switchroom 0.15.45 → 0.16.5

package/telegram-plugin/tests/auth-command-format2.test.ts

@@ -20,6 +20,7 @@
  *      auth-snapshot-format.test.ts).
  */
 import { describe, it, expect, vi } from 'vitest';
+import { __resetDemoMaskCachesForTest } from '../demo-mask.js';
 import { renderShowText, handleAuthCommand } from '../gateway/auth-command.js';
 import type { AuthBrokerClient, AuthCommandContext } from '../gateway/auth-command.js';
 import type { ListStateData } from '../../src/auth/broker/client.js';
@@ -105,6 +106,31 @@ describe('renderShowText — Format 2 vs legacy', () => {
     expect(out).not.toContain('🔋');
     expect(out).toContain('ACCOUNT');
   });
+
+  // demo mode (the `/auth demo` suffix) — masks email labels in BOTH shapes.
+  describe('demo mode masks account-email labels', () => {
+    it('WITHOUT demo, the real labels render (Format 2)', () => {
+      const out = renderShowText(FIXTURE_STATE, NOW_MS, { liveQuotas: FIXTURE_QUOTAS, tz: 'UTC' });
+      expect(out).toContain('ken@x');
+      expect(out).toContain('you@x');
+    });
+    it('WITH demo, no real label leaks (Format 2)', () => {
+      __resetDemoMaskCachesForTest();
+      const out = renderShowText(FIXTURE_STATE, NOW_MS, { liveQuotas: FIXTURE_QUOTAS, tz: 'UTC', demo: true });
+      expect(out).not.toContain('ken@x');
+      expect(out).not.toContain('me@x');
+      expect(out).not.toContain('you@x');
+      expect(out).toMatch(/@example\.com/);
+    });
+    it('WITH demo, the legacy ASCII table also masks labels', () => {
+      __resetDemoMaskCachesForTest();
+      const out = renderShowText(FIXTURE_STATE, NOW_MS, { demo: true });
+      expect(out).toContain('ACCOUNT'); // still the legacy table
+      expect(out).not.toContain('ken@x');
+      expect(out).not.toContain('you@x');
+      expect(out).toMatch(/@example\.com/);
+    });
+  });
 });
 
 describe('handleAuthCommand — keyboard attachment', () => {
@@ -127,7 +153,8 @@ describe('handleAuthCommand — keyboard attachment', () => {
   it('attaches a smart keyboard when liveQuotas yields one result per account', async () => {
     const reply = await handleAuthCommand(
       { kind: 'show' },
-      makeCtx({ liveQuotas: async () => FIXTURE_QUOTAS, tz: 'UTC' }),
+      // #2495 Change 2 — the enricher now returns { quotas, staleCachedAtMs? }.
+      makeCtx({ liveQuotas: async () => ({ quotas: FIXTURE_QUOTAS }), tz: 'UTC' }),
     );
     expect(reply.keyboard).toBeDefined();
     const allButtonText = reply.keyboard!.flat().map((b) => b.text);
@@ -153,4 +180,47 @@ describe('handleAuthCommand — keyboard attachment', () => {
     expect(reply.keyboard).toBeUndefined();
     expect(reply.text).toContain('ACCOUNT'); // legacy table fallback
   });
+
+  it('#2495 Change 2 — stamps "⚠ cached Nm ago" when the enricher reports a cache fallback', async () => {
+    const reply = await handleAuthCommand(
+      { kind: 'show' },
+      makeCtx({
+        liveQuotas: async () => ({
+          quotas: FIXTURE_QUOTAS,
+          staleCachedAtMs: Date.now() - 5 * 60_000, // 5 min old cache
+        }),
+        tz: 'UTC',
+      }),
+    );
+    expect(reply.text).toContain('⚠ cached');
+    expect(reply.text).not.toContain('Live · refreshed');
+  });
+
+  it('#2495 Change 2 — stamps a live refresh when the enricher reports no cache fallback', async () => {
+    const reply = await handleAuthCommand(
+      { kind: 'show' },
+      makeCtx({ liveQuotas: async () => ({ quotas: FIXTURE_QUOTAS }), tz: 'UTC' }),
+    );
+    expect(reply.text).toContain('Live · refreshed');
+    expect(reply.text).not.toContain('⚠ cached');
+  });
+
+  it('ctx.demo masks the account labels in the dashboard reply', async () => {
+    __resetDemoMaskCachesForTest();
+    const reply = await handleAuthCommand(
+      { kind: 'show' },
+      makeCtx({ liveQuotas: async () => ({ quotas: FIXTURE_QUOTAS }), tz: 'UTC', demo: true }),
+    );
+    expect(reply.text).not.toContain('ken@x');
+    expect(reply.text).not.toContain('you@x');
+    expect(reply.text).toMatch(/@example\.com/);
+  });
+
+  it('WITHOUT ctx.demo the real labels still render in the dashboard reply', async () => {
+    const reply = await handleAuthCommand(
+      { kind: 'show' },
+      makeCtx({ liveQuotas: async () => ({ quotas: FIXTURE_QUOTAS }), tz: 'UTC' }),
+    );
+    expect(reply.text).toContain('you@x');
+  });
 });

