switchroom 0.15.45 → 0.16.5

package/dist/auth-broker/index.js

@@ -11150,7 +11150,7 @@ var TelegramChannelSchema = exports_external.object({
   format: exports_external.enum(["html", "markdownv2", "text"]).optional().describe("Default reply format passed to the plugin"),
   rate_limit_ms: exports_external.number().optional().describe("Minimum delay between outgoing messages in ms"),
   stream_mode: exports_external.enum(["pty", "checklist"]).optional().describe("How live progress is streamed to Telegram during a turn. " + "'pty' (default) surfaces text snapshots of Claude Code's TUI — " + "compatible but can flicker as Ink re-renders. 'checklist' drives " + "a structured progress card from session-tail events — stable " + "order, per-tool status emojis, fires only on semantic transitions."),
-  stream_throttle_ms: exports_external.number().int().nonnegative().optional().describe("Throttle window in ms between successive stream edits (or " + "sendMessageDraft tics) during a turn. Lower = more responsive " + "stream, higher = fewer API calls. Floored at 250 by draft-stream " + "itself. Default 300 for draft transport (DMs) and 1000 for " + "message transport (groups/forums). Override per-agent if a " + "particular agent needs snappier or quieter streaming."),
+  stream_throttle_ms: exports_external.number().int().nonnegative().optional().describe("Throttle window in ms between successive in-place stream edits " + "during a turn. Lower = more responsive stream, higher = fewer API " + "calls. Floored at 250 by draft-stream itself. Default 400 ms for DMs " + "and 1000 ms for groups/forums (respects Telegram's ~1 edit/sec/message " + "practical ceiling). Override per-agent if a particular agent needs " + "snappier or quieter streaming."),
   clear_status_on_completion: exports_external.boolean().optional().describe("When true, the live activity/status feed (the in-place 'what it's " + "doing' message — Reading X, Searching the web for Y, …) is DELETED " + "when the turn's final answer lands, so only the reply remains. " + "Default false: the status message is left in the chat as a record " + "(its last step marked done) — no post-then-delete. Per-agent " + "override; cascades defaults → profile → agent (per-key)."),
   hotReloadStable: exports_external.boolean().optional().describe("If true, the stable workspace prefix (AGENTS.md, SOUL.md, USER.md, " + "IDENTITY.md, TOOLS.md) is re-injected on every turn via " + "the UserPromptSubmit hook instead of baked into --append-system-prompt " + "at session start. Lets workspace edits propagate without a restart. " + "Costs ~5-10% per-turn latency/spend since the stable prefix is no " + "longer prompt-cached."),
   inject_on_change: exports_external.boolean().optional().describe("Context-efficiency gate for per-turn hook injection (default true). " + "When true (the default), the turn-pacing directive and dynamic " + "workspace content are only re-emitted when their content changes or " + "the session_id changes — suppressing redundant injection that " + "otherwise triples compaction frequency. Set to false to revert to " + "the legacy always-emit behaviour (every turn injects the full " + "content regardless of whether it changed)."),
@@ -11238,6 +11238,14 @@ var GoogleWorkspaceConfigSchema = exports_external.object({
   approvers: exports_external.array(ApproverIdSchema).min(1).describe("Array of numeric Telegram user IDs authorized to approve drive onboarding. " + "At least one must be specified."),
   tier: GoogleWorkspaceTierSchema.optional().describe("RFC G Phase 1: which upstream MCP tier to expose. " + "core (default) = ~16 tools (Drive+Docs+Sheets+Calendar). " + "extended = ~40 tools (+Slides, Forms, Tasks, Chat). " + "complete = ~60+ tools (+Gmail; not recommended yet — see RFC G §5).")
 }).optional();
+var LiteLLMConfigSchema = exports_external.object({
+  enabled: exports_external.boolean().optional().describe("Opt-in toggle. When true, `switchroom apply` provisions a per-agent " + "LiteLLM virtual key and injects routing env into the container. " + "Default OFF."),
+  base_url: exports_external.string().optional().describe("LiteLLM proxy base URL the agent's claude CLI routes through, e.g. " + "'http://127.0.0.1:4010'. Agents use network_mode:host, so loopback " + "reaches a host-bound proxy. Exported as ANTHROPIC_BASE_URL."),
+  admin_key: exports_external.string().optional().describe("LiteLLM master/admin key used at apply time to provision the team + " + "virtual key. Supports a vault reference (e.g. " + "'vault:litellm/master-key') — resolution happens at apply time via " + "the vault-broker. Never injected into the agent container."),
+  team: exports_external.string().optional().describe("LiteLLM team alias the per-agent key is created under. Defaults to " + "'switchroom' (applied in code, not as a schema default)."),
+  small_fast_model: exports_external.string().optional().describe("Model id exported as ANTHROPIC_SMALL_FAST_MODEL for the claude CLI's " + "background/fast lane, e.g. 'claude-haiku-4-5-20251001'."),
+  tags: exports_external.record(exports_external.string(), exports_external.string()).optional().describe("Extra key/value metadata tags attached to the provisioned LiteLLM " + "virtual key. Merged per-key across cascade layers (agent wins).")
+}).optional().describe("LiteLLM routing config — opt-in per-agent virtual-key auto-provisioning " + "+ routing env. Default OFF. See LiteLLMConfigSchema doc for the full flow.");
 var MicrosoftWorkspaceConfigSchema = exports_external.object({
   microsoft_client_id: exports_external.string().min(1).optional().describe("Microsoft OAuth application (client) ID from Entra portal " + "(literal string or vault reference e.g. " + "'vault:microsoft-oauth-client-id'). OPTIONAL — omit it to use " + "switchroom's shipped default Microsoft app (zero-config). " + "Set it only to bring your own Entra app (BYO)."),
   microsoft_client_secret: exports_external.string().min(1).optional().describe("Microsoft OAuth client secret. Optional — public-client apps " + "(Mobile + Desktop platform with 'Allow public client flows' " + "enabled) work without a secret; confidential clients pass " + "one. Either literal or vault reference e.g. " + "'vault:microsoft-oauth-client-secret'."),
@@ -11334,6 +11342,7 @@ var profileFields = {
   mcp_servers: exports_external.record(exports_external.string(), exports_external.unknown()).optional(),
   hooks: AgentHooksSchema,
   env: exports_external.record(exports_external.string(), exports_external.string()).optional(),
+  litellm: LiteLLMConfigSchema,
   system_prompt_append: exports_external.string().optional(),
   skills: exports_external.array(exports_external.string()).optional(),
   bundled_skills: exports_external.record(exports_external.string(), exports_external.boolean()).optional().describe("Opt-out map for switchroom's bundled-default skills " + "(e.g. skill-creator, mcp-builder, webapp-testing, pdf, docx, " + "xlsx, pptx, switchroom-cli, switchroom-status, switchroom-health). " + "Set a key to `false` to suppress that default for this agent. " + "Cascades from defaults.bundled_skills."),
@@ -11406,6 +11415,7 @@ var AgentSchema = exports_external.object({
   mcp_servers: exports_external.record(exports_external.string(), exports_external.unknown()).optional().describe("Additional MCP server configurations"),
   hooks: AgentHooksSchema.describe("Claude Code lifecycle hooks (SessionStart, UserPromptSubmit, Stop, etc). " + "Written to settings.json.hooks in Claude Code's native shape."),
   env: exports_external.record(exports_external.string(), exports_external.string()).optional().describe("Environment variables exported in start.sh before claude runs"),
+  litellm: LiteLLMConfigSchema.describe("Per-agent LiteLLM routing override. Presence with `enabled: true` opts " + "this agent IN to per-agent virtual-key auto-provisioning + routing env " + "(falls back to the top-level `litellm:` block for base_url/admin_key/" + "team/small_fast_model). Deep-merges one level over defaults/profile; " + "`tags` merge per-key, agent wins. Default OFF."),
   system_prompt_append: exports_external.string().optional().describe("Text passed via claude's --append-system-prompt flag. " + "Appended to the default or CLAUDE.md-derived system prompt."),
   skills: exports_external.array(exports_external.string()).optional().describe("Names of skills from switchroom.skills_dir to symlink into this " + "agent's skills/ directory. Unioned with defaults.skills."),
   bundled_skills: exports_external.record(exports_external.string(), exports_external.boolean()).optional().describe("Per-agent override of switchroom's bundled-default skills " + "(skill-creator, mcp-builder, webapp-testing, pdf, docx, xlsx, " + "pptx, switchroom-cli/status/health). Set a key to `false` to " + "opt out for this agent. Per-agent value wins over defaults.bundled_skills."),
@@ -11531,7 +11541,7 @@ var WebServiceConfigSchema = exports_external.object({
 });
 var HostdConfigSchema = exports_external.object({
   config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true, admin agents can propose unified-diff " + "patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
-  config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Configurable now, but the rate limiter is not yet enforced " + "(no `E_RATE_LIMITED` is currently raised); the field is reserved so " + "operators can pin the cap ahead of the limiter going live.")
