switchroom 0.11.1 → 0.12.1

package/telegram-plugin/format.ts

@@ -380,6 +380,77 @@ export function escapeHtml(text: string): string {
     .replace(/"/g, '"')
 }
 
+/**
+ * Last-resort renderer: turn (possibly malformed) Telegram HTML into
+ * readable plain text. Used by the gateway's send/edit path when
+ * Telegram rejects a chunk with a 400 "can't parse entities" /
+ * "unsupported start tag" — i.e. our HTML prevention (markdownToHtml +
+ * sanitizeForTelegram + splitHtmlChunks) let something through anyway.
+ *
+ * The caller resends the result with `parse_mode` UNSET, so the output
+ * is literal text — we intentionally do NOT re-escape `< > &`. The goal
+ * is "the agent's answer lands unformatted" instead of "the answer
+ * silently vanishes" (visibility + always-on).
+ *
+ * Transforms, in order:
+ *  1. `<a href="u">label</a>` → `label (u)` (or just `u` when label is
+ *     empty or equals the href). href/label are themselves stripped +
+ *     entity-decoded so we never emit nested markup.
+ *  2. Block / break boundaries → newline: `<br>`, `</p>`, `</div>`,
+ *     `</li>`, `</blockquote>`, `</pre>`. (These aren't Telegram-
+ *     supported tags, but a markdown→HTML slip that emits one is a
+ *     prime cause of the parse reject we're recovering from.)
+ *  3. Strip every remaining tag.
+ *  4. Decode the standard HTML entities Telegram uses.
+ *  5. Collapse 3+ blank lines to 2; trim trailing per-line whitespace.
+ */
+export function telegramHtmlToPlainText(html: string): string {
+  const decodeEntities = (s: string): string =>
+    s
+      .replace(/&amp;/g, '&')
+      .replace(/&lt;/g, '<')
+      .replace(/&gt;/g, '>')
+      .replace(/&quot;/g, '"')
+      .replace(/&#0*39;|&#x0*27;|&apos;/gi, "'")
+      .replace(/&nbsp;/g, ' ')
+      .replace(/&#(\d+);/g, (_m, d: string) => {
+        const cp = Number(d)
+        return Number.isFinite(cp) && cp > 0 && cp <= 0x10ffff
+          ? String.fromCodePoint(cp)
+          : _m
+      })
+      .replace(/&#x([0-9a-fA-F]+);/g, (_m, h: string) => {
+        const cp = parseInt(h, 16)
+        return Number.isFinite(cp) && cp > 0 && cp <= 0x10ffff
+          ? String.fromCodePoint(cp)
+          : _m
+      })
+
+  const stripTags = (s: string): string =>
+    decodeEntities(
+      s
+        .replace(/<\s*br\s*\/?\s*>/gi, '\n')
+        .replace(/<\/\s*(?:p|div|li|blockquote|pre|h[1-6])\s*>/gi, '\n')
+        .replace(/<[^>]*>/g, ''),
+    )
+
+  // 1. Anchors → "label (href)". Handle double/single/unquoted href.
+  const withPlainLinks = html.replace(
+    /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi,
+    (_m, dq: string | undefined, sq: string | undefined, uq: string | undefined, label: string) => {
+      const href = decodeEntities((dq ?? sq ?? uq ?? '').trim())
+      const text = stripTags(label).trim()
+      if (!href) return text
+      return !text || text === href ? href : `${text} (${href})`
+    },
+  )
+
+  return stripTags(withPlainLinks)
+    .replace(/[ \t]+$/gm, '')
+    .replace(/\n{3,}/g, '\n\n')
+    .trim()
+}
+
 // ---------------------------------------------------------------------------
 // Output sanitizer — enforces fleet-wide Telegram formatting invariants
 // ---------------------------------------------------------------------------

