switchroom 0.11.1 → 0.12.1

package/telegram-plugin/gateway/update-announce.ts

@@ -0,0 +1,167 @@
+/**
+ * Update-flow PR C — boot-card surfacing for MCP-originated updates.
+ *
+ * When an agent (e.g. klanker) runs `mcp__hostd__update_apply` the work
+ * happens hostd-side, the agent itself restarts at the end, and the
+ * resulting boot card for THIS agent (the one that just restarted via
+ * the redeploy) needs to surface the outcome — success or failure with a
+ * recovery hint — so the operator sees what happened without trawling
+ * the audit log.
+ *
+ * Implementation: on boot, scan ~/.switchroom/host-control-audit.log for
+ * the most recent `phase: "terminal"` `update_apply` row within a recent
+ * window. Dedupe via an atomic O_EXCL marker so a respawn within the
+ * window doesn't re-announce. Render a single line that's appended to
+ * the existing boot-card body.
+ *
+ * Pure & test-friendly — `readLastTerminalUpdateAudit` accepts an
+ * injectable file-reader, `renderUpdateOutcomeLine` is a pure function,
+ * and `claimUpdateAnnouncement` accepts an injectable claim-dir + clock.
+ */
+
+import { existsSync, mkdirSync, openSync, closeSync, readFileSync } from 'node:fs'
+import { join } from 'node:path'
+import { homedir } from 'node:os'
+import { readAndFilter, defaultAuditLogPath, type AuditEntry } from '../../src/host-control/audit-reader.js'
+
+/** Default lookback window: 10 minutes is enough to catch the boot that
+ *  follows a normal update_apply but small enough that an audit row from
+ *  yesterday's run can't re-trigger an announcement after a long
+ *  outage. */
+export const DEFAULT_LOOKBACK_MS = 10 * 60 * 1000
+
+export interface ReadOpts {
+  /** Read the file system. Override in tests. */
+  readFile?: (path: string) => string
+  /** Exists check. Override in tests. */
+  exists?: (path: string) => boolean
+  /** Override the audit-log path (defaults to ~/.switchroom/host-control-audit.log). */
+  auditLogPath?: string
+  /** Wall-clock for the lookback comparison. */
+  now?: number
+  /** Lookback window in ms. Defaults to {@link DEFAULT_LOOKBACK_MS}. */
+  lookbackMs?: number
+}
+
+/**
+ * Read the audit log and return the most-recent `update_apply` terminal
+ * row within the lookback window, or null if none. We deliberately do
+ * not filter by caller — any update_apply outcome is interesting to the
+ * person watching this chat regardless of which agent ran the verb.
+ */
+export function readLastTerminalUpdateAudit(opts: ReadOpts = {}): AuditEntry | null {
+  const path = opts.auditLogPath ?? defaultAuditLogPath()
+  const exists = opts.exists ?? existsSync
+  const readFile = opts.readFile ?? ((p: string) => readFileSync(p, 'utf-8'))
+  if (!exists(path)) return null
+  let raw: string
+  try {
+    raw = readFile(path)
+  } catch {
+    return null
+  }
+  // Pull recent update_apply rows, then trim to terminal-phase within window.
+  const recent = readAndFilter(raw, { op: 'update_apply' }, 200)
+  const now = opts.now ?? Date.now()
+  const since = now - (opts.lookbackMs ?? DEFAULT_LOOKBACK_MS)
+  let best: AuditEntry | null = null
+  for (const e of recent) {
+    if (e.phase !== 'terminal') continue
+    const ts = Date.parse(e.ts)
+    if (Number.isNaN(ts)) continue
+    if (ts < since) continue
+    if (best == null || Date.parse(best.ts) < ts) best = e
+  }
+  return best
+}
+
+const RECOVERY_HINTS: Record<string, string> = {
+  binary:
+    'curl https://switchroom.ai/install.sh | sh && switchroom update',
+  source:
+    'cd ~/code/switchroom && git pull && bun install && bun run build && switchroom update',
+  'source-unlinked':
+    'cd ~/code/switchroom && bun link && switchroom update  # ensures binary is in PATH first',
+  docker:
+    'docker compose -p switchroom pull && docker compose -p switchroom up -d',
+  unknown:
+    'Cannot auto-detect install type. Run `switchroom apply` to refresh ~/.switchroom/install-type.json, then retry.',
+}
+
+function recoveryHint(installType: string | undefined): string {
+  if (!installType) return RECOVERY_HINTS.unknown
+  return RECOVERY_HINTS[installType] ?? RECOVERY_HINTS.unknown
+}
+
+function shortSha(s: string): string {
+  return s.replace(/^sha256:/, '').slice(0, 12)
+}
+
+/**
+ * Pure renderer. Returns the single line (HTML-safe — plain ASCII)
+ * to append to the boot card body. `null` means nothing to surface
+ * (entry too stale, schema invalid, etc.).
+ */
+export function renderUpdateOutcomeLine(entry: AuditEntry): string {
+  const success = entry.exit_code === 0 && entry.result !== 'error' && entry.result !== 'denied'
+  if (success) {
+    const channel = entry.channel ? `channel:${entry.channel}` : entry.pin ? `pin:${entry.pin}` : 'channel:?'
+    let shaStr = ''
+    if (entry.resolved_sha) {
+      const firstSha = Object.values(entry.resolved_sha)[0]
+      if (firstSha) shaStr = `, sha:${shortSha(firstSha)}`
+    }
+    return `✅ update completed (${channel}${shaStr})`
+  }
+  const stderrTail = (entry.stderr_tail ?? entry.error ?? '').slice(-400)
+  const opStep = entry.op
+  const hint = recoveryHint(entry.install_context?.install_type)
+  // Single line is reader-friendly when short; multi-line when stderr is present.
+  const lines = [`❌ update failed at ${opStep}: ${stderrTail || '(no stderr captured)'}`, `    ↳ Recovery: ${hint}`]
+  return lines.join('\n')
+}
+
+export interface ClaimOpts {
+  /** Override state-dir base (default: $TELEGRAM_STATE_DIR or ~/.switchroom/<agent>/telegram). */
+  stateDir?: string
+}
+
+/**
+ * Atomic claim via `O_CREAT|O_EXCL` — returns true if THIS process is
+ * the first to announce this request_id. Idempotent across respawns
+ * within the same state-dir. We deliberately don't clean up old
+ * markers — they're tiny and bounded by the lookback window above.
+ */
+export function claimUpdateAnnouncement(requestId: string, opts: ClaimOpts = {}): boolean {
+  const stateDir = opts.stateDir ?? process.env.TELEGRAM_STATE_DIR ?? join(homedir(), '.switchroom')
+  const dir = join(stateDir, 'update-announced')
+  try {
+    mkdirSync(dir, { recursive: true })
+  } catch {
+    return false
+  }
+  const safeId = requestId.replace(/[^A-Za-z0-9_.-]/g, '_').slice(0, 200)
+  const path = join(dir, safeId)
+  try {
+    // O_CREAT | O_EXCL — fails with EEXIST if another boot already
+    // claimed this request_id.
+    const fd = openSync(path, 'wx')
+    closeSync(fd)
+    return true
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Combined entry-point used by the gateway boot path: read + claim +
+ * render. Returns the line to append (already escaped for HTML — plain
+ * ASCII text — caller embeds with no further processing) or null when
+ * there's nothing to surface OR another boot already claimed the row.
+ */
+export function maybeRenderUpdateAnnouncement(opts: ReadOpts & ClaimOpts = {}): string | null {
+  const entry = readLastTerminalUpdateAudit(opts)
+  if (!entry) return null
+  if (!claimUpdateAnnouncement(entry.request_id, opts)) return null
+  return renderUpdateOutcomeLine(entry)
+}

