switchroom 0.14.82 → 0.14.84

package/dist/cli/autoaccept-poll.js

@@ -176,6 +176,71 @@ function sendKeys2(agentName, keys) {
 
 // src/agents/wedge-watchdog.ts
 var WEDGE_FOOTER_SIGNATURE = /(?=[\s\S]*[Ee]sc(?:ape)?[^\n]*cancel)(?=[\s\S]*(?:to select|to navigate|\u2191\/\u2193))/;
+var RATE_LIMIT_MENU_SIGNATURE = /(?=[\s\S]*\/rate-limit-options)(?=[\s\S]*(?:Switch to usage credits|Upgrade your plan))/;
+var MONTHS = {
+  jan: 0,
+  feb: 1,
+  mar: 2,
+  apr: 3,
+  may: 4,
+  jun: 5,
+  jul: 6,
+  aug: 7,
+  sep: 8,
+  oct: 9,
+  nov: 10,
+  dec: 11
+};
+function parseWeeklyReset(text, nowMs = Date.now()) {
+  const m = text.match(/resets\s+([A-Za-z]{3,9})\s+(\d{1,2}),?\s+(\d{1,2})(?::(\d{2}))?\s*([ap]m)?\s*(?:\(([^)]+)\))?/i);
+  if (!m)
+    return null;
+  const mon = MONTHS[m[1].slice(0, 3).toLowerCase()];
+  if (mon === undefined)
+    return null;
+  const day = Number(m[2]);
+  let hour = Number(m[3]);
+  const minute = m[4] ? Number(m[4]) : 0;
+  const ampm = m[5]?.toLowerCase();
+  if (ampm === "pm" && hour < 12)
+    hour += 12;
+  if (ampm === "am" && hour === 12)
+    hour = 0;
+  if (!Number.isFinite(day) || !Number.isFinite(hour) || day < 1 || day > 31 || hour > 23) {
+    return null;
+  }
+  const tz = m[6]?.trim();
+  const probeYear = new Date(nowMs).getUTCFullYear();
+  for (const year of [probeYear, probeYear + 1]) {
+    const epoch = wallClockToEpoch(year, mon, day, hour, minute, tz);
+    if (epoch != null && epoch > nowMs - 60000)
+      return epoch;
+  }
+  return null;
+}
+function wallClockToEpoch(year, month, day, hour, minute, tz) {
+  const asUtc = Date.UTC(year, month, day, hour, minute, 0);
+  if (!tz)
+    return asUtc;
+  try {
+    const fmt = new Intl.DateTimeFormat("en-US", {
+      timeZone: tz,
+      year: "numeric",
+      month: "2-digit",
+      day: "2-digit",
+      hour: "2-digit",
+      minute: "2-digit",
+      second: "2-digit",
+      hour12: false
+    });
+    const parts = Object.fromEntries(fmt.formatToParts(new Date(asUtc)).filter((p) => p.type !== "literal").map((p) => [p.type, p.value]));
+    const shown = Date.UTC(Number(parts.year), Number(parts.month) - 1, Number(parts.day), Number(parts.hour) % 24, Number(parts.minute), Number(parts.second));
+    const offset = shown - asUtc;
+    return asUtc - offset;
+  } catch {
+    return null;
+  }
+}
 var DEFAULT_POLL_MS2 = 5000;
 var DEFAULT_STABILITY_THRESHOLD = 3;
 var DEFAULT_COOLDOWN_MS = 60000;
@@ -193,6 +258,9 @@ async function runWedgeWatchdog(opts) {
   const cooldownMs = opts.cooldownMs ?? DEFAULT_COOLDOWN_MS;
   const deferToPrompts = opts.deferToPrompts ?? PROMPTS2;
   const signature = opts.wedgeSignature ?? WEDGE_FOOTER_SIGNATURE;
+  const rateLimitSignature = opts.rateLimitSignature === null ? null : opts.rateLimitSignature ?? RATE_LIMIT_MENU_SIGNATURE;
+  const onRateLimitMenu = opts.onRateLimitMenu;
+  const parseReset = opts.parseReset ?? parseWeeklyReset;
   const maxPolls = opts.maxPolls ?? Number.POSITIVE_INFINITY;
   const now = opts.now ?? Date.now;
   const sleep = opts.sleep ?? defaultSleep2;
@@ -202,6 +270,7 @@ async function runWedgeWatchdog(opts) {
   let lastKey = null;
   let cooldownUntil = 0;
   let fires = 0;
+  let rateLimitFires = 0;
   let polls = 0;
   while (polls < maxPolls) {
     polls++;
@@ -212,8 +281,38 @@ async function runWedgeWatchdog(opts) {
       console.error(`[wedge-watchdog] ${opts.agentName}: capture threw: ${err.message}`);
       text = "";
     }
-    const isBlockingModal = !!text && signature.test(text) && !deferToPrompts.some((p) => p.match.test(text));
-    if (isBlockingModal) {
+    const isRateLimitMenu = !!text && rateLimitSignature !== null && rateLimitSignature.test(text);
+    const isBlockingModal = !isRateLimitMenu && !!text && signature.test(text) && !deferToPrompts.some((p) => p.match.test(text));
+    if (isRateLimitMenu) {
+      const key = stabilityKey(text);
+      if (key === lastKey) {
+        stableCount++;
+      } else {
+        stableCount = 1;
+        lastKey = key;
+      }
+      if (stableCount >= stabilityThreshold && now() >= cooldownUntil) {
+        const resetAt = parseReset(text, now());
+        console.error(`[wedge-watchdog] ${opts.agentName}: rate-limit (weekly-quota) menu detected ` + `after ${stableCount} stable polls \u2014 signalling failover` + (resetAt != null ? ` (resets ${new Date(resetAt).toISOString()})` : " (reset unparsed)") + ` then parking with Esc`);
+        if (onRateLimitMenu) {
+          try {
+            onRateLimitMenu(opts.agentName, resetAt);
+          } catch (err) {
+            console.error(`[wedge-watchdog] ${opts.agentName}: onRateLimitMenu threw: ${err.message}`);
+          }
+        }
+        try {
+          send(opts.agentName, ["Escape"]);
+        } catch (err) {
+          console.error(`[wedge-watchdog] ${opts.agentName}: send threw: ${err.message}`);
+        }
+        fires++;
+        rateLimitFires++;
+        cooldownUntil = now() + cooldownMs;
+        stableCount = 0;
+        lastKey = null;
+      }
+    } else if (isBlockingModal) {
       const key = stabilityKey(text);
       if (key === lastKey) {
         stableCount++;
@@ -239,7 +338,74 @@ async function runWedgeWatchdog(opts) {
     }
     await sleep(pollIntervalMs);
   }
-  return { fires, polls, reason: "max-polls" };
+  return { fires, rateLimitFires, polls, reason: "max-polls" };
+}
+
+// src/agents/rate-limit-signal.ts
+import { createConnection } from "node:net";
+import { join } from "node:path";
+function resolveGatewaySocketPath() {
+  const stateDir = process.env.TELEGRAM_STATE_DIR ?? "/state/agent/telegram";
+  return process.env.SWITCHROOM_GATEWAY_SOCKET ?? join(stateDir, "gateway.sock");
+}
+function signalQuotaWall(agentName, resetAt, opts = {}) {
+  const socketPath = opts.socketPath ?? resolveGatewaySocketPath();
+  const connect = opts._connect ?? ((p) => createConnection(p));
+  const log = opts._log ?? ((m) => console.error(m));
+  const connectTimeoutMs = opts.connectTimeoutMs ?? 5000;
+  const msg = { type: "quota_wall_detected", agentName };
+  if (resetAt != null)
+    msg.resetAt = resetAt;
+  const line = JSON.stringify(msg) + `
+`;
+  return new Promise((resolve) => {
+    let settled = false;
+    const done = (ok) => {
+      if (settled)
+        return;
+      settled = true;
+      resolve(ok);
+    };
+    let sock;
+    try {
+      sock = connect(socketPath);
+    } catch (err) {
+      log(`[rate-limit-signal] ${agentName}: connect threw: ${err.message}`);
+      done(false);
+      return;
+    }
+    const timer = setTimeout(() => {
+      log(`[rate-limit-signal] ${agentName}: connect timed out`);
+      try {
+        sock.destroy();
+      } catch {}
+      done(false);
+    }, connectTimeoutMs);
+    sock.on("connect", () => {
+      try {
+        sock.write(line, () => {
+          clearTimeout(timer);
+          try {
+            sock.end();
+          } catch {}
+          log(`[rate-limit-signal] ${agentName}: quota_wall_detected sent`);
+          done(true);
+        });
+      } catch (err) {
+        clearTimeout(timer);
+        log(`[rate-limit-signal] ${agentName}: write threw: ${err.message}`);
+        try {
+          sock.destroy();
+        } catch {}
+        done(false);
+      }
+    });
+    sock.on("error", (err) => {
+      clearTimeout(timer);
+      log(`[rate-limit-signal] ${agentName}: socket error: ${err.message}`);
+      done(false);
+    });
+  });
 }
 