package/telegram-plugin/gateway/access-validator.test.ts

@@ -2,8 +2,8 @@
  * Unit tests for access-validator.ts — validateStringArray.
  *
  * This function guards access.json fields at load time. The motivating bug:
- * a hand-edit that drops quotes around IDs (`[8248703757]` instead of
- * `["8248703757"]`) produces a valid JSON number array. Array.includes() uses
+ * a hand-edit that drops quotes around IDs (`[12345]` instead of
+ * `["12345"]`) produces a valid JSON number array. Array.includes() uses
  * strict equality, so number entries never match the string comparison in the
  * gate — every DM is silently dropped.
  *
@@ -27,7 +27,7 @@ describe('validateStringArray', () => {
   // ─── Happy path ────────────────────────────────────────────────────────────
 
   it('returns the array unchanged for a valid string array', () => {
-    expect(validateStringArray('allowFrom', ['8248703757', '9999'])).toEqual(['8248703757', '9999'])
+    expect(validateStringArray('allowFrom', ['12345', '9999'])).toEqual(['12345', '9999'])
     expect(stderrSpy).not.toHaveBeenCalled()
   })
 
@@ -49,21 +49,21 @@ describe('validateStringArray', () => {
   // ─── Bug reproduction: number array ────────────────────────────────────────
 
   it('rejects a number array (the hand-edit bug) and returns []', () => {
-    // This is the exact bug: [8248703757] parses as a number, not a string.
-    // Array.includes("8248703757") === false for a number entry — silently drops DMs.
-    const result = validateStringArray('allowFrom', [8248703757])
+    // This is the exact bug: [12345] parses as a number, not a string.
+    // Array.includes("12345") === false for a number entry — silently drops DMs.
+    const result = validateStringArray('allowFrom', [12345])
     expect(result).toEqual([])
     expect(stderrSpy).toHaveBeenCalled()
     const msg = String(stderrSpy.mock.calls[0][0])
     expect(msg).toContain('allowFrom')
     expect(msg).toContain('non-string entries')
-    expect(msg).toContain('8248703757')
+    expect(msg).toContain('12345')
   })
 
   // ─── Mixed array ──────────────────────────────────────────────────────────
 
   it('rejects a mixed array (some strings, some numbers) and returns []', () => {
-    const result = validateStringArray('allowFrom', ['8248703757', 9999])
+    const result = validateStringArray('allowFrom', ['12345', 9999])
     expect(result).toEqual([])
     expect(stderrSpy).toHaveBeenCalled()
     const msg = String(stderrSpy.mock.calls[0][0])

package/telegram-plugin/gateway/access-validator.ts

@@ -2,7 +2,7 @@
  * Validates fields loaded from access.json, failing loudly on type mismatches.
  *
  * JSON has no type system — a hand-edit that drops quotes around IDs
- * (e.g. `[8248703757]` instead of `["8248703757"]`) parses without error
+ * (e.g. `[12345]` instead of `["12345"]`) parses without error
  * but produces a number array. The gate compares with strict equality via
  * Array.includes(), so number entries silently drop every matching DM.
  *

package/telegram-plugin/gateway/approval-card.test.ts

@@ -12,7 +12,7 @@ import {
 describe("approval card", () => {
   it("renders the pristine card with default buttons", () => {
     const card = buildApprovalCard({
-      request_id: "a3f1b9c2",
+      request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2",
       agent: "klanker",
       scope_humanized: "secret:OPENAI_API_KEY",
       why: "needs to call OpenAI",
@@ -24,14 +24,14 @@ describe("approval card", () => {
     // Validate the inline_keyboard structure carries our four callback shapes
     const flat = card.reply_markup.inline_keyboard.flat();
     const datas = flat.map((b) => ("callback_data" in b ? b.callback_data : ""));
-    expect(datas).toContain("apv:a3f1b9c2:once");
-    expect(datas).toContain("apv:a3f1b9c2:deny");
-    expect(datas).toContain("apv:a3f1b9c2:always");
+    expect(datas).toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:once");
+    expect(datas).toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:deny");
+    expect(datas).toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:always");
   });
 