+  config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. ENFORCED server-side: a caller exceeding this in a sliding " + "1-hour window is rejected with `E_RATE_LIMITED` (carrying a " + "`retry_after` fix) instead of posting another operator approval " + "card — so a looping agent is throttled rather than spamming the chat.")
 });
 var CronEgressSchema = exports_external.object({
   allowed_hosts: exports_external.array(exports_external.string().min(1)).default([]).describe("Hosts a poll may reach (exact, https-only). loopback/private/IP-literal are always rejected."),
@@ -11564,11 +11574,14 @@ var SwitchroomConfigSchema = exports_external.object({
         message: "Consumer name must be a path-safe slug (letters, digits, underscore, hyphen)"
       }).describe("Socket-path identity; binds at /run/switchroom/auth-broker/<name>/sock"),
       account: exports_external.string().min(1).describe("Pinned account label for this consumer. `get-credentials` returns " + "this account's credentials; `mark-exhausted` from this consumer " + "only affects this account."),
-      uid: exports_external.number().int().nonnegative().optional().describe("Optional UID to chown the consumer socket to (defaults to 0 = root, " + "suitable for sibling containers running as root).")
-    })).optional().describe("Non-agent peers that hold a broker socket (RFC H §4.8). Each gets " + "its own `/run/switchroom/auth-broker/<name>/sock` chowned to its UID. " + "Consumers cannot be admins; a consumer name that collides with an " + "agent (whether that agent has `admin: true` or not) is a config " + "error caught at schema validation.")
+      uid: exports_external.number().int().nonnegative().optional().describe("Optional UID to chown the consumer socket to (defaults to 0 = root, " + "suitable for sibling containers running as root)."),
+      mirror_dir: exports_external.string().optional().describe("Optional host-side directory path. When set, the broker actively " + "writes the consumer's effective-account `.credentials.json` mirror " + "here — in addition to serving creds on demand via `get-credentials`. " + "Use this to eliminate the pull-latency gap: without a mirror the " + "consumer only gets failover creds at its next scheduled re-fetch " + "(up to 30 min). With a mirror the broker pushes failover creds " + "immediately when it detects exhaustion (consumer-quota-sensor tick, " + "or a mark-exhausted RPC on the pinned account). The directory must " + "be accessible to the broker container (bind-mounted from the host) " + "and to the consumer container; the broker writes " + "`<mirror_dir>/.credentials.json` atomically. Chown is attempted to " + "`uid` (default 0) — swallowed when CAP_CHOWN is absent.")
+    })).optional().describe("Non-agent peers that hold a broker socket (RFC H §4.8). Each gets " + "its own `/run/switchroom/auth-broker/<name>/sock` chowned to its UID. " + "Consumers cannot be admins; a consumer name that collides with an " + "agent (whether that agent has `admin: true` or not) is a config " + "error caught at schema validation."),
+    allow_overage_accounts: exports_external.array(exports_external.string().min(1)).optional().describe("Opt-in list of account labels (bare strings matching `auth.active` / " + "`auth.fallback_order` entries) that may be served PAST the weekly " + "utilization wall when Anthropic overage billing is available for the " + "account (`overageStatus === 'allowed'`). Overage is REAL MONEY — " + "default is empty (no account gets this). An account in this list is " + "only kept eligible when its fresh quota snapshot reports " + "`overageStatus: 'allowed'` AND `overageDisabledReason` is NOT " + "'out_of_credits' (i.e. the overage credit has not been exhausted). " + "As soon as `overageDisabledReason` becomes 'out_of_credits', the " + "account is blocked immediately regardless of this flag. Overage lifts " + "ONLY the utilization wall — it cannot lift an active exhaustion mark " + "written by a real 429 (`mark-exhausted`).")
   }).optional().describe("Switchroom-auth-broker configuration (RFC H). Fleet-wide active account, " + "fallback order, admin-agent ACL, and ephemeral-consumer surface. " + "Required from the v0.8+ schema onwards; pre-v0.8 fleets are migrated " + "in-place by `switchroom apply` (see src/auth/migrate-schema.ts)."),
   drive: GoogleWorkspaceConfigSchema.describe("RFC D legacy key — use `google_workspace:` instead. Optional Google " + "Workspace onboarding configuration. When set, supplies Google OAuth " + "client credentials, the approver allowlist for `switchroom drive " + "connect`, and the optional tier knob. Env vars " + "(SWITCHROOM_GOOGLE_CLIENT_ID, SWITCHROOM_GOOGLE_CLIENT_SECRET, " + "SWITCHROOM_APPROVER_USER_ID) take precedence over this block when " + "set, preserving back-compat with the env-only flow shipped in #766."),
   google_workspace: GoogleWorkspaceConfigSchema.describe("RFC G canonical key. Top-level Google Workspace configuration — " + "OAuth client credentials, approver allowlist, and tier knob (`core` " + "| `extended` | `complete`, default `core`). Mutually exclusive with " + "`drive:` at the top level (loader fails fast if both are set)."),
+  litellm: LiteLLMConfigSchema.describe("Top-level LiteLLM routing infra — global base_url, admin_key (the " + "LiteLLM master key, supports a `vault:` ref), team alias, and " + "small_fast_model shared by every agent that opts in. Set `enabled: " + "true` here to default the whole fleet on (each agent can still set " + "`litellm.enabled: false` to opt out). Default OFF."),
   microsoft_workspace: MicrosoftWorkspaceConfigSchema.describe("RFC #1873 (Microsoft 365 integration). Top-level Microsoft Workspace " + "configuration — OAuth client credentials (Entra app), authority " + "endpoint (defaults to /common for personal MSA + work), and the " + "org_mode opt-in for Teams/SharePoint surfaces. Block is optional; " + "when omitted the broker does not register the Microsoft provider."),
   notion_workspace: NotionWorkspaceConfigSchema.describe("RFC reference/rfcs/notion-integration.md. Top-level Notion integration " + "config — vault key for the integration token, friendly-name → " + "database UUID map, optional MCP-package version pin, and optional " + "global rate-limit override (default 3 rps, Notion's documented " + "public-API limit). Block is optional; when omitted no agent gets a " + "Notion MCP entry regardless of per-agent config."),
   quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
@@ -11988,6 +12001,24 @@ function mergeAgentConfig(defaultsIn, agentIn) {
       ...merged.env ?? {}
     };
   }
+  if (defaults.litellm || merged.litellm) {
+    const base = defaults.litellm ?? {};
+    const override = merged.litellm ?? {};
+    const combined = { ...base };
+    for (const [k, v] of Object.entries(override)) {
+      if (v === undefined)
+        continue;
+      if (k === "tags" && base.tags && typeof v === "object" && v !== null && !Array.isArray(v)) {
+        combined.tags = {
+          ...base.tags,
+          ...v
+        };
+      } else {
+        combined[k] = v;
+      }
+    }
+    merged.litellm = combined;
+  }
   if (defaults.subagents || merged.subagents) {
     const dSub = defaults.subagents ?? {};
     const mSub = merged.subagents ?? {};
@@ -12357,6 +12388,14 @@ import { dirname as dirname3, join as join4, resolve as resolve7 } from "node:pa
 // src/agents/compose.ts
 import { createHash } from "node:crypto";
 
+// src/config/timezone.ts
+var CONTAINER_DEFAULT_UTC_ZONES = new Set([
+  "UTC",
+  "Etc/UTC",
+  "Etc/Universal",
+  "Universal"
+]);
+
 // src/vault/broker/peercred.ts
 var RESERVED_AGENT_NAMES = new Set(["operator", "hostd"]);
 function isReservedAgentName(name) {
@@ -12387,6 +12426,9 @@ var BIND_MOUNT_EXACT_SOURCE_DENY = new Set(["/var/run/docker.sock"]);
 var OAUTH_BETA = "oauth-2025-04-20";
 var DEFAULT_USER_AGENT = "claude-cli/1.0.0 (external, cli)";
 var DEFAULT_PROBE_MODEL = "claude-haiku-4-5-20251001";
+function isProbeThin(q) {
+  return q.fiveHourUtilPresent === false && q.sevenDayUtilPresent === false;
+}
 function parseFloatHeader(headers, name) {
   const v = headers.get(name);
   if (v == null || v.trim().length === 0)
@@ -12417,6 +12459,8 @@ function parseQuotaHeaders(headers) {
     data: {
       fiveHourUtilizationPct: (fiveHour ?? 0) * 100,
       sevenDayUtilizationPct: (sevenDay ?? 0) * 100,
+      fiveHourUtilPresent: fiveHour != null,
+      sevenDayUtilPresent: sevenDay != null,
       fiveHourResetAt: parseEpochHeader(headers, "anthropic-ratelimit-unified-5h-reset"),
       sevenDayResetAt: parseEpochHeader(headers, "anthropic-ratelimit-unified-7d-reset"),
       representativeClaim: headers.get("anthropic-ratelimit-unified-representative-claim"),
@@ -12470,57 +12514,50 @@ async function fetchQuota(opts) {
   return parsed;
 }
 
-// src/auth/broker/consumer-quota-sensor.ts
-var EXHAUSTION_PCT = 99.5;
-var DEFAULT_CONSUMER_PROBE_INTERVAL_MS = 10 * 60 * 1000;
-function quotaIndicatesExhaustion(result) {
-  if (!result.ok)
-    return { exhausted: false, until: null };
-  const d = result.data;
-  const fiveBlocked = d.fiveHourUtilizationPct >= EXHAUSTION_PCT;
-  const sevenBlocked = d.sevenDayUtilizationPct >= EXHAUSTION_PCT;
-  if (!fiveBlocked && !sevenBlocked)
-    return { exhausted: false, until: null };
-  const fiveReset = fiveBlocked ? d.fiveHourResetAt?.getTime() ?? null : null;
-  const sevenReset = sevenBlocked ? d.sevenDayResetAt?.getTime() ?? null : null;
-  const candidates = [fiveReset, sevenReset].filter((x) => x != null);
-  const until = candidates.length > 0 ? Math.max(...candidates) : null;
-  return { exhausted: true, until };
-}
-function resolveConsumerProbeIntervalMs(env) {
-  if (env.SWITCHROOM_DISABLE_CONSUMER_QUOTA_PROBE === "1")
-    return 0;
-  const raw = env.SWITCHROOM_CONSUMER_QUOTA_PROBE_MS;
-  if (raw !== undefined) {
-    const n = Number(raw);
-    if (Number.isFinite(n) && n >= 0)
-      return n;
-  }
-  return DEFAULT_CONSUMER_PROBE_INTERVAL_MS;
-}
-
 // src/auth/broker/account-eligibility.ts
 var WALL_PCT = 99.5;
 var HEALTHY_CLEAR_PCT = 80;
 var SNAPSHOT_STALE_AGE_MS = 24 * 60 * 60 * 1000;
+var OVERAGE_EXHAUSTED_REASONS = new Set(["out_of_credits"]);
 function snapshotFresh(s, now, maxAgeMs = SNAPSHOT_STALE_AGE_MS) {
   return !!s && now - s.capturedAt <= maxAgeMs && s.capturedAt <= now + 60000;
 }
 function snapshotWalled(s) {
   return s.fiveHourUtilizationPct >= WALL_PCT || s.sevenDayUtilizationPct >= WALL_PCT;
 }
+function overageLiftsWall(snapshot, inAllowList) {
+  if (!inAllowList)
+    return false;
+  if (snapshot.overageStatus !== "allowed")
+    return false;
+  const reason = snapshot.overageDisabledReason;
+  if (reason != null && OVERAGE_EXHAUSTED_REASONS.has(reason))
+    return false;
+  return true;
+}
 function snapshotClearlyHealthy(s) {
   return s.fiveHourUtilizationPct < HEALTHY_CLEAR_PCT && s.sevenDayUtilizationPct < HEALTHY_CLEAR_PCT;
 }
-function isAccountBlocked(opts) {
-  const { mark, snapshot, now } = opts;
+function accountEligibility(opts) {
+  const { mark, snapshot, now, allowOverage = false } = opts;
   if (snapshotFresh(snapshot, now)) {
     const markedAt = mark?.marked_at ?? 0;
     if (snapshot.capturedAt >= markedAt) {
-      return snapshotWalled(snapshot);
+      if (snapshotWalled(snapshot)) {
+        if (overageLiftsWall(snapshot, allowOverage)) {
+          return "eligible";
+        }
+        return "blocked";
+      }
+      return "eligible";
     }
   }
-  return mark !== undefined && mark.exhausted_until > now;
+  if (mark !== undefined && mark.exhausted_until > now)
+    return "blocked";
+  return "unknown";
+}
+function isAccountBlocked(opts) {
+  return accountEligibility(opts) === "blocked";
 }
 function snapshotShouldClearMark(snapshot, mark, now) {
   if (!mark)
@@ -12529,6 +12566,8 @@ function snapshotShouldClearMark(snapshot, mark, now) {
     return false;
   if (snapshot.capturedAt < (mark.marked_at ?? 0))
     return false;
+  if (isProbeThin(snapshot))
+    return false;
   return snapshotClearlyHealthy(snapshot);
 }
 function clampMarkExpiry(opts) {
@@ -12540,6 +12579,46 @@ function clampMarkExpiry(opts) {
   return liveContradictsWeeklyWall ? shortCeil : proposedUntil;
 }
 
+// src/auth/broker/consumer-quota-sensor.ts
+var EXHAUSTION_PCT = 99.5;
+var DEFAULT_CONSUMER_PROBE_INTERVAL_MS = 10 * 60 * 1000;
+function quotaIndicatesExhaustion(result, allowOverage = false) {
+  if (!result.ok)
+    return { exhausted: false, until: null };
+  const d = result.data;
+  const fiveBlocked = d.fiveHourUtilizationPct >= EXHAUSTION_PCT;
+  const sevenBlocked = d.sevenDayUtilizationPct >= EXHAUSTION_PCT;
+  if (!fiveBlocked && !sevenBlocked)
+    return { exhausted: false, until: null };
+  if (allowOverage) {
+    const snap = {
+      fiveHourUtilizationPct: d.fiveHourUtilizationPct,
+      sevenDayUtilizationPct: d.sevenDayUtilizationPct,
+      capturedAt: Date.now(),
+      overageStatus: d.overageStatus,
+      overageDisabledReason: d.overageDisabledReason
+    };
+    if (overageLiftsWall(snap, true))
+      return { exhausted: false, until: null };
+  }
+  const fiveReset = fiveBlocked ? d.fiveHourResetAt?.getTime() ?? null : null;
+  const sevenReset = sevenBlocked ? d.sevenDayResetAt?.getTime() ?? null : null;
+  const candidates = [fiveReset, sevenReset].filter((x) => x != null);
+  const until = candidates.length > 0 ? Math.max(...candidates) : null;
+  return { exhausted: true, until };
+}
+function resolveConsumerProbeIntervalMs(env) {
+  if (env.SWITCHROOM_DISABLE_CONSUMER_QUOTA_PROBE === "1")
+    return 0;
+  const raw = env.SWITCHROOM_CONSUMER_QUOTA_PROBE_MS;
+  if (raw !== undefined) {
+    const n = Number(raw);
+    if (Number.isFinite(n) && n >= 0)
+      return n;
+  }
+  return DEFAULT_CONSUMER_PROBE_INTERVAL_MS;
+}
+
 // src/util/atomic.ts
 import { randomBytes } from "node:crypto";
 import { closeSync, constants, fsyncSync, openSync, renameSync, rmSync, writeSync } from "node:fs";
@@ -12721,7 +12800,7 @@ function atomicWriteJson(destPath, value, mode = 384) {
 // src/auth/account-refresh.ts
 var REFRESH_THRESHOLD_MS = 60 * 60 * 1000;
 var DEFAULT_TOKEN_URL = process.env.SWITCHROOM_OAUTH_TOKEN_URL ?? "https://console.anthropic.com/v1/oauth/token";
-var DEFAULT_CLIENT_ID = process.env.SWITCHROOM_OAUTH_CLIENT_ID ?? "9d1cd16e-bcb9-40c9-a915-196412f27aa6";
+var DEFAULT_CLIENT_ID = process.env.SWITCHROOM_OAUTH_CLIENT_ID ?? "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
 var defaultFetcher = async (url, init) => {
   const res = await fetch(url, {
     method: init.method,
@@ -13543,7 +13622,8 @@ var ProbeQuotaRequestSchema = exports_external.object({
   op: exports_external.literal("probe-quota"),
   id: exports_external.string().min(1),
   accounts: exports_external.array(exports_external.string().min(1)).min(1).max(32),
-  timeoutMs: exports_external.number().int().positive().max(60000).optional()
+  timeoutMs: exports_external.number().int().positive().max(60000).optional(),
+  forceLive: exports_external.boolean().optional()
 });
 var ClaimNotificationRequestSchema = exports_external.object({
   v: exports_external.literal(PROTOCOL_VERSION),
@@ -13594,7 +13674,8 @@ var ListStateDataSchema = exports_external.object({
   fallback_order: exports_external.array(exports_external.string()),
   accounts: exports_external.array(AccountStateSchema),
   agents: exports_external.array(AgentStateSchema),
-  consumers: exports_external.array(ConsumerStateSchema)
+  consumers: exports_external.array(ConsumerStateSchema),
+  active_overage_serving: exports_external.boolean().optional()
 });
 var SetActiveDataSchema = exports_external.object({
   active: exports_external.string(),
@@ -13710,6 +13791,30 @@ var AUDIT_ROTATE_BYTES = 10 * 1024 * 1024;
 var AUDIT_KEEP = 5;
 var AUDIT_LINE_MAX = 4000;
 var NOTIFICATION_CLAIM_MAX_AGE_MS = 86400000;
+var DEFAULT_QUOTA_PROBE_TTL_MS = 45000;
+function quotaProbeTtlMs() {
+  const raw = process.env.SWITCHROOM_QUOTA_PROBE_TTL_MS;
+  if (raw == null || raw === "")
+    return DEFAULT_QUOTA_PROBE_TTL_MS;
+  const n = Number(raw);
+  return Number.isFinite(n) && n >= 0 ? n : DEFAULT_QUOTA_PROBE_TTL_MS;
+}
+function cachedSnapshotToResult(s) {
+  return {
+    ok: true,
+    data: {
+      fiveHourUtilizationPct: s.fiveHourUtilizationPct,
+      sevenDayUtilizationPct: s.sevenDayUtilizationPct,
+      fiveHourResetAt: s.fiveHourResetAt ? new Date(s.fiveHourResetAt) : null,
+      sevenDayResetAt: s.sevenDayResetAt ? new Date(s.sevenDayResetAt) : null,
+      representativeClaim: s.representativeClaim,
+      overageStatus: s.overageStatus,
+      overageDisabledReason: s.overageDisabledReason,
+      fiveHourUtilPresent: s.fiveHourUtilPresent,
+      sevenDayUtilPresent: s.sevenDayUtilPresent
+    }
+  };
+}
 function sha256Hex(content) {
   return createHash2("sha256").update(content).digest("hex");
 }
@@ -13764,6 +13869,7 @@ class AuthBroker {
   providers;
   quota = {};
   lastQuotaCache = {};
+  probeInFlight = new Map;
   shaIndex = {};
   thresholdViolations = {};
   notificationClaims = {};
@@ -14164,7 +14270,7 @@ class AuthBroker {
           await this.opListMicrosoftAccounts(socket, reqId, identity2);
           break;
         case "probe-quota":
-          await this.opProbeQuota(socket, reqId, identity2, req.accounts, req.timeoutMs);
+          await this.opProbeQuota(socket, reqId, identity2, req.accounts, req.timeoutMs, req.forceLive);
           break;
         case "claim-notification":
           this.opClaimNotification(socket, reqId, identity2, req.key, req.windowMs);
@@ -14206,12 +14312,78 @@ class AuthBroker {
       return account;
     return this.accountWithFailover(account);
   }
+  isOverageAllowed(account) {
+    return (this.config.auth?.allow_overage_accounts ?? []).includes(account);
+  }
   isAccountExhausted(account) {
     return isAccountBlocked({
       mark: this.quota[account],
       snapshot: this.lastQuotaCache[account],
-      now: this.now()
+      now: this.now(),
+      allowOverage: this.isOverageAllowed(account)
+    });
+  }
+  isActiveOverageServing(account) {
+    if (!account)
+      return false;
+    if (!this.isOverageAllowed(account))
+      return false;
+    const snapshot = this.lastQuotaCache[account];
+    const now = this.now();
+    if (!snapshot || !snapshotFresh(snapshot, now))
+      return false;
+    if (!overageLiftsWall(snapshot, true))
+      return false;
+    return accountEligibility({
+      mark: this.quota[account],
+      snapshot,
+      now,
+      allowOverage: true
+    }) === "eligible";
+  }
+  accountEligibilityOf(account) {
+    const snapshot = this.lastQuotaCache[account];
+    const allowOverage = this.isOverageAllowed(account);
+    const verdict = accountEligibility({
+      mark: this.quota[account],
+      snapshot,
+      now: this.now(),
+      allowOverage
     });
+    if (verdict === "eligible" && allowOverage && snapshot && (snapshot.fiveHourUtilizationPct >= WALL_PCT || snapshot.sevenDayUtilizationPct >= WALL_PCT)) {
+      process.stdout.write(`auth-broker: ${account} is past the utilization wall but eligible via allow_overage — Anthropic overage billing active (5h=${snapshot.fiveHourUtilizationPct.toFixed(1)}%, 7d=${snapshot.sevenDayUtilizationPct.toFixed(1)}%)
+`);
+    }
+    return verdict;
+  }
+  async probeAndCacheOne(account) {
+    try {
+      const creds = readAccountCredentials(account, this.home);
+      const token = creds?.claudeAiOauth?.accessToken;
+      if (!token)
+        return;
+      const result = await this.probeQuotaSingleFlight(account, token);
+      if (result.ok)
+        this.cacheQuotaSnapshot(account, result);
+    } catch {}
+  }
+  async nextHealthyAccountLive(current, order) {
+    const cached = this.nextHealthyAccount(current, order);
+    if (cached && this.accountEligibilityOf(cached) === "eligible")
+      return cached;
+    const start = order.indexOf(current);
+    const ring = start === -1 ? [...order] : order.map((_, i) => order[(start + 1 + i) % order.length]).filter((x) => !!x);
+    const unknowns = ring.filter((cand) => cand && cand !== current && accountExists(cand, this.home) && this.accountEligibilityOf(cand) === "unknown");
+    await Promise.all(unknowns.map((cand) => this.probeAndCacheOne(cand)));
+    const reselected = this.nextHealthyAccount(current, order);
+    if (reselected && this.accountEligibilityOf(reselected) === "eligible")
+      return reselected;
+    for (const cand of ring) {
+      if (cand && cand !== current && accountExists(cand, this.home) && this.accountEligibilityOf(cand) === "unknown") {
+        return cand;
+      }
+    }
+    return null;
   }
   accountWithFailover(account) {
     if (!account || !this.isAccountExhausted(account))
@@ -14222,23 +14394,27 @@ class AuthBroker {
       if (readAccountCredentials(cand, this.home))
         return cand;
     }
+    const active = this.config.auth?.active;
+    if (active && active !== account && !this.isAccountExhausted(active) && readAccountCredentials(active, this.home)) {
+      return active;
+    }
     return account;
   }
   async opGetCredentials(socket, id, identity2) {
     const account = this.servingAccount(identity2);
     if (!account) {
-      this.audit({ op: "get-credentials", identity: identity2, ok: false, error: "no-active-account" });
+      this.audit({ op: "get-credentials", identity: identity2, accountKind: "claude", ok: false, error: "no-active-account" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", "no active account configured"));
       return;
     }
     const creds = readAccountCredentials(account, this.home);
     if (!creds) {
-      this.audit({ op: "get-credentials", identity: identity2, account, ok: false, error: "missing-credentials" });
+      this.audit({ op: "get-credentials", identity: identity2, account, accountKind: "claude", ok: false, error: "missing-credentials" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", `no credentials for account '${account}'`));
       return;
     }
     const expiresAt = creds.claudeAiOauth?.expiresAt;
-    this.audit({ op: "get-credentials", identity: identity2, account, ok: true });
+    this.audit({ op: "get-credentials", identity: identity2, account, accountKind: "claude", ok: true });
     socket.write(encodeSuccess(id, { account, credentials: creds, expiresAt }));
   }
   async opListState(socket, id, identity2) {
@@ -14269,13 +14445,15 @@ class AuthBroker {
       account: c.account,
       last_seen_at: this.consumerLastSeen[c.name] ?? null
     }));
+    const active_overage_serving = this.isActiveOverageServing(this.callerAccount(identity2));
     this.audit({ op: "list-state", identity: identity2, ok: true });
     socket.write(encodeSuccess(id, {
       active: auth.active ?? "",
       fallback_order: auth.fallback_order ?? [],
       accounts,
       agents,
-      consumers
+      consumers,
+      active_overage_serving
     }));
   }
   async opListGoogleAccounts(socket, id, identity2) {
@@ -14290,35 +14468,60 @@ class AuthBroker {
         clientId: creds.googleOauth.clientId
       };
     }).filter((entry) => entry !== null).sort((a, b) => a.account.localeCompare(b.account));
-    this.audit({ op: "list-google-accounts", identity: identity2, ok: true });
+    this.audit({ op: "list-google-accounts", identity: identity2, accountKind: "google", ok: true });
     socket.write(encodeSuccess(id, { accounts }));
   }
-  async opProbeQuota(socket, id, identity2, accounts, timeoutMs) {
+  async opProbeQuota(socket, id, identity2, accounts, timeoutMs, forceLive) {
+    const ttlMs = forceLive ? 0 : quotaProbeTtlMs();
     const results = await Promise.all(accounts.map(async (label) => {
+      const cached = this.lastQuotaCache[label];
+      if (ttlMs > 0 && cached && this.now() - cached.capturedAt < ttlMs) {
+        return { label, result: cachedSnapshotToResult(cached), served: "cache", capturedAt: cached.capturedAt };
+      }
       const creds = readAccountCredentials(label, this.home);
       const token = creds?.claudeAiOauth?.accessToken;
       if (!token) {
+        if (cached) {
+          return { label, result: cachedSnapshotToResult(cached), served: "cache", capturedAt: cached.capturedAt };
+        }
         const result2 = {
           ok: false,
           reason: "no credentials for account in broker store"
         };
-        this.audit({ op: "probe-quota", identity: identity2, account: label, ok: false, error: "missing-credentials" });
+        this.audit({ op: "probe-quota", identity: identity2, account: label, accountKind: "claude", ok: false, error: "missing-credentials" });
         return { label, result: result2 };
       }
-      const result = await this.fetchQuotaImpl({ accessToken: token, timeoutMs });
+      const result = await this.probeQuotaSingleFlight(label, token, timeoutMs);
       this.audit({
         op: "probe-quota",
         identity: identity2,
         account: label,
+        accountKind: "claude",
         ok: result.ok,
         error: result.ok ? undefined : result.reason
       });
-      if (result.ok)
+      if (result.ok) {
         this.cacheQuotaSnapshot(label, result);
-      return { label, result };
+        return { label, result, served: "live" };
+      }
+      if (cached) {
+        return { label, result: cachedSnapshotToResult(cached), served: "cache", capturedAt: cached.capturedAt };
+      }
+      return { label, result, served: "live" };
     }));
     socket.write(encodeSuccess(id, { results }));
   }
+  probeQuotaSingleFlight(label, token, timeoutMs) {
+    const existing = this.probeInFlight.get(label);
+    if (existing)
+      return existing;
+    const pending = this.fetchQuotaImpl({ accessToken: token, timeoutMs }).finally(() => {
+      if (this.probeInFlight.get(label) === pending)
+        this.probeInFlight.delete(label);
+    });
+    this.probeInFlight.set(label, pending);
+    return pending;
+  }
   cacheQuotaSnapshot(label, result) {
     if (!result.ok)
       return;
@@ -14330,14 +14533,18 @@ class AuthBroker {
       representativeClaim: result.data.representativeClaim,
       overageStatus: result.data.overageStatus,
       overageDisabledReason: result.data.overageDisabledReason,
-      capturedAt: this.now()
+      capturedAt: this.now(),
+      fiveHourUtilPresent: result.data.fiveHourUtilPresent,
+      sevenDayUtilPresent: result.data.sevenDayUtilPresent
     };
     this.lastQuotaCache[label] = snapshot;
+    this.persistLastQuotaCache();
     if (snapshotShouldClearMark(snapshot, this.quota[label], this.now())) {
       delete this.quota[label];
       this.persistQuota();
       process.stdout.write(`auth-broker: live probe shows ${label} healthy (5h=${snapshot.fiveHourUtilizationPct}% 7d=${snapshot.sevenDayUtilizationPct}%) — cleared stale exhaustion mark
 `);
+      this.fanoutToAffectedConsumers(label);
     }
   }
   async fleetQuotaProbeTick() {
@@ -14371,9 +14578,15 @@ class AuthBroker {
         continue;
       }
       this.cacheQuotaSnapshot(label, result);
-      const decision = quotaIndicatesExhaustion(result);
-      if (!decision.exhausted)
+      const allowOverage = this.isOverageAllowed(label);
+      const decision = quotaIndicatesExhaustion(result, allowOverage);
+      if (!decision.exhausted) {
+        if (result.ok && (result.data.fiveHourUtilizationPct >= EXHAUSTION_PCT || result.data.sevenDayUtilizationPct >= EXHAUSTION_PCT) && allowOverage) {
+          process.stdout.write(`auth-broker: consumer-quota-sensor ${label} is wall-walled but serving via overage (allow_overage) — Anthropic overage billing is active
+`);
+        }
         continue;
+      }
       const now = this.now();
       const exhaustedUntil = clampMarkExpiry({
         proposedUntil: decision.until ?? now + MARK_EXHAUSTED_DEFAULT_MS,
@@ -14386,19 +14599,20 @@ class AuthBroker {
         continue;
       this.quota[label] = { exhausted_until: exhaustedUntil, marked_at: now };
       this.persistQuota();
-      this.audit({ op: "mark-exhausted", identity: { kind: "operator" }, account: label, ok: true });
+      this.audit({ op: "mark-exhausted", identity: { kind: "operator" }, account: label, accountKind: "claude", ok: true });
       process.stdout.write(`auth-broker: consumer-quota-sensor marked ${label} exhausted until ${new Date(exhaustedUntil).toISOString()} — consumer(s) fail over
 `);
+      this.fanoutToAffectedConsumers(label);
     }
   }
   async opSetActive(socket, id, identity2, account) {
     if (!this.isAdmin(identity2)) {
-      this.audit({ op: "set-active", identity: identity2, account, ok: false, error: "FORBIDDEN" });
+      this.audit({ op: "set-active", identity: identity2, account, accountKind: "claude", ok: false, error: "FORBIDDEN" });
       this.respondForbidden(socket, id, "set-active requires admin");
       return;
     }
     if (!accountExists(account, this.home)) {
-      this.audit({ op: "set-active", identity: identity2, account, ok: false, error: "ACCOUNT_NOT_FOUND" });
+      this.audit({ op: "set-active", identity: identity2, account, accountKind: "claude", ok: false, error: "ACCOUNT_NOT_FOUND" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", `account '${account}' not found`));
       return;
     }
@@ -14408,13 +14622,14 @@ class AuthBroker {
     };
     this.config = cfg;
     const fanned = this.fanoutToAffectedAgents(account);
-    this.audit({ op: "set-active", identity: identity2, account, ok: true });
+    this.fanoutAllConsumers();
+    this.audit({ op: "set-active", identity: identity2, account, accountKind: "claude", ok: true });
     socket.write(encodeSuccess(id, { active: account, fanned }));
   }
   async opMarkExhausted(socket, id, identity2, until) {
     const account = this.callerAccount(identity2);
     if (!account) {
-      this.audit({ op: "mark-exhausted", identity: identity2, ok: false, error: "no-active-account" });
+      this.audit({ op: "mark-exhausted", identity: identity2, accountKind: "claude", ok: false, error: "no-active-account" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", "no active account configured"));
       return;
     }
@@ -14427,9 +14642,10 @@ class AuthBroker {
     });
     this.quota[account] = { exhausted_until: exhaustedUntil, marked_at: now };
     this.persistQuota();
-    const rolled = this.fanoutFailoverFor(account);
-    const rolledTo = this.nextHealthyAccount(account, this.config.auth?.fallback_order ?? []);
-    this.audit({ op: "mark-exhausted", identity: identity2, account, ok: true });
+    const rolledTo = await this.nextHealthyAccountLive(account, this.config.auth?.fallback_order ?? []);
+    const rolled = this.fanoutFailoverTo(account, rolledTo);
+    this.fanoutToAffectedConsumers(account);
+    this.audit({ op: "mark-exhausted", identity: identity2, account, accountKind: "claude", ok: true });
     socket.write(encodeSuccess(id, { account, rolled, rolledTo }));
   }
   opClaimNotification(socket, id, identity2, key, windowMs) {
@@ -14449,29 +14665,29 @@ class AuthBroker {
   }
   async opRefreshAccount(socket, id, identity2, account) {
     if (!this.isAdmin(identity2)) {
-      this.audit({ op: "refresh-account", identity: identity2, account, ok: false, error: "FORBIDDEN" });
+      this.audit({ op: "refresh-account", identity: identity2, account, accountKind: "claude", ok: false, error: "FORBIDDEN" });
       this.respondForbidden(socket, id, "refresh-account requires admin");
       return;
     }
     if (!accountExists(account, this.home)) {
-      this.audit({ op: "refresh-account", identity: identity2, account, ok: false, error: "ACCOUNT_NOT_FOUND" });
+      this.audit({ op: "refresh-account", identity: identity2, account, accountKind: "claude", ok: false, error: "ACCOUNT_NOT_FOUND" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", `account '${account}' not found`));
       return;
     }
     const result = await this.refreshOneAccount(account, true);
     if (result.kind === "failed") {
-      this.audit({ op: "refresh-account", identity: identity2, account, ok: false, error: result.error });
+      this.audit({ op: "refresh-account", identity: identity2, account, accountKind: "claude", ok: false, error: result.error });
       socket.write(encodeError(id, "REFRESH_FAILED", result.error));
       return;
     }
     const creds = readAccountCredentials(account, this.home);
     const expiresAt = creds?.claudeAiOauth?.expiresAt;
-    this.audit({ op: "refresh-account", identity: identity2, account, ok: true });
+    this.audit({ op: "refresh-account", identity: identity2, account, accountKind: "claude", ok: true });
     socket.write(encodeSuccess(id, { account, expiresAt }));
   }
   async opAddAccount(socket, id, identity2, label, credentials, replace) {
     if (!this.isAdmin(identity2)) {
-      this.audit({ op: "add-account", identity: identity2, account: label, ok: false, error: "FORBIDDEN" });
+      this.audit({ op: "add-account", identity: identity2, account: label, accountKind: "claude", ok: false, error: "FORBIDDEN" });
       this.respondForbidden(socket, id, "add-account requires admin");
       return;
     }
@@ -14482,7 +14698,7 @@ class AuthBroker {
       return;
     }
     if (accountExists(label, this.home) && !replace) {
-      this.audit({ op: "add-account", identity: identity2, account: label, ok: false, error: "ACCOUNT_ALREADY_EXISTS" });
+      this.audit({ op: "add-account", identity: identity2, account: label, accountKind: "claude", ok: false, error: "ACCOUNT_ALREADY_EXISTS" });
       socket.write(encodeError(id, "ACCOUNT_ALREADY_EXISTS", `account '${label}' already exists; pass replace:true to overwrite`));
       return;
     }
@@ -14500,12 +14716,12 @@ class AuthBroker {
     this.persistShaIndex();
     this.fanoutToAffectedAgents(label);
     const expiresAt = credentials.claudeAiOauth?.expiresAt;
-    this.audit({ op: "add-account", identity: identity2, account: label, ok: true, replace });
+    this.audit({ op: "add-account", identity: identity2, account: label, accountKind: "claude", ok: true, replace });
     socket.write(encodeSuccess(id, { label, expiresAt }));
   }
   async opRmAccount(socket, id, identity2, label) {
     if (!this.isAdmin(identity2)) {
-      this.audit({ op: "rm-account", identity: identity2, account: label, ok: false, error: "FORBIDDEN" });
+      this.audit({ op: "rm-account", identity: identity2, account: label, accountKind: "claude", ok: false, error: "FORBIDDEN" });
       this.respondForbidden(socket, id, "rm-account requires admin");
       return;
     }
@@ -14533,10 +14749,12 @@ class AuthBroker {
     delete this.quota[label];
     delete this.thresholdViolations[label];
     this.lastWrittenExpiresAt.delete(label);
+    delete this.lastQuotaCache[label];
     this.persistShaIndex();
     this.persistQuota();
     this.persistThresholdViolations();
-    this.audit({ op: "rm-account", identity: identity2, account: label, ok: true });
+    this.persistLastQuotaCache();
+    this.audit({ op: "rm-account", identity: identity2, account: label, accountKind: "claude", ok: true });
     socket.write(encodeSuccess(id, { label }));
   }
   async opGoogleGetCredentials(socket, id, identity2) {
@@ -14548,30 +14766,30 @@ class AuthBroker {
     const agent = (this.config.agents ?? {})[agentName];
     const account = agent?.google_workspace?.account;
     if (!account) {
-      this.audit({ op: "get-credentials", identity: identity2, ok: false, error: "no-google-account-configured" });
+      this.audit({ op: "get-credentials", identity: identity2, accountKind: "google", ok: false, error: "no-google-account-configured" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", `agent '${agentName}' has no google_workspace.account configured in switchroom.yaml`));
       return;
     }
     const ga = this.config.google_accounts;
     const enabledFor = ga?.[account]?.enabled_for ?? [];
     if (!enabledFor.includes(agentName)) {
-      this.audit({ op: "get-credentials", identity: identity2, account, ok: false, error: "acl-deny" });
+      this.audit({ op: "get-credentials", identity: identity2, account, accountKind: "google", ok: false, error: "acl-deny" });
       socket.write(encodeError(id, "FORBIDDEN", `agent '${agentName}' not in google_accounts['${account}'].enabled_for[] — operator must run \`switchroom auth google enable ${account} ${agentName}\``));
       return;
     }
     const creds = readGoogleAccountCredentials(this.stateDir, account);
     if (!creds) {
-      this.audit({ op: "get-credentials", identity: identity2, account, ok: false, error: "missing-credentials" });
+      this.audit({ op: "get-credentials", identity: identity2, account, accountKind: "google", ok: false, error: "missing-credentials" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", `no Google credentials for account '${account}' — operator must run \`switchroom auth google account add ${account}\``));
       return;
     }
     const expiresAt = creds.googleOauth?.expiresAt;
-    this.audit({ op: "get-credentials", identity: identity2, account, ok: true });
+    this.audit({ op: "get-credentials", identity: identity2, account, accountKind: "google", ok: true });
     socket.write(encodeSuccess(id, { account, credentials: creds, expiresAt }));
   }
   async opGoogleAddAccount(socket, id, identity2, label, credentials, replace) {
     if (!this.isAdmin(identity2)) {
-      this.audit({ op: "add-account", identity: identity2, account: label, ok: false, error: "FORBIDDEN" });
+      this.audit({ op: "add-account", identity: identity2, account: label, accountKind: "google", ok: false, error: "FORBIDDEN" });
       this.respondForbidden(socket, id, "add-account requires admin");
       return;
     }
@@ -14582,7 +14800,7 @@ class AuthBroker {
       return;
     }
     if (googleAccountExists(this.stateDir, label) && !replace) {
-      this.audit({ op: "add-account", identity: identity2, account: label, ok: false, error: "ACCOUNT_ALREADY_EXISTS" });
+      this.audit({ op: "add-account", identity: identity2, account: label, accountKind: "google", ok: false, error: "ACCOUNT_ALREADY_EXISTS" });
       socket.write(encodeError(id, "ACCOUNT_ALREADY_EXISTS", `google account '${label}' already exists; pass replace:true to overwrite`));
       return;
     }
@@ -14593,12 +14811,12 @@ class AuthBroker {
       return;
     }
     const expiresAt = credentials.googleOauth?.expiresAt;
-    this.audit({ op: "add-account", identity: identity2, account: label, ok: true, replace });
+    this.audit({ op: "add-account", identity: identity2, account: label, accountKind: "google", ok: true, replace });
     socket.write(encodeSuccess(id, { label, expiresAt }));
   }
   async opGoogleRmAccount(socket, id, identity2, label) {
     if (!this.isAdmin(identity2)) {
-      this.audit({ op: "rm-account", identity: identity2, account: label, ok: false, error: "FORBIDDEN" });
+      this.audit({ op: "rm-account", identity: identity2, account: label, accountKind: "google", ok: false, error: "FORBIDDEN" });
       this.respondForbidden(socket, id, "rm-account requires admin");
       return;
     }
@@ -14624,7 +14842,7 @@ class AuthBroker {
       socket.write(encodeError(id, "INTERNAL", err.message));
       return;
     }
-    this.audit({ op: "rm-account", identity: identity2, account: label, ok: true });
+    this.audit({ op: "rm-account", identity: identity2, account: label, accountKind: "google", ok: true });
     socket.write(encodeSuccess(id, { label }));
   }
   async opMicrosoftGetCredentials(socket, id, identity2) {
@@ -14636,30 +14854,30 @@ class AuthBroker {
     const agent = (this.config.agents ?? {})[agentName];
     const account = agent?.microsoft_workspace?.account;
     if (!account) {
-      this.audit({ op: "get-credentials", identity: identity2, ok: false, error: "no-microsoft-account-configured" });
+      this.audit({ op: "get-credentials", identity: identity2, accountKind: "microsoft", ok: false, error: "no-microsoft-account-configured" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", `agent '${agentName}' has no microsoft_workspace.account configured in switchroom.yaml`));
       return;
     }
     const ma = this.config.microsoft_accounts;
     const enabledFor = ma?.[account]?.enabled_for ?? [];
     if (!enabledFor.includes(agentName)) {
-      this.audit({ op: "get-credentials", identity: identity2, account, ok: false, error: "acl-deny" });
+      this.audit({ op: "get-credentials", identity: identity2, account, accountKind: "microsoft", ok: false, error: "acl-deny" });
       socket.write(encodeError(id, "FORBIDDEN", `agent '${agentName}' not in microsoft_accounts['${account}'].enabled_for[] — operator must run \`switchroom auth microsoft enable ${account} ${agentName}\``));
       return;
     }
     const creds = readMicrosoftAccountCredentials(this.stateDir, account);
     if (!creds) {
-      this.audit({ op: "get-credentials", identity: identity2, account, ok: false, error: "missing-credentials" });
+      this.audit({ op: "get-credentials", identity: identity2, account, accountKind: "microsoft", ok: false, error: "missing-credentials" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", `no Microsoft credentials for account '${account}' — operator must run \`switchroom auth microsoft account add ${account}\``));
       return;
     }
     const expiresAt = creds.microsoftOauth?.expiresAt;
-    this.audit({ op: "get-credentials", identity: identity2, account, ok: true });
+    this.audit({ op: "get-credentials", identity: identity2, account, accountKind: "microsoft", ok: true });
     socket.write(encodeSuccess(id, { account, credentials: creds, expiresAt }));
   }
   async opMicrosoftAddAccount(socket, id, identity2, label, credentials, replace) {
     if (!this.isAdmin(identity2)) {
-      this.audit({ op: "add-account", identity: identity2, account: label, ok: false, error: "FORBIDDEN" });
+      this.audit({ op: "add-account", identity: identity2, account: label, accountKind: "microsoft", ok: false, error: "FORBIDDEN" });
       this.respondForbidden(socket, id, "add-account requires admin");
       return;
     }
@@ -14670,7 +14888,7 @@ class AuthBroker {
       return;
     }
     if (microsoftAccountExists(this.stateDir, label) && !replace) {
-      this.audit({ op: "add-account", identity: identity2, account: label, ok: false, error: "ACCOUNT_ALREADY_EXISTS" });
+      this.audit({ op: "add-account", identity: identity2, account: label, accountKind: "microsoft", ok: false, error: "ACCOUNT_ALREADY_EXISTS" });
       socket.write(encodeError(id, "ACCOUNT_ALREADY_EXISTS", `microsoft account '${label}' already exists; pass replace:true to overwrite`));
       return;
     }
@@ -14681,12 +14899,12 @@ class AuthBroker {
       return;
     }
     const expiresAt = credentials.microsoftOauth?.expiresAt;
-    this.audit({ op: "add-account", identity: identity2, account: label, ok: true, replace });
+    this.audit({ op: "add-account", identity: identity2, account: label, accountKind: "microsoft", ok: true, replace });
     socket.write(encodeSuccess(id, { label, expiresAt }));
   }
   async opMicrosoftRmAccount(socket, id, identity2, label) {
     if (!this.isAdmin(identity2)) {
-      this.audit({ op: "rm-account", identity: identity2, account: label, ok: false, error: "FORBIDDEN" });
+      this.audit({ op: "rm-account", identity: identity2, account: label, accountKind: "microsoft", ok: false, error: "FORBIDDEN" });
       this.respondForbidden(socket, id, "rm-account requires admin");
       return;
     }
@@ -14712,7 +14930,7 @@ class AuthBroker {
       socket.write(encodeError(id, "INTERNAL", err.message));
       return;
     }
-    this.audit({ op: "rm-account", identity: identity2, account: label, ok: true });
+    this.audit({ op: "rm-account", identity: identity2, account: label, accountKind: "microsoft", ok: true });
     socket.write(encodeSuccess(id, { label }));
   }
   async opListMicrosoftAccounts(socket, id, identity2) {
@@ -14728,12 +14946,12 @@ class AuthBroker {
         accountType: creds.microsoftOauth.accountType
       };
     }).filter((entry) => entry !== null).sort((a, b) => a.account.localeCompare(b.account));
-    this.audit({ op: "list-microsoft-accounts", identity: identity2, ok: true });
+    this.audit({ op: "list-microsoft-accounts", identity: identity2, accountKind: "microsoft", ok: true });
     socket.write(encodeSuccess(id, { accounts }));
   }
   async opSetOverride(socket, id, identity2, agentName, account) {
     if (!this.isAdmin(identity2)) {
-      this.audit({ op: "set-override", identity: identity2, account: account ?? undefined, ok: false, error: "FORBIDDEN" });
+      this.audit({ op: "set-override", identity: identity2, account: account ?? undefined, accountKind: "claude", ok: false, error: "FORBIDDEN" });
       this.respondForbidden(socket, id, "set-override requires admin");
       return;
     }
@@ -14755,7 +14973,7 @@ class AuthBroker {
     agents[agentName] = { ...cur, auth };
     this.config = { ...this.config, agents };
     this.fanoutForAgent(agentName);
-    this.audit({ op: "set-override", identity: identity2, account: account ?? undefined, ok: true });
+    this.audit({ op: "set-override", identity: identity2, account: account ?? undefined, accountKind: "claude", ok: true });
     socket.write(encodeSuccess(id, { agent: agentName, account }));
   }
   async refreshTick() {
@@ -14892,6 +15110,7 @@ class AuthBroker {
         this.shaIndex[label] = sha256Hex(contents);
         this.persistShaIndex();
         this.fanoutToAffectedAgents(label);
+        this.fanoutToAffectedConsumers(label);
         return { kind: "refreshed", newExpiresAt };
       }
       if (outcome.kind === "failed") {
@@ -14913,6 +15132,9 @@ class AuthBroker {
       if (this.fanoutForAgent(name))
         out.push(name);
     }
+    for (const consumerName of this.fanoutAllConsumers()) {
+      out.push(`consumer:${consumerName}`);
+    }
     return out;
   }
   fanoutToAffectedAgents(label) {
@@ -14927,10 +15149,68 @@ class AuthBroker {
     }
     return fanned;
   }
-  fanoutFailoverFor(label) {
+  fanoutToAffectedConsumers(label) {
+    const fanned = [];
+    for (const consumer of this.config.auth?.consumers ?? []) {
+      if (!consumer.mirror_dir)
+        continue;
+      const isPinned = consumer.account === label;
+      const effective = this.servingAccountForConsumer(consumer.name);
+      const isEffective = effective === label;
+      if (!isPinned && !isEffective)
+        continue;
+      const toMirror = effective ?? consumer.account;
+      if (this.mirrorAccountToConsumer(toMirror, consumer)) {
+        fanned.push(consumer.name);
+      }
+    }
+    return fanned;
+  }
+  fanoutAllConsumers() {
+    const out = [];
+    for (const consumer of this.config.auth?.consumers ?? []) {
+      if (!consumer.mirror_dir)
+        continue;
+      const effective = this.servingAccountForConsumer(consumer.name);
+      if (!effective)
+        continue;
+      if (this.mirrorAccountToConsumer(effective, consumer))
+        out.push(consumer.name);
+    }
+    return out;
+  }
+  servingAccountForConsumer(name) {
+    const c = (this.config.auth?.consumers ?? []).find((x) => x.name === name);
+    if (!c)
+      return null;
+    return this.accountWithFailover(c.account);
+  }
+  mirrorAccountToConsumer(label, consumer) {
+    const mirrorDir = consumer.mirror_dir;
+    if (!mirrorDir)
+      return false;
+    const targetPath = join4(mirrorDir, ".credentials.json");
+    const credsPath = accountCredentialsPath(label, this.home);
+    if (!existsSync7(credsPath))
+      return false;
+    const mirrorContent = enrichMirrorContent(readFileSync6(credsPath, "utf-8"));
+    try {
+      mkdirSync4(mirrorDir, { recursive: true, mode: 448 });
+      atomicWriteFileSync(targetPath, mirrorContent, 384);
+      try {
+        const uid = consumer.uid ?? 0;
+        chownSync2(targetPath, uid, uid);
+      } catch (err) {
+        this.warnCapChownMissing(err);
+      }
+      return true;
+    } catch (err) {
+      this.logErr(`consumer-mirror ${consumer.name} <- ${label}: ${err.message}`);
+      return false;
+    }
+  }
+  fanoutFailoverTo(label, next) {
     const auth = this.config.auth ?? {};
-    const order = auth.fallback_order ?? [];
-    const next = this.nextHealthyAccount(label, order);
     if (!next || next === label)
       return [];
     const rolled = [];
@@ -15048,6 +15328,7 @@ class AuthBroker {
     this.shaIndex = this.readJson("sha-index.json") ?? {};
     this.thresholdViolations = this.readJson("threshold-violations.json") ?? {};
     this.notificationClaims = this.readJson("notification-claims.json") ?? {};
+    this.lastQuotaCache = this.readJson("last-quota.json") ?? {};
   }
   readJson(name) {
     const p = join4(this.stateDir, name);
@@ -15062,6 +15343,9 @@ class AuthBroker {
   persistQuota() {
     atomicWriteJsonSync(join4(this.stateDir, "quota.json"), this.quota, 384);
   }
+  persistLastQuotaCache() {
+    atomicWriteJsonSync(join4(this.stateDir, "last-quota.json"), this.lastQuotaCache, 384);
+  }
   persistNotificationClaims() {
     atomicWriteJsonSync(join4(this.stateDir, "notification-claims.json"), this.notificationClaims, 384);
   }
@@ -15098,6 +15382,7 @@ class AuthBroker {
       op: entry.op,
       peer,
       account: entry.account,
+      accountKind: entry.accountKind,
       ok: entry.ok,
       error: entry.error,
       replace: entry.replace
@@ -15188,7 +15473,8 @@ class AuthBroker {
       quota: { ...this.quota },
       shaIndex: { ...this.shaIndex },
       thresholdViolations: { ...this.thresholdViolations },
-      listeners: [...this.listeners.keys()]
+      listeners: [...this.listeners.keys()],
+      lastQuotaCache: structuredClone(this.lastQuotaCache)
     };
   }
   _fanoutAll() {