switchroom 0.14.83 → 0.14.85

package/dist/cli/autoaccept-poll.js

@@ -176,6 +176,71 @@ function sendKeys2(agentName, keys) {
 
 // src/agents/wedge-watchdog.ts
 var WEDGE_FOOTER_SIGNATURE = /(?=[\s\S]*[Ee]sc(?:ape)?[^\n]*cancel)(?=[\s\S]*(?:to select|to navigate|\u2191\/\u2193))/;
+var RATE_LIMIT_MENU_SIGNATURE = /(?=[\s\S]*\/rate-limit-options)(?=[\s\S]*(?:Switch to usage credits|Upgrade your plan))/;
+var MONTHS = {
+  jan: 0,
+  feb: 1,
+  mar: 2,
+  apr: 3,
+  may: 4,
+  jun: 5,
+  jul: 6,
+  aug: 7,
+  sep: 8,
+  oct: 9,
+  nov: 10,
+  dec: 11
+};
+function parseWeeklyReset(text, nowMs = Date.now()) {
+  const m = text.match(/resets\s+([A-Za-z]{3,9})\s+(\d{1,2}),?\s+(\d{1,2})(?::(\d{2}))?\s*([ap]m)?\s*(?:\(([^)]+)\))?/i);
+  if (!m)
+    return null;
+  const mon = MONTHS[m[1].slice(0, 3).toLowerCase()];
+  if (mon === undefined)
+    return null;
+  const day = Number(m[2]);
+  let hour = Number(m[3]);
+  const minute = m[4] ? Number(m[4]) : 0;
+  const ampm = m[5]?.toLowerCase();
+  if (ampm === "pm" && hour < 12)
+    hour += 12;
+  if (ampm === "am" && hour === 12)
+    hour = 0;
+  if (!Number.isFinite(day) || !Number.isFinite(hour) || day < 1 || day > 31 || hour > 23) {
+    return null;
+  }
+  const tz = m[6]?.trim();
+  const probeYear = new Date(nowMs).getUTCFullYear();
+  for (const year of [probeYear, probeYear + 1]) {
+    const epoch = wallClockToEpoch(year, mon, day, hour, minute, tz);
+    if (epoch != null && epoch > nowMs - 60000)
+      return epoch;
+  }
+  return null;
+}
+function wallClockToEpoch(year, month, day, hour, minute, tz) {
+  const asUtc = Date.UTC(year, month, day, hour, minute, 0);
+  if (!tz)
+    return asUtc;
+  try {
+    const fmt = new Intl.DateTimeFormat("en-US", {
+      timeZone: tz,
+      year: "numeric",
+      month: "2-digit",
+      day: "2-digit",
+      hour: "2-digit",
+      minute: "2-digit",
+      second: "2-digit",
+      hour12: false
+    });
+    const parts = Object.fromEntries(fmt.formatToParts(new Date(asUtc)).filter((p) => p.type !== "literal").map((p) => [p.type, p.value]));
+    const shown = Date.UTC(Number(parts.year), Number(parts.month) - 1, Number(parts.day), Number(parts.hour) % 24, Number(parts.minute), Number(parts.second));
+    const offset = shown - asUtc;
+    return asUtc - offset;
+  } catch {
+    return null;
+  }
+}
 var DEFAULT_POLL_MS2 = 5000;
 var DEFAULT_STABILITY_THRESHOLD = 3;
 var DEFAULT_COOLDOWN_MS = 60000;
@@ -193,6 +258,9 @@ async function runWedgeWatchdog(opts) {
   const cooldownMs = opts.cooldownMs ?? DEFAULT_COOLDOWN_MS;
   const deferToPrompts = opts.deferToPrompts ?? PROMPTS2;
   const signature = opts.wedgeSignature ?? WEDGE_FOOTER_SIGNATURE;
+  const rateLimitSignature = opts.rateLimitSignature === null ? null : opts.rateLimitSignature ?? RATE_LIMIT_MENU_SIGNATURE;
+  const onRateLimitMenu = opts.onRateLimitMenu;
+  const parseReset = opts.parseReset ?? parseWeeklyReset;
   const maxPolls = opts.maxPolls ?? Number.POSITIVE_INFINITY;
   const now = opts.now ?? Date.now;
   const sleep = opts.sleep ?? defaultSleep2;
@@ -202,6 +270,7 @@ async function runWedgeWatchdog(opts) {
   let lastKey = null;
   let cooldownUntil = 0;
   let fires = 0;
+  let rateLimitFires = 0;
   let polls = 0;
   while (polls < maxPolls) {
     polls++;
@@ -212,8 +281,38 @@ async function runWedgeWatchdog(opts) {
       console.error(`[wedge-watchdog] ${opts.agentName}: capture threw: ${err.message}`);
       text = "";
     }
-    const isBlockingModal = !!text && signature.test(text) && !deferToPrompts.some((p) => p.match.test(text));
-    if (isBlockingModal) {
+    const isRateLimitMenu = !!text && rateLimitSignature !== null && rateLimitSignature.test(text);
+    const isBlockingModal = !isRateLimitMenu && !!text && signature.test(text) && !deferToPrompts.some((p) => p.match.test(text));
+    if (isRateLimitMenu) {
+      const key = stabilityKey(text);
+      if (key === lastKey) {
+        stableCount++;
+      } else {
+        stableCount = 1;
+        lastKey = key;
+      }
+      if (stableCount >= stabilityThreshold && now() >= cooldownUntil) {
+        const resetAt = parseReset(text, now());
+        console.error(`[wedge-watchdog] ${opts.agentName}: rate-limit (weekly-quota) menu detected ` + `after ${stableCount} stable polls \u2014 signalling failover` + (resetAt != null ? ` (resets ${new Date(resetAt).toISOString()})` : " (reset unparsed)") + ` then parking with Esc`);
+        if (onRateLimitMenu) {
+          try {
+            onRateLimitMenu(opts.agentName, resetAt);
+          } catch (err) {
+            console.error(`[wedge-watchdog] ${opts.agentName}: onRateLimitMenu threw: ${err.message}`);
+          }
+        }
+        try {
+          send(opts.agentName, ["Escape"]);
+        } catch (err) {
+          console.error(`[wedge-watchdog] ${opts.agentName}: send threw: ${err.message}`);
+        }
+        fires++;
+        rateLimitFires++;
+        cooldownUntil = now() + cooldownMs;
+        stableCount = 0;
+        lastKey = null;
+      }
+    } else if (isBlockingModal) {
       const key = stabilityKey(text);
       if (key === lastKey) {
         stableCount++;
@@ -239,7 +338,74 @@ async function runWedgeWatchdog(opts) {
     }
     await sleep(pollIntervalMs);
   }
-  return { fires, polls, reason: "max-polls" };
+  return { fires, rateLimitFires, polls, reason: "max-polls" };
+}
+
+// src/agents/rate-limit-signal.ts
+import { createConnection } from "node:net";
+import { join } from "node:path";
+function resolveGatewaySocketPath() {
+  const stateDir = process.env.TELEGRAM_STATE_DIR ?? "/state/agent/telegram";
+  return process.env.SWITCHROOM_GATEWAY_SOCKET ?? join(stateDir, "gateway.sock");
+}
+function signalQuotaWall(agentName, resetAt, opts = {}) {
+  const socketPath = opts.socketPath ?? resolveGatewaySocketPath();
+  const connect = opts._connect ?? ((p) => createConnection(p));
+  const log = opts._log ?? ((m) => console.error(m));
+  const connectTimeoutMs = opts.connectTimeoutMs ?? 5000;
+  const msg = { type: "quota_wall_detected", agentName };
+  if (resetAt != null)
+    msg.resetAt = resetAt;
+  const line = JSON.stringify(msg) + `
+`;
+  return new Promise((resolve) => {
+    let settled = false;
+    const done = (ok) => {
+      if (settled)
+        return;
+      settled = true;
+      resolve(ok);
+    };
+    let sock;
+    try {
+      sock = connect(socketPath);
+    } catch (err) {
+      log(`[rate-limit-signal] ${agentName}: connect threw: ${err.message}`);
+      done(false);
+      return;
+    }
+    const timer = setTimeout(() => {
+      log(`[rate-limit-signal] ${agentName}: connect timed out`);
+      try {
+        sock.destroy();
+      } catch {}
+      done(false);
+    }, connectTimeoutMs);
+    sock.on("connect", () => {
+      try {
+        sock.write(line, () => {
+          clearTimeout(timer);
+          try {
+            sock.end();
+          } catch {}
+          log(`[rate-limit-signal] ${agentName}: quota_wall_detected sent`);
+          done(true);
+        });
+      } catch (err) {
+        clearTimeout(timer);
+        log(`[rate-limit-signal] ${agentName}: write threw: ${err.message}`);
+        try {
+          sock.destroy();
+        } catch {}
+        done(false);
+      }
+    });
+    sock.on("error", (err) => {
+      clearTimeout(timer);
+      log(`[rate-limit-signal] ${agentName}: socket error: ${err.message}`);
+      done(false);
+    });
+  });
 }
 
