switchroom 0.15.45 → 0.16.4

package/telegram-plugin/auth-snapshot-format.ts

@@ -19,7 +19,9 @@
  */
 
 import type { QuotaResult, QuotaUtilization } from './quota-check.js';
+import { isProbeThin, refillNormalizedUtils } from '../src/auth/quota.js';
 import type { AccountState, LastQuotaSnapshot, ListStateData } from '../src/auth/broker/client.js';
+import { maskEmail } from './demo-mask.js';
 
 // ── shared types ─────────────────────────────────────────────────────
 
@@ -60,23 +62,76 @@ export interface AccountSnapshot {
 export const THROTTLING_THRESHOLD_PCT = 80;
 
 /**
- * Decide the health verdict for one account. The two "binding" facts:
- *   - 5h or 7d utilization >= 100% (or `representativeClaim` non-null
- *     plus utilization >= 99.5%) → blocked
- *   - either window above 80%, or representativeClaim set with > 50% →
- *     throttling
+ * INFORMATIONAL ALLOWLIST of `overageDisabledReason` values that mean the
+ * account has no overage headroom. Replicated from the broker's
+ * `OVERAGE_EXHAUSTED_REASONS` (src/auth/broker/account-eligibility.ts) because
+ * the plugin can't import across the package boundary — keep the two in sync.
+ *
+ * These are NOT serve-blocking: the fleet runs on quota, not credits. An account
+ * with `out_of_credits` at low util serves fine. `org_level_disabled` → benign
+ * (the live active fleet account: overage off but serving fine off subscription).
+ * `null` / unknown → benign (deny-by-omission).
+ *
+ * MUST NEVER gate serving or failover eligibility — informational annotation
+ * only (e.g. "overage off (out_of_credits) — serving from quota").
+ * Do NOT key on `overageStatus` ("rejected" appears on the healthy account too).
+ * The drift test (overage-allowlist-drift.test.ts) guards these two copies stay
+ * in sync — update BOTH when this list changes.
+ */
+const OVERAGE_EXHAUSTED_REASONS = new Set<string>(['out_of_credits']);
+
+/**
+ * Decide the health verdict for one account. Binding facts (in order):
+ *   - probe failure → unknown
+ *   - thin/headerless probe → unknown (no real utilization signal)
+ *   - 5h or 7d utilization >= 99.5% → blocked (quota wall)
+ *   - either window above 80% → throttling
  *   - everything else → healthy
  *   - probe failure → unknown
+ *
+ * NOTE: `out_of_credits` (overageDisabledReason) is NOT a serve-block here.
+ * The fleet runs on quota, not on overage credits. An account with `out_of_credits`
+ * at low util (e.g. carol@example.com at 5h=0%, 7d=2%) serves fine and is a
+ * valid failover target. Overage fields are informational only — surfaced as an
+ * annotation on healthy/throttling rows, never as a blocked verdict.
+ * Failover safety against a real 429 is preserved via the mark-exhausted path.
  */
-export function classifyHealth(snap: AccountSnapshot): AccountHealth {
+export function classifyHealth(snap: AccountSnapshot, now: Date = new Date()): AccountHealth {
   if (!snap.quota) return 'unknown';
   const q = snap.quota;
-  const max = Math.max(q.fiveHourUtilizationPct, q.sevenDayUtilizationPct);
+  // #2494 Bug C — a thin/headerless probe (no real utilization signal on
+  // EITHER window) must not masquerade as a confident 0% / healthy. Treat it
+  // as unknown so the card surfaces a data-quality gap, not "healthy".
+  if (isProbeThin(q)) return 'unknown';
+  // #2494 Bug A — read utilization through the refill normalization: a window
+  // whose reset has already passed has rolled since the snapshot was captured,
+  // so its stale high utilization must be treated as 0%. A just-refilled
+  // account self-corrects to healthy without an extra probe.
+  const norm = refillNormalizedUtils(q, now);
+  const max = Math.max(norm.fiveHourUtilizationPct, norm.sevenDayUtilizationPct);
   if (max >= 99.5) return 'blocked';
   if (max >= THROTTLING_THRESHOLD_PCT) return 'throttling';
   return 'healthy';
 }
 