   it("respects offer_always=false and offer_ttl=true", () => {
     const card = buildApprovalCard({
-      request_id: "a3f1b9c2",
+      request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2",
       agent: "k",
       scope_humanized: "x",
       offer_always: false,
@@ -40,13 +40,13 @@ describe("approval card", () => {
     const datas = card.reply_markup.inline_keyboard
       .flat()
       .map((b) => ("callback_data" in b ? b.callback_data : ""));
-    expect(datas).not.toContain("apv:a3f1b9c2:always");
-    expect(datas).toContain("apv:a3f1b9c2:ttl:1h");
+    expect(datas).not.toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:always");
+    expect(datas).toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:ttl:1h");
   });
 
   it("escapes HTML metacharacters in agent and scope", () => {
     const card = buildApprovalCard({
-      request_id: "deadbeef",
+      request_id: "deadbeefdeadbeefdeadbeefdeadbeef",
       agent: "<script>",
       scope_humanized: "a&b",
     });
@@ -58,21 +58,21 @@ describe("approval card", () => {
 
 describe("parseApprovalCallback", () => {
   it("parses every choice variant", () => {
-    expect(parseApprovalCallback("apv:a3f1b9c2:once"))
-      .toEqual({ request_id: "a3f1b9c2", choice: { kind: "once" } });
-    expect(parseApprovalCallback("apv:a3f1b9c2:always"))
-      .toEqual({ request_id: "a3f1b9c2", choice: { kind: "always" } });
-    expect(parseApprovalCallback("apv:a3f1b9c2:deny"))
-      .toEqual({ request_id: "a3f1b9c2", choice: { kind: "deny" } });
-    expect(parseApprovalCallback("apv:a3f1b9c2:ttl:1h"))
-      .toEqual({ request_id: "a3f1b9c2", choice: { kind: "ttl", param: "1h" } });
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:once"))
+      .toEqual({ request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2", choice: { kind: "once" } });
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:always"))
+      .toEqual({ request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2", choice: { kind: "always" } });
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:deny"))
+      .toEqual({ request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2", choice: { kind: "deny" } });
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:ttl:1h"))
+      .toEqual({ request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2", choice: { kind: "ttl", param: "1h" } });
   });
 
   it("rejects malformed prefixes and bad ids", () => {
     expect(parseApprovalCallback("perm:more:abc")).toBeNull();
     expect(parseApprovalCallback("apv:NOTHEX12:once")).toBeNull();
-    expect(parseApprovalCallback("apv:a3f1b9c2:bogus")).toBeNull();
-    expect(parseApprovalCallback("apv:a3f1b9c2:ttl")).toBeNull();
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:bogus")).toBeNull();
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:ttl")).toBeNull();
   });
 });
 

package/telegram-plugin/gateway/approval-card.ts

@@ -89,7 +89,7 @@ export function parseApprovalCallback(data: string): ParsedApprovalCallback | nu
   if (parts.length < 3) return null;
   const request_id = parts[1];
   const choiceStr = parts[2];
-  if (!/^[0-9a-f]{8}$/.test(request_id ?? "")) return null;
+  if (!/^[0-9a-f]{32}$/.test(request_id ?? "")) return null;
   switch (choiceStr) {
     case "once":
       return { request_id: request_id as string, choice: { kind: "once" } };

package/telegram-plugin/gateway/auth-command.ts

@@ -260,8 +260,8 @@ export interface AuthCommandContext {
    * working without spinning up the Anthropic API path.
    *
    * Returns a parallel array (same length, same order as
-   * `state.accounts`) of QuotaResult — the gateway passes
-   * `accounts.map(a => fetchAccountQuota(a.label, {force: true}))`.
+   * `state.accounts`) of QuotaResult — sourced from the broker
+   * `probe-quota` op (#1336).
    */
   liveQuotas?: (
     accounts: AccountState[],

package/telegram-plugin/gateway/boot-card.ts

@@ -33,6 +33,7 @@
  */
 
 import type { ProbeResult, GatewayRuntimeInfo } from './boot-probes.js'
+import type { QuotaResult } from '../quota-check.js'
 import type { ListStateData } from './auth-line.js'
 import { renderAuthLine } from './auth-line.js'
 import {
@@ -291,6 +292,12 @@ export interface RenderBootCardOpts {
   snoozeRows?: ReadonlyArray<ProbeKey>
   /** Clock injection point for tests; defaults to `new Date()`. */
   now?: Date
+  /** PR C update-flow: outcome line for the most recent terminal
+   *  update_apply audit row (rendered by `update-announce.ts`). When
+   *  present, appended as a stand-alone section below the probe rows so
+   *  the operator sees what happened with the update that triggered
+   *  this boot without trawling the audit log. */
+  updateOutcomeLine?: string
 }
 