 // src/cli/autoaccept-poll.ts
@@ -259,10 +425,17 @@ async function main() {
     console.error(`[autoaccept-poll] ${agentName}: wedge-watchdog disabled (SWITCHROOM_WEDGE_WATCHDOG=0) \u2014 exiting after boot phase`);
     process.exit(0);
   }
+  const rateLimitDetect = process.env.SWITCHROOM_RATE_LIMIT_DETECT !== "0";
   try {
-    console.error(`[autoaccept-poll] ${agentName}: entering wedge-watchdog (continuous)`);
-    const res = await runWedgeWatchdog({ agentName });
-    console.error(`[autoaccept-poll] ${agentName}: wedge-watchdog returned reason=${res.reason} fires=${res.fires}`);
+    console.error(`[autoaccept-poll] ${agentName}: entering wedge-watchdog (continuous)` + (rateLimitDetect ? " +rate-limit-detect" : " (rate-limit-detect OFF)"));
+    const res = await runWedgeWatchdog({
+      agentName,
+      rateLimitSignature: rateLimitDetect ? undefined : null,
+      onRateLimitMenu: rateLimitDetect ? (name, resetAt) => {
+        signalQuotaWall(name, resetAt);
+      } : undefined
+    });
+    console.error(`[autoaccept-poll] ${agentName}: wedge-watchdog returned reason=${res.reason} fires=${res.fires} rateLimitFires=${res.rateLimitFires}`);
   } catch (err) {
     console.error(`[autoaccept-poll] ${agentName}: wedge-watchdog unexpected throw: ${err.message}`);
   }

package/dist/cli/switchroom.js

@@ -14863,6 +14863,39 @@ async function parseSseOrJson(resp) {
   const payload = dataLine ? dataLine.slice("data: ".length) : text;
   return JSON.parse(payload);
 }
+async function fetchHindsightToolsList(apiUrl, opts) {
+  const fetchImpl = opts?.fetchImpl ?? fetch;
+  const timeoutMs = opts?.timeoutMs ?? 4000;
+  const bankId = opts?.bankId ?? "__doctor_probe__";
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const resp = await fetchImpl(`${apiUrl}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json, text/event-stream",
+        "X-Bank-Id": bankId
+      },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list" }),
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (!resp.ok)
+      return { ok: false, reason: `HTTP ${resp.status}` };
+    const parsed = await parseSseOrJson(resp);
+    const raw = parsed.result?.tools;
+    if (!Array.isArray(raw))
+      return { ok: false, reason: "no tools in tools/list response" };
+    const tools = raw.filter((t) => typeof t?.name === "string").map((t) => ({ name: t.name, required: t.inputSchema?.required ?? [] }));
+    return { ok: true, tools };
+  } catch (err) {
+    clearTimeout(timeout);
+    if (err.name === "AbortError")
+      return { ok: false, reason: "Timeout" };
+    return { ok: false, reason: String(err.message ?? err) };
+  }
+}
 async function probeHindsight(apiUrl, opts) {
   const fetchImpl = opts?.fetchImpl ?? fetch;
   const timeoutMs = opts?.timeoutMs ?? 3000;
@@ -14991,8 +15024,7 @@ async function ensureUserProfileMentalModel(apiUrl, bankId, opts) {
           name: "create_mental_model",
           arguments: {
             name: "user-profile",
-            source_query: "What are the key facts, preferences, context, and communication style about the user I talk to? Summarize what matters for making the agent feel like it knows them.",
-            types: ["world", "experience"]
+            source_query: "What are the key facts, preferences, context, and communication style about the user I talk to? Summarize what matters for making the agent feel like it knows them."
           }
         }
       }),
@@ -15077,6 +15109,12 @@ async function createBank(apiUrl, bankId, opts) {
     if (!toolResponse.ok) {
       return { ok: false, reason: `Tool call HTTP ${toolResponse.status}` };
     }
+    try {
+      const created = await parseSseOrJson(toolResponse);
+      if (created.result?.isError === true) {
+        return { ok: false, reason: created.result.content?.[0]?.text ?? "create_bank returned isError" };
+      }
+    } catch {}
     return { ok: true };
   } catch (err) {
     if (err.name === "AbortError") {
@@ -15137,8 +15175,8 @@ async function updateBankMissions(apiUrl, bankId, missions, opts) {
           name: "update_bank",
           arguments: {
             bank_id: bankId,
-            mission: missions.bank_mission,
-            retain_mission: missions.retain_mission
+            ...missions.bank_mission != null ? { mission: missions.bank_mission } : {},
+            ...missions.retain_mission != null ? { config_updates: { retain_mission: missions.retain_mission } } : {}
           }
         }
       }),
@@ -15148,6 +15186,12 @@ async function updateBankMissions(apiUrl, bankId, missions, opts) {
     if (!toolResponse.ok) {
       return { ok: false, reason: `Tool call HTTP ${toolResponse.status}` };
     }
+    try {
+      const updated = await parseSseOrJson(toolResponse);
+      if (updated.result?.isError === true) {
+        return { ok: false, reason: updated.result.content?.[0]?.text ?? "update_bank returned isError" };
+      }
+    } catch {}
     return { ok: true };
   } catch (err) {
     if (err.name === "AbortError") {
@@ -28959,6 +29003,30 @@ var init_manifest = __esm(() => {
   ]);
 });
 
+// src/memory/hindsight-tools.ts
+var EXPECTED_HINDSIGHT_TOOLS;
+var init_hindsight_tools = __esm(() => {
+  EXPECTED_HINDSIGHT_TOOLS = {
+    recall: { required: ["query"] },
+    reflect: { required: ["query"] },
+    retain: { required: ["content"] },
+    sync_retain: { required: ["content"] },
+    delete_document: { required: ["document_id"] },
+    create_directive: { required: ["content", "name"] },
+    list_directives: { required: [] },
+    delete_directive: { required: ["directive_id"] },
+    create_bank: { required: ["bank_id"] },
+    update_bank: { required: [] },
+    list_banks: { required: [] },
+    create_mental_model: { required: ["name", "source_query"] },
+    list_mental_models: { required: [] },
+    update_mental_model: { required: ["mental_model_id"] },
+    refresh_mental_model: { required: ["mental_model_id"] },
+    list_memories: { required: [] },
+    get_memory: { required: ["memory_id"] }
+  };
+});
+
 // src/cli/doctor-memory.ts
 import { execFileSync as execFileSync17 } from "node:child_process";
 function classifyShmSize(bytes) {
@@ -29030,8 +29098,51 @@ function checkHindsightContainerHealth(opts) {
   } catch {}
   return results;
 }
+function classifyToolContract(advertised) {
+  const byName = new Map(advertised.map((t) => [t.name, t]));
+  const results = [];
+  for (const [tool, spec] of Object.entries(EXPECTED_HINDSIGHT_TOOLS)) {
+    const real = byName.get(tool);
+    if (real === undefined) {
+      results.push({
+        name: `hindsight contract: ${tool}`,
+        status: "fail",
+        detail: `switchroom calls \`${tool}\` but the server no longer advertises it ` + `(renamed/removed upstream) \u2014 every callsite silently no-ops`,
+        fix: "Upstream hindsight changed its MCP tool contract. Update the callsite " + "+ EXPECTED_HINDSIGHT_TOOLS (src/memory/hindsight-tools.ts) to the new " + "name, refresh tests/fixtures/hindsight-tools-list.snapshot.json, or pin " + "the prior hindsight image."
+      });
+      continue;
+    }
+    const missing = spec.required.filter((arg) => !real.required.includes(arg));
+    const added = real.required.filter((arg) => !spec.required.includes(arg));
+    if (added.length > 0) {
+      results.push({
+        name: `hindsight contract: ${tool}`,
+        status: "fail",
+        detail: `server now requires [${added.join(", ")}] on \`${tool}\` which ` + `switchroom does not track \u2014 calls may silently no-op`,
+        fix: "Reconcile EXPECTED_HINDSIGHT_TOOLS + the callsite args with the new " + "server schema, then refresh the snapshot fixture."
+      });
+    } else if (missing.length > 0) {
+      results.push({
+        name: `hindsight contract: ${tool}`,
+        status: "warn",
+        detail: `switchroom treats [${missing.join(", ")}] as required on \`${tool}\` ` + `but the server no longer does (loosened upstream) \u2014 harmless, but the ` + `fixture is stale`,
+        fix: "Refresh EXPECTED_HINDSIGHT_TOOLS + the snapshot fixture."
+      });
+    }
+  }
+  if (results.length === 0) {
+    const used = Object.keys(EXPECTED_HINDSIGHT_TOOLS).length;
+    results.push({
+      name: "hindsight contract",
+      status: "ok",
+      detail: `${used} used tools present, required args satisfied (${advertised.length} advertised)`
+    });
+  }
+  return results;
+}
 var MIN_HINDSIGHT_SHM_BYTES;
 var init_doctor_memory = __esm(() => {
+  init_hindsight_tools();
   MIN_HINDSIGHT_SHM_BYTES = 1024 * 1024 * 1024;
 });
 
@@ -32043,6 +32154,10 @@ async function checkHindsight(config) {
     status: "ok",
     detail: `${probe2.serverName} ${probe2.serverVersion} at ${host}:${port}`
   });
+  const toolsList = await fetchHindsightToolsList(url);
+  if (toolsList.ok) {
+    results.push(...classifyToolContract(toolsList.tools));
+  }
   results.push(checkHindsightConsumer(config));
   results.push(...checkHindsightContainerHealth());
   for (const [agentName, agentConfig] of Object.entries(config.agents)) {
@@ -49700,8 +49815,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.82";
-var COMMIT_SHA = "91bc41d1";
+var VERSION = "0.14.84";
+var COMMIT_SHA = "af97bc41";
 
 // src/cli/agent.ts
 init_source();