 // src/cli/autoaccept-poll.ts
@@ -259,10 +425,17 @@ async function main() {
     console.error(`[autoaccept-poll] ${agentName}: wedge-watchdog disabled (SWITCHROOM_WEDGE_WATCHDOG=0) \u2014 exiting after boot phase`);
     process.exit(0);
   }
+  const rateLimitDetect = process.env.SWITCHROOM_RATE_LIMIT_DETECT !== "0";
   try {
-    console.error(`[autoaccept-poll] ${agentName}: entering wedge-watchdog (continuous)`);
-    const res = await runWedgeWatchdog({ agentName });
-    console.error(`[autoaccept-poll] ${agentName}: wedge-watchdog returned reason=${res.reason} fires=${res.fires}`);
+    console.error(`[autoaccept-poll] ${agentName}: entering wedge-watchdog (continuous)` + (rateLimitDetect ? " +rate-limit-detect" : " (rate-limit-detect OFF)"));
+    const res = await runWedgeWatchdog({
+      agentName,
+      rateLimitSignature: rateLimitDetect ? undefined : null,
+      onRateLimitMenu: rateLimitDetect ? (name, resetAt) => {
+        signalQuotaWall(name, resetAt);
+      } : undefined
+    });
+    console.error(`[autoaccept-poll] ${agentName}: wedge-watchdog returned reason=${res.reason} fires=${res.fires} rateLimitFires=${res.rateLimitFires}`);
   } catch (err) {
     console.error(`[autoaccept-poll] ${agentName}: wedge-watchdog unexpected throw: ${err.message}`);
   }