package/telegram-plugin/tests/auth-snapshot-format.test.ts

@@ -4,8 +4,10 @@
  * with hand-crafted QuotaUtilization fixtures.
  */
 import { describe, it, expect } from 'vitest';
+import { __resetDemoMaskCachesForTest } from '../demo-mask.js';
 import {
   classifyHealth,
+  blockedReason,
   bindingWindow,
   formatRelative,
   formatAbsolute,
@@ -67,6 +69,24 @@ describe('classifyHealth', () => {
   it('returns unknown when quota probe failed', () => {
     expect(classifyHealth(snap({ quota: null, quotaError: 'HTTP 401' }))).toBe('unknown');
   });
+  it('out_of_credits overage at 0% util → healthy (demoted to informational — serves fine from quota)', () => {
+    // THE KEY CHANGE: out_of_credits is no longer serve-blocking. An account at
+    // 0% util with out_of_credits is a valid failover target (carol scenario).
+    expect(
+      classifyHealth(snap({ quota: quota({ fiveHourUtilizationPct: 0, sevenDayUtilizationPct: 0, overageStatus: 'rejected', overageDisabledReason: 'out_of_credits' }) })),
+    ).toBe('healthy');
+  });
+  it('org_level_disabled at 75% util → unchanged/healthy (MANDATORY non-regression: live active account)', () => {
+    // overageStatus:"rejected" + the benign reason must NOT flip it to blocked.
+    expect(
+      classifyHealth(snap({ quota: quota({ fiveHourUtilizationPct: 75, sevenDayUtilizationPct: 40, overageStatus: 'rejected', overageDisabledReason: 'org_level_disabled' }) })),
+    ).toBe('healthy');
+  });
+  it('unknown overage reason (payment_failed) at 0% util → healthy (deny-by-omission)', () => {
+    expect(
+      classifyHealth(snap({ quota: quota({ fiveHourUtilizationPct: 0, sevenDayUtilizationPct: 0, overageDisabledReason: 'payment_failed' }) })),
+    ).toBe('healthy');
+  });
   it('THROTTLING_THRESHOLD_PCT is 80 (regression — design choice, see jtbd)', () => {
     // If this number changes, the recommendation footer + button visibility
     // shift; bump it deliberately.
@@ -195,9 +215,18 @@ describe('renderAuthSnapshotFormat2', () => {
   it('puts the imminent window first on healthy/throttling rows', () => {
     const out = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC' });
     // you: 5h reset is in 7m, 7d reset is in 2d. 5h should come first.
-    const pixRow = out.split('\n').find((l) => l.includes('5h refills') && l.includes('7d resets'));
-    expect(pixRow).toBeDefined();
-    expect(pixRow!.indexOf('5h refills')).toBeLessThan(pixRow!.indexOf('7d resets'));
+    // The two reset segments now render on SEPARATE lines (so the 7d
+    // segment doesn't wrap mid-line on a narrow phone) — the imminent 5h
+    // line must precede the 7d line, each on its own line.
+    const lines = out.split('\n');
+    const fiveLine = lines.findIndex((l) => l.includes('5h refills'));
+    const sevenLine = lines.findIndex((l) => l.includes('7d resets'));
+    expect(fiveLine).toBeGreaterThanOrEqual(0);
+    expect(sevenLine).toBeGreaterThanOrEqual(0);
+    // Distinct lines, 5h before 7d.
+    expect(fiveLine).toBeLessThan(sevenLine);
+    expect(lines[fiveLine]).not.toContain('7d resets');
+    expect(lines[sevenLine]).not.toContain('5h refills');
   });
 
   it('emits a recommendation footer that names a healthy alternative when active is throttling', () => {
@@ -230,10 +259,69 @@ describe('renderAuthSnapshotFormat2', () => {
   it('renders refresh stamp when liveProbedAtMs given', () => {
     const out = renderAuthSnapshotFormat2(fixtureSnaps.slice(0, 1), {
       now: NOW,
-      liveProbedAtMs: Date.now() - 12_000,
+      liveProbedAtMs: NOW.getTime() - 12_000,
     });
     expect(out).toMatch(/<i>Live · refreshed \d+s ago<\/i>/);
   });
+
+  it('#2495 Change 2 — renders "⚠ cached Nm ago" (NOT a live stamp) on staleCachedAtMs', () => {
+    const out = renderAuthSnapshotFormat2(fixtureSnaps.slice(0, 1), {
+      now: NOW,
+      staleCachedAtMs: NOW.getTime() - 3 * 60_000, // 3 min old cache
+    });
+    expect(out).toMatch(/<i>⚠ cached 3m ago<\/i>/);
+    // Crucially: no false live stamp.
+    expect(out).not.toContain('Live · refreshed');
+  });
+
+  it('#2495 Change 2 — staleCachedAtMs takes precedence over liveProbedAtMs', () => {
+    const out = renderAuthSnapshotFormat2(fixtureSnaps.slice(0, 1), {
+      now: NOW,
+      liveProbedAtMs: NOW.getTime(),
+      staleCachedAtMs: NOW.getTime() - 90_000,
+    });
+    expect(out).toContain('⚠ cached');
+    expect(out).not.toContain('Live · refreshed');
+  });
+
+  // ── demo mode (the `/usage demo` / `/auth demo` suffix) ──────────────
+  describe('demo mode masks email labels', () => {
+    it('WITHOUT demo, the real account emails still render', () => {
+      const out = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC' });
+      expect(out).toContain('alice@example.com');
+      expect(out).toContain('bob@example.com');
+      expect(out).toContain('you@example.com');
+    });
+
+    it('WITH demo, no real account label leaks and rows render masked emails', () => {
+      __resetDemoMaskCachesForTest();
+      const out = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC', demo: true });
+      // Real labels gone.
+      expect(out).not.toContain('alice@example.com');
+      expect(out).not.toContain('bob@example.com');
+      expect(out).not.toContain('you@example.com');
+      // Masked fakes present (pool order from a clean cache: blocked-first
+      // render order means bob is masked first, then alice/you in healthy).
+      expect(out).toMatch(/<code>[^@<]+@example\.com<\/code>/);
+    });
+
+    it('WITH demo, the recommendation footer masks the active label', () => {
+      __resetDemoMaskCachesForTest();
+      const happy: AccountSnapshot[] = [
+        snap({ label: 'real-active@corp.com', isActive: true, quota: quota({ fiveHourUtilizationPct: 5 }) }),
+      ];
+      const out = renderAuthSnapshotFormat2(happy, { now: NOW, demo: true });
+      expect(out).not.toContain('real-active@corp.com');
+      expect(out).toMatch(/Recommendation: stay on [^@\s]+@example\.com\./);
+    });
+
+    it('demo masking is deterministic across two renders in the same process', () => {
+      __resetDemoMaskCachesForTest();
+      const a = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC', demo: true });
+      const b = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC', demo: true });
+      expect(a).toBe(b);
+    });
+  });
 });
 
 // ── renderFallbackAnnouncement ───────────────────────────────────────
@@ -335,6 +423,75 @@ describe('renderFallbackAnnouncement', () => {
     expect(out).toMatch(/ken@x recovers.*in 4h 57m/);
     expect(out).toContain('/auth add');
   });
+
+  it('Bug 3 — all-blocked card ENUMERATES every account (5h%/7d% + recovery ETA)', () => {
+    // Three walled accounts with different recovery times. The card must list
+    // ALL of them so the user can verify true fleet-wide exhaustion, not just
+    // the one triggering account.
+    const ken = quota({
+      fiveHourUtilizationPct: 100,
+      sevenDayUtilizationPct: 23,
+      fiveHourResetAt: new Date('2026-05-15T05:50:00Z'),
+      sevenDayResetAt: new Date('2026-05-18T19:00:00Z'),
+      representativeClaim: 'five_hour',
+    });
+    const you = quota({
+      fiveHourUtilizationPct: 30,
+      sevenDayUtilizationPct: 100,
+      sevenDayResetAt: new Date('2026-05-16T10:00:00Z'),
+      representativeClaim: 'seven_day',
+    });
+    const carol = quota({
+      fiveHourUtilizationPct: 100,
+      sevenDayUtilizationPct: 60,
+      fiveHourResetAt: new Date('2026-05-15T03:00:00Z'),
+      representativeClaim: 'five_hour',
+    });
+    const out = renderFallbackAnnouncement({
+      oldLabel: 'ken@x',
+      oldQuota: ken,
+      newLabel: null,
+      newQuota: null,
+      triggerAgent: 'carrie',
+      fleetSnapshots: [
+        snap({ label: 'ken@x', isActive: true, quota: ken }),
+        snap({ label: 'you@x', quota: you }),
+        snap({ label: 'carol@x', quota: carol }),
+      ],
+      now: NOW,
+      tz: 'UTC',
+    });
+    expect(out).toContain('🔴 <b>All accounts blocked');
+    // Every account is listed (not just the trigger).
+    expect(out).toContain('ken@x');
+    expect(out).toContain('you@x');
+    expect(out).toContain('carol@x');
+    // Per-account utilization rows are rendered (the renderAccountRow shape).
+    expect(out).toMatch(/100%\s*\/\s*23%/);   // ken
+    expect(out).toMatch(/30%\s*\/\s*100%/);   // you
+    expect(out).toMatch(/100%\s*\/\s*60%/);   // carol
+    // Each account's recovery countdown is surfaced.
+    expect(out).toMatch(/quota exhausted/);
+    // The earliest recovery across the fleet (carol, 5h reset at 03:00Z = ~2h)
+    // is called out explicitly.
+    expect(out).toMatch(/Earliest recovery:\s*<code>carol@x<\/code>/);
+    expect(out).toContain('/auth add');
+  });
+
+  it('Bug 3 back-compat — no fleetSnapshots falls back to the single-account shape', () => {
+    const out = renderFallbackAnnouncement({
+      oldLabel: 'ken@x',
+      oldQuota: KEN_5H_BLOWN,
+      newLabel: null,
+      newQuota: null,
+      triggerAgent: 'carrie',
+      now: NOW,
+      tz: 'UTC',
+    });
+    expect(out).toContain('🔴 <b>All accounts blocked');
+    expect(out).toMatch(/ken@x recovers.*in 4h 57m/);
+    expect(out).not.toContain('Earliest recovery:');
+  });
 });
 
 // ── buildSnapshotKeyboard ────────────────────────────────────────────
@@ -378,6 +535,31 @@ describe('buildSnapshotKeyboard', () => {
     const switchRows = rows.slice(0, -1);
     expect(switchRows.length).toBe(2);
   });
+
+  it('#2495 nit A — threads `now` so a refilled-since-snapshot account is offered as a switch target', () => {
+    // refilled@x reads 100% on 5h, but its reset is in the PAST relative to the
+    // threaded `now` → refill-normalized to 0% → healthy → a valid switch
+    // target. With a default `new Date()` (well after the fixture epoch) the
+    // normalization still treats it as refilled, so to prove the THREADING we
+    // compare two explicit clocks.
+    const resetAt = new Date('2026-05-15T00:00:00Z'); // before `now`
+    const snaps: AccountSnapshot[] = [
+      snap({ label: 'active@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 5 }) }),
+      snap({
+        label: 'refilled@x',
+        quota: quota({ fiveHourUtilizationPct: 100, fiveHourResetAt: resetAt }),
+      }),
+    ];
+    // `now` AFTER the reset → refilled@x normalizes to healthy → offered.
+    const after = buildSnapshotKeyboard(snaps, { now: new Date('2026-05-15T00:53:00Z') })
+      .flat().map((b) => b.text);
+    expect(after).toContain('Switch fleet → refilled@x');
+    // `now` BEFORE the reset → still walled → NOT offered. Proves the threaded
+    // clock actually drives classification (a default-`now` impl would ignore it).
+    const before = buildSnapshotKeyboard(snaps, { now: new Date('2026-05-14T23:00:00Z') })
+      .flat().map((b) => b.text);
+    expect(before).not.toContain('Switch fleet → refilled@x');
+  });
 });
 
 // ── buildSnapshotsFromState ──────────────────────────────────────────
@@ -541,13 +723,26 @@ describe('buildSnapshotsFromCachedState', () => {
 // ── recommendation logic edge cases ──────────────────────────────────
 
 describe('recommendation', () => {
-  it('warns "all blocked" when no healthy alternative exists', () => {
+  it('#2494 Bug B: does NOT say "all blocked" when an alternative is refilling', () => {
+    // a@x is maxed with no reset (truly blocked); b@x is maxed but its weekly
+    // window resets in ~2d (refilling). The honest summary must surface the
+    // refill, not collapse to a false "All accounts blocked".
     const snaps: AccountSnapshot[] = [
       snap({ label: 'a@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 100 }) }),
       snap({ label: 'b@x', quota: quota({ sevenDayUtilizationPct: 100, sevenDayResetAt: new Date('2026-05-17T00:00:00Z') }) }),
     ];
     const out = recommendation(snaps, NOW);
-    expect(out).toMatch(/All accounts blocked\. Earliest recovery: b@x in 1d/);
+    expect(out).not.toContain('All accounts blocked');
+    expect(out).toMatch(/soonest refill: b@x in 1d/);
+  });
+
+  it('#2494 Bug B: says "all blocked" only when EVERY account is truly walled (no reset)', () => {
+    const snaps: AccountSnapshot[] = [
+      snap({ label: 'a@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 100 }) }),
+      snap({ label: 'b@x', quota: quota({ sevenDayUtilizationPct: 100 }) }),
+    ];
+    const out = recommendation(snaps, NOW);
+    expect(out).toContain('All accounts blocked');
   });
 
   it('reports throttling-with-no-alt when active is throttling and others are too', () => {
@@ -558,4 +753,179 @@ describe('recommendation', () => {
     const out = recommendation(snaps, NOW);
     expect(out).toContain('throttling; no healthy alternative');
   });
+
+  it('#2494 Bug B: mixed blocked-active + throttling-other → recommends the throttling slot, never "all blocked"', () => {
+    const snaps: AccountSnapshot[] = [
+      snap({ label: 'a@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 100 }) }),
+      snap({ label: 'b@x', quota: quota({ fiveHourUtilizationPct: 85 }) }), // throttling, usable
+    ];
+    const out = recommendation(snaps, NOW);
+    expect(out).not.toContain('All accounts blocked');
+    expect(out).toContain('b@x is throttling but still usable');
+  });
+});
+
+// ── #2494 Bug A — refill-aware classification ───────────────────────────
+
+describe('#2494 Bug A — refill-aware classifyHealth', () => {
+  it('a pre-refill snapshot read AFTER its 5h reset classifies healthy', () => {
+    // Captured at 100% on a 5h window whose reset is 3 min in the PAST → rolled.
+    const pastReset = new Date(NOW.getTime() - 3 * 60_000);
+    const s = snap({
+      isActive: true,
+      quota: quota({ fiveHourUtilizationPct: 100, fiveHourResetAt: pastReset, sevenDayUtilizationPct: 1 }),
+    });
+    expect(classifyHealth(s, NOW)).toBe('healthy');
+  });
+
+  it('a maxed weekly whose reset has PASSED classifies healthy', () => {
+    const pastWeekly = new Date(NOW.getTime() - 60_000);
+    const s = snap({ quota: quota({ sevenDayUtilizationPct: 100, sevenDayResetAt: pastWeekly, fiveHourUtilizationPct: 2 }) });
+    expect(classifyHealth(s, NOW)).toBe('healthy');
+  });
+
+  it('a maxed window with a FUTURE reset still classifies blocked (not yet refilled)', () => {
+    const futureReset = new Date(NOW.getTime() + 60 * 60_000);
+    const s = snap({ quota: quota({ fiveHourUtilizationPct: 100, fiveHourResetAt: futureReset }) });
+    expect(classifyHealth(s, NOW)).toBe('blocked');
+  });
+
+  it('the just-refilled lone active account is not falsely "all blocked" in the summary', () => {
+    const pastReset = new Date(NOW.getTime() - 3 * 60_000);
+    const snaps: AccountSnapshot[] = [
+      snap({ label: 'a@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 100, fiveHourResetAt: pastReset, sevenDayUtilizationPct: 1 }) }),
+    ];
+    expect(recommendation(snaps, NOW)).toContain('stay on a@x');
+  });
+});
+
+// ── #2494 Bug C — quota-exhausted vs thin probe (billing-dead demoted) ────────
+
+describe('#2494 Bug C — blockedReason + thin probe (out_of_credits now informational)', () => {
+  it('out_of_credits at 0% util → healthy (demoted from billing-dead to informational)', () => {
+    // THE KEY CHANGE: out_of_credits is no longer a blocked state.
+    const s = snap({ quota: quota({ fiveHourUtilizationPct: 0, overageDisabledReason: 'out_of_credits' }) });
+    expect(classifyHealth(s, NOW)).toBe('healthy');
+    expect(blockedReason(s, NOW)).toBeNull(); // not blocked → no blocked reason
+  });
+
+  it('out_of_credits at HIGH util is still blocked (via util wall, not credits)', () => {
+    // blocked because 5h>=99.5%, NOT because of out_of_credits
+    const futureReset = new Date(NOW.getTime() + 30 * 60_000);
+    const s = snap({ quota: quota({ fiveHourUtilizationPct: 100, fiveHourResetAt: futureReset, overageDisabledReason: 'out_of_credits' }) });
+    expect(classifyHealth(s, NOW)).toBe('blocked');
+    expect(blockedReason(s, NOW)).toBe('quota-exhausted'); // blocked by quota, not billing
+  });
+
+  it('a maxed window (no overage reason) → quota-exhausted (recoverable)', () => {
+    const futureReset = new Date(NOW.getTime() + 30 * 60_000);
+    const s = snap({ quota: quota({ fiveHourUtilizationPct: 100, fiveHourResetAt: futureReset }) });
+    expect(blockedReason(s, NOW)).toBe('quota-exhausted');
+  });
+
+  it('blockedReason is null for a non-blocked account', () => {
+    expect(blockedReason(snap({ quota: quota({ fiveHourUtilizationPct: 10 }) }), NOW)).toBeNull();
+  });
+
+  it('org_level_disabled behavior is unchanged — still healthy', () => {
+    const s = snap({ quota: quota({ fiveHourUtilizationPct: 75, sevenDayUtilizationPct: 40, overageStatus: 'rejected', overageDisabledReason: 'org_level_disabled' }) });
+    expect(classifyHealth(s, NOW)).toBe('healthy');
+    expect(blockedReason(s, NOW)).toBeNull();
+  });
+
+  it('a thin/headerless probe classifies unknown, never a confident 0%/healthy', () => {
+    const s = snap({
+      quota: quota({ fiveHourUtilizationPct: 0, sevenDayUtilizationPct: 0, fiveHourUtilPresent: false, sevenDayUtilPresent: false }),
+    });
+    expect(classifyHealth(s, NOW)).toBe('unknown');
+  });
+
+  it('a real 0%/0% probe (both windows present) stays healthy', () => {
+    const s = snap({
+      quota: quota({ fiveHourUtilizationPct: 0, sevenDayUtilizationPct: 0, fiveHourUtilPresent: true, sevenDayUtilPresent: true }),
+    });
+    expect(classifyHealth(s, NOW)).toBe('healthy');
+  });
+
+  it('a single-window probe (7d header missing) is NOT thin → governed by util', () => {
+    const s = snap({
+      quota: quota({ fiveHourUtilizationPct: 50, sevenDayUtilizationPct: 0, fiveHourUtilPresent: true, sevenDayUtilPresent: false }),
+    });
+    expect(classifyHealth(s, NOW)).toBe('healthy');
+  });
+});
+
+// ── #2494 — row rendering: out_of_credits as informational annotation ─────────
+
+describe('#2494 — renderAuthSnapshotFormat2 row rendering (out_of_credits demoted)', () => {
+  it('out_of_credits at 0% util → healthy row with informational overage annotation, NOT blocked', () => {
+    // THE KEY CHANGE: carol scenario — 0% util, out_of_credits → healthy group
+    // with an informational sub-line "overage off (out_of_credits) — serving from quota"
+    const out = renderAuthSnapshotFormat2(
+      [snap({ label: 'dead@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 0, overageDisabledReason: 'out_of_credits' }) })],
+      { now: NOW },
+    );
+    // Must be in HEALTHY group, not BLOCKED
+    expect(out).toContain('🟢 <b>HEALTHY</b>');
+    expect(out).not.toContain('🔴 <b>BLOCKED</b>');
+    // Must have informational annotation
+    expect(out).toContain('overage off (out_of_credits) — serving from quota');
+    // Must NOT have old blocked framing
+    expect(out).not.toContain('billing disabled');
+    expect(out).not.toContain("won't recover until billing is fixed");
+    expect(out).not.toContain('quota exhausted');
+  });
+
+  it('out_of_credits account is a valid failover target (appears in buildSnapshotKeyboard switch buttons)', () => {
+    // A 0%-util out_of_credits account must be offerable as a switch target
+    const snaps: AccountSnapshot[] = [
+      snap({ label: 'a@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 100 }) }), // blocked, active
+      snap({ label: 'carol@example.com', quota: quota({ fiveHourUtilizationPct: 0, overageDisabledReason: 'out_of_credits' }) }), // healthy
+    ];
+    const rows = buildSnapshotKeyboard(snaps);
+    const allText = rows.flat().map((b) => b.text);
+    expect(allText).toContain('Switch fleet → carol@example.com');
+  });
+
+  it('quota-exhausted row shows a recovery countdown, not "billing disabled" or overage annotation', () => {
+    const futureReset = new Date(NOW.getTime() + 45 * 60_000);
+    const out = renderAuthSnapshotFormat2(
+      [snap({ label: 'ex@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 100, fiveHourResetAt: futureReset }) })],
+      { now: NOW },
+    );
+    expect(out).toContain('quota exhausted');
+    expect(out).not.toContain('billing disabled');
+    expect(out).not.toContain('overage off');
+  });
+
+  it('thin probe row renders "quota unknown", not "0% / 0%"', () => {
+    const out = renderAuthSnapshotFormat2(
+      [snap({ label: 'thin@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 0, sevenDayUtilizationPct: 0, fiveHourUtilPresent: false, sevenDayUtilPresent: false }) })],
+      { now: NOW },
+    );
+    expect(out).toContain('quota unknown');
+    expect(out).not.toContain('0% / 0%');
+  });
+
+  it('org_level_disabled at 85% util has no overage annotation (only in OVERAGE_EXHAUSTED_REASONS)', () => {
+    // org_level_disabled is NOT on the OVERAGE_EXHAUSTED_REASONS list → no annotation
+    const out = renderAuthSnapshotFormat2(
+      [snap({ label: 'org@x', isActive: false, quota: quota({ fiveHourUtilizationPct: 85, overageDisabledReason: 'org_level_disabled' }) })],
+      { now: NOW },
+    );
+    expect(out).toContain('🟡 <b>THROTTLING</b>');
+    expect(out).not.toContain('overage off');
+  });
+
+  it('recommendation treats out_of_credits 0%-util account as healthy alternative', () => {
+    // The active account is blocked (quota), the out_of_credits 0%-util account
+    // is the only alternative — it must be recommended as the switch target.
+    const snaps: AccountSnapshot[] = [
+      snap({ label: 'main@x', isActive: true, quota: quota({ fiveHourUtilizationPct: 100 }) }), // blocked
+      snap({ label: 'carol@example.com', quota: quota({ fiveHourUtilizationPct: 0, overageDisabledReason: 'out_of_credits' }) }), // healthy
+    ];
+    const out = recommendation(snaps, NOW);
+    expect(out).toContain('switch to carol@example.com');
+    expect(out).not.toContain('All accounts blocked');
+  });
 });

package/telegram-plugin/tests/auto-fallback-fleet.test.ts

@@ -112,6 +112,9 @@ describe('runFleetAutoFallback', () => {
     if (out.kind === 'all-blocked') {
       expect(out.announcement).toContain('All accounts blocked');
       expect(out.announcement).toContain('/auth add');
+      // Bug 3 — the announcement enumerates EVERY account, not just the trigger.
+      expect(out.announcement).toContain('ken@x');
+      expect(out.announcement).toContain('me@x');
     }
   });
 
@@ -135,6 +138,71 @@ describe('runFleetAutoFallback', () => {
     expect(out.announcement).toContain('Stale event?');
   });
 
+  it('out_of_credits active account ⇒ NO swap (informational, not a serve-block)', async () => {
+    // NEW CONTRACT (fix/out-of-credits-serve-block): out_of_credits is
+    // INFORMATIONAL. An active account at 0% util with out_of_credits is
+    // classified HEALTHY by classifyHealth(), so the idempotency guard fires
+    // and the swap is skipped. out_of_credits must NEVER on its own cause a
+    // fleet auto-fallback swap.
+    const failover = vi.fn(async () => ({ rolledTo: 'bob@example.com', rolled: ['alice@example.com'] }));
+    const out = await runFleetAutoFallback({
+      state: state('alice@example.com', ['alice@example.com', 'bob@example.com']),
+      quotas: [
+        qOk({ fiveHourUtilizationPct: 0, sevenDayUtilizationPct: 0, overageStatus: 'rejected', overageDisabledReason: 'out_of_credits' }),
+        qOk({ fiveHourUtilizationPct: 8, sevenDayUtilizationPct: 20 }),
+      ],
+      failover,
+      triggerAgent: 'carrie',
+      now: NOW,
+      tz: 'UTC',
+    });
+
+    // out_of_credits at 0% util → classifyHealth='healthy' → idempotency guard
+    // returns no-eligible-target WITHOUT calling failover.
+    expect(out.kind).toBe('no-eligible-target');
+    expect(failover).not.toHaveBeenCalled();
+  });
+
+  it('genuine quota wall (100% 5h util) ⇒ swap fires (failover safety preserved)', async () => {
+    // Failover on a REAL quota wall must still work. This anchors the safety
+    // contract: only out_of_credits is demoted, genuine exhaustion still swaps.
+    const failover = vi.fn(async () => ({ rolledTo: 'bob@example.com', rolled: ['alice@example.com'] }));
+    const out = await runFleetAutoFallback({
+      state: state('alice@example.com', ['alice@example.com', 'bob@example.com']),
+      quotas: [
+        qOk({ fiveHourUtilizationPct: 100, fiveHourResetAt: new Date('2026-05-15T05:50:00Z'), representativeClaim: 'five_hour' }),
+        qOk({ fiveHourUtilizationPct: 8, sevenDayUtilizationPct: 20 }),
+      ],
+      failover,
+      triggerAgent: 'carrie',
+      now: NOW,
+      tz: 'UTC',
+    });
+
+    expect(out.kind).toBe('switched');
+    expect(failover).toHaveBeenCalledTimes(1);
+    if (out.kind === 'switched') expect(out.newLabel).toBe('bob@example.com');
+  });
+
+  it('org_level_disabled active @75% ⇒ NO swap (idempotency: classifyHealth=healthy)', async () => {
+    // The benign reason on the live active account must NOT trigger a swap.
+    const failover = vi.fn();
+    const out = await runFleetAutoFallback({
+      state: state('alice@example.com', ['alice@example.com', 'bob@example.com']),
+      quotas: [
+        qOk({ fiveHourUtilizationPct: 75, sevenDayUtilizationPct: 40, overageStatus: 'rejected', overageDisabledReason: 'org_level_disabled' }),
+        qOk({ fiveHourUtilizationPct: 5, sevenDayUtilizationPct: 10 }),
+      ],
+      failover,
+      triggerAgent: 'carrie',
+      now: NOW,
+      tz: 'UTC',
+    });
+
+    expect(out.kind).toBe('no-eligible-target');
+    expect(failover).not.toHaveBeenCalled();
+  });
+
   it('returns no-old-active (no failover) when broker has no active account', async () => {
     const failover = vi.fn();
     const out = await runFleetAutoFallback({
@@ -244,3 +312,55 @@ describe("evaluateFallbackFailureNotice", () => {
     expect(sