switchroom 0.14.79 → 0.14.81

package/dist/auth-broker/index.js

@@ -12286,6 +12286,35 @@ async function fetchQuota(opts) {
   return parsed;
 }
 
+// src/auth/broker/consumer-quota-sensor.ts
+var EXHAUSTION_PCT = 99.5;
+var DEFAULT_CONSUMER_PROBE_INTERVAL_MS = 10 * 60 * 1000;
+function quotaIndicatesExhaustion(result) {
+  if (!result.ok)
+    return { exhausted: false, until: null };
+  const d = result.data;
+  const fiveBlocked = d.fiveHourUtilizationPct >= EXHAUSTION_PCT;
+  const sevenBlocked = d.sevenDayUtilizationPct >= EXHAUSTION_PCT;
+  if (!fiveBlocked && !sevenBlocked)
+    return { exhausted: false, until: null };
+  const fiveReset = fiveBlocked ? d.fiveHourResetAt?.getTime() ?? null : null;
+  const sevenReset = sevenBlocked ? d.sevenDayResetAt?.getTime() ?? null : null;
+  const candidates = [fiveReset, sevenReset].filter((x) => x != null);
+  const until = candidates.length > 0 ? Math.max(...candidates) : null;
+  return { exhausted: true, until };
+}
+function resolveConsumerProbeIntervalMs(env) {
+  if (env.SWITCHROOM_DISABLE_CONSUMER_QUOTA_PROBE === "1")
+    return 0;
+  const raw = env.SWITCHROOM_CONSUMER_QUOTA_PROBE_MS;
+  if (raw !== undefined) {
+    const n = Number(raw);
+    if (Number.isFinite(n) && n >= 0)
+      return n;
+  }
+  return DEFAULT_CONSUMER_PROBE_INTERVAL_MS;
+}
+
 // src/util/atomic.ts
 import { randomBytes } from "node:crypto";
 import { closeSync, constants, fsyncSync, openSync, renameSync, rmSync, writeSync } from "node:fs";
@@ -13340,7 +13369,8 @@ var SetActiveDataSchema = exports_external.object({
 });
 var MarkExhaustedDataSchema = exports_external.object({
   account: exports_external.string(),
-  rolled: exports_external.array(exports_external.string())
+  rolled: exports_external.array(exports_external.string()),
+  rolledTo: exports_external.string().nullable().optional()
 });
 var RefreshAccountDataSchema = exports_external.object({
   account: exports_external.string(),
@@ -13482,6 +13512,8 @@ class AuthBroker {
   config;
   listeners = new Map;
   refreshTimer = null;
+  consumerProbeTimer = null;
+  fetchQuotaImpl;
   stateDir;
   socketRoot;
   home;
@@ -13505,6 +13537,7 @@ class AuthBroker {
     this.now = opts.now ?? nowMs;
     this.operatorUid = opts.operatorUid;
     this.fetcher = opts.fetcher;
+    this.fetchQuotaImpl = opts._testFetchQuota ?? fetchQuota;
     this.stateDir = opts.stateDir ?? resolve7(this.homeRoot(), ".switchroom", "state", "auth-broker");
     this.socketRoot = opts.socketRoot ?? AUTH_BROKER_ROOT;
     this.providers = new ProviderRegistry;
@@ -13551,6 +13584,16 @@ class AuthBroker {
         });
       }, REFRESH_TICK_INTERVAL_MS);
       this.refreshTimer.unref();
+      const probeMs = resolveConsumerProbeIntervalMs(process.env);
+      const hasConsumers = (this.config.auth?.consumers ?? []).length > 0;
+      if (probeMs > 0 && hasConsumers) {
+        this.consumerProbeTimer = setInterval(() => {
+          this.consumerQuotaProbeTick().catch((err) => {
+            this.logErr(`consumer-quota-probe threw: ${err.message}`);
+          });
+        }, probeMs);
+        this.consumerProbeTimer.unref();
+      }
     }
     const fanned = this.fanoutAll();
     if (fanned.length > 0) {
@@ -13577,6 +13620,10 @@ class AuthBroker {
       clearInterval(this.refreshTimer);
       this.refreshTimer = null;
     }
+    if (this.consumerProbeTimer) {
+      clearInterval(this.consumerProbeTimer);
+      this.consumerProbeTimer = null;
+    }
     for (const [sock, lis] of this.listeners) {
       try {
         lis.server.close();
@@ -13994,7 +14041,7 @@ class AuthBroker {
         this.audit({ op: "probe-quota", identity: identity2, account: label, ok: false, error: "missing-credentials" });
         return { label, result: result2 };
       }
-      const result = await fetchQuota({ accessToken: token, timeoutMs });
+      const result = await this.fetchQuotaImpl({ accessToken: token, timeoutMs });
       this.audit({
         op: "probe-quota",
         identity: identity2,
@@ -14018,6 +14065,34 @@ class AuthBroker {
     }));
     socket.write(encodeSuccess(id, { results }));
   }
+  async consumerQuotaProbeTick() {
+    const accounts = Array.from(new Set((this.config.auth?.consumers ?? []).map((c) => c.account)));
+    for (const label of accounts) {
+      const creds = readAccountCredentials(label, this.home);
+      const token = creds?.claudeAiOauth?.accessToken;
+      if (!token)
+        continue;
+      let result;
+      try {
+        result = await this.fetchQuotaImpl({ accessToken: token });
+      } catch (err) {
+        this.logErr(`consumer-quota-probe ${label}: ${err.message}`);
+        continue;
+      }
+      const decision = quotaIndicatesExhaustion(result);
+      if (!decision.exhausted)
+        continue;
+      const exhaustedUntil = decision.until ?? this.now() + MARK_EXHAUSTED_DEFAULT_MS;
+      const existing = this.quota[label]?.exhausted_until;
+      if (existing !== undefined && existing >= exhaustedUntil)
+        continue;
+      this.quota[label] = { exhausted_until: exhaustedUntil };
+      this.persistQuota();
+      this.audit({ op: "mark-exhausted", identity: { kind: "operator" }, account: label, ok: true });
+      process.stdout.write(`auth-broker: consumer-quota-sensor marked ${label} exhausted until ${new Date(exhaustedUntil).toISOString()} — consumer(s) fail over
+`);
+    }
+  }
   async opSetActive(socket, id, identity2, account) {
     if (!this.isAdmin(identity2)) {
       this.audit({ op: "set-active", identity: identity2, account, ok: false, error: "FORBIDDEN" });
@@ -14049,8 +14124,9 @@ class AuthBroker {
     this.quota[account] = { exhausted_until: exhaustedUntil };
     this.persistQuota();
     const rolled = this.fanoutFailoverFor(account);
+    const rolledTo = this.nextHealthyAccount(account, this.config.auth?.fallback_order ?? []);
     this.audit({ op: "mark-exhausted", identity: identity2, account, ok: true });
-    socket.write(encodeSuccess(id, { account, rolled }));
+    socket.write(encodeSuccess(id, { account, rolled, rolledTo }));
   }
   async opRefreshAccount(socket, id, identity2, account) {
     if (!this.isAdmin(identity2)) {

