./embedding-ollama.js";
 import { OpenAIEmbeddingBackend } from "./embedding-openai.js";
@@ -490,6 +497,20 @@ export async function getMemoryBackendStatus(config: AssistantConfig): Promise<{
   };
 }
 
+/**
+ * Thrown by {@link embedWithBackend} when no embedding backend is configured or
+ * available. This is a PROCESS-WIDE condition (backend selection is effectively
+ * cached for the run), so a caller embedding many items should treat the first
+ * occurrence as fatal to the whole batch rather than a per-item failure — see
+ * `backfillAllSections`, which aborts on it instead of churning through deletes.
+ */
+export class EmbeddingBackendUnavailableError extends Error {
+  constructor(message = "No memory embedding backend configured") {
+    super(message);
+    this.name = "EmbeddingBackendUnavailableError";
+  }
+}
+
 export async function embedWithBackend(
   config: AssistantConfig,
   inputs: EmbeddingInput[],
@@ -499,9 +520,15 @@ export async function embedWithBackend(
   model: string;
   vectors: number[][];
 }> {
+  // Fail-fast when the billing breaker is open — avoids burning a network
+  // round-trip on every caller (embed lane jobs, activation recompute, etc.).
+  if (isEmbeddingBillingBreakerOpen()) {
+    throw new EmbeddingBillingBlockError();
+  }
+
   const selection = await selectEmbeddingBackend(config);
   if (!selection.backend) {
-    throw new Error(
+    throw new EmbeddingBackendUnavailableError(
       selection.reason ?? "No memory embedding backend configured",
     );
   }
@@ -612,6 +639,10 @@ export async function embedWithBackend(
         );
       }
 
+      // A successful backend call proves billing is active — close the
+      // breaker if it was in the probe window.
+      recordBillingSuccess();
+
       if (isPrimary) {
         const merged = [...cached] as number[][];
         for (let i = 0; i < uncachedIndices.length; i++) {
@@ -626,6 +657,12 @@ export async function embedWithBackend(
       return { provider: backend.provider, model: backend.model, vectors };
     } catch (err) {
       lastErr = err;
+      // If ANY backend in the chain returns 402, trip the billing breaker
+      // immediately — fallbacks will hit the same depleted balance.
+      if (extractHttpStatus(err) === 402) {
+        recordBillingBlock();
+        throw err;
+      }
       if (backends.length > 1) {
         log.warn(
           { err, provider: backend.provider },

package/src/memory/embedding-billing-breaker.ts

@@ -0,0 +1,96 @@
+import { getLogger } from "../util/logger.js";
+
+const log = getLogger("embedding-billing-breaker");
+
+/**
+ * Lightweight circuit breaker for embedding billing blocks (HTTP 402).
+ *
+ * Unlike the Qdrant circuit breaker (which needs a failure threshold and
+ * half-open probe logic), billing exhaustion is deterministic — a single
+ * 402 means the org is depleted and every subsequent call will fail
+ * identically. The breaker opens immediately on the first 402 and stays
+ * open for COOLDOWN_MS, then allows one probe through. A successful
+ * probe (no 402) closes the breaker; a failed probe re-opens it.
+ */
+
+const COOLDOWN_MS = 5 * 60 * 1000; // 5 minutes
+
+type BreakerState = "closed" | "open";
+
+let breakerState: BreakerState = "closed";
+let openedAt = 0;
+
+export class EmbeddingBillingBlockError extends Error {
+  constructor() {
+    super("Embedding billing breaker open — org balance depleted");
+    this.name = "EmbeddingBillingBlockError";
+  }
+}
+
+/** Trip the breaker after a 402 billing block. */
+export function recordBillingBlock(): void {
+  if (breakerState === "closed") {
+    log.warn(
+      { cooldownMs: COOLDOWN_MS },
+      "Embedding billing breaker opened — embedding jobs paused until probe succeeds",
+    );
+  }
+  breakerState = "open";
+  openedAt = Date.now();
+}
+
+/**
+ * Clear the breaker after a successful embedding call during the probe
+ * window. Ignored when the breaker is closed or when the cooldown has not
+ * yet elapsed — this prevents a concurrent in-flight embed job (started
+ * before the breaker opened) from prematurely closing a freshly-tripped
+ * breaker.
+ */
+export function recordBillingSuccess(): void {
+  if (breakerState !== "open") return;
+  if (Date.now() - openedAt < COOLDOWN_MS) return;
+  log.info("Embedding billing breaker closed — billing probe succeeded");
+  breakerState = "closed";
+  openedAt = 0;
+}
+
+/** True when the breaker is open and the cooldown has NOT yet elapsed. */
+export function isEmbeddingBillingBreakerOpen(): boolean {
+  if (breakerState === "closed") return false;
+  if (Date.now() - openedAt >= COOLDOWN_MS) return false;
+  return true;
+}
+
+/**
+ * True when the breaker is open but the cooldown has elapsed, meaning the
+ * next embed job should be allowed through as a probe to check whether
+ * the org has been re-funded.
+ */
+export function shouldAllowBillingProbe(): boolean {
+  return breakerState === "open" && Date.now() - openedAt >= COOLDOWN_MS;
+}
+
+/** Extract an HTTP status code from an error, if present. */
+export function extractHttpStatus(err: unknown): number | undefined {
+  if (err == null || typeof err !== "object") return undefined;
+
+  // SDK-style errors (OpenAI, Anthropic) carry `.status` directly.
+  if ("status" in err) {
+    const s = (err as { status?: unknown }).status;
+    if (typeof s === "number") return s;
+  }
+
+  // Gemini/Ollama backends embed the status in the message: "... (402): ..."
+  if (err instanceof Error) {
+    const match = err.message.match(/\((\d{3})\)/);
+    if (match) return parseInt(match[1], 10);
+  }
+
+  return undefined;
+}
+
+/** @internal Test-only: reset breaker state. */
+export function _resetEmbeddingBillingBreaker(): void {
+  breakerState = "closed";
+  openedAt = 0;
+}

package/src/memory/jobs-store.ts

@@ -5,6 +5,10 @@ import { getConfig } from "../config/loader.js";
 import { getLogger } from "../util/logger.js";
 import { truncate } from "../util/truncate.js";
 import { getDb } from "./db-connection.js";
+import {
+  isEmbeddingBillingBreakerOpen,
+  shouldAllowBillingProbe,
+} from "./embedding-billing-breaker.js";
 import {
   isQdrantBreakerOpen,
   shouldAllowQdrantProbe,
@@ -533,24 +537,32 @@ export function claimMemoryJobs(limits: LaneBudgets): MemoryJob[] {
           .all()
       : [];
 
-  // Embed lane: gated by the Qdrant circuit breaker. When the breaker is open,
-  // skip embed jobs entirely — they would just be claimed → fail → deferred,
-  // wasting CPU cycles. Exception: if the cooldown has elapsed (breaker ready
-  // for half-open probe), allow exactly 1 embed job through so the breaker
-  // can self-heal. Note: this gate applies ONLY to the embed lane; slow and
-  // fast lanes run unimpeded.
-  const breakerOpen = isQdrantBreakerOpen();
-  const probeAllowed = breakerOpen && shouldAllowQdrantProbe();
-  const skipEmbedJobs = breakerOpen && !probeAllowed;
+  // Embed lane: gated by both the Qdrant circuit breaker and the billing
+  // breaker. When either breaker is open, skip embed jobs entirely — they
+  // would just be claimed → fail → deferred, wasting CPU cycles. Exception:
+  // if the cooldown has elapsed (breaker ready for probe), allow exactly
+  // 1 embed job through so the breaker can self-heal.
+  const qdrantBreakerOpen = isQdrantBreakerOpen();
+  const qdrantProbeAllowed = qdrantBreakerOpen && shouldAllowQdrantProbe();
+  const billingBreakerOpen = isEmbeddingBillingBreakerOpen();
+  const billingProbeAllowed = !billingBreakerOpen && shouldAllowBillingProbe();
+  const skipEmbedJobs =
+    (qdrantBreakerOpen && !qdrantProbeAllowed) ||
+    (billingBreakerOpen && !billingProbeAllowed);
+  const probeAllowed = qdrantProbeAllowed || billingProbeAllowed;
   const embedLimit = probeAllowed ? Math.min(1, limits.embed) : limits.embed;
 
   if (skipEmbedJobs && limits.embed > 0) {
-    log.debug("Skipping embed job claims — Qdrant circuit breaker is open");
+    if (billingBreakerOpen) {
+      log.debug(
+        "Skipping embed job claims — embedding billing breaker is open",
+      );
+    } else {
+      log.debug("Skipping embed job claims — Qdrant circuit breaker is open");
+    }
   }
   if (probeAllowed && limits.embed > 0) {
-    log.debug(
-      "Allowing 1 embed probe job — Qdrant circuit breaker cooldown elapsed",
-    );
+    log.debug("Allowing 1 embed probe job — breaker cooldown elapsed");
   }
 
   const embedCandidates =