package/dist/cli/switchroom.js

@@ -49815,8 +49815,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.83";
-var COMMIT_SHA = "057ab099";
+var VERSION = "0.14.85";
+var COMMIT_SHA = "292c683f";
 
 // src/cli/agent.ts
 init_source();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.14.83",
+  "version": "0.14.85",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/credits-watch.ts

@@ -27,20 +27,53 @@ import { join } from "path";
 const STATE_FILE = "credits-watch.json";
 
 /**
- * Possible values of `cachedExtraUsageDisabledReason` in `.claude.json`
- * that warrant a user-facing notification. Other values (null,
- * undefined, transient unknowns) are treated as "no notification
- * needed".
+ * Which `cachedExtraUsageDisabledReason` values warrant a user-facing alarm.
  *
- * Conservative list: only fatal-billing reasons. We don't want to fire
- * on every transient API blip the cache happens to write.
+ * IMPORTANT — empty by default (subscription-only model). The flag name says it
+ * all: `cachedExtraUsageDisabledReason` is *always* "why **extra usage** (the
+ * optional pay-as-you-go layer beyond the Pro/Max plan) is disabled." switchroom
+ * is subscription-only by design (compliance pillar 3 — "the plan is the
+ * ceiling, no API/pay-as-you-go"), so extra usage being OFF is the **expected,
+ * desired** state. Every value (`out_of_credits`, `extra_usage_disabled`,
+ * `credits_exhausted`, even `org_level_disabled` = "org admin disabled extra
+ * usage") describes that benign state — none indicates a real switchroom
+ * failure. Firing a "cron + replies will fail, buy credits" card on it is a
+ * false alarm AND advises something that contradicts the subscription-honest
+ * model.
+ *
+ * The genuine failure modes are covered elsewhere:
+ *   - an account's subscription window exhausts → stderr → fleet auto-fallback
+ *     (model-unavailable.ts → fireFleetAutoFallback) rolls to a healthy account;
+ *   - the WHOLE fleet exhausts → the quota-watch all-exhausted operator alert.
+ *
+ * So credits-watch defaults to silent. An operator who actually runs on
+ * pay-as-you-go and wants the alarm can opt specific reasons back in via
+ * `SWITCHROOM_CREDITS_WATCH_FATAL_REASONS` (comma-separated). See
+ * `resolveCreditWatchFatalReasons`.
  */
-const FATAL_REASONS = new Set([
+export const DEFAULT_CREDIT_FATAL_REASONS = new Set<string>();
+
+/** All reason strings recognized for opt-in via the env var. */
+const KNOWN_CREDIT_REASONS = [
   "out_of_credits",
   "org_level_disabled",
   "credits_exhausted",
   "extra_usage_disabled",
-]);
+] as const;
+
+/**
+ * Resolve the active fatal-reason set. Empty by default (subscription-only);
+ * if `SWITCHROOM_CREDITS_WATCH_FATAL_REASONS` is set, parse it as a
+ * comma-separated list (tokens kept verbatim — an unknown token is harmless,
+ * it simply never matches a real reason value). `*` opts in all known reasons.
+ */
+export function resolveCreditWatchFatalReasons(env: NodeJS.ProcessEnv): Set<string> {
+  const raw = env.SWITCHROOM_CREDITS_WATCH_FATAL_REASONS;
+  if (!raw || raw.trim().length === 0) return new Set(DEFAULT_CREDIT_FATAL_REASONS);
+  if (raw.trim() === "*") return new Set(KNOWN_CREDIT_REASONS);
+  const wanted = new Set(raw.split(",").map((s) => s.trim()).filter((s) => s.length > 0));
+  return wanted;
+}
 
 export interface CreditState {
   /** Last reason we notified the user about. null when healthy / never notified. */
@@ -103,15 +136,22 @@ export function evaluateCreditState(args: {
   currentReason: string | null;
   prev: CreditState;
   now: number;
+  /**
+   * Which reasons are treated as fatal (worth alarming). Defaults to
+   * `DEFAULT_CREDIT_FATAL_REASONS` (empty — subscription-only: extra-usage-off
+   * is never a real failure). The gateway passes the env-resolved set.
+   */
+  fatalReasons?: Set<string>;
 }): CreditDecision {
   const { agentName, currentReason, prev, now } = args;
+  const fatalReasons = args.fatalReasons ?? DEFAULT_CREDIT_FATAL_REASONS;
 