package/dist/cli/drive-write-pretool.mjs

@@ -4165,7 +4165,8 @@ var init_protocol = __esm(() => {
   });
   MarkExhaustedDataSchema = exports_external.object({
     account: exports_external.string(),
-    rolled: exports_external.array(exports_external.string())
+    rolled: exports_external.array(exports_external.string()),
+    rolledTo: exports_external.string().nullable().optional()
   });
   RefreshAccountDataSchema = exports_external.object({
     account: exports_external.string(),

package/dist/cli/switchroom.js

@@ -25560,7 +25560,8 @@ var init_protocol2 = __esm(() => {
   });
   MarkExhaustedDataSchema = exports_external.object({
     account: exports_external.string(),
-    rolled: exports_external.array(exports_external.string())
+    rolled: exports_external.array(exports_external.string()),
+    rolledTo: exports_external.string().nullable().optional()
   });
   RefreshAccountDataSchema = exports_external.object({
     account: exports_external.string(),
@@ -49699,8 +49700,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.79";
-var COMMIT_SHA = "f6c40ab6";
+var VERSION = "0.14.81";
+var COMMIT_SHA = "4ac9cc7d";
 
 // src/cli/agent.ts
 init_source();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.14.79",
+  "version": "0.14.81",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/auto-fallback-fleet.ts

@@ -40,7 +40,6 @@ import {
   renderFallbackAnnouncement,
   classifyHealth,
   buildSnapshotsFromState,
-  type AccountSnapshot,
 } from './auth-snapshot-format.js';
 
 export type FleetFallbackOutcome =
@@ -52,10 +51,12 @@ export type FleetFallbackOutcome =
       /** Quota for the OLD account at the moment of failure — caller
        *  may persist this as the broker's `quota.json` so the next
        *  /auth render reflects the freshly-known exhaustion without
-       *  another probe. */
-      oldQuota: QuotaUtilization;
-      /** Quota for the new active account, useful for caller logging. */
-      newQuota: QuotaUtilization;
+       *  another probe. Null when the live probe failed but the broker
+       *  rolled anyway (it owns the authoritative exhaustion state). */
+      oldQuota: QuotaUtilization | null;
+      /** Quota for the new active account, useful for caller logging.
+       *  Null when the rolled-to account had no successful probe. */
+      newQuota: QuotaUtilization | null;
     }
   | {
       kind: 'all-blocked';
@@ -82,8 +83,15 @@ export interface FleetFallbackDeps {
    *  Get via `client.probeQuota(state.accounts.map(a => a.label))`
    *  and map the response back to per-account results (#1336). */
   quotas: QuotaResult[];
-  /** Broker `setActive` invoker. Returns the result for logging. */
-  setActive: (label: string) => Promise<{ active: string; fanned: string[] }>;
+  /** Non-admin failover invoker — the broker's `mark-exhausted` verb. Marks
+   *  the triggering agent's (exhausted) account and rolls every agent on it to
+   *  the next non-exhausted `fallback_order` account, returning that target as
+   *  `rolledTo` (null when every fallback is also exhausted). This is what lets
+   *  auto-fallback work from ANY agent — `set-active` (the admin verb the manual
+   *  /auth button uses) is gated to admin agents, so a non-admin agent that
+   *  429'd could never self-heal. mark-exhausted derives the account from the
+   *  caller's own identity, so it needs no admin. */
+  failover: () => Promise<{ rolledTo: string | null; rolled: string[] }>;
   /** Agent that triggered this fallback (for the announcement byline). */
   triggerAgent: string;
   /** Operator timezone for absolute reset times in the announcement. */
@@ -131,10 +139,18 @@ export async function runFleetAutoFallback(
     };
   }
 
-  const target = pickFallbackTarget(snapshots);
-  if (!target) {
-    // All-blocked path: no eligible target. Still notify the user with
-    // earliest-reset info via the announcement formatter.
+  // Execute the non-admin swap. The broker marks the triggering agent's
+  // (exhausted) account and rolls the fleet to the next non-exhausted
+  // fallback_order account, returning it as `rolledTo`. We trust the broker's
+  // choice (same `nextHealthyAccount` selection /auth rotate uses) rather than
+  // picking here, so the announcement matches what actually happened. Caller
+  // catches and surfaces failures — we don't double-wrap.
+  const { rolledTo } = await deps.failover();
+
+  if (!rolledTo) {
+    // All-blocked path: the broker found no non-exhausted fallback. The active
+    // account IS now marked exhausted (good for consumers/telemetry), but there
+    // was nowhere to roll. Notify with earliest-reset info.
     return {
       kind: 'all-blocked',
       oldLabel: oldSnap.label,
@@ -151,22 +167,22 @@ export async function runFleetAutoFallback(
     };
   }
 