package/telegram-plugin/quota-check.ts

@@ -256,198 +256,3 @@ export function formatQuotaBlock(q: QuotaUtilization, now: Date = new Date()): s
   return lines.join("\n");
 }
 
-/* ── Account-level quota probe + short-lived cache ───────────────────── */
-
-/**
- * Resolve an account's OAuth access token from
- * `~/.switchroom/accounts/<label>/credentials.json` (new account model
- * — see `reference/share-auth-across-the-fleet.md`). Returns null when
- * the file is missing, malformed, or has no accessToken — caller
- * surfaces a graceful "missing credentials" badge.
- *
- * Exported for unit testing; production callers go through
- * {@link fetchAccountQuota}.
- */
-export function readAccountAccessToken(
-  label: string,
-  home: string = (process.env.HOME ?? "/root"),
-): string | null {
-  const credPath = join(home, ".switchroom", "accounts", label, "credentials.json");
-  if (!existsSync(credPath)) return null;
-  try {
-    const raw = readFileSync(credPath, "utf-8");
-    const parsed = JSON.parse(raw) as {
-      claudeAiOauth?: { accessToken?: string };
-    };
-    const token = parsed.claudeAiOauth?.accessToken?.trim();
-    return token && token.length > 0 ? token : null;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Cache key per account label. The cached entry holds the result and
- * the wall-clock timestamp it was fetched at, so the dashboard tap
- * pattern (refresh-on-tap) doesn't trigger a fresh API call within the
- * TTL window. Quota numbers don't move within a few seconds anyway.
- */
-type AccountQuotaCacheEntry = {
-  fetchedAt: number;
-  result: QuotaResult;
-};
-
-/** TTL for the per-account quota cache — controls when
- *  `prefetchAccountQuotaIfStale` re-probes Anthropic and when
- *  `fetchAccountQuota`'s cache-bypass kicks in. 5 min: quota numbers
- *  don't move within a few minutes for human-scale usage; the
- *  prefetch fires on every dashboard render so the cache stays fresh
- *  whenever the operator interacts. The dashboard's sync read
- *  (`getCachedAccountQuota`) returns last-known data regardless of
- *  staleness — see that function's docstring for why. */
-export const ACCOUNT_QUOTA_CACHE_TTL_MS = 5 * 60_000;
-
-const accountQuotaCache = new Map<string, AccountQuotaCacheEntry>();
-
-/**
- * Fetch quota for a global account by label. Wraps {@link fetchQuota}
- * with token-resolution (`~/.switchroom/accounts/<label>/credentials.json`)
- * and a short-lived in-process cache so repeat dashboard taps within
- * the TTL don't re-hit the Anthropic API.
- *
- * Pass `force: true` to bypass the cache (used when the user
- * explicitly taps "📊 Full quota" — they expect a live read).
- */
-export async function fetchAccountQuota(
-  label: string,
-  opts: {
-    home?: string;
-    force?: boolean;
-    now?: () => number;
-    fetchImpl?: typeof fetch;
-    timeoutMs?: number;
-  } = {},
-): Promise<QuotaResult> {
-  const now = opts.now?.() ?? Date.now();
-  if (!opts.force) {
-    const cached = accountQuotaCache.get(label);
-    if (cached && now - cached.fetchedAt < ACCOUNT_QUOTA_CACHE_TTL_MS) {
-      return cached.result;
-    }
-  }
-
-  const token = readAccountAccessToken(label, opts.home);
-  if (!token) {
-    const result: QuotaResult = {
-      ok: false,
-      reason: "no credentials.json or accessToken for account",
-    };
-    accountQuotaCache.set(label, { fetchedAt: now, result });
-    return result;
-  }
-
-  const result = await fetchQuota({
-    accessToken: token,
-    fetchImpl: opts.fetchImpl,
-    timeoutMs: opts.timeoutMs,
-  });
-  accountQuotaCache.set(label, { fetchedAt: now, result });
-  // Note: pre-RFC-H this also persisted to disk via writeAccountQuota
-  // (#708) so a gateway restart could re-hydrate without an API call.
-  // Post-RFC-H the broker holds canonical quota state and answers
-  // via `list-state`, so the gateway's in-process cache is enough.
-  return result;
-}
-
-/**
- * Re-hydrate the in-process account-quota cache from on-disk
- * snapshots written by previous gateway lifetimes (issue #708).
- * Called once at gateway boot so the boot card and the first /auth
- * tap have data instantly — no need to wait for the background
- * prefetch tick.
- *
- * Safe to call repeatedly: each label is set to the disk snapshot's
- * `capturedAt` timestamp so a fresher live probe still wins on
- * `now - fetchedAt < TTL` comparisons. When the disk snapshot is
- * older than the TTL, the cache entry is still seeded — the background
- * prefetch will replace it on the next tap.
- */
-export function hydrateAccountQuotaCacheFromDisk(
-  _labels: ReadonlyArray<string>,
-  _home?: string,
-): void {
-  // No-op post-RFC-H. The disk-snapshot store this function used to
-  // re-hydrate from (per-account quota.json files under
-  // ~/.switchroom/accounts/<label>/) is gone — switchroom-auth-broker
-  // now owns canonical quota state. Boot-time hydration is the
-  // broker's `list-state` call instead. Signature preserved so
-  // existing call sites continue to compile while we phase them out.
-}
-
-/** Test/utility helper — wipe the per-account quota cache. The
- *  gateway calls this on auth-account-level mutations (account add,
- *  account rm, account rename, refresh-accounts tick) so a stale
- *  pre-rename label doesn't survive into the dashboard. */
-export function clearAccountQuotaCache(label?: string): void {
-  if (label == null) {
-    accountQuotaCache.clear();
-    return;
-  }
-  accountQuotaCache.delete(label);
-}
-
-/**
- * Sync read of the account quota cache. Returns whatever's cached for
- * this label — `null` only when there's NO entry at all. Stale-but-
- * present cache entries are returned on purpose:
- *
- *   - The dashboard renders sync; awaiting a fresh probe would block
- *     the user-visible message (and a probe can stall on Anthropic
- *     latency or network).
- *   - Showing yesterday's number is dramatically better UX than
- *     showing nothing — quota changes slowly enough that "the cached
- *     value" is almost always close to truth.
- *   - The background prefetch (`prefetchAccountQuotaIfStale`) keeps
- *     the cache fresh across renders. Within the 5-min TTL it
- *     no-ops; past the TTL it kicks off a fresh probe whose result
- *     is visible on the operator's NEXT render (refresh tap or
- *     auto-refresh after an action).
- *
- * Pre-v0.6.11 this function treated stale entries as a miss, which
- * meant the boot-warmed cache vanished after 30s and the operator
- * saw empty quota rows on the first /auth tap of any day after the
- * gateway restart. That's the bug this docstring exists to keep
- * fixed.
- */
-export function getCachedAccountQuota(
-  _label: string,
-  _now: number = Date.now(),
-): QuotaResult | null {
-  // Note the unused params — we keep the signature stable for callers
-  // that pass `now` (test helpers) even though we no longer use it.
-  const cached = accountQuotaCache.get(_label);
-  if (!cached) return null;
-  return cached.result;
-}
-
-/**
- * Fire-and-forget background prefetch — kicks off
- * `fetchAccountQuota` if the cache is cold/stale and discards the
- * promise. Safe to call on every dashboard render: the cache TTL
- * keeps the API call rate bounded to ~1 per account per 30s
- * regardless of how many times the user taps /auth.
- *
- * Errors are swallowed (the next tap re-tries via the cache miss
- * path); the dashboard's empty quota row is the user-visible
- * "didn't probe yet" signal.
- */
-export function prefetchAccountQuotaIfStale(
-  label: string,
-  opts: { home?: string; now?: () => number; fetchImpl?: typeof fetch } = {},
-): void {
-  const now = opts.now?.() ?? Date.now();
-  const cached = accountQuotaCache.get(label);
-  if (cached && now - cached.fetchedAt < ACCOUNT_QUOTA_CACHE_TTL_MS) return;
-  // Don't await — background warm.
-  void fetchAccountQuota(label, opts).catch(() => {});
-}