+/**
+ * Why is a BLOCKED account blocked? Only one cause now: quota exhaustion.
+ *   - 'quota-exhausted' — a util window is maxed but recovers when that window
+ *     rolls. Show the reset countdown.
+ *
+ * NOTE: 'billing-dead' has been removed. `out_of_credits` accounts are now
+ * healthy (not blocked) — they appear in the HEALTHY group with an informational
+ * overage annotation. See classifyHealth for the rationale.
+ *
+ * Returns null for non-blocked accounts.
+ */
+export type BlockedReason = 'quota-exhausted';
+
+export function blockedReason(snap: AccountSnapshot, now: Date = new Date()): BlockedReason | null {
+  if (classifyHealth(snap, now) !== 'blocked') return null;
+  return 'quota-exhausted';
+}
+
 /**
  * Which window is the user-visible "binding" one — the one that ran
  * out, or is closer to running out. Returned as a label for headers
@@ -150,6 +205,31 @@ export interface SnapshotRenderOpts {
   /** Refresh stamp shown in the footer; usually `Date.now()` of the
    *  most recent live probe. Omit to suppress. */
   liveProbedAtMs?: number;
+  /**
+   * #2495 Change 2 — the probe-on-open attempted a live refresh but it
+   * FAILED, so the card is rendered off the durable cache. When set, the
+   * footer shows an explicit "⚠ cached Nm ago" warning (age measured from
+   * this `capturedAt`) instead of a false "Live · refreshed 0s ago" stamp.
+   * Takes precedence over `liveProbedAtMs`.
+   */
+  staleCachedAtMs?: number;
+  /**
+   * Demo mode (the `/usage demo` / `/auth demo` suffix). When true, every
+   * account label is run through `maskEmail` before rendering so a screen
+   * recording shows stable realistic fakes instead of the operator's real
+   * account emails. Off by default — normal output is unchanged. Scope is
+   * the email-label PII tier only; topology/percentages/resets are untouched.
+   */
+  demo?: boolean;
+}
+
+/**
+ * Apply demo-mode email masking to an account label when `opts.demo` is set,
+ * otherwise return the label unchanged. Single helper so the three label
+ * render sites stay in lockstep.
+ */
+function displayLabel(label: string, opts: SnapshotRenderOpts): string {
+  return opts.demo ? maskEmail(label) : label;
 }
 
 /**
@@ -184,11 +264,13 @@ const HEALTH_TITLE: Record<AccountHealth, string> = {
  * One-line per-account summary inside its health group.
  *
  *   you@example.com  ● 8% / 20%
- *     5h refills 11:00 AM (in 6m)  ·  7d resets Sun 11:00 AM
+ *     5h refills 11:00 AM (in 6m)
+ *     7d resets Sun 11:00 AM
  *
- * Two lines actually: the label/percent line and a sub-line with the
- * reset details. The blocked variant replaces the sub-line with the
- * recovery countdown.
+ * Three lines for a healthy/throttling row: the label/percent line plus
+ * two reset sub-lines (each window on its own line so the 7d segment
+ * doesn't wrap mid-line on a narrow phone). The blocked variant replaces
+ * the sub-lines with a single recovery countdown.
  */
 function renderAccountRow(
   snap: AccountSnapshot,
@@ -198,10 +280,11 @@ function renderAccountRow(
   const tz = opts.tz ?? 'UTC';
   const lines: string[] = [];
   const marker = snap.isActive ? '● ' : '';
+  const label = displayLabel(snap.label, opts);
 
   if (!snap.quota) {
     lines.push(
-      `${marker}<code>${escapeHtml(snap.label)}</code>  <i>quota probe failed</i>`,
+      `${marker}<code>${escapeHtml(label)}</code>  <i>quota probe failed</i>`,
     );
     if (snap.quotaError) {
       lines.push(`  <i>${escapeHtml(snap.quotaError)}</i>`);
@@ -210,29 +293,41 @@ function renderAccountRow(
   }
 
   const q = snap.quota;
-  const fiveStr = fmtPct(q.fiveHourUtilizationPct);
-  const sevenStr = fmtPct(q.sevenDayUtilizationPct);
+  // #2494 Bug C — a thin/headerless probe carries no real utilization; render
+  // it as a data-quality gap, never a confident "0% / 0%".
+  if (isProbeThin(q)) {
+    lines.push(
+      `${marker}<code>${escapeHtml(label)}</code>  <i>quota unknown (thin probe)</i>`,
+    );
+    return lines;
+  }
+  // #2494 Bug A — show refill-normalized utilization so a window that has
+  // already reset reads its true post-refill 0%, not the stale capture value.
+  const norm = refillNormalizedUtils(q, now);
+  const fiveStr = fmtPct(norm.fiveHourUtilizationPct);
+  const sevenStr = fmtPct(norm.sevenDayUtilizationPct);
   lines.push(
-    `${marker}<code>${escapeHtml(snap.label)}</code>  ${fiveStr} / ${sevenStr}`,
+    `${marker}<code>${escapeHtml(label)}</code>  ${fiveStr} / ${sevenStr}`,
   );
 
-  const health = classifyHealth(snap);
+  const health = classifyHealth(snap, now);
   if (health === 'blocked') {
-    // Surface only the recovery countdown — the binding window's reset
-    // is the only thing that matters until then.
+    // quota-exhausted (recoverable): surface only the recovery countdown — the
+    // binding window's reset is the only thing that matters until then.
     const win = bindingWindow(q);
     const reset = win === '5h' ? q.fiveHourResetAt : q.sevenDayResetAt;
     const winLabel = win === '5h' ? '5-hour' : '7-day';
     lines.push(
-      `  <i>back ${formatAbsolute(reset, tz)} (in ${formatRelative(reset, now)}, ${winLabel} cap)</i>`,
+      `  <i>quota exhausted — back ${formatAbsolute(reset, tz)} (in ${formatRelative(reset, now)}, ${winLabel} cap)</i>`,
     );
     return lines;
   }
 
   // Healthy / throttling: show whichever window is closer to refresh
-  // first, then the other on the same line. Reverses the screenshot's
+  // first, then the other on the next line. Reverses the screenshot's
   // "5h then 7d" ordering when 7d is the more pressing one — the user
-  // wants the imminent number first.
+  // wants the imminent number first. Each window gets its own line so the
+  // second segment doesn't wrap mid-line on a narrow phone screen.
   const fiveResetIn = q.fiveHourResetAt ? q.fiveHourResetAt.getTime() - now.getTime() : Infinity;
   const sevenResetIn = q.sevenDayResetAt ? q.sevenDayResetAt.getTime() - now.getTime() : Infinity;
   const fiveFirst = fiveResetIn <= sevenResetIn;
@@ -242,7 +337,15 @@ function renderAccountRow(
   const sevenSeg = q.sevenDayResetAt
     ? `7d resets ${formatAbsolute(q.sevenDayResetAt, tz)} (in ${formatRelative(q.sevenDayResetAt, now)})`
     : '7d resets —';
-  lines.push(`  <i>${fiveFirst ? fiveSeg : sevenSeg}  ·  ${fiveFirst ? sevenSeg : fiveSeg}</i>`);
+  lines.push(`  <i>${fiveFirst ? fiveSeg : sevenSeg}</i>`);
+  lines.push(`  <i>${fiveFirst ? sevenSeg : fiveSeg}</i>`);
+  // Informational overage annotation: if out_of_credits (no overage headroom),
+  // surface it as a sub-line on a healthy/throttling row — NOT a blocked badge.
+  if (q.overageDisabledReason != null && OVERAGE_EXHAUSTED_REASONS.has(q.overageDisabledReason)) {
+    lines.push(
+      `  <i>overage off (${escapeHtml(q.overageDisabledReason)}) — serving from quota</i>`,
+    );
+  }
   return lines;
 }
 
@@ -263,6 +366,14 @@ function renderAccountRow(
  * `buildSnapshotKeyboard` below) — keep the formatting and the
  * keyboard in lockstep so the buttons always reflect current state.
  */
+/** Relative-age stamp shared by the live + degraded footers: "0s ago",
+ *  "3m ago". Measured against `now` (defaults to wall-clock) so tests with
+ *  an injected clock get deterministic output. */
+function formatAgeStamp(atMs: number, now: Date = new Date()): string {
+  const ageSec = Math.max(0, Math.round((now.getTime() - atMs) / 1000));
+  return ageSec < 60 ? `${ageSec}s ago` : `${Math.round(ageSec / 60)}m ago`;
+}
+
 export function renderAuthSnapshotFormat2(
   snapshots: AccountSnapshot[],
   opts: SnapshotRenderOpts = {},
@@ -278,7 +389,7 @@ export function renderAuthSnapshotFormat2(
   const order: AccountHealth[] = ['blocked', 'throttling', 'healthy', 'unknown'];
   const grouped = new Map<AccountHealth, AccountSnapshot[]>();
   for (const s of snapshots) {
-    const h = classifyHealth(s);
+    const h = classifyHealth(s, now);
     if (!grouped.has(h)) grouped.set(h, []);
     grouped.get(h)!.push(s);
   }
@@ -299,11 +410,14 @@ export function renderAuthSnapshotFormat2(
 
   lines.push('');
   lines.push('────────────────────────────');
-  lines.push(`<i>${recommendation(snapshots, now)}</i>`);
-  if (opts.liveProbedAtMs != null) {
-    const ageSec = Math.max(0, Math.round((Date.now() - opts.liveProbedAtMs) / 1000));
-    const ageStr = ageSec < 60 ? `${ageSec}s ago` : `${Math.round(ageSec / 60)}m ago`;
-    lines.push(`<i>Live · refreshed ${ageStr}</i>`);
+  lines.push(`<i>${recommendation(snapshots, now, opts.demo ?? false)}</i>`);
+  // #2495 Change 2 — a failed probe-on-open renders an explicit "cached Nm
+  // ago" warning, never a false live stamp. The degraded variant takes
+  // precedence over the live stamp.
+  if (opts.staleCachedAtMs != null) {
+    lines.push(`<i>⚠ cached ${formatAgeStamp(opts.staleCachedAtMs, now)}</i>`);
+  } else if (opts.liveProbedAtMs != null) {
+    lines.push(`<i>Live · refreshed ${formatAgeStamp(opts.liveProbedAtMs, now)}</i>`);
   } else {
     lines.push('<i>Live</i>');
   }
@@ -321,40 +435,109 @@ export function renderAuthSnapshotFormat2(
  *   "Active <active> is BLOCKED. Switch to <healthy> now."
  *   "All accounts blocked. Earliest recovery: <label> in <eta>."
  */
-export function recommendation(snapshots: AccountSnapshot[], now: Date = new Date()): string {
+export function recommendation(
+  snapshots: AccountSnapshot[],
+  now: Date = new Date(),
+  demo = false,
+): string {
   const active = snapshots.find((s) => s.isActive);
   if (!active) return 'No active account set.';
-  const activeHealth = classifyHealth(active);
+  const activeHealth = classifyHealth(active, now);
   const others = snapshots.filter((s) => !s.isActive);
-  const healthyAlt = others.find((s) => classifyHealth(s) === 'healthy');
+  const healthyAlt = others.find((s) => classifyHealth(s, now) === 'healthy');
+  // Demo mode masks the email labels that appear in the recommendation
+  // sentence, in lockstep with the per-account rows above.
+  const lbl = (s: AccountSnapshot) => (demo ? maskEmail(s.label) : s.label);
+  const activeLabel = lbl(active);
 
   if (activeHealth === 'healthy') {
-    return `Recommendation: stay on ${active.label}.`;
+    return `Recommendation: stay on ${activeLabel}.`;
   }
 
   if (activeHealth === 'throttling') {
     if (healthyAlt) {
-      return `Recommendation: active ${active.label} is throttling. Switch to ${healthyAlt.label} for headroom.`;
+      return `Recommendation: active ${activeLabel} is throttling. Switch to ${lbl(healthyAlt)} for headroom.`;
     }
-    return `Recommendation: active ${active.label} is throttling; no healthy alternative — wait for refill.`;
+    return `Recommendation: active ${activeLabel} is throttling; no healthy alternative — wait for refill.`;
   }
 
   if (activeHealth === 'blocked') {
     if (healthyAlt) {
-      return `Recommendation: active ${active.label} is BLOCKED — switch to ${healthyAlt.label} now.`;
+      return `Recommendation: active ${activeLabel} is BLOCKED — switch to ${lbl(healthyAlt)} now.`;
+    }
+    // #2494 Bug B — no healthy alternative. Do NOT collapse to "All accounts
+    // blocked": that's only honest when EVERY account is truly walled with no
+    // usable or imminently-refilling slot. Distinguish the buckets first.
+    return summarizeNoHealthyAlt(snapshots, now, demo);
+  }
+
+  // unknown
+  return `Active ${activeLabel}: quota probe failed; broker last_seen unknown.`;
+}
+
+/**
+ * #2494 Bug B — honest fleet summary when the active account is blocked and no
+ * fully-healthy alternative exists. Buckets every account so the summary never
+ * claims "all blocked" while a throttling / imminently-refilling / usable slot
+ * exists. Surfaces the soonest refill ETA across the fleet.
+ */
+function summarizeNoHealthyAlt(snapshots: AccountSnapshot[], now: Date, demo = false): string {
+  const mask = (label: string) => (demo ? maskEmail(label) : label);
+  let throttlingLabel: string | null = null;
+  let allTrulyBlocked = true;
+  for (const s of snapshots) {
+    const h = classifyHealth(s, now);
+    if (h === 'throttling') {
+      // A throttling account is still usable.
+      if (!throttlingLabel) throttlingLabel = s.label;
+      allTrulyBlocked = false;
+    } else if (h === 'healthy' || h === 'unknown') {
+      // Healthy is handled by the caller; unknown is not provably blocked.
+      allTrulyBlocked = false;
+    } else if (h === 'blocked' && blockedReason(s, now) === 'quota-exhausted') {
+      // Quota-exhausted recovers WHEN its window rolls — but only counts as
+      // "refilling" (not terminal) if it actually carries a future reset on the
+      // binding window. A maxed window with no reset timestamp has no imminent
+      // recovery and stays in the truly-blocked bucket (Bug B: "blocked = ≥99.5%
+      // AND no imminent reset").
+      if (s.quota) {
+        const win = bindingWindow(s.quota);
+        const at = win === '5h' ? s.quota.fiveHourResetAt : s.quota.sevenDayResetAt;
+        if (at && at.getTime() > now.getTime()) allTrulyBlocked = false;
+      }
     }
-    // No healthy alternative; surface the earliest recovery time.
-    const earliestRecovery = pickEarliestRecovery(snapshots, now);
+  }
+
+  const earliestRecovery = pickEarliestRecovery(snapshots, now);
+
+  if (throttlingLabel) {
+    // A usable (throttling) slot exists — recommend it, with the soonest refill.
+    const eta = earliestRecovery
+      ? ` Soonest full refill: ${mask(earliestRecovery.label)} in ${formatRelative(earliestRecovery.at, now)}.`
+      : '';
+    return `No fully-healthy account; ${mask(throttlingLabel)} is throttling but still usable.${eta}`;
+  }
+
+  if (!allTrulyBlocked) {
+    // No usable slot now, but at least one account is refilling — not all dead.
     if (earliestRecovery) {
-      return `All accounts blocked. Earliest recovery: ${earliestRecovery.label} in ${formatRelative(earliestRecovery.at, now)}.`;
+      return `All accounts at capacity; soonest refill: ${mask(earliestRecovery.label)} in ${formatRelative(earliestRecovery.at, now)}.`;
     }
-    return `All accounts blocked. Run /auth add to attach another subscription.`;
+    return `All accounts at capacity — waiting on a window refill.`;
   }
 
-  // unknown
-  return `Active ${active.label}: quota probe failed; broker last_seen unknown.`;
+  // Genuinely all blocked (quota-exhausted with no upcoming reset, or no data).
+  if (earliestRecovery) {
+    return `All accounts blocked. Earliest recovery: ${mask(earliestRecovery.label)} in ${formatRelative(earliestRecovery.at, now)}.`;
+  }
+  return `All accounts blocked. Run /auth add to attach another subscription.`;
 }
 
+/**
+ * Earliest refill ETA across the fleet. #2494 Bug A/B — only counts a future
+ * reset on the binding window; a window whose reset has already passed has
+ * refilled (handled by refill normalization) and is not "recovery pending".
+ */
 function pickEarliestRecovery(
   snapshots: AccountSnapshot[],
   now: Date,
@@ -362,6 +545,7 @@ function pickEarliestRecovery(
   let best: { label: string; at: Date } | null = null;
   for (const s of snapshots) {
     if (!s.quota) continue;
+    if (isProbeThin(s.quota)) continue;
     const win = bindingWindow(s.quota);
     const at = win === '5h' ? s.quota.fiveHourResetAt : s.quota.sevenDayResetAt;
     if (!at || at.getTime() <= now.getTime()) continue;
@@ -387,6 +571,17 @@ export interface FallbackAnnouncementInput {
   /** Agent that triggered the fallback (for context — fleet swap
    *  affects all agents but the user wants to know which one tripped). */
   triggerAgent: string;
+  /**
+   * Bug 3 — the full per-account fleet snapshot, threaded in so the all-blocked
+   * card can enumerate EVERY account (5h%/7d% + recovery ETA), not just the one
+   * triggering account. Built by `buildSnapshotsFromState` one frame up in
+   * `runFleetAutoFallback`. Optional/back-compat: when absent (or empty), the
+   * all-blocked branch falls back to the old single-account shape.
+   *
+   * ONLY consumed on the all-blocked branch. The successful-swap branch already
+   * shows the target's headroom and is unchanged.
+   */
+  fleetSnapshots?: AccountSnapshot[];
   tz?: string;
   now?: Date;
 }
@@ -414,14 +609,42 @@ export function renderFallbackAnnouncement(input: FallbackAnnouncementInput): st
   const headerLimit = limitWord === 'quota' ? 'quota cap' : `${limitWord} limit`;
 