package/dist/cli/ui/index.html

@@ -559,16 +559,42 @@
       }
     }
 
+    // Guards a second click from starting a second device-code flow (each
+    // start makes Microsoft send a sign-in email → the "2 emails" bug).
+    let msConnecting = false;
+
+    // The set of Microsoft account emails currently known to the broker.
+    // Used as a resilience baseline: the connect status lives only in the web
+    // process's memory, so if that process restarts mid-connect the status
+    // reads 'unknown' even when the token WAS stored. Diffing this list tells
+    // us the account really connected regardless of the lost status.
+    async function fetchMicrosoftAccountEmails() {
+      try {
+        const r = await fetch(`${API}/api/microsoft-accounts`, { headers: authHeaders() });
+        if (!r.ok) return new Set();
+        const list = await r.json();
+        return new Set((list || []).filter(a => a.brokerKnown).map(a => String(a.account).toLowerCase()));
+      } catch { return new Set(); }
+    }
+
     // Start an in-browser Microsoft connect: show the device code + link,
     // then poll until the operator completes sign-in on Microsoft's site.
     async function connectMicrosoft() {
+      if (msConnecting) return;              // double-submit guard
+      msConnecting = true;
+      const btn = document.getElementById('ms-connect-btn');
+      if (btn) btn.disabled = true;
+      const done = () => { msConnecting = false; const b = document.getElementById('ms-connect-btn'); if (b) b.disabled = false; };
       const card = document.getElementById('ms-connect-card');
       const show = (html) => { if (card) card.innerHTML = html; };
       show('<div class="loading" style="padding:.8rem">Starting…</div>');
+      // Snapshot already-connected accounts BEFORE starting, for the
+      // restart-resilient terminal check below.
+      const before = await fetchMicrosoftAccountEmails();
       try {
         const res = await fetch(`${API}/api/connections/microsoft/connect`, { method: 'POST', headers: authHeaders() });
         const data = await res.json();
-        if (!res.ok || !data.ok) { show(''); showError(data.error || `HTTP ${res.status}`); return; }
+        if (!res.ok || !data.ok) { show(''); showError(data.error || `HTTP ${res.status}`); done(); return; }
         const url = data.verificationUri, code = data.userCode;
         show(`<div class="account-card" style="border-color:var(--accent)">
             <div class="account-card-header"><div class="account-label">Connect a Microsoft account</div></div>
@@ -580,27 +606,58 @@
             <div id="ms-connect-status" style="color:var(--text-dim);margin-top:.3rem">Waiting for sign-in… (this card expires in ~15 min)</div>
           </div>`);
         const statusEl = () => document.getElementById('ms-connect-status');
-        const started = Date.now();
+        const deadline = Date.now() + ((data.expiresInSec || 900) * 1000 + 30000);
+        const showConnected = (label) => {
+          show(`<div class="loading" style="padding:.8rem;color:var(--green)">✓ Connected ${escapeHtml(label)}. Use the access toggles below to grant an agent.</div>`);
+          fetchConnections();
+        };
+        // On any non-'connected' terminal state ('failed' or 'unknown'),
+        // re-check the broker's actual account list before declaring failure:
+        // a new account appearing means the connect really succeeded (e.g. the
+        // status was lost to a web restart). Only error if nothing new landed.
+        // Limitations (acceptable — the in-memory 'connected' state is the
+        // primary signal; this is only the lost-status fallback): a concurrent
+        // connect of a DIFFERENT account in another tab/CLI could be mistaken
+        // for this one; and re-connecting an ALREADY-known account (token
+        // refresh) shows no new account so falls through to the error.
+        const settleNonConnected = async (reason) => {
+          const after = await fetchMicrosoftAccountEmails();
+          const fresh = [...after].find(a => !before.has(a));
+          if (fresh) { showConnected(fresh); } else { show(''); showError(reason || 'connect failed'); }
+          done();
+        };
         const poll = async () => {
-          const sres = await fetch(`${API}/api/connections/microsoft/connect/${encodeURIComponent(data.requestId)}`, { headers: authHeaders() });
-          const s = sres.ok ? await sres.json() : { state: 'failed', reason: `HTTP ${sres.status}` };
+          let s;
+          try {
+            const sres = await fetch(`${API}/api/connections/microsoft/connect/${encodeURIComponent(data.requestId)}`, { headers: authHeaders() });
+            s = sres.ok ? await sres.json() : { state: 'failed', reason: `HTTP ${sres.status}` };
+          } catch {
+            // Transient fetch failure — most likely the web process restarting
+            // mid-connect (the exact case this flow must survive). Don't die
+            // (that would strand msConnecting=true and lock the button): keep
+            // polling until the device-code deadline, then settle via the
+            // broker re-check (which recovers a token stored before the restart).
+            if (Date.now() > deadline) { await settleNonConnected('connection lost'); return; }
+            setTimeout(poll, 3000);
+            return;
+          }
           if (s.state === 'pending') {
-            if (Date.now() - started > ((data.expiresInSec || 900) * 1000 + 30000)) { const e = statusEl(); if (e) e.textContent = 'Expired — click Connect to try again.'; return; }
+            if (Date.now() > deadline) { const e = statusEl(); if (e) e.textContent = 'Expired — click Connect to try again.'; done(); return; }
             setTimeout(poll, 3000);
             return;
           }
           if (s.state === 'connected') {
-            show(`<div class="loading" style="padding:.8rem;color:var(--green)">✓ Connected ${escapeHtml(s.account)} (${escapeHtml(s.accountType)}). Use the access toggles below to grant an agent.</div>`);
-            fetchConnections();
+            showConnected(`${s.account} (${s.accountType})`);
+            done();
           } else {
-            show('');
-            showError(s.reason || 'connect failed');
+            await settleNonConnected(s.reason);
           }
         };
         setTimeout(poll, 3000);
       } catch (err) {
         show('');
         showError(err.message);
+        done();
       }
     }
 
@@ -1165,7 +1222,7 @@
         <div style="margin-bottom:1.5rem">
           <h3 style="margin:0 0 .6rem;font-size:.95rem;color:var(--text-dim);text-transform:uppercase;letter-spacing:.04em">
             Microsoft 365
-            <button onclick="connectMicrosoft()" class="usage-pill primary" style="margin-left:.6rem;cursor:pointer;border:none;text-transform:none;font-weight:600">+ Connect a Microsoft account</button>
+            <button id="ms-connect-btn" onclick="connectMicrosoft()" class="usage-pill primary" style="margin-left:.6rem;cursor:pointer;border:none;text-transform:none;font-weight:600">+ Connect a Microsoft account</button>
           </h3>
           <div id="ms-connect-card"></div>
           ${msCards

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.14.82",
+  "version": "0.14.84",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/dist/gateway/gateway.js

@@ -46487,6 +46487,13 @@ function validateClientMessage(msg) {
       const inb = m.inbound;
       return inb.type === "inbound" && typeof inb.chatId === "string" && inb.chatId.length > 0 && typeof inb.text === "string" && typeof inb.messageId === "number" && typeof inb.user === "string" && typeof inb.userId === "number" && typeof inb.ts === "number" && typeof inb.meta === "object" && inb.meta !== null;
     }
+    case "quota_wall_detected": {
+      if (typeof m.agentName !== "string" || !AGENT_NAME_RE3.test(m.agentName))
+        return false;
+      if (m.resetAt !== undefined && (typeof m.resetAt !== "number" || !Number.isFinite(m.resetAt)))
+        return false;
+      return true;
+    }
     case "request_config_approval": {
       if (typeof m.requestId !== "string" || m.requestId.length === 0 || m.requestId.length > 64)
         return false;
@@ -46548,6 +46555,7 @@ function createIpcServer(options) {
     onOperatorEvent,
     onPtyPartial,
     onInjectInbound,
+    onQuotaWallDetected,
     onRequestDriveApproval,
     onRequestMs365Approval,
     onRequestConfigApproval,
@@ -46632,6 +46640,10 @@ function createIpcServer(options) {
         if (onInjectInbound)
           onInjectInbound(client3, msg);
         break;
+      case "quota_wall_detected":
+        if (onQuotaWallDetected)
+          onQuotaWallDetected(client3, msg);
+        break;
       case "request_drive_approval":
         if (onRequestDriveApproval) {
           onRequestDriveApproval(client3, msg).catch((err) => {
@@ -52661,6 +52673,53 @@ function evaluateQuotaWatchAccount(args) {
   }
   return { kind: "skip", accountLabel: label, reason: "no-matching-transition" };
 }
+var FLEET_ALL_EXHAUSTED_KEY = "__fleet_all_exhausted__";
+function evaluateFleetAllExhausted(args) {
+  const { accounts, prev, now } = args;
+  const allExhausted = accounts.length > 0 && accounts.every((a) => a.exhausted);
+  const wasAlerting = prev.lastNotifiedHealth === "throttling";
+  if (allExhausted && !wasAlerting) {
+    return {
+      kind: "notify",
+      message: buildAllExhaustedMessage(accounts, now),
+      newState: { lastNotifiedHealth: "throttling", lastNotifiedAt: now },
+      transition: "entered"
+    };
+  }
+  if (!allExhausted && wasAlerting) {
+    return {
+      kind: "notify",
+      message: buildFleetRecoveredMessage(accounts),
+      newState: { lastNotifiedHealth: "healthy", lastNotifiedAt: now },
+      transition: "recovered"
+    };
+  }
+  return { kind: "skip", reason: allExhausted ? "still-all-exhausted" : "not-all-exhausted" };
+}
+function buildAllExhaustedMessage(accounts, now) {
+  const resets = accounts.map((a) => a.exhausted_until).filter((x) => typeof x === "number" && x > now);
+  const earliest = resets.length > 0 ? Math.min(...resets) : null;
+  const resetLine = earliest ? `Earliest reset: ${formatRelative(new Date(earliest), new Date(now))}.` : `Reset time unknown (no window data).`;
+  return [
+    `\uD83D\uDD34 <b>All accounts exhausted</b>`,
+    ``,
+    `Every Anthropic account (${accounts.length}) is quota-walled \u2014 there is no healthy account to fail over to.`,
+    resetLine,
+    ``,
+    `<i>This is self-healing: agents resume and deferred scheduled jobs run automatically once a window resets. Nothing is lost. Add headroom with <code>/auth add</code> if this recurs.</i>`
+  ].join(`
+`);
+}
+function buildFleetRecoveredMessage(accounts) {
+  const healthy = accounts.filter((a) => !a.exhausted).map((a) => a.label);
+  const which = healthy.length > 0 ? ` (<code>${escapeHtml10(healthy[0])}</code>)` : "";
+  return [
+    `\uD83D\uDFE2 <b>Fleet recovered</b> \u2014 at least one account is healthy again${which}.`,
+    ``,
+    `<i>Agents are back; any deferred scheduled jobs will run on their next occurrence.</i>`
+  ].join(`
+`);
+}
 function buildThrottlingMessage(agentName3, snap) {
   const q = snap.quota;
   const fiveStr = fmtPct(q.fiveHourUtilizationPct);
@@ -52810,9 +52869,9 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.14.82";
-var COMMIT_SHA = "91bc41d1";
-var COMMIT_DATE = "2026-06-07T12:22:49+10:00";
+var VERSION = "0.14.84";
+var COMMIT_SHA = "af97bc41";
+var COMMIT_DATE = "2026-06-07T13:38:19+10:00";
 var LATEST_PR = null;
 var COMMITS_AHEAD_OF_TAG = 2;
 
@@ -56111,6 +56170,13 @@ var ipcServer = createIpcServer({
       pendingInboundBuffer.push(msg.agentName, msg.inbound);
     }
   },
+  onQuotaWallDetected(_client, msg) {
+    const WEEKLY_MS = 604800000;
+    const untilMs = typeof msg.resetAt === "number" && Number.isFinite(msg.resetAt) && msg.resetAt > Date.now() ? msg.resetAt : Date.now() + WEEKLY_MS;
+    process.stderr.write(`telegram gateway: quota_wall_detected agent=${msg.agentName} until=${new Date(untilMs).toISOString()}` + (msg.resetAt == null ? " (reset unparsed \u2192 +7d default)" : "") + ` \u2014 triggering fleet auto-fallback
+`);
+    fireFleetAutoFallback(msg.agentName, untilMs);
+  },
   log: (msg) => process.stderr.write(`telegram gateway: ipc \u2014 ${msg}
 `)
 });
@@ -60914,13 +60980,13 @@ var fleetFallbackGate = createFleetFallbackGate({
 function wouldFireFleetAutoFallback() {
   return fleetFallbackGate.wouldFire();
 }
-async function fireFleetAutoFallback(triggerAgent) {
-  return fleetFallbackGate.fire(() => doFireFleetAutoFallback(triggerAgent), (err) => {
+async function fireFleetAutoFallback(triggerAgent, untilMs) {
+  return fleetFallbackGate.fire(() => doFireFleetAutoFallback(triggerAgent, untilMs), (err) => {
     process.stderr.write(`telegram gateway: [fleet-fallback] error agent=${triggerAgent}: ${err?.message ?? err}
 `);
   });
 }
-async function doFireFleetAutoFallback(triggerAgent) {
+async function doFireFleetAutoFallback(triggerAgent, untilMs) {
   try {
     const client3 = await getAuthBrokerClient(triggerAgent);
     if (!client3) {
@@ -60939,7 +61005,7 @@ async function doFireFleetAutoFallback(triggerAgent) {
       state: state4,
       quotas,
       failover: async () => {
-        const r = await client3.markExhausted();
+        const r = await client3.markExhausted(untilMs);
         return { rolledTo: r.rolledTo ?? null, rolled: r.rolled };
       },
       triggerAgent,
@@ -61017,6 +61083,31 @@ async function runQuotaWatch() {
   let watchState = loadQuotaWatchState(stateDir);
   const now = Date.now();
   const access = loadAccess();
+  {
+    const fleetPrev = watchState[FLEET_ALL_EXHAUSTED_KEY] ?? emptyAccountState();
+    const fleetDecision = evaluateFleetAllExhausted({
+      accounts: listStateData.accounts,
+      prev: fleetPrev,
+      now
+    });
+    if (fleetDecision.kind === "notify") {
+      for (const chat_id of access.allowFrom) {
+        await swallowingApiCall(() => bot.api.sendMessage(chat_id, fleetDecision.message, {
+          parse_mode: "HTML",
+          link_preview_options: { is_disabled: true }
+        }), { chat_id, verb: "quota-watch.fleet-all-exhausted" });
+      }
+      watchState = patchQuotaWatchState(watchState, FLEET_ALL_EXHAUSTED_KEY, fleetDecision.newState);
+      try {
+        saveQuotaWatchState(stateDir, watchState);
+      } catch (err) {
+        process.stderr.write(`telegram gateway: quota-watch: fleet-state save failed: ${err}
+`);
+      }
+      process.stderr.write(`telegram gateway: quota-watch: fleet all-exhausted ${fleetDecision.transition}
+`);
+    }
+  }
   const pendingTransitions = [];
   const labelToSnapIndex = new Map(snapshots.map((s, i) => [s.label, i]));
   for (const snap of snapshots) {

package/telegram-plugin/gateway/gateway.ts

@@ -348,6 +348,7 @@ import type {
   PtyPartialForward,
   InboundMessage,
   InjectInboundMessage,
+  QuotaWallDetectedMessage,
   PermissionEvent,
 } from './ipc-protocol.js'
 import { DebounceBuffer, HourCap, buildReactionInboundMeta, buildReactionInboundText, evaluateTriggerCandidate, isGroupChat, resolveReactionsConfig, truncatePreview, type PendingReaction, type ReactionBatch, type ReactionsResolvedConfig } from './reaction-trigger.js'
@@ -412,6 +413,8 @@ import {
 } from '../credits-watch.js'
 import {
   evaluateQuotaWatchAccount,
+  evaluateFleetAllExhausted,
+  FLEET_ALL_EXHAUSTED_KEY,
   loadQuotaWatchState,
   saveQuotaWatchState,
   patchQuotaWatchState,
@@ -6257,6 +6260,30 @@ const ipcServer: IpcServer = createIpcServer({
     }
   },
 
+  // The wedge-watchdog detected claude's /rate-limit-options weekly-quota menu
+  // (a TUI wall that never produced a 429, so the inference-path auto-fallback
+  // never fired). Trigger the SAME fleet auto-fallback the 429 path uses,
+  // threading the parsed weekly reset as markExhausted's `until` — with a
+  // weekly-scale FALLBACK when the sidecar couldn't parse it (resetAt absent):
+  // passing undefined would let markExhausted use its ~5h default, which would
+  // un-exhaust a weekly-walled account and re-wedge it within hours. The
+  // existing chain handles the rest (roll to a fallback subscription account,
+  // or the all-exhausted operator alert when none has quota). Fire-and-forget.
+  onQuotaWallDetected(_client: IpcClient, msg: QuotaWallDetectedMessage) {
+    const WEEKLY_MS = 7 * 24 * 60 * 60 * 1000
+    const untilMs =
+      typeof msg.resetAt === 'number' && Number.isFinite(msg.resetAt) && msg.resetAt > Date.now()
+        ? msg.resetAt
+        : Date.now() + WEEKLY_MS
+    process.stderr.write(
+      `telegram gateway: quota_wall_detected agent=${msg.agentName} ` +
+        `until=${new Date(untilMs).toISOString()}` +
+        (msg.resetAt == null ? ' (reset unparsed → +7d default)' : '') +
+        ' — triggering fleet auto-fallback\n',
+    )
+    void fireFleetAutoFallback(msg.agentName, untilMs)
+  },
+
   log: (msg) => process.stderr.write(`telegram gateway: ipc — ${msg}\n`),
 })
 
@@ -14603,9 +14630,9 @@ function wouldFireFleetAutoFallback(): boolean {
  * so the user sees the outcome inline with the original "Model
  * unavailable" card.
  */
-async function fireFleetAutoFallback(triggerAgent: string): Promise<void> {
+async function fireFleetAutoFallback(triggerAgent: string, untilMs?: number): Promise<void> {
   return fleetFallbackGate.fire(
-    () => doFireFleetAutoFallback(triggerAgent),
+    () => doFireFleetAutoFallback(triggerAgent, untilMs),
     (err) => {
       process.stderr.write(
         `telegram gateway: [fleet-fallback] error agent=${triggerAgent}: ${(err as Error)?.message ?? err}\n`,
@@ -14618,7 +14645,7 @@ async function fireFleetAutoFallback(triggerAgent: string): Promise<void> {
  *  user-visible announcement was broadcast). False on no-op /
  *  error / idempotent-skip — caller uses this to decide whether to
  *  arm the post-fire suppression window. */
-async function doFireFleetAutoFallback(triggerAgent: string): Promise<boolean> {
+async function doFireFleetAutoFallback(triggerAgent: string, untilMs?: number): Promise<boolean> {
   try {
     const client = await getAuthBrokerClient(triggerAgent)
     if (!client) {
@@ -14653,7 +14680,11 @@ async function doFireFleetAutoFallback(triggerAgent: string): Promise<boolean> {
       // operator is explicitly choosing, and is admin); only this automatic
       // path moves to the non-admin verb.
       failover: async () => {
-        const r = await client.markExhausted()
+        // The 429 inference path passes no `until` (broker ~5h default). The
+        // rate-limit-MENU path (quota_wall_detected) passes the parsed WEEKLY
+        // reset, so the walled account isn't re-probed (and re-wedged) within
+        // the 5h default while it's weekly-capped.
+        const r = await client.markExhausted(untilMs)
         return { rolledTo: r.rolledTo ?? null, rolled: r.rolled }
       },
       triggerAgent,
@@ -14805,6 +14836,44 @@ async function runQuotaWatch(): Promise<void> {
   const now = Date.now()
   const access = loadAccess()
 
+  // Fleet-wide all-exhausted check FIRST — must run before the per-account
+  // early-return below. When every account is exhausted, the per-account loop
+  // produces only 'blocked' skips → pendingTransitions empty → early return;
+  // so this fleet-level alert (the one the trigger-based all-blocked card
+  // misses during quiet periods / for the consumer+cron paths) would never
+  // fire if placed after. Authoritative source: broker `exhausted` flags.
+  {
+    const fleetPrev = watchState[FLEET_ALL_EXHAUSTED_KEY] ?? emptyAccountState()
+    const fleetDecision = evaluateFleetAllExhausted({
+      accounts: listStateData.accounts,
+      prev: fleetPrev,
+      now,
+    })
+    if (fleetDecision.kind === 'notify') {
+      for (const chat_id of access.allowFrom) {
+        await swallowingApiCall(
+          () =>
+            bot.api.sendMessage(chat_id, fleetDecision.message, {
+              parse_mode: 'HTML',
+              link_preview_options: { is_disabled: true },
+            }),
+          { chat_id, verb: 'quota-watch.fleet-all-exhausted' },
+        )
+      }
+      // Persist immediately — the per-account early-return path below would
+      // otherwise drop this flag change (edge-trigger would re-fire next poll).
+      watchState = patchQuotaWatchState(watchState, FLEET_ALL_EXHAUSTED_KEY, fleetDecision.newState)
+      try {
+        saveQuotaWatchState(stateDir, watchState)
+      } catch (err) {
+        process.stderr.write(`telegram gateway: quota-watch: fleet-state save failed: ${err}\n`)
+      }
+      process.stderr.write(
+        `telegram gateway: quota-watch: fleet all-exhausted ${fleetDecision.transition}\n`,
+      )
+    }
+  }
+
   // First pass: evaluate all accounts against cached state. Collect
   // labels that need a live probe (i.e. accounts with a detected transition
   // that we're about to notify about). We probe those to get fresh

package/telegram-plugin/gateway/ipc-protocol.ts

@@ -393,6 +393,26 @@ export interface RequestConfigFinalizeMessage {
   detail?: string;
 }
 
+/**
+ * The autoaccept-poll wedge-watchdog detected claude's `/rate-limit-options`
+ * weekly-quota menu (a TUI wall that never produced a 429 the gateway could
+ * see). Asks the gateway to trigger the EXISTING account-failover chain
+ * (markExhausted → roll to a fallback subscription account, or the
+ * all-exhausted operator alert). Fire-and-forget; no reply.
+ *
+ * Trust model (same as inject_inbound): the socket is per-agent inside the
+ * container, but `agentName` is still validated server-side and never trusted
+ * to authorize anything beyond triggering the agent's own failover.
+ */
+export interface QuotaWallDetectedMessage {
+  type: "quota_wall_detected";
+  agentName: string;
+  /** Parsed weekly-reset epoch-ms. Omitted when the sidecar couldn't parse it;
+   *  the gateway then uses a weekly-scale default for markExhausted's `until`
+   *  (NOT the ~5h default, which would un-exhaust a weekly wall and re-wedge). */
+  resetAt?: number;
+}
+
 export type ClientToGateway =
   | RegisterMessage
   | ToolCallMessage
@@ -407,4 +427,5 @@ export type ClientToGateway =
   | RequestDriveApprovalMessage
   | RequestMs365ApprovalMessage
   | RequestConfigApprovalMessage
-  | RequestConfigFinalizeMessage;
+  | RequestConfigFinalizeMessage
+  | QuotaWallDetectedMessage;

package/telegram-plugin/gateway/ipc-server.ts

@@ -4,6 +4,7 @@ import type {
   GatewayToClient,
   HeartbeatMessage,
   InjectInboundMessage,
+  QuotaWallDetectedMessage,
   OperatorEventForward,
   PermissionRequestForward,
   PtyPartialForward,
@@ -44,6 +45,14 @@ export interface IpcServerOptions {
    * inline scheduler simply ignore inject_inbound messages.
    */
   onInjectInbound?: (client: IpcClient, msg: InjectInboundMessage) => void;
+  /**
+   * The autoaccept-poll wedge-watchdog detected claude's `/rate-limit-options`
+   * weekly-quota menu (no 429 ever reached the gateway). Handler is expected to
+   * trigger the existing fleet auto-fallback for `msg.agentName`, threading
+   * `msg.resetAt` as the markExhausted `until`. Fire-and-forget; gateways that
+   * don't run failover simply ignore it.
+   */
+  onQuotaWallDetected?: (client: IpcClient, msg: QuotaWallDetectedMessage) => void;
   /**
    * RFC E §4.2 Cut 2 — Drive-write PreToolUse hook asks the gateway
    * to register a kernel approval request + post a diff-preview
@@ -237,6 +246,15 @@ export function validateClientMessage(msg: unknown): msg is ClientToGateway {
         && typeof inb.meta === "object"
         && inb.meta !== null;
     }
+    case "quota_wall_detected": {
+      // wedge-watchdog detected the /rate-limit-options weekly-quota menu.
+      if (typeof m.agentName !== "string"
+        || !AGENT_NAME_RE.test(m.agentName as string)) return false;
+      // resetAt optional; when present it must be a finite epoch-ms.
+      if (m.resetAt !== undefined
+        && (typeof m.resetAt !== "number" || !Number.isFinite(m.resetAt as number))) return false;
+      return true;
+    }
     case "request_config_approval": {
       // #1623 — hostd-initiated config-edit approval card. Wire shape
       // only; the handler module validates the diff content.
@@ -317,6 +335,7 @@ export function createIpcServer(options: IpcServerOptions): IpcServer {
     onOperatorEvent,
     onPtyPartial,
     onInjectInbound,
+    onQuotaWallDetected,
     onRequestDriveApproval,
     onRequestMs365Approval,
     onRequestConfigApproval,
@@ -425,6 +444,9 @@ export function createIpcServer(options: IpcServerOptions): IpcServer {
       case "inject_inbound":
         if (onInjectInbound) onInjectInbound(client, msg as InjectInboundMessage);
         break;
+      case "quota_wall_detected":
+        if (onQuotaWallDetected) onQuotaWallDetected(client, msg as QuotaWallDetectedMessage);
+        break;
       case "request_drive_approval":
         if (onRequestDriveApproval) {
           // Handler is async — fire-and-forget here; the handler

package/telegram-plugin/quota-watch.ts

@@ -160,6 +160,99 @@ export function evaluateQuotaWatchAccount(args: {
   return { kind: "skip", accountLabel: label, reason: "no-matching-transition" };
 }
 
+// ─── Fleet-level: all accounts exhausted ───────────────────────────────────────
+
+/**
+ * Reserved key under which the fleet-wide "all accounts exhausted" alert state
+ * is stored in the same quota-watch.json map. Not a valid account label (emails
+ * can't contain this), so it never collides with a per-account entry, and the
+ * per-account loop (which iterates account snapshots, not state-map keys) never
+ * sees it. Encoded as a QuotaWatchAccountState so the existing load validator
+ * accepts it: lastNotifiedHealth "throttling" = currently alerting all-exhausted,
+ * "healthy"/null = not. Backward-compatible — old files simply lack the key.
+ */
+export const FLEET_ALL_EXHAUSTED_KEY = "__fleet_all_exhausted__";
+
+export type FleetAllExhaustedDecision =
+  | { kind: "notify"; message: string; newState: QuotaWatchAccountState; transition: "entered" | "recovered" }
+  | { kind: "skip"; reason: string };
+
+/**
+ * Fleet-wide all-exhausted alert (edge-triggered).
+ *
+ * Fires ONCE when every account enters the broker's exhausted state (no healthy
+ * account to fail over to — agents go quiet, crons defer, consumers/hindsight
+ * silently serve an exhausted account), and ONCE on recovery. This catches the
+ * cases the trigger-based interactive all-blocked card misses: a quiet period
+ * (no agent happens to 429 into the wall) and the consumer/cron paths.
+ *
+ * Authoritative source: the broker's per-account `exhausted` flag (set by
+ * mark-exhausted via failover + the consumer sensor), NOT probe-derived health
+ * — so there is no probe-failure false-alarm. Requires at least one account;
+ * an empty fleet never alerts.
+ */
+export function evaluateFleetAllExhausted(args: {
+  accounts: Array<{ label: string; exhausted: boolean; exhausted_until?: number }>;
+  prev: QuotaWatchAccountState;
+  now: number;
+}): FleetAllExhaustedDecision {
+  const { accounts, prev, now } = args;
+  const allExhausted = accounts.length > 0 && accounts.every((a) => a.exhausted);
+  // "throttling" doubles as the "currently alerting all-exhausted" marker.
+  const wasAlerting = prev.lastNotifiedHealth === "throttling";
+
+  if (allExhausted && !wasAlerting) {
+    return {
+      kind: "notify",
+      message: buildAllExhaustedMessage(accounts, now),
+      newState: { lastNotifiedHealth: "throttling", lastNotifiedAt: now },
+      transition: "entered",
+    };
+  }
+  if (!allExhausted && wasAlerting) {
+    return {
+      kind: "notify",
+      message: buildFleetRecoveredMessage(accounts),
+      newState: { lastNotifiedHealth: "healthy", lastNotifiedAt: now },
+      transition: "recovered",
+    };
+  }
+  return { kind: "skip", reason: allExhausted ? "still-all-exhausted" : "not-all-exhausted" };
+}
+
+function buildAllExhaustedMessage(
+  accounts: Array<{ label: string; exhausted_until?: number }>,
+  now: number,
+): string {
+  const resets = accounts
+    .map((a) => a.exhausted_until)
+    .filter((x): x is number => typeof x === "number" && x > now);
+  const earliest = resets.length > 0 ? Math.min(...resets) : null;
+  const resetLine = earliest
+    ? `Earliest reset: ${formatRelative(new Date(earliest), new Date(now))}.`
+    : `Reset time unknown (no window data).`;
+  return [
+    `🔴 <b>All accounts exhausted</b>`,
+    ``,
+    `Every Anthropic account (${accounts.length}) is quota-walled — there is no healthy account to fail over to.`,
+    resetLine,
+    ``,
+    `<i>This is self-healing: agents resume and deferred scheduled jobs run automatically once a window resets. Nothing is lost. Add headroom with <code>/auth add</code> if this recurs.</i>`,
+  ].join("\n");
+}
+
+function buildFleetRecoveredMessage(
+  accounts: Array<{ label: string; exhausted: boolean }>,
+): string {
+  const healthy = accounts.filter((a) => !a.exhausted).map((a) => a.label);
+  const which = healthy.length > 0 ? ` (<code>${escapeHtml(healthy[0]!)}</code>)` : "";
+  return [
+    `🟢 <b>Fleet recovered</b> — at least one account is healthy again${which}.`,
+    ``,
+    `<i>Agents are back; any deferred scheduled jobs will run on their next occurrence.</i>`,
+  ].join("\n");
+}
+
 // ─── Message builders ─────────────────────────────────────────────────────────
 
 function buildThrottlingMessage(agentName: string, snap: AccountSnapshot): string {

package/telegram-plugin/tests/ipc-server-validate-quota-wall.test.ts

@@ -0,0 +1,37 @@
+/**
+ * Validation contract for the `quota_wall_detected` IPC verb — the signal the
+ * autoaccept-poll wedge-watchdog sends when it sees claude's /rate-limit-options
+ * weekly-quota menu, asking the gateway to trigger account failover.
+ *
+ * A rogue process on the same UDS must not be able to inject a malformed
+ * payload: agentName is required + name-shaped, resetAt (optional) must be a
+ * finite number.
+ */
+import { describe, it, expect } from "vitest";
+import { validateClientMessage } from "../gateway/ipc-server.js";
+
+describe("validateClientMessage — quota_wall_detected", () => {
+  it("accepts a well-formed signal (with resetAt)", () => {
+    expect(
+      validateClientMessage({ type: "quota_wall_detected", agentName: "finn", resetAt: 1_780_000_000_000 }),
+    ).toBe(true);
+  });
+
+  it("accepts a well-formed signal WITHOUT resetAt (optional)", () => {
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "finn" })).toBe(true);
+  });
+
+  it("rejects a missing / non-string / malformed agentName", () => {
+    expect(validateClientMessage({ type: "quota_wall_detected" })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: 123 })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "" })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "../etc" })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "Finn UPPER" })).toBe(false);
+  });
+
+  it("rejects a non-finite / non-number resetAt", () => {
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "finn", resetAt: "soon" })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "finn", resetAt: NaN })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "finn", resetAt: Infinity })).toBe(false);
+  });
+});

package/telegram-plugin/tests/quota-watch.test.ts

@@ -12,6 +12,7 @@ import { tmpdir } from "os";
 import { join } from "path";
 import {
   evaluateQuotaWatchAccount,
+  evaluateFleetAllExhausted,
   loadQuotaWatchState,
   saveQuotaWatchState,
   patchQuotaWatchState,
@@ -364,3 +365,74 @@ describe("patchQuotaWatchState", () => {
     expect(current["bob@example.com"]).toBeUndefined();
   });
 });
+
+describe("evaluateFleetAllExhausted", () => {
+  const notAlerting = { lastNotifiedHealth: null, lastNotifiedAt: 0 };
+  const alerting = { lastNotifiedHealth: "throttling" as const, lastNotifiedAt: 1000 };
+
+  it("notifies (entered) when every account is exhausted and we weren't alerting", () => {
+    const d = evaluateFleetAllExhausted({
+      accounts: [
+        { label: "a", exhausted: true, exhausted_until: 5_000 },
+        { label: "b", exhausted: true, exhausted_until: 9_000 },
+      ],
+      prev: notAlerting,
+      now: 1_000,
+    });
+    expect(d.kind).toBe("notify");
+    if (d.kind === "notify") {
+      expect(d.transition).toBe("entered");
+      expect(d.newState.lastNotifiedHealth).toBe("throttling");
+      expect(d.message).toContain("All accounts exhausted");
+      // earliest reset is the 5_000 one
+      expect(d.message).toContain("Earliest reset");
+    }
+  });
+
+  it("skips (still) when all exhausted and already alerting — no re-spam", () => {
+    const d = evaluateFleetAllExhausted({
+      accounts: [{ label: "a", exhausted: true }, { label: "b", exhausted: true }],
+      prev: alerting,
+      now: 2_000,
+    });
+    expect(d.kind).toBe("skip");
+  });
+
+  it("notifies (recovered) when one account frees after we were alerting", () => {
+    const d = evaluateFleetAllExhausted({
+      accounts: [{ label: "a", exhausted: false }, { label: "b", exhausted: true }],
+      prev: alerting,
+      now: 3_000,
+    });
+    expect(d.kind).toBe("notify");
+    if (d.kind === "notify") {
+      expect(d.transition).toBe("recovered");
+      expect(d.newState.lastNotifiedHealth).toBe("healthy");
+      expect(d.message).toContain("Fleet recovered");
+      expect(d.message).toContain("a"); // names the healthy account
+    }
+  });
+
+  it("skips (not-all) when some account is healthy and we weren't alerting", () => {
+    const d = evaluateFleetAllExhausted({
+      accounts: [{ label: "a", exhausted: false }, { label: "b", exhausted: true }],
+      prev: notAlerting,
+      now: 4_000,
+    });
+    expect(d.kind).toBe("skip");
+  });
+
+  it("never alerts on an empty fleet", () => {
+    expect(evaluateFleetAllExhausted({ accounts: [], prev: notAlerting, now: 1 }).kind).toBe("skip");
+  });
+
+  it("shows reset-unknown when no exhausted_until is present", () => {
+    const d = evaluateFleetAllExhausted({
+      accounts: [{ label: "a", exhausted: true }],
+      prev: notAlerting,
+      now: 1_000,
+    });
+    expect(d.kind).toBe("notify");
+    if (d.kind === "notify") expect(d.message).toContain("Reset time unknown");
+  });
+});