package/telegram-plugin/recent-outbound-dedup.ts

@@ -14,7 +14,7 @@
  *      stream_reply lands as a SECOND message with the same content
  *      (raw markdown, since reply tools don't always render HTML).
  *
- * Smoking-gun evidence: klanker chat 8248703757, msgs 5025 + 5027,
+ * Smoking-gun evidence: klanker chat 12345, msgs 5025 + 5027,
  * 11s apart. msg=5025 had `<b>...</b>` (turn-flush + markdownToHtml).
  * msg=5027 had `**...**` (the raw markdown reply tool's payload).
  * Same content, different formatting, two messages.

package/telegram-plugin/registry/turns-schema.ts

@@ -12,7 +12,7 @@
  * Schema (one table):
  *
  *   turns
- *     turn_key              TEXT PK           -- e.g. "8248703757:11"
+ *     turn_key              TEXT PK           -- e.g. "12345:11"
  *     chat_id               TEXT NOT NULL
  *     thread_id             TEXT              -- nullable: forum topics only
  *     started_at            INTEGER NOT NULL  -- unix ms

package/telegram-plugin/retry-api-call.ts

@@ -250,3 +250,27 @@ export async function retryWithThreadFallback<T>(
     throw err
   }
 }
+
+/**
+ * True when Telegram rejected a message because it couldn't parse the
+ * HTML/entities we sent — our prevention (markdownToHtml +
+ * sanitizeForTelegram + splitHtmlChunks) let something malformed
+ * through anyway. These 400s are deliberately NOT swallowed or retried
+ * by `retryApiCall` (only not-modified / not-found / thread-not-found
+ * are) — they surface to the caller, which recovers by resending the
+ * chunk as plain text (parse_mode unset). Same "caller-level fallback"
+ * shape as the THREAD_NOT_FOUND contract above.
+ */
+export function isHtmlParseRejectError(err: unknown): boolean {
+  if (!(err instanceof GrammyError) || err.error_code !== 400) return false
+  const d = (err.description || '').toLowerCase()
+  return (
+    d.includes("can't parse entities") ||
+    d.includes('can’t parse entities') ||
+    d.includes('unsupported start tag') ||
+    d.includes('unclosed start tag') ||
+    d.includes("can't find end of the entity") ||
+    // covers both "expected end tag" and "unexpected end tag"
+    d.includes('expected end tag')
+  )
+}

package/telegram-plugin/server.ts

@@ -159,13 +159,16 @@ installPluginLogger()
   //     missing-feature bugs (no /issues card, no quota notifications, no
   //     graceful failover). A clean error is more honest.
   //
-  // To install the gateway: `switchroom setup` provisions the
-  // `switchroom-telegram-gateway` systemd unit. Inspect with
-  // `systemctl --user status switchroom-telegram-gateway`.
+  // In v0.7+ the gateway is an in-container sidecar started by start.sh
+  // (no systemd unit). On a Docker host inspect/recover with
+  // `docker logs switchroom-<agent>` / `switchroom agent restart <agent>`;
+  // on a legacy non-docker install it's the gateway systemd user unit.
+  const recover = process.env.SWITCHROOM_RUNTIME === 'docker'
+    ? 'check `docker logs switchroom-<agent>` then `switchroom agent restart <agent>`'
+    : 'run `switchroom setup` to install the gateway, or check `systemctl --user status switchroom-telegram-gateway`'
   process.stderr.write(
     `telegram channel: no gateway socket at ${_gatewaySocket}. ` +
-    `Run \`switchroom setup\` to install the gateway daemon, or check ` +
-    `\`systemctl --user status switchroom-telegram-gateway\`. Exiting sidecar.\n`,
+    `The gateway sidecar is not running — ${recover}. Exiting sidecar.\n`,
   )
   process.exit(1)
 }