-  // Execute the broker swap. Caller catches and surfaces the failure
-  // — we don't double-wrap.
-  await deps.setActive(target.label);
+  // Quota for the rolled-to account, looked up from the same probe snapshots
+  // (the broker chose by fallback_order, which may differ from the
+  // lowest-utilization heuristic — the announcement reflects the real target).
+  const newQuota = snapshots.find((s) => s.label === rolledTo)?.quota ?? null;
 
   return {
     kind: 'switched',
     oldLabel: oldSnap.label,
-    newLabel: target.label,
-    oldQuota: oldSnap.quota!, // non-null: only `unknown` health gets here through
-    // the no-target branch, never the switched one
-    newQuota: target.quota!,
+    newLabel: rolledTo,
+    oldQuota: oldSnap.quota,
+    newQuota,
     announcement: renderFallbackAnnouncement({
       oldLabel: oldSnap.label,
       oldQuota: oldSnap.quota,
-      newLabel: target.label,
-      newQuota: target.quota,
+      newLabel: rolledTo,
+      newQuota,
       triggerAgent: deps.triggerAgent,
       tz,
       now,
@@ -174,40 +190,12 @@ export async function runFleetAutoFallback(
   };
 }
 
-/**
- * Pick the best non-active fallback target. Selection order:
- *   1. Healthy accounts, sorted by lowest 5h utilization (most
- *      runway).
- *   2. If no healthy alternative, throttling accounts sorted by
- *      lowest binding-window utilization (least worst).
- *   3. Skip blocked + unknown entirely — never recommend a switch
- *      into a wall, never bet on creds we couldn't probe.
- *
- * Returns null when no eligible target exists.
- */
-export function pickFallbackTarget(
-  snapshots: AccountSnapshot[],
-): AccountSnapshot | null {
-  const candidates = snapshots
-    .filter((s) => !s.isActive && s.quota != null)
-    .map((s) => ({ snap: s, health: classifyHealth(s) }));
-
-  const healthy = candidates
-    .filter((c) => c.health === 'healthy')
-    .sort((a, b) => a.snap.quota!.fiveHourUtilizationPct - b.snap.quota!.fiveHourUtilizationPct);
-  if (healthy.length > 0) return healthy[0]!.snap;
-
-  const throttling = candidates
-    .filter((c) => c.health === 'throttling')
-    .sort((a, b) => maxWindow(a.snap.quota!) - maxWindow(b.snap.quota!));
-  if (throttling.length > 0) return throttling[0]!.snap;
-
-  return null;
-}
-
-function maxWindow(q: QuotaUtilization): number {
-  return Math.max(q.fiveHourUtilizationPct, q.sevenDayUtilizationPct);
-}
+// NOTE: target SELECTION now lives in the broker (`nextHealthyAccount`,
+// fallback_order order — the same selection /auth rotate uses). This module
+// no longer picks a target; it calls the non-admin `failover()` (mark-exhausted)
+// and announces whatever the broker rolled to. A second, divergent selector
+// here (the old lowest-utilization `pickFallbackTarget`) was removed so there's
+// one authoritative chooser.
 
 function pctSummary(q: QuotaUtilization | null): string {
   if (!q) return 'no probe';

package/telegram-plugin/dist/gateway/gateway.js

@@ -16325,7 +16325,8 @@ var init_protocol = __esm(() => {
   });
   MarkExhaustedDataSchema = exports_external.object({
     account: exports_external.string(),
-    rolled: exports_external.array(exports_external.string())
+    rolled: exports_external.array(exports_external.string()),
+    rolledTo: exports_external.string().nullable().optional()
   });
   RefreshAccountDataSchema = exports_external.object({
     account: exports_external.string(),
@@ -40749,6 +40750,7 @@ function createAuthBrokerClient() {
   const client3 = {
     listState: () => broker.listState(),
     setActive: (label) => broker.setActive(label),
+    markExhausted: (until) => broker.markExhausted(until),
     rmAccount: (label) => broker.rmAccount(label),
     refreshAccount: (label) => broker.refreshAccount(label),
     setOverride: (agent, account) => broker.setOverride(agent, account),
@@ -42047,8 +42049,8 @@ async function runFleetAutoFallback(deps) {
       announcement: `<i>Auto-fallback skipped: ${oldSnap.label} probed healthy ` + `(${pctSummary(oldSnap.quota)}). Stale event?</i>`
     };
   }
-  const target = pickFallbackTarget(snapshots);
-  if (!target) {
+  const { rolledTo } = await deps.failover();
+  if (!rolledTo) {
     return {
       kind: "all-blocked",
       oldLabel: oldSnap.label,
@@ -42064,37 +42066,24 @@ async function runFleetAutoFallback(deps) {
       })
     };
   }
-  await deps.setActive(target.label);
+  const newQuota = snapshots.find((s) => s.label === rolledTo)?.quota ?? null;
   return {
     kind: "switched",
     oldLabel: oldSnap.label,
-    newLabel: target.label,
+    newLabel: rolledTo,
     oldQuota: oldSnap.quota,
-    newQuota: target.quota,
+    newQuota,
     announcement: renderFallbackAnnouncement({
       oldLabel: oldSnap.label,
       oldQuota: oldSnap.quota,
-      newLabel: target.label,
-      newQuota: target.quota,
+      newLabel: rolledTo,
+      newQuota,
       triggerAgent: deps.triggerAgent,
       tz,
       now
     })
   };
 }
-function pickFallbackTarget(snapshots) {
-  const candidates = snapshots.filter((s) => !s.isActive && s.quota != null).map((s) => ({ snap: s, health: classifyHealth(s) }));
-  const healthy = candidates.filter((c) => c.health === "healthy").sort((a, b) => a.snap.quota.fiveHourUtilizationPct - b.snap.quota.fiveHourUtilizationPct);
-  if (healthy.length > 0)
-    return healthy[0].snap;
-  const throttling = candidates.filter((c) => c.health === "throttling").sort((a, b) => maxWindow(a.snap.quota) - maxWindow(b.snap.quota));
-  if (throttling.length > 0)
-    return throttling[0].snap;
-  return null;
-}
-function maxWindow(q) {
-  return Math.max(q.fiveHourUtilizationPct, q.sevenDayUtilizationPct);
-}
 function pctSummary(q) {
   if (!q)
     return "no probe";
@@ -52821,9 +52810,9 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.14.79";
-var COMMIT_SHA = "f6c40ab6";
-var COMMIT_DATE = "2026-06-07T09:32:15+10:00";
+var VERSION = "0.14.81";
+var COMMIT_SHA = "4ac9cc7d";
+var COMMIT_DATE = "2026-06-07T10:43:55+10:00";
 var LATEST_PR = null;
 var COMMITS_AHEAD_OF_TAG = 2;
 
@@ -60949,7 +60938,10 @@ async function doFireFleetAutoFallback(triggerAgent) {
     const outcome = await runFleetAutoFallback({
       state: state4,
       quotas,
-      setActive: (label) => client3.setActive(label),
+      failover: async () => {
+        const r = await client3.markExhausted();
+        return { rolledTo: r.rolledTo ?? null, rolled: r.rolled };
+      },
       triggerAgent,
       tz
     });

package/telegram-plugin/gateway/auth-broker-client.ts

@@ -27,6 +27,7 @@ export function createAuthBrokerClient(): {
   const client: AuthBrokerClient = {
     listState: () => broker.listState(),
     setActive: (label: string) => broker.setActive(label),
+    markExhausted: (until?: number) => broker.markExhausted(until),
     rmAccount: (label: string) => broker.rmAccount(label),
     refreshAccount: (label: string) => broker.refreshAccount(label),
     setOverride: (agent: string, account: string | null) =>

package/telegram-plugin/gateway/auth-command.ts

@@ -214,6 +214,14 @@ export function parseAuthCommand(text: string): ParsedAuthCommand | null {
 export interface AuthBrokerClient {
   listState(): Promise<ListStateData>
   setActive(label: string): Promise<{ active: string; fanned: string[] }>
+  /**
+   * Non-admin failover (broker `mark-exhausted`). Marks the CALLER's own
+   * account exhausted and rolls every agent on it to the next non-exhausted
+   * `fallback_order` account, returned as `rolledTo` (null when none). Unlike
+   * `setActive` this needs no admin — the account is derived from the caller's
+   * identity — so auto-fallback works from any agent.
+   */
+  markExhausted(until?: number): Promise<{ account: string; rolled: string[]; rolledTo?: string | null }>
   rmAccount(label: string): Promise<{ label: string }>
   refreshAccount(label: string): Promise<{ account: string; expiresAt?: number }>
   setOverride(

package/telegram-plugin/gateway/gateway.ts

@@ -14644,7 +14644,18 @@ async function doFireFleetAutoFallback(triggerAgent: string): Promise<boolean> {
     const outcome = await runFleetAutoFallback({
       state,
       quotas,
-      setActive: (label) => client.setActive(label),
+      // Non-admin swap: mark-exhausted derives the account from THIS agent's
+      // own identity and rolls the fleet to the next fallback. Replaces the
+      // admin-gated client.setActive(), which 403'd ("set-active requires
+      // admin") for every non-admin agent — i.e. the whole production fleet —
+      // so auto-fallback only ever worked when an admin agent happened to be
+      // the one that 429'd. The manual /auth button stays on set-active (the
+      // operator is explicitly choosing, and is admin); only this automatic
+      // path moves to the non-admin verb.
+      failover: async () => {
+        const r = await client.markExhausted()
+        return { rolledTo: r.rolledTo ?? null, rolled: r.rolled }
+      },
       triggerAgent,
       tz,
     })

package/telegram-plugin/tests/auto-fallback-fleet.test.ts

@@ -1,10 +1,17 @@
 /**
  * Tests for the fleet-wide auto-fallback planner. Pure-data —
- * no broker UDS, no Telegram bot. The injected `setActive` is a
- * vi.fn we assert on.
+ * no broker UDS, no Telegram bot.
+ *
+ * Contract change (fix/auto-fallback-non-admin): the swap now goes through
+ * the broker's NON-ADMIN `mark-exhausted` verb via the injected `failover()`
+ * dep, which returns the account the broker rolled TO (`rolledTo`). Target
+ * SELECTION moved to the broker (`nextHealthyAccount`, fallback_order order —
+ * what /auth rotate uses); this module no longer picks, it announces whatever
+ * the broker rolled to. The old admin-gated `setActive` dep is gone — that
+ * gate is exactly why a non-admin agent that 429'd could never self-heal.
  */
 import { describe, it, expect, vi } from 'vitest';
-import { runFleetAutoFallback, pickFallbackTarget } from '../auto-fallback-fleet.js';
+import { runFleetAutoFallback } from '../auto-fallback-fleet.js';
 import type { QuotaResult, QuotaUtilization } from '../quota-check.js';
 import type { ListStateData } from '../../src/auth/broker/client.js';
 
