switchroom 0.11.0 → 0.11.1

package/telegram-plugin/gateway/auth-command.ts

@@ -220,6 +220,16 @@ export interface AuthBrokerClient {
     agent: string,
     account: string | null,
   ): Promise<{ agent: string; account: string | null }>
+  /**
+   * Live Anthropic quota probe via the broker (#1336). The broker
+   * uses its stored accessTokens to hit `/v1/messages` server-side
+   * and returns parsed rate-limit headers. Tokens never reach the
+   * caller. Per-label results are returned in input order.
+   */
+  probeQuota(
+    accounts: readonly string[],
+    timeoutMs?: number,
+  ): Promise<{ results: Array<{ label: string; result: import('../quota-check.js').QuotaResult }> }>
 }
 
 export interface AuthCommandContext {

package/telegram-plugin/gateway/gateway.ts

@@ -128,7 +128,6 @@ import {
   resolveModelUnavailableFromOperatorEvent,
 } from '../model-unavailable.js'
 import { runFleetAutoFallback } from '../auto-fallback-fleet.js'
-import { fetchAccountQuota } from '../quota-check.js'
 import { startRestartWatchdog } from './restart-watchdog.js'
 import { validateStringArray } from './access-validator.js'
 
@@ -8908,12 +8907,18 @@ async function doFireFleetAutoFallback(triggerAgent: string): Promise<boolean> {
       return false
     }
     const state = await client.listState()
-    // Probe live quota for every account in parallel. force:true
-    // bypasses the 5-min in-process cache — we want the freshest data
-    // for the swap decision, not a cached stale read.
-    const quotas = await Promise.all(
-      state.accounts.map((a) => fetchAccountQuota(a.label, { force: true })),
-    )
+    // Probe live quota via the broker (#1336). Pre-fix this read
+    // credentials.json off the agent HOME, which is never populated
+    // post-RFC-H — every account looked "no credentials" and the
+    // fallback logic rolled blindly. Broker-routed probes use the
+    // canonical stored tokens.
+    const probeResp = state.accounts.length > 0
+      ? await client.probeQuota(state.accounts.map((a) => a.label)).catch(() => ({ results: [] }))
+      : { results: [] }
+    const quotas = state.accounts.map((a) => {
+      const hit = probeResp.results.find((r) => r.label === a.label)
+      return hit?.result ?? { ok: false as const, reason: 'broker returned no result for account' }
+    })
     const tz = process.env.SWITCHROOM_TIMEZONE ?? process.env.TZ ?? 'UTC'
     const outcome = await runFleetAutoFallback({
       state,
@@ -9098,17 +9103,31 @@ bot.command("auth", async ctx => {
     isAdmin,
     client,
     chatId,
-    // Format 2 enricher — probe live quota for every account in
-    // parallel so the snapshot reflects current Anthropic-side
-    // utilization, not the broker's potentially-days-stale
-    // disk-cached `quota.json`. force:true bypasses the 5-min
-    // in-process cache for this call. ~500-800ms per account
-    // serial; in parallel ~800ms total for typical 3-account
-    // fleets — acceptable for an interactive command.
-    liveQuotas: async (accounts) =>
-      Promise.all(
-        accounts.map((a) => fetchAccountQuota(a.label, { force: true })),
-      ),
+    // Format 2 enricher — live quota probe via the broker (#1336).
+    // Pre-broker this read `~/.switchroom/accounts/<label>/credentials.json`
+    // off the agent's HOME, which post-RFC-H is never populated (broker
+    // writes only the per-agent .claude/.credentials.json mirror) — so
+    // every account showed "no credentials.json or accessToken" in
+    // /auth show. The broker is the source of truth for tokens and now
+    // does the Anthropic probe server-side via `probe-quota`. Tokens
+    // never leave the broker container.
+    liveQuotas: async (accounts) => {
+      try {
+        const { results } = await client.probeQuota(accounts.map((a) => a.label))
+        // Preserve input order (broker also preserves it, but be defensive).
+        return accounts.map((a) => {
+          const hit = results.find((r) => r.label === a.label)
+          if (!hit) return { ok: false as const, reason: "broker returned no result for account" }
+          return hit.result
+        })
+      } catch (err) {
+        // Surface a uniform per-account failure so the dashboard renders
+        // gracefully (label badge stays UNKNOWN) instead of falling back
+        // to the legacy table.
+        const reason = `broker probe-quota failed: ${(err as Error)?.message ?? String(err)}`
+        return accounts.map(() => ({ ok: false as const, reason }))
+      }
+    },
     tz: process.env.SWITCHROOM_TIMEZONE ?? process.env.TZ,
   })
   // Translate the handler's optional keyboard shape into grammy's
@@ -10855,9 +10874,14 @@ async function handleAuthDashboardCallback(ctx: Context): Promise<void> {
         return
       }
       const state = await client.listState()
-      const quotas = await Promise.all(
-        state.accounts.map((a) => fetchAccountQuota(a.label, { force: true })),
-      )
+      // Broker-routed probe (#1336) — see gateway.ts:8910 for diagnosis.
+      const probeResp = state.accounts.length > 0
+        ? await client.probeQuota(state.accounts.map((a) => a.label)).catch(() => ({ results: [] }))
+        : { results: [] }
+      const quotas = state.accounts.map((a) => {
+        const hit = probeResp.results.find((r) => r.label === a.label)
+        return hit?.result ?? { ok: false as const, reason: 'broker returned no result for account' }
+      })
       const tz = process.env.SWITCHROOM_TIMEZONE ?? process.env.TZ ?? 'UTC'
       const { renderAuthSnapshotFormat2, buildSnapshotsFromState, buildSnapshotKeyboard } = await import(
         '../auth-snapshot-format.js'
@@ -11329,9 +11353,12 @@ bot.command('usage', async ctx => {
     if (client) {
       const state = await client.listState()
       if (state.accounts.length > 0) {
-        const quotas = await Promise.all(
-          state.accounts.map((a) => fetchAccountQuota(a.label, { force: true })),
-        )
+        // Broker-routed probe (#1336) — see gateway.ts:8910 for diagnosis.
+        const probeResp = await client.probeQuota(state.accounts.map((a) => a.label)).catch(() => ({ results: [] }))
+        const quotas = state.accounts.map((a) => {
+          const hit = probeResp.results.find((r) => r.label === a.label)
+          return hit?.result ?? { ok: false as const, reason: 'broker returned no result for account' }
+        })
         const { renderAuthSnapshotFormat2, buildSnapshotsFromState } = await import(
           '../auth-snapshot-format.js'
         )

package/telegram-plugin/gateway/hostd-dispatch.ts

@@ -30,15 +30,23 @@ let _hostdEnabled: boolean | undefined;
  * Cached for the gateway's lifetime — config doesn't change without a
  * restart, and the file-read isn't free.
  *
+ * Default-on since the RFC C Phase 2 default-flip: the schema gives
+ * `host_control.enabled` a `.default(true)` and the block itself a
+ * `.default({})`, so any config parsed through Zod will have the
+ * field populated. We use `!== false` semantics here so this helper
+ * also matches the default-on view on paths that bypass the parser
+ * (tests with partial mocks, code that constructs configs directly).
+ *
  * Best-effort: if the config can't be loaded (gateway running in a
  * dir where loadConfig fails), returns false so the dispatch helper
- * falls through to the legacy spawn path.
+ * falls through to the legacy spawn path — better to fail closed
+ * than to attempt a hostd RPC against a daemon that might not exist.
  */
 export function isHostdEnabled(): boolean {
   if (_hostdEnabled !== undefined) return _hostdEnabled;
   try {
     const cfg = loadSwitchroomConfig();
-    _hostdEnabled = cfg.host_control?.enabled === true;
+    _hostdEnabled = cfg.host_control?.enabled !== false;
   } catch {
     _hostdEnabled = false;
   }