   if (!input.newLabel) {
-    // All-blocked path — no swap occurred. Tell user what's broken
-    // and when the earliest reset is.
+    // All-blocked path — no swap occurred. Tell user what's broken and, so they
+    // can VERIFY the fleet is truly exhausted, enumerate EVERY account's 5h%/7d%
+    // + recovery ETA (Bug 3) — not just the one triggering account. Reuses the
+    // same per-account row + earliest-recovery helpers the /auth table uses so
+    // the formatting stays consistent with the rest of the auth surface.
     lines.push(
       `🔴 <b>All accounts blocked · ${headerLimit} on ${escapeHtml(input.oldLabel)}</b>`,
     );
     lines.push('');
     lines.push(`Triggered by: agent <b>${escapeHtml(input.triggerAgent)}</b>`);
-    if (input.oldQuota) {
+
+    const fleet = input.fleetSnapshots ?? [];
+    if (fleet.length > 0) {
+      lines.push('');
+      const rowOpts: SnapshotRenderOpts = { now, tz };
+      // Blocked-first ordering mirrors renderAuthSnapshotFormat2 — the user
+      // scans the walled accounts (and their recovery times) at the top, with
+      // the active account floating first within its group.
+      const healthOrder: AccountHealth[] = ['blocked', 'throttling', 'healthy', 'unknown'];
+      const rank = (s: AccountSnapshot): number => healthOrder.indexOf(classifyHealth(s, now));
+      const ordered = [...fleet].sort(
+        (a, b) => rank(a) - rank(b) || Number(b.isActive) - Number(a.isActive),
+      );
+      for (const snap of ordered) {
+        for (const ln of renderAccountRow(snap, rowOpts)) lines.push(ln);
+      }
+      const earliest = pickEarliestRecovery(fleet, now);
+      if (earliest) {
+        lines.push('');
+        lines.push(
+          `Earliest recovery: <code>${escapeHtml(earliest.label)}</code> ` +
+            `${formatAbsolute(earliest.at, tz)} (in ${formatRelative(earliest.at, now)})`,
+        );
+      }
+    } else if (input.oldQuota) {
+      // Back-compat: no fleet snapshot supplied → old single-account shape.
       const recovery = recoveryAtFor(input.oldQuota);
       if (recovery) {
         lines.push(
@@ -522,6 +745,10 @@ export interface SnapshotKeyboardOpts {
   /** Limit how many "Switch → X" buttons we render. Beyond this, the
    *  user can drill in via /usage. Default 3. */
   maxSwitchButtons?: number;
+  /** #2495 folded nit A — clock for health classification, threaded so the
+   *  keyboard agrees with the card body instead of defaulting to a second
+   *  `new Date()`. Defaults to wall-clock. */
+  now?: Date;
 }
 
 /**
@@ -540,14 +767,15 @@ export function buildSnapshotKeyboard(
   opts: SnapshotKeyboardOpts = {},
 ): KeyboardRow[] {
   const max = opts.maxSwitchButtons ?? 3;
+  const now = opts.now ?? new Date();
   const rows: KeyboardRow[] = [];
 
   // Switch buttons — healthy non-active first, then throttling
   // non-active. Skip blocked entirely.
   const switchTargets = snapshots
     .filter((s) => !s.isActive)
-    .sort((a, b) => switchPriority(a) - switchPriority(b))
-    .filter((s) => classifyHealth(s) !== 'blocked' && classifyHealth(s) !== 'unknown')
+    .sort((a, b) => switchPriority(a, now) - switchPriority(b, now))
+    .filter((s) => classifyHealth(s, now) !== 'blocked' && classifyHealth(s, now) !== 'unknown')
     .slice(0, max);
 
   for (const t of switchTargets) {
@@ -569,8 +797,8 @@ export function buildSnapshotKeyboard(
 }
 
 /** Lower number = higher priority for "switch to me" button. */
-function switchPriority(s: AccountSnapshot): number {
-  const h = classifyHealth(s);
+function switchPriority(s: AccountSnapshot, now: Date = new Date()): number {
+  const h = classifyHealth(s, now);
   if (h === 'healthy') return 0;
   if (h === 'throttling') return 1;
   if (h === 'unknown') return 2;
@@ -634,6 +862,10 @@ export function reviveLastQuota(snap: LastQuotaSnapshot | null | undefined): Quo
     representativeClaim: snap.representativeClaim,
     overageStatus: snap.overageStatus,
     overageDisabledReason: snap.overageDisabledReason,
+    // #2494 Bug C — forward the header-presence markers so a cached thin probe
+    // still renders as `unknown`, not a confident 0%.
+    fiveHourUtilPresent: snap.fiveHourUtilPresent,
+    sevenDayUtilPresent: snap.sevenDayUtilPresent,
   };
 }
 

package/telegram-plugin/auto-fallback-fleet.ts

@@ -101,6 +101,41 @@ export function evaluateFallbackFailureNotice(
   return { send: false, next: prev };
 }
 
+/**
+ * Cooldown for the "All accounts blocked" card (Bug 2). The all-blocked outcome
+ * is a NO-OP swap — `doFireFleetAutoFallback` returns false on it, so the
+ * fleetFallbackGate's dedup window (which arms ONLY on a successful swap) never
+ * arms. Meanwhile the card-less `quota_wall_detected` trigger re-signals every
+ * ~60s for the whole duration of a weekly wall, so the identical all-blocked
+ * card re-broadcasts every minute. This is the notice-level bound that the swap
+ * dedup window can't provide for the no-op path — same shape and rationale as
+ * the failure-notice cooldown above.
+ *
+ * Deliberately a plain per-gateway time cooldown (not keyed by trigger account /
+ * earliest-recovery): the all-blocked condition is fleet-wide, so a single
+ * window suppresses the repeat regardless of which agent's wall re-fired it.
+ * A genuinely NEW state transition is NOT suppressed by this: a later SUCCESSFUL
+ * swap arms the separate gate window and the next all-blocked (a real new
+ * exhaustion) is bounded only by this window, not silenced.
+ */
+export const FALLBACK_ALL_BLOCKED_NOTICE_COOLDOWN_MS = 30 * 60_000;
+
+export interface FallbackAllBlockedNoticeState {
+  /** Unix ms of the last all-blocked card this gateway sent. 0 = never. */
+  lastSentAtMs: number;
+}
+
+export function evaluateAllBlockedNotice(
+  prev: FallbackAllBlockedNoticeState,
+  now: number,
+  cooldownMs: number = FALLBACK_ALL_BLOCKED_NOTICE_COOLDOWN_MS,
+): { send: boolean; next: FallbackAllBlockedNoticeState } {
+  if (now - prev.lastSentAtMs >= cooldownMs) {
+    return { send: true, next: { lastSentAtMs: now } };
+  }
+  return { send: false, next: prev };
+}
+
 export type FleetFallbackOutcome =
   | {
       kind: 'switched';
@@ -186,7 +221,11 @@ export async function runFleetAutoFallback(
   // Idempotency guard: don't swap a healthy active account, even if
   // the trigger event said quota_exhausted. The event may be stale
   // (event posted, window rolled over, gateway picked it up late).
-  const oldHealth = classifyHealth(oldSnap);
+  // #2494 Bug A — classify against this run's `now` so the refill
+  // normalization uses the same clock as the rest of the decision (a default
+  // `new Date()` would diverge from `deps.now` and could mis-zero a window
+  // whose reset is still future relative to the event's clock).
+  const oldHealth = classifyHealth(oldSnap, now);
   if (oldHealth === 'healthy') {
     return {
       kind: 'no-eligible-target',
@@ -220,6 +259,10 @@ export async function runFleetAutoFallback(
         newLabel: null,
         newQuota: null,
         triggerAgent: deps.triggerAgent,
+        // Bug 3 — thread the full per-account fleet snapshot so the all-blocked
+        // card enumerates EVERY account (5h%/7d% + recovery ETA), letting the
+        // user verify the fleet is truly exhausted, not just the trigger account.
+        fleetSnapshots: snapshots,
         tz,
         now,
       }),

package/telegram-plugin/context-exhaustion.ts

@@ -14,6 +14,18 @@
 export const CONTEXT_EXHAUSTION_MARKER = 'Prompt is too long'
 export const ORPHANED_REPLY_TIMEOUT_MS = 30_000
 
+/**
+ * Maximum number of times the orphaned-reply backstop timer may re-arm
+ * itself when a tool call is in flight, before it fires a synthetic turn_end
+ * anyway (to surface a genuinely hung tool).
+ *
+ * Math: 20 re-arms × 30 s fuse = 10 min of genuine tool activity before the
+ * backstop surfaces. Chosen to cover multi-phase agent turns (write → compile
+ * → test → fix loop) while still catching a truly wedged single tool within a
+ * reasonable wall-clock bound.
+ */
+export const ORPHANED_REPLY_MAX_REARMS = 20
+
 export function isContextExhaustionText(text: string): boolean {
   return text.includes(CONTEXT_EXHAUSTION_MARKER)
 }