@@ -38,38 +45,35 @@ function state(active: string, accounts: string[]): ListStateData {
 }
 
 describe('runFleetAutoFallback', () => {
-  it('switches to the lowest-utilization healthy account via broker.setActive', async () => {
-    const setActive = vi.fn(async (label: string) => ({
-      active: label,
-      fanned: ['alice', 'bob'],
-    }));
+  it('swaps via the non-admin failover() and announces the broker’s rolledTo', async () => {
+    // The broker (mark-exhausted → nextHealthyAccount) chose you@x.
+    const failover = vi.fn(async () => ({ rolledTo: 'you@x', rolled: ['alice', 'bob'] }));
     const out = await runFleetAutoFallback({
       state: state('ken@x', ['ken@x', 'me@x', 'you@x']),
       quotas: [
-        // ken: just blew 5h
+        // ken: just blew 5h (the trigger)
         qOk({
           fiveHourUtilizationPct: 100,
           fiveHourResetAt: new Date('2026-05-15T05:50:00Z'),
           representativeClaim: 'five_hour',
         }),
-        // me: dead on 7d for 2 days
+        // me: dead on 7d
         qOk({
           sevenDayUtilizationPct: 100,
           sevenDayResetAt: new Date('2026-05-17T10:00:00Z'),
           representativeClaim: 'seven_day',
         }),
-        // you: healthy 5h/7d
+        // you: healthy — the rolled-to account, used for the headroom line
         qOk({ fiveHourUtilizationPct: 8, sevenDayUtilizationPct: 20 }),
       ],
-      setActive,
+      failover,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
     });
 
     expect(out.kind).toBe('switched');
-    expect(setActive).toHaveBeenCalledTimes(1);
-    expect(setActive).toHaveBeenCalledWith('you@x');
+    expect(failover).toHaveBeenCalledTimes(1);
     if (out.kind === 'switched') {
       expect(out.oldLabel).toBe('ken@x');
       expect(out.newLabel).toBe('you@x');
@@ -79,8 +83,8 @@ describe('runFleetAutoFallback', () => {
     }
   });
 
-  it('returns all-blocked WITHOUT calling setActive when every alternative is blocked', async () => {
-    const setActive = vi.fn();
+  it('returns all-blocked when the broker reports rolledTo=null (nowhere to roll)', async () => {
+    const failover = vi.fn(async () => ({ rolledTo: null, rolled: [] }));
     const out = await runFleetAutoFallback({
       state: state('ken@x', ['ken@x', 'me@x']),
       quotas: [
@@ -95,117 +99,77 @@ describe('runFleetAutoFallback', () => {
           representativeClaim: 'seven_day',
         }),
       ],
-      setActive,
+      failover,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
     });
 
     expect(out.kind).toBe('all-blocked');
-    expect(setActive).not.toHaveBeenCalled();
+    // failover IS called even on all-blocked — marking the active exhausted is
+    // correct (consumers/telemetry); there was just nowhere to roll.
+    expect(failover).toHaveBeenCalledTimes(1);
     if (out.kind === 'all-blocked') {
       expect(out.announcement).toContain('All accounts blocked');
       expect(out.announcement).toContain('/auth add');
     }
   });
 
-  it('idempotency: skips swap when active probes healthy (stale event)', async () => {
-    const setActive = vi.fn();
+  it('idempotency: skips the swap WITHOUT calling failover when active probes healthy', async () => {
+    const failover = vi.fn();
     const out = await runFleetAutoFallback({
       state: state('ken@x', ['ken@x', 'you@x']),
       quotas: [
         qOk({ fiveHourUtilizationPct: 5, sevenDayUtilizationPct: 10 }),
         qOk({ fiveHourUtilizationPct: 5, sevenDayUtilizationPct: 10 }),
       ],
-      setActive,
+      failover,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
     });
 
     expect(out.kind).toBe('no-eligible-target');
-    expect(setActive).not.toHaveBeenCalled();
+    expect(failover).not.toHaveBeenCalled();
     expect(out.announcement).toContain('skipped');
     expect(out.announcement).toContain('Stale event?');
   });
 