 /**
@@ -348,8 +355,13 @@ export function renderBootCard(opts: RenderBootCardOpts): string {
       : ''
     degradedRows.push(`⚠️ <b>Restart</b>  ${escapeHtml(REASON_LABEL.crash)}${ageStr}`)
     // Principle 1: every failure carries its next step. The crash row
-    // tells the user how to inspect why.
-    degradedRows.push(`    ↳ Tail logs: <code>journalctl --user -u switchroom-${escapeHtml(agentSlug)} -n 100</code>`)
+    // tells the user how to inspect why. Runtime-aware: v0.7+ agents run
+    // in Docker (no systemd/journalctl in-container) — the canonical
+    // detection is SWITCHROOM_RUNTIME (see doctor-docker.ts).
+    const tailCmd = process.env.SWITCHROOM_RUNTIME === 'docker'
+      ? `docker logs --tail 100 switchroom-${escapeHtml(agentSlug)}`
+      : `journalctl --user -u switchroom-${escapeHtml(agentSlug)} -n 100`
+    degradedRows.push(`    ↳ Tail logs: <code>${tailCmd}</code>`)
   }
 
   // Probe rows — only those that surfaced as degraded/fail. Healthy
@@ -394,6 +406,12 @@ export function renderBootCard(opts: RenderBootCardOpts): string {
   const sections: string[] = [ack]
   if (degradedRows.length > 0) sections.push('', ...degradedRows)
   if (accountRows.length > 0) sections.push('', ...accountRows)
+  if (opts.updateOutcomeLine) {
+    // PR C: each line of the update-outcome blob is its own row in the
+    // sections array so the join('\n') below renders the multi-line
+    // failure-with-recovery hint cleanly.
+    sections.push('', ...opts.updateOutcomeLine.split('\n'))
+  }
   if (sections.length === 1) return ack
   return sections.join('\n')
 }
@@ -469,6 +487,15 @@ export interface RunProbesOpts {
     | ListStateData
     | null
     | Promise<ListStateData | null>
+  /**
+   * Canonical quota source (#1336): probes this agent's effective
+   * account via the broker (server-side /v1/messages). Returns null
+   * when the broker is unreachable / no active account → `probeQuota`
+   * falls back to a direct probe. Wired from gateway.ts
+   * (`probeQuotaForBootCard`); omitted in non-docker / unit tests where
+   * the direct fallback preserves prior behaviour.
+   */
+  probeQuotaViaBroker?: (timeoutMs?: number) => Promise<QuotaResult | null>
   /** When true, resolve the agent PID via cgroup walk instead of MainPID
    *  (which is the tmux server pid under tmux supervisor). */
   tmuxSupervisor?: boolean
@@ -486,6 +513,13 @@ export interface RunProbesOpts {
    *  and externally-managed surface text instead of execing systemctl
    *  (which doesn't exist in the agent image). See `runtime-mode.ts`. */
   dockerMode?: boolean
+  /** PR C: pass-through to the renderer. When the gateway boot path
+   *  detects a recent terminal `update_apply` audit row, it computes the
+   *  outcome line via `update-announce.ts` and passes it here so the
+   *  card surfaces "✅ update completed (channel:dev, sha:…)" or the
+   *  failure body with a recovery hint. Append-only — never replaces
+   *  the existing ack/probe sections. */
+  updateOutcomeLine?: string
 }
 