   // Non-fatal current state (null, or some unknown reason) — no
   // notification regardless of prev (we already notified on entry to
   // fatal; recovery from a known-fatal state below is the only path
   // that fires when current is null).
-  const currentIsFatal = currentReason != null && FATAL_REASONS.has(currentReason);
-  const prevIsFatal = prev.lastNotifiedReason != null && FATAL_REASONS.has(prev.lastNotifiedReason);
+  const currentIsFatal = currentReason != null && fatalReasons.has(currentReason);
+  const prevIsFatal = prev.lastNotifiedReason != null && fatalReasons.has(prev.lastNotifiedReason);
 
   // Recovery path: last-notified was fatal, current is null/non-fatal.
   if (!currentIsFatal && prevIsFatal) {

package/telegram-plugin/dist/gateway/gateway.js

@@ -46487,6 +46487,13 @@ function validateClientMessage(msg) {
       const inb = m.inbound;
       return inb.type === "inbound" && typeof inb.chatId === "string" && inb.chatId.length > 0 && typeof inb.text === "string" && typeof inb.messageId === "number" && typeof inb.user === "string" && typeof inb.userId === "number" && typeof inb.ts === "number" && typeof inb.meta === "object" && inb.meta !== null;
     }
+    case "quota_wall_detected": {
+      if (typeof m.agentName !== "string" || !AGENT_NAME_RE3.test(m.agentName))
+        return false;
+      if (m.resetAt !== undefined && (typeof m.resetAt !== "number" || !Number.isFinite(m.resetAt)))
+        return false;
+      return true;
+    }
     case "request_config_approval": {
       if (typeof m.requestId !== "string" || m.requestId.length === 0 || m.requestId.length > 64)
         return false;
@@ -46548,6 +46555,7 @@ function createIpcServer(options) {
     onOperatorEvent,
     onPtyPartial,
     onInjectInbound,
+    onQuotaWallDetected,
     onRequestDriveApproval,
     onRequestMs365Approval,
     onRequestConfigApproval,
@@ -46632,6 +46640,10 @@ function createIpcServer(options) {
         if (onInjectInbound)
           onInjectInbound(client3, msg);
         break;
+      case "quota_wall_detected":
+        if (onQuotaWallDetected)
+          onQuotaWallDetected(client3, msg);
+        break;
       case "request_drive_approval":
         if (onRequestDriveApproval) {
           onRequestDriveApproval(client3, msg).catch((err) => {
@@ -52495,12 +52507,22 @@ function extractFlowItems(line) {
 import { readFileSync as readFileSync32, writeFileSync as writeFileSync21, existsSync as existsSync33, mkdirSync as mkdirSync21 } from "fs";
 import { join as join30 } from "path";
 var STATE_FILE = "credits-watch.json";
-var FATAL_REASONS = new Set([
+var DEFAULT_CREDIT_FATAL_REASONS = new Set;
+var KNOWN_CREDIT_REASONS = [
   "out_of_credits",
   "org_level_disabled",
   "credits_exhausted",
   "extra_usage_disabled"
-]);
+];
+function resolveCreditWatchFatalReasons(env) {
+  const raw = env.SWITCHROOM_CREDITS_WATCH_FATAL_REASONS;
+  if (!raw || raw.trim().length === 0)
+    return new Set(DEFAULT_CREDIT_FATAL_REASONS);
+  if (raw.trim() === "*")
+    return new Set(KNOWN_CREDIT_REASONS);
+  const wanted = new Set(raw.split(",").map((s) => s.trim()).filter((s) => s.length > 0));
+  return wanted;
+}
 function emptyCreditState() {
   return { lastNotifiedReason: null, lastNotifiedAt: 0 };
 }
@@ -52529,8 +52551,9 @@ function readClaudeJsonOverage(claudeConfigDir) {
 }
 function evaluateCreditState(args) {
   const { agentName: agentName3, currentReason, prev, now } = args;
-  const currentIsFatal = currentReason != null && FATAL_REASONS.has(currentReason);
-  const prevIsFatal = prev.lastNotifiedReason != null && FATAL_REASONS.has(prev.lastNotifiedReason);
+  const fatalReasons = args.fatalReasons ?? DEFAULT_CREDIT_FATAL_REASONS;
+  const currentIsFatal = currentReason != null && fatalReasons.has(currentReason);
+  const prevIsFatal = prev.lastNotifiedReason != null && fatalReasons.has(prev.lastNotifiedReason);
   if (!currentIsFatal && prevIsFatal) {
     return {
       kind: "notify",
@@ -52857,11 +52880,11 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.14.83";
-var COMMIT_SHA = "057ab099";
-var COMMIT_DATE = "2026-06-07T12:57:08+10:00";
+var VERSION = "0.14.85";
+var COMMIT_SHA = "292c683f";
+var COMMIT_DATE = "2026-06-07T14:50:17+10:00";
 var LATEST_PR = null;
-var COMMITS_AHEAD_OF_TAG = 4;
+var COMMITS_AHEAD_OF_TAG = 2;
 
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {
@@ -56158,6 +56181,13 @@ var ipcServer = createIpcServer({
       pendingInboundBuffer.push(msg.agentName, msg.inbound);
     }
   },
+  onQuotaWallDetected(_client, msg) {
+    const WEEKLY_MS = 604800000;
+    const untilMs = typeof msg.resetAt === "number" && Number.isFinite(msg.resetAt) && msg.resetAt > Date.now() ? msg.resetAt : Date.now() + WEEKLY_MS;
+    process.stderr.write(`telegram gateway: quota_wall_detected agent=${msg.agentName} until=${new Date(untilMs).toISOString()}` + (msg.resetAt == null ? " (reset unparsed \u2192 +7d default)" : "") + ` \u2014 triggering fleet auto-fallback
+`);
+    fireFleetAutoFallback(msg.agentName, untilMs);
+  },
   log: (msg) => process.stderr.write(`telegram gateway: ipc \u2014 ${msg}
 `)
 });
@@ -60961,13 +60991,13 @@ var fleetFallbackGate = createFleetFallbackGate({
 function wouldFireFleetAutoFallback() {
   return fleetFallbackGate.wouldFire();
 }
-async function fireFleetAutoFallback(triggerAgent) {
-  return fleetFallbackGate.fire(() => doFireFleetAutoFallback(triggerAgent), (err) => {
+async function fireFleetAutoFallback(triggerAgent, untilMs) {
+  return fleetFallbackGate.fire(() => doFireFleetAutoFallback(triggerAgent, untilMs), (err) => {
     process.stderr.write(`telegram gateway: [fleet-fallback] error agent=${triggerAgent}: ${err?.message ?? err}
 `);
   });
 }
-async function doFireFleetAutoFallback(triggerAgent) {
+async function doFireFleetAutoFallback(triggerAgent, untilMs) {
   try {
     const client3 = await getAuthBrokerClient(triggerAgent);
     if (!client3) {
@@ -60986,7 +61016,7 @@ async function doFireFleetAutoFallback(triggerAgent) {
       state: state4,
       quotas,
       failover: async () => {
-        const r = await client3.markExhausted();
+        const r = await client3.markExhausted(untilMs);
         return { rolledTo: r.rolledTo ?? null, rolled: r.rolled };
       },
       triggerAgent,
@@ -61021,7 +61051,8 @@ async function runCreditWatch() {
     agentName: agentName3,
     currentReason: reason,
     prev,
-    now: Date.now()
+    now: Date.now(),
+    fatalReasons: resolveCreditWatchFatalReasons(process.env)
   });
   if (decision.kind === "skip") {
     return;

package/telegram-plugin/gateway/gateway.ts

@@ -348,6 +348,7 @@ import type {
   PtyPartialForward,
   InboundMessage,
   InjectInboundMessage,
+  QuotaWallDetectedMessage,
   PermissionEvent,
 } from './ipc-protocol.js'
 import { DebounceBuffer, HourCap, buildReactionInboundMeta, buildReactionInboundText, evaluateTriggerCandidate, isGroupChat, resolveReactionsConfig, truncatePreview, type PendingReaction, type ReactionBatch, type ReactionsResolvedConfig } from './reaction-trigger.js'
@@ -407,6 +408,7 @@ import { synthesizeAllowRuleDiff, extractAddedAllowRule } from '../permission-di
 import {
   readClaudeJsonOverage,
   evaluateCreditState,
+  resolveCreditWatchFatalReasons,
   loadCreditState,
   saveCreditState,
 } from '../credits-watch.js'
@@ -6259,6 +6261,30 @@ const ipcServer: IpcServer = createIpcServer({
     }
   },
 
+  // The wedge-watchdog detected claude's /rate-limit-options weekly-quota menu
+  // (a TUI wall that never produced a 429, so the inference-path auto-fallback
+  // never fired). Trigger the SAME fleet auto-fallback the 429 path uses,
+  // threading the parsed weekly reset as markExhausted's `until` — with a
+  // weekly-scale FALLBACK when the sidecar couldn't parse it (resetAt absent):
+  // passing undefined would let markExhausted use its ~5h default, which would
+  // un-exhaust a weekly-walled account and re-wedge it within hours. The
+  // existing chain handles the rest (roll to a fallback subscription account,
+  // or the all-exhausted operator alert when none has quota). Fire-and-forget.
+  onQuotaWallDetected(_client: IpcClient, msg: QuotaWallDetectedMessage) {
+    const WEEKLY_MS = 7 * 24 * 60 * 60 * 1000
+    const untilMs =
+      typeof msg.resetAt === 'number' && Number.isFinite(msg.resetAt) && msg.resetAt > Date.now()
+        ? msg.resetAt
+        : Date.now() + WEEKLY_MS
+    process.stderr.write(
+      `telegram gateway: quota_wall_detected agent=${msg.agentName} ` +
+        `until=${new Date(untilMs).toISOString()}` +
+        (msg.resetAt == null ? ' (reset unparsed → +7d default)' : '') +
+        ' — triggering fleet auto-fallback\n',
+    )
+    void fireFleetAutoFallback(msg.agentName, untilMs)
+  },
+
   log: (msg) => process.stderr.write(`telegram gateway: ipc — ${msg}\n`),
 })
 
@@ -14605,9 +14631,9 @@ function wouldFireFleetAutoFallback(): boolean {
  * so the user sees the outcome inline with the original "Model
  * unavailable" card.
  */
-async function fireFleetAutoFallback(triggerAgent: string): Promise<void> {
+async function fireFleetAutoFallback(triggerAgent: string, untilMs?: number): Promise<void> {
   return fleetFallbackGate.fire(
-    () => doFireFleetAutoFallback(triggerAgent),
+    () => doFireFleetAutoFallback(triggerAgent, untilMs),
     (err) => {
       process.stderr.write(
         `telegram gateway: [fleet-fallback] error agent=${triggerAgent}: ${(err as Error)?.message ?? err}\n`,
@@ -14620,7 +14646,7 @@ async function fireFleetAutoFallback(triggerAgent: string): Promise<void> {
  *  user-visible announcement was broadcast). False on no-op /
  *  error / idempotent-skip — caller uses this to decide whether to
  *  arm the post-fire suppression window. */
-async function doFireFleetAutoFallback(triggerAgent: string): Promise<boolean> {
+async function doFireFleetAutoFallback(triggerAgent: string, untilMs?: number): Promise<boolean> {
   try {
     const client = await getAuthBrokerClient(triggerAgent)
     if (!client) {
@@ -14655,7 +14681,11 @@ async function doFireFleetAutoFallback(triggerAgent: string): Promise<boolean> {
       // operator is explicitly choosing, and is admin); only this automatic
       // path moves to the non-admin verb.
       failover: async () => {
-        const r = await client.markExhausted()
+        // The 429 inference path passes no `until` (broker ~5h default). The
+        // rate-limit-MENU path (quota_wall_detected) passes the parsed WEEKLY
+        // reset, so the walled account isn't re-probed (and re-wedged) within
+        // the 5h default while it's weekly-capped.
+        const r = await client.markExhausted(untilMs)
         return { rolledTo: r.rolledTo ?? null, rolled: r.rolled }
       },
       triggerAgent,
@@ -14713,6 +14743,9 @@ async function runCreditWatch(): Promise<void> {
     currentReason: reason,
     prev,
     now: Date.now(),
+    // Subscription-only: empty by default → extra-usage-off never alarms.
+    // Opt back in via SWITCHROOM_CREDITS_WATCH_FATAL_REASONS. See credits-watch.ts.
+    fatalReasons: resolveCreditWatchFatalReasons(process.env),
   })
   if (decision.kind === 'skip') {
     return

package/telegram-plugin/gateway/ipc-protocol.ts

@@ -393,6 +393,26 @@ export interface RequestConfigFinalizeMessage {
   detail?: string;
 }
 
+/**
+ * The autoaccept-poll wedge-watchdog detected claude's `/rate-limit-options`
+ * weekly-quota menu (a TUI wall that never produced a 429 the gateway could
+ * see). Asks the gateway to trigger the EXISTING account-failover chain
+ * (markExhausted → roll to a fallback subscription account, or the
+ * all-exhausted operator alert). Fire-and-forget; no reply.
+ *
+ * Trust model (same as inject_inbound): the socket is per-agent inside the
+ * container, but `agentName` is still validated server-side and never trusted
+ * to authorize anything beyond triggering the agent's own failover.
+ */
+export interface QuotaWallDetectedMessage {
+  type: "quota_wall_detected";
+  agentName: string;
+  /** Parsed weekly-reset epoch-ms. Omitted when the sidecar couldn't parse it;
+   *  the gateway then uses a weekly-scale default for markExhausted's `until`
+   *  (NOT the ~5h default, which would un-exhaust a weekly wall and re-wedge). */
+  resetAt?: number;
+}
+
 export type ClientToGateway =
   | RegisterMessage
   | ToolCallMessage
@@ -407,4 +427,5 @@ export type ClientToGateway =
   | RequestDriveApprovalMessage
   | RequestMs365ApprovalMessage
   | RequestConfigApprovalMessage
-  | RequestConfigFinalizeMessage;
+  | RequestConfigFinalizeMessage
+  | QuotaWallDetectedMessage;

package/telegram-plugin/gateway/ipc-server.ts

@@ -4,6 +4,7 @@ import type {
   GatewayToClient,
   HeartbeatMessage,
   InjectInboundMessage,
+  QuotaWallDetectedMessage,
   OperatorEventForward,
   PermissionRequestForward,
   PtyPartialForward,
@@ -44,6 +45,14 @@ export interface IpcServerOptions {
    * inline scheduler simply ignore inject_inbound messages.
    */
   onInjectInbound?: (client: IpcClient, msg: InjectInboundMessage) => void;
+  /**
+   * The autoaccept-poll wedge-watchdog detected claude's `/rate-limit-options`
+   * weekly-quota menu (no 429 ever reached the gateway). Handler is expected to
+   * trigger the existing fleet auto-fallback for `msg.agentName`, threading
+   * `msg.resetAt` as the markExhausted `until`. Fire-and-forget; gateways that
+   * don't run failover simply ignore it.
+   */
+  onQuotaWallDetected?: (client: IpcClient, msg: QuotaWallDetectedMessage) => void;
   /**
    * RFC E §4.2 Cut 2 — Drive-write PreToolUse hook asks the gateway
    * to register a kernel approval request + post a diff-preview
@@ -237,6 +246,15 @@ export function validateClientMessage(msg: unknown): msg is ClientToGateway {
         && typeof inb.meta === "object"
         && inb.meta !== null;
     }
+    case "quota_wall_detected": {
+      // wedge-watchdog detected the /rate-limit-options weekly-quota menu.
+      if (typeof m.agentName !== "string"
+        || !AGENT_NAME_RE.test(m.agentName as string)) return false;
+      // resetAt optional; when present it must be a finite epoch-ms.
+      if (m.resetAt !== undefined
+        && (typeof m.resetAt !== "number" || !Number.isFinite(m.resetAt as number))) return false;
+      return true;
+    }
     case "request_config_approval": {
       // #1623 — hostd-initiated config-edit approval card. Wire shape
       // only; the handler module validates the diff content.
@@ -317,6 +335,7 @@ export function createIpcServer(options: IpcServerOptions): IpcServer {
     onOperatorEvent,
     onPtyPartial,
     onInjectInbound,
+    onQuotaWallDetected,
     onRequestDriveApproval,
     onRequestMs365Approval,
     onRequestConfigApproval,
@@ -425,6 +444,9 @@ export function createIpcServer(options: IpcServerOptions): IpcServer {
       case "inject_inbound":
         if (onInjectInbound) onInjectInbound(client, msg as InjectInboundMessage);
         break;
+      case "quota_wall_detected":
+        if (onQuotaWallDetected) onQuotaWallDetected(client, msg as QuotaWallDetectedMessage);
+        break;
       case "request_drive_approval":
         if (onRequestDriveApproval) {
           // Handler is async — fire-and-forget here; the handler

package/telegram-plugin/tests/credits-watch.test.ts

@@ -13,6 +13,7 @@ import { join } from "path";
 import {
   readClaudeJsonOverage,
   evaluateCreditState,
+  resolveCreditWatchFatalReasons,
   loadCreditState,
   saveCreditState,
   emptyCreditState,
@@ -81,10 +82,14 @@ describe("readClaudeJsonOverage", () => {
   });
 });
 
-describe("evaluateCreditState — transition decisions", () => {
+describe("evaluateCreditState — transition decisions (machinery, explicit fatal set)", () => {
   const NOW = 1_780_000_000_000;
   const HEALTHY = emptyCreditState();
   const FATAL_OUT = { lastNotifiedReason: "out_of_credits", lastNotifiedAt: NOW - 1000 };
+  // The transition machinery is policy-agnostic — pass an explicit fatal set so
+  // these tests pin entered/changed/exited behaviour independent of the (now
+  // empty) subscription-only default.
+  const FATAL = new Set(["out_of_credits", "org_level_disabled", "credits_exhausted", "extra_usage_disabled"]);
 
   it("entry: healthy → fatal triggers a notify", () => {
     const d = evaluateCreditState({
@@ -92,6 +97,7 @@ describe("evaluateCreditState — transition decisions", () => {
       currentReason: "out_of_credits",
       prev: HEALTHY,
       now: NOW,
+      fatalReasons: FATAL,
     });
     expect(d.kind).toBe("notify");
     if (d.kind !== "notify") return;
@@ -108,6 +114,7 @@ describe("evaluateCreditState — transition decisions", () => {
       currentReason: "out_of_credits",
       prev: FATAL_OUT,
       now: NOW,
+      fatalReasons: FATAL,
     });
     expect(d.kind).toBe("skip");
     if (d.kind !== "skip") return;
@@ -120,6 +127,7 @@ describe("evaluateCreditState — transition decisions", () => {
       currentReason: "org_level_disabled",
       prev: FATAL_OUT,
       now: NOW,
+      fatalReasons: FATAL,
     });
     expect(d.kind).toBe("notify");
     if (d.kind !== "notify") return;
@@ -134,6 +142,7 @@ describe("evaluateCreditState — transition decisions", () => {
       currentReason: null,
       prev: FATAL_OUT,
       now: NOW,
+      fatalReasons: FATAL,
     });
     expect(d.kind).toBe("notify");
     if (d.kind !== "notify") return;
@@ -148,6 +157,7 @@ describe("evaluateCreditState — transition decisions", () => {
       currentReason: "some_unknown_transient_reason",
       prev: HEALTHY,
       now: NOW,
+      fatalReasons: FATAL,
     });
     expect(d.kind).toBe("skip");
     if (d.kind !== "skip") return;
@@ -160,6 +170,7 @@ describe("evaluateCreditState — transition decisions", () => {
       currentReason: null,
       prev: HEALTHY,
       now: NOW,
+      fatalReasons: FATAL,
     });
     expect(d.kind).toBe("skip");
   });
@@ -170,6 +181,7 @@ describe("evaluateCreditState — transition decisions", () => {
       currentReason: "out_of_credits",
       prev: HEALTHY,
       now: NOW,
+      fatalReasons: FATAL,
     });
     expect(d.kind).toBe("notify");
     if (d.kind !== "notify") return;
@@ -178,6 +190,58 @@ describe("evaluateCreditState — transition decisions", () => {
   });
 });
 
+describe("evaluateCreditState — subscription-only default (the fix)", () => {
+  const NOW = 1_780_000_000_000;
+  const HEALTHY = emptyCreditState();
+
+  // With the default (empty) fatal set, NONE of the extra-usage reasons alarm —
+  // because for subscription-only switchroom, extra-usage-off is the expected
+  // state and real exhaustion is handled by failover. This is the bug fix.
+  for (const reason of ["out_of_credits", "extra_usage_disabled", "credits_exhausted", "org_level_disabled"]) {
+    it(`default: '${reason}' does NOT alarm (no false 'out of credits' card)`, () => {
+      const d = evaluateCreditState({
+        agentName: "clerk",
+        currentReason: reason,
+        prev: HEALTHY,
+        now: NOW,
+        // fatalReasons omitted → DEFAULT_CREDIT_FATAL_REASONS (empty)
+      });
+      expect(d.kind).toBe("skip");
+    });
+  }
+
+  it("opt-in via explicit set restores the alarm (operator on pay-as-you-go)", () => {
+    const d = evaluateCreditState({
+      agentName: "clerk",
+      currentReason: "out_of_credits",
+      prev: HEALTHY,
+      now: NOW,
+      fatalReasons: new Set(["out_of_credits"]),
+    });
+    expect(d.kind).toBe("notify");
+  });
+});
+
+describe("resolveCreditWatchFatalReasons", () => {
+  it("defaults to EMPTY (subscription-only)", () => {
+    expect(resolveCreditWatchFatalReasons({}).size).toBe(0);
+  });
+  it("parses a comma-separated opt-in list", () => {
+    const s = resolveCreditWatchFatalReasons({ SWITCHROOM_CREDITS_WATCH_FATAL_REASONS: "out_of_credits, org_level_disabled" });
+    expect(s.has("out_of_credits")).toBe(true);
+    expect(s.has("org_level_disabled")).toBe(true);
+    expect(s.size).toBe(2);
+  });
+  it("'*' opts in all known reasons", () => {
+    const s = resolveCreditWatchFatalReasons({ SWITCHROOM_CREDITS_WATCH_FATAL_REASONS: "*" });
+    expect(s.has("out_of_credits")).toBe(true);
+    expect(s.size).toBeGreaterThanOrEqual(4);
+  });
+  it("blank/whitespace → empty", () => {
+    expect(resolveCreditWatchFatalReasons({ SWITCHROOM_CREDITS_WATCH_FATAL_REASONS: "  " }).size).toBe(0);
+  });
+});
+
 describe("loadCreditState / saveCreditState — round-trip", () => {
   let tmp: string;
 

package/telegram-plugin/tests/ipc-server-validate-quota-wall.test.ts

@@ -0,0 +1,37 @@
+/**
+ * Validation contract for the `quota_wall_detected` IPC verb — the signal the
+ * autoaccept-poll wedge-watchdog sends when it sees claude's /rate-limit-options
+ * weekly-quota menu, asking the gateway to trigger account failover.
+ *
+ * A rogue process on the same UDS must not be able to inject a malformed
+ * payload: agentName is required + name-shaped, resetAt (optional) must be a
+ * finite number.
+ */
+import { describe, it, expect } from "vitest";
+import { validateClientMessage } from "../gateway/ipc-server.js";
+
+describe("validateClientMessage — quota_wall_detected", () => {
+  it("accepts a well-formed signal (with resetAt)", () => {
+    expect(
+      validateClientMessage({ type: "quota_wall_detected", agentName: "finn", resetAt: 1_780_000_000_000 }),
+    ).toBe(true);
+  });
+
+  it("accepts a well-formed signal WITHOUT resetAt (optional)", () => {
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "finn" })).toBe(true);
+  });
+
+  it("rejects a missing / non-string / malformed agentName", () => {
+    expect(validateClientMessage({ type: "quota_wall_detected" })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: 123 })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "" })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "../etc" })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "Finn UPPER" })).toBe(false);
+  });
+
+  it("rejects a non-finite / non-number resetAt", () => {
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "finn", resetAt: "soon" })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "finn", resetAt: NaN })).toBe(false);
+    expect(validateClientMessage({ type: "quota_wall_detected", agentName: "finn", resetAt: Infinity })).toBe(false);
+  });
+});