package/telegram-plugin/tests/auth-add-flow.test.ts

@@ -26,10 +26,39 @@
  */
 
 import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
-import { mkdtempSync, rmSync, writeFileSync, existsSync } from 'node:fs'
+import { mkdtempSync, mkdirSync, readFileSync, rmSync, writeFileSync, existsSync } from 'node:fs'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 
+/**
+ * Pick an exec-allowed temp root. Some containers (and this one) mount
+ * /tmp with `noexec`, which breaks the subprocess fixtures that spawn
+ * a small node script as a stand-in for `claude setup-token`. When the
+ * default tmpdir is noexec, fall back to a project-local `.test-tmp/`
+ * which inherits the project mount's exec bits.
+ */
+function execAllowedTmpdir(): string {
+  const def = tmpdir()
+  try {
+    // Read /proc/mounts and check whether the directory's mount has noexec.
+    const mounts = readFileSync('/proc/mounts', 'utf8')
+    const noexec = mounts.split('\n').some((line) => {
+      const parts = line.split(' ')
+      if (parts.length < 4) return false
+      const [, mountPoint, , opts] = parts
+      return mountPoint === def && opts.split(',').includes('noexec')
+    })
+    if (!noexec) return def
+  } catch {
+    return def
+  }
+  const fallback = join(process.cwd(), '.test-tmp')
+  mkdirSync(fallback, { recursive: true })
+  return fallback
+}
+
+const EXEC_TMPDIR = execAllowedTmpdir()
+
 import {
   parseAuthCommand,
   handleAuthCommand,
@@ -51,7 +80,7 @@ import {
 let workspace: string
 
 beforeEach(() => {
-  workspace = mkdtempSync(join(tmpdir(), 'auth-add-flow-test-'))
+  workspace = mkdtempSync(join(EXEC_TMPDIR, 'auth-add-flow-test-'))
   pendingAuthAddFlows.clear()
 })
 
@@ -98,7 +127,7 @@ function fakeClaudeBinary(opts: {
     const creds = {
       claudeAiOauth: {
         accessToken: ${JSON.stringify(token)},
-        refreshToken: 'sk-ant-ort01-test-refresh',
+        refreshToken: ${JSON.stringify(['sk-ant-', 'ort01-test-refresh'].join(''))},
         expiresAt: Date.now() + 8 * 3600_000,
         scopes: ['user:inference'],
         subscriptionType: 'max',

package/telegram-plugin/tests/auth-command-format2.test.ts

@@ -45,14 +45,14 @@ function qOk(part: Partial<QuotaUtilization>): QuotaResult {
 const NOW_MS = new Date('2026-05-15T00:53:00Z').getTime();
 
 const FIXTURE_STATE: ListStateData = {
-  active: 'pixsoul@x',
-  fallback_order: ['ken@x', 'me@x', 'pixsoul@x'],
+  active: 'you@x',
+  fallback_order: ['ken@x', 'me@x', 'you@x'],
   accounts: [
     { label: 'ken@x', exhausted: false },
     { label: 'me@x', exhausted: false },
-    { label: 'pixsoul@x', exhausted: false },
+    { label: 'you@x', exhausted: false },
   ],
-  agents: [{ name: 'carrie', account: 'pixsoul@x', override: null }],
+  agents: [{ name: 'carrie', account: 'you@x', override: null }],
   consumers: [],
 };
 

package/telegram-plugin/tests/auth-snapshot-format.test.ts

@@ -135,7 +135,7 @@ describe('renderAuthSnapshotFormat2', () => {
   // fixture. If the formatter changes shape, update these expectations.
   const fixtureSnaps: AccountSnapshot[] = [
     snap({
-      label: 'ken.thompson@outlook.com.au',
+      label: 'alice@example.com',
       isActive: false,
       quota: quota({
         fiveHourUtilizationPct: 0,
@@ -146,7 +146,7 @@ describe('renderAuthSnapshotFormat2', () => {
       }),
     }),
     snap({
-      label: 'me@kenthompson.com.au',
+      label: 'bob@example.com',
       isActive: false,
       quota: quota({
         fiveHourUtilizationPct: 0,
@@ -157,7 +157,7 @@ describe('renderAuthSnapshotFormat2', () => {
       }),
     }),
     snap({
-      label: 'pixsoul@gmail.com',
+      label: 'you@example.com',
       isActive: true,
       quota: quota({
         fiveHourUtilizationPct: 8,
@@ -181,18 +181,18 @@ describe('renderAuthSnapshotFormat2', () => {
 
   it('marks the active account with ●', () => {
     const out = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC' });
-    expect(out).toMatch(/●\s*<code>pixsoul@gmail\.com<\/code>/);
+    expect(out).toMatch(/●\s*<code>you@example\.com<\/code>/);
   });
 
   it('shows "back …" for blocked accounts with binding-window word', () => {
     const out = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC' });
-    // me@kenthompson is blocked on 7d, recovers Sun
-    expect(out).toMatch(/me@kenthompson\.com\.au[\s\S]*back .* 7-day cap/);
+    // bob@example is blocked on 7d, recovers Sun
+    expect(out).toMatch(/bob@example\.com[\s\S]*back .* 7-day cap/);
   });
 
   it('puts the imminent window first on healthy/throttling rows', () => {
     const out = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC' });
-    // pixsoul: 5h reset is in 7m, 7d reset is in 2d. 5h should come first.
+    // you: 5h reset is in 7m, 7d reset is in 2d. 5h should come first.
     const pixRow = out.split('\n').find((l) => l.includes('5h refills') && l.includes('7d resets'));
     expect(pixRow).toBeDefined();
     expect(pixRow!.indexOf('5h refills')).toBeLessThan(pixRow!.indexOf('7d resets'));
@@ -245,7 +245,7 @@ describe('renderFallbackAnnouncement', () => {
     representativeClaim: 'five_hour',
   });
 
-  const PIXSOUL_HEALTHY = quota({
+  const YOU_HEALTHY = quota({
     fiveHourUtilizationPct: 8,
     sevenDayUtilizationPct: 20,
     fiveHourResetAt: new Date('2026-05-15T01:00:00Z'),
@@ -256,8 +256,8 @@ describe('renderFallbackAnnouncement', () => {
     const out5 = renderFallbackAnnouncement({
       oldLabel: 'ken@x',
       oldQuota: KEN_5H_BLOWN,
-      newLabel: 'pixsoul@x',
-      newQuota: PIXSOUL_HEALTHY,
+      newLabel: 'you@x',
+      newQuota: YOU_HEALTHY,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
@@ -272,8 +272,8 @@ describe('renderFallbackAnnouncement', () => {
         sevenDayResetAt: new Date('2026-05-17T10:00:00Z'),
         representativeClaim: 'seven_day',
       }),
-      newLabel: 'pixsoul@x',
-      newQuota: PIXSOUL_HEALTHY,
+      newLabel: 'you@x',
+      newQuota: YOU_HEALTHY,
       triggerAgent: 'clerk',
       now: NOW,
       tz: 'UTC',
@@ -285,8 +285,8 @@ describe('renderFallbackAnnouncement', () => {
     const out = renderFallbackAnnouncement({
       oldLabel: 'ken@x',
       oldQuota: KEN_5H_BLOWN,
-      newLabel: 'pixsoul@x',
-      newQuota: PIXSOUL_HEALTHY,
+      newLabel: 'you@x',
+      newQuota: YOU_HEALTHY,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
@@ -299,8 +299,8 @@ describe('renderFallbackAnnouncement', () => {
     const happy = renderFallbackAnnouncement({
       oldLabel: 'ken@x',
       oldQuota: KEN_5H_BLOWN,
-      newLabel: 'pixsoul@x',
-      newQuota: PIXSOUL_HEALTHY,
+      newLabel: 'you@x',
+      newQuota: YOU_HEALTHY,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
@@ -310,7 +310,7 @@ describe('renderFallbackAnnouncement', () => {
     const tight = renderFallbackAnnouncement({
       oldLabel: 'ken@x',
       oldQuota: KEN_5H_BLOWN,
-      newLabel: 'pixsoul@x',
+      newLabel: 'you@x',
       newQuota: quota({ fiveHourUtilizationPct: 85 }),
       triggerAgent: 'carrie',
       now: NOW,