 /** Run all six probes concurrently with their own per-probe timeouts.
@@ -502,7 +536,7 @@ export async function runAllProbes(opts: RunProbesOpts): Promise<ProbeMap> {
     probeAccount(opts.agentDir).then(r => { probes.account = r }),
     probeAgentProcess(slug, { execFileImpl: opts.probeExecFileImpl, tmuxSupervisor: opts.tmuxSupervisor, dockerMode: opts.dockerMode }).then(r => { probes.agent = r }),
     probeGateway(opts.gatewayInfo).then(r => { probes.gateway = r }),
-    probeQuota(claudeDir, opts.agentDir, opts.fetchImpl).then(r => { probes.quota = r }),
+    probeQuota(claudeDir, opts.agentDir, opts.fetchImpl, { brokerProbe: opts.probeQuotaViaBroker }).then(r => { probes.quota = r }),
     probeHindsight(opts.bankName, opts.fetchImpl).then(r => { probes.hindsight = r }),
     probeScheduler(slug, { dockerMode: opts.dockerMode }).then(r => { probes.scheduler = r }),
     probeBroker(undefined, { dockerMode: opts.dockerMode }).then(r => { probes.broker = r }),
@@ -540,6 +574,7 @@ export async function startBootCard(
     version: opts.version,
     restartReason: opts.restartReason,
     restartAgeMs: opts.restartAgeMs,
+    ...(opts.updateOutcomeLine ? { updateOutcomeLine: opts.updateOutcomeLine } : {}),
   })
 
   // Silence the notification for operator-initiated redeploys. A
@@ -646,6 +681,7 @@ export async function startBootCard(
           ...(accountRows ? { accounts: accountRows } : {}),
           ...(resolvedRows.length > 0 ? { resolvedRows } : {}),
           ...(snoozeRows.length > 0 ? { snoozeRows } : {}),
+          ...(opts.updateOutcomeLine ? { updateOutcomeLine: opts.updateOutcomeLine } : {}),
         })
 
         if (currentText !== ackText) {
@@ -697,6 +733,7 @@ export async function startBootCard(
             // cache write from the live-watch loop.
             ...(resolvedRows.length > 0 ? { resolvedRows } : {}),
             ...(snoozeRows.length > 0 ? { snoozeRows } : {}),
+            ...(opts.updateOutcomeLine ? { updateOutcomeLine: opts.updateOutcomeLine } : {}),
           })
 
           if (updatedText === currentText) continue

package/telegram-plugin/gateway/boot-probes.ts

@@ -17,7 +17,7 @@ import { execFile as execFileCb } from 'child_process'
 import { promisify } from 'util'
 
 import { readQuotaCache, writeQuotaCache } from './quota-cache.js'
-import { fetchQuota, formatQuotaLine } from '../quota-check.js'
+import { fetchQuota, formatQuotaLine, type QuotaResult } from '../quota-check.js'
 
 const execFile = promisify(execFileCb)
 
@@ -47,6 +47,25 @@ export interface ProbeResult {
 
 const PROBE_TIMEOUT_MS = 2000
 
+/**
+ * Quota is the one probe that legitimately needs a network round-trip.
+ * The boot card is NOT blocked on probes — it's posted immediately and
+ * probe rows edit in at the 6s settle window (see boot-card.ts
+ * SETTLE_WINDOW_MS) — so the old 1.8s direct-fetch budget was a
+ * self-inflicted abort, not a real constraint. Post-#1336 the broker
+ * owns the canonical probe; the gateway just awaits a local UDS
+ * round-trip while the broker does the Anthropic call server-side.
+ *
+ *   BROKER   — passed to client.probeQuota(); the broker's server-side
+ *              /v1/messages timeout.
+ *   DIRECT   — fallback direct fetch when the broker is unreachable
+ *              (non-docker, boot-time socket race). Still bounded.
+ *   OUTER    — withTimeout() guard; must exceed BROKER + UDS RTT.
+ */
+const QUOTA_BROKER_TIMEOUT_MS = 7000
+const QUOTA_DIRECT_FALLBACK_TIMEOUT_MS = 5000
+const QUOTA_PROBE_OUTER_TIMEOUT_MS = 9000
+
 /**
  * Race a probe against a hard timeout. Returns a fail ProbeResult if the
  * probe doesn't settle within timeoutMs.
@@ -831,6 +850,14 @@ export async function probeQuota(
   claudeConfigDir: string,
   _agentDir: string,
   fetchImpl: typeof fetch = fetch,
+  opts: {
+    /** Canonical path (#1336): the broker probes Anthropic server-side
+     *  for this agent's effective account. Returns null when the broker
+     *  is unreachable / no active account → caller falls back to a
+     *  direct probe. Injected from gateway.ts (probeQuotaForBootCard);
+     *  omitted in non-docker / unit tests. */
+    brokerProbe?: (timeoutMs?: number) => Promise<QuotaResult | null>
+  } = {},
 ): Promise<ProbeResult> {
   return withTimeout('Quota', (async (): Promise<ProbeResult> => {
     const cached = readQuotaCache()
@@ -838,35 +865,50 @@ export async function probeQuota(
       return cached
     }
 
-    // The fallback per-agent token path is `accounts/default/.oauth-token`;
-    // fetchQuota's own resolver only checks the top-level `.oauth-token`,
-    // so prefer that, and if it's missing surface the same degraded row
-    // we did before (no live probe — that's a setup issue, not a runtime
-    // one).
-    let claudeDirForProbe: string | null = null
-    for (const candidate of [
-      claudeConfigDir,
-      join(claudeConfigDir, 'accounts', 'default'),
-    ]) {
-      if (existsSync(join(candidate, '.oauth-token'))) {
-        claudeDirForProbe = candidate
-        break
+    // Prefer the broker (canonical since #1336). It does the /v1/messages
+    // call server-side with its own timeout; we just await the local UDS
+    // round-trip. Reset Dates are revived at the client boundary
+    // (src/auth/broker/client.ts) so formatQuotaLine is safe.
+    let probe: QuotaResult | null = null
+    if (opts.brokerProbe) {
+      try {
+        probe = await opts.brokerProbe(QUOTA_BROKER_TIMEOUT_MS)
+      } catch {
+        probe = null
       }
     }
-    if (!claudeDirForProbe) {
-      return {
-        status: 'degraded',
-        label: 'Quota',
-        detail: 'no OAuth token',
-        nextStep: 'No OAuth token on disk — register a fleet account: `switchroom auth add <label> --from-oauth` then `switchroom auth use <label>` (RFC H)',
+
+    if (!probe) {
+      // Fallback: broker absent/unreachable (non-docker install, or a
+      // boot-time socket race). Direct probe — the per-agent token path
+      // is `accounts/default/.oauth-token`; fetchQuota's resolver only
+      // checks the top-level `.oauth-token`, so prefer that. Missing
+      // token is a setup issue, surfaced as the same degraded row.
+      let claudeDirForProbe: string | null = null
+      for (const candidate of [
+        claudeConfigDir,
+        join(claudeConfigDir, 'accounts', 'default'),
+      ]) {
+        if (existsSync(join(candidate, '.oauth-token'))) {
+          claudeDirForProbe = candidate
+          break
+        }
       }
+      if (!claudeDirForProbe) {
+        return {
+          status: 'degraded',
+          label: 'Quota',
+          detail: 'no OAuth token',
+          nextStep: 'No OAuth token on disk — register a fleet account: `switchroom auth add <label> --from-oauth` then `switchroom auth use <label>` (RFC H)',
+        }
+      }
+      probe = await fetchQuota({
+        claudeConfigDir: claudeDirForProbe,
+        fetchImpl,
+        timeoutMs: QUOTA_DIRECT_FALLBACK_TIMEOUT_MS,
+      })
     }
 
-    const probe = await fetchQuota({
-      claudeConfigDir: claudeDirForProbe,
-      fetchImpl,
-      timeoutMs: 1800,
-    })
     if (!probe.ok) {
       // Auth rejection from /v1/messages is a strong signal — the same
       // endpoint claude itself uses. Other errors are surfaced verbatim
@@ -889,7 +931,7 @@ export async function probeQuota(
     }
     writeQuotaCache(result)
     return result
-  })())
+  })(), QUOTA_PROBE_OUTER_TIMEOUT_MS)
 }
 
 // ─── Probe: Hindsight ────────────────────────────────────────────────────────
@@ -917,7 +959,9 @@ export async function probeHindsight(
         status: 'fail',
         label: 'Hindsight',
         detail: 'unreachable',
-        nextStep: 'Hindsight server not responding on 127.0.0.1:18888 — start it with `hindsight serve` or check `systemctl --user status hindsight`',
+        nextStep: process.env.SWITCHROOM_RUNTIME === 'docker'
+          ? 'Hindsight server not responding on 127.0.0.1:18888 — check the hindsight container (`docker ps` / `docker logs`); it must be reachable on the host network.'
+          : 'Hindsight server not responding on 127.0.0.1:18888 — start it with `hindsight serve` (or check `systemctl --user status hindsight`).',
       }
     }
 
@@ -1274,7 +1318,14 @@ export async function probeKernel(
  */
 export async function probeSkills(
   agentDir: string,
-  opts: { fs?: SkillsFsImpl; maxNamesShown?: number; agentName?: string } = {},
+  opts: {
+    fs?: SkillsFsImpl
+    maxNamesShown?: number
+    agentName?: string
+    /** Override skills.d overlay dir. Defaults to `<agentDir>/skills.d`
+     *  on host installs; tests inject a path. */
+    overlaySkillsDir?: string
+  } = {},
 ): Promise<ProbeResult> {
   return withTimeout('Skills', (async (): Promise<ProbeResult> => {
     const fs = opts.fs ?? realSkillsFs
@@ -1315,8 +1366,32 @@ export async function probeSkills(
         continue
       }
     }
+
+    // Bucket entries by source: agent-overlay slugs come from filenames
+    // under <agentRoot>/skills.d/<slug>.yaml (written by skill_install).
+    // Everything else is operator-baseline from switchroom.yaml.
+    const overlayDir = opts.overlaySkillsDir ?? join(agentDir, 'skills.d')
+    const overlaySlugs = new Set<string>()
+    if (fs.exists(overlayDir)) {
+      let overlayEntries: string[] = []
+      try {
+        overlayEntries = fs.readdir(overlayDir)
+      } catch {
+        /* unreadable overlay — fall through with empty set */
+      }
+      for (const name of overlayEntries) {
+        const m = name.match(/^(.+)\.ya?ml$/i)
+        if (!m) continue
+        overlaySlugs.add(m[1])
+      }
+    }
+    const liveEntries = entries.filter(n => !dangling.includes(n)).sort()
+    const switchroomSkills = liveEntries.filter(n => !overlaySlugs.has(n))
+    const agentSkills = liveEntries.filter(n => overlaySlugs.has(n))
+    const bucketed = renderBucketedSkills(switchroomSkills, agentSkills)
+
     if (dangling.length === 0) {
-      return { status: 'ok', label: 'Skills', detail: `${entries.length} resolved` }
+      return { status: 'ok', label: 'Skills', detail: bucketed }
     }
     const named = dangling.slice(0, max).join(', ')
     const more = dangling.length > max ? ` +${dangling.length - max} more` : ''
@@ -1324,12 +1399,21 @@ export async function probeSkills(
     return {
       status: 'degraded',
       label: 'Skills',
-      detail: `${dangling.length}/${entries.length} dangling: ${named}${more}`,
+      detail: `${dangling.length}/${entries.length} dangling: ${named}${more} · ${bucketed}`,
       nextStep: `Run \`switchroom agent reconcile${reconcileTarget}\` to rebuild symlinks, or remove unused entries from switchroom.yaml`,
     }
   })())
 }
 
+/** Format the two source-buckets into a single mobile-readable line.
+ *  Empty buckets are omitted. `none` covers the all-dangling edge case. */
+function renderBucketedSkills(switchroom: string[], agent: string[]): string {
+  const parts: string[] = []
+  if (switchroom.length > 0) parts.push(`Switchroom: ${switchroom.join(', ')}`)
+  if (agent.length > 0) parts.push(`Agent: ${agent.join(', ')}`)
+  return parts.length === 0 ? 'none resolved' : parts.join(' · ')
+}
+
 export interface SkillsFsImpl {
   readdir: (p: string) => string[]
   exists: (p: string) => boolean