-  it('returns no-old-active when broker has no active account (corrupt state)', async () => {
-    const setActive = vi.fn();
+  it('returns no-old-active (no failover) when broker has no active account', async () => {
+    const failover = vi.fn();
     const out = await runFleetAutoFallback({
       state: { active: '', fallback_order: [], accounts: [], agents: [], consumers: [] },
       quotas: [],
-      setActive,
+      failover,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
     });
 
     expect(out.kind).toBe('no-old-active');
-    expect(setActive).not.toHaveBeenCalled();
+    expect(failover).not.toHaveBeenCalled();
   });
 
-  it('falls back to a throttling alternative when no healthy one exists', async () => {
-    const setActive = vi.fn(async (label: string) => ({ active: label, fanned: [] }));
+  it('announces even when the live probe of the active account failed (broker still rolled)', async () => {
+    // Probe failure for the active account → oldQuota null, but the broker
+    // (authoritative exhaustion state) still rolled. We must still announce.
+    const failover = vi.fn(async () => ({ rolledTo: 'you@x', rolled: ['alice'] }));
     const out = await runFleetAutoFallback({
       state: state('ken@x', ['ken@x', 'you@x']),
       quotas: [
-        qOk({
-          fiveHourUtilizationPct: 100,
-          fiveHourResetAt: new Date('2026-05-15T05:50:00Z'),
-          representativeClaim: 'five_hour',
-        }),
-        // you throttling at 85% but not blocked
-        qOk({ fiveHourUtilizationPct: 85, sevenDayUtilizationPct: 20 }),
+        { ok: false, reason: 'HTTP 401' }, // active probe failed → unknown health (not 'healthy', so we proceed)
+        qOk({ fiveHourUtilizationPct: 5 }),
       ],
-      setActive,
+      failover,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
     });
 
     expect(out.kind).toBe('switched');
-    expect(setActive).toHaveBeenCalledWith('you@x');
+    expect(failover).toHaveBeenCalledTimes(1);
     if (out.kind === 'switched') {
-      expect(out.announcement).toContain('near limit — watch this');
+      expect(out.newLabel).toBe('you@x');
     }
   });
-
-  it('skips unknown-health (probe failed) when picking a target', async () => {
-    const setActive = vi.fn(async (label: string) => ({ active: label, fanned: [] }));
-    const out = await runFleetAutoFallback({
-      state: state('ken@x', ['ken@x', 'broken@x', 'you@x']),
-      quotas: [
-        qOk({ fiveHourUtilizationPct: 100, fiveHourResetAt: new Date('2026-05-15T05:50:00Z') }),
-        { ok: false, reason: 'HTTP 401' },
-        qOk({ fiveHourUtilizationPct: 5 }),
-      ],
-      setActive,
-      triggerAgent: 'carrie',
-      now: NOW,
-      tz: 'UTC',
-    });
-
-    expect(out.kind).toBe('switched');
-    expect(setActive).toHaveBeenCalledWith('you@x');
-  });
-});
-
-describe('pickFallbackTarget', () => {
-  it('prefers lower-5h-utilization healthy account', () => {
-    const snaps = [
-      { label: 'a@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 100 }) },
-      { label: 'low@x', isActive: false, quota: quota({ fiveHourUtilizationPct: 5 }) },
-      { label: 'med@x', isActive: false, quota: quota({ fiveHourUtilizationPct: 30 }) },
-    ];
-    const target = pickFallbackTarget(snaps);
-    expect(target?.label).toBe('low@x');
-  });
-
-  it('returns null when only blocked alternatives exist', () => {
-    const snaps = [
-      { label: 'a@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 100 }) },
-      { label: 'b@x', isActive: false, quota: quota({ sevenDayUtilizationPct: 100 }) },
-    ];
-    expect(pickFallbackTarget(snaps)).toBeNull();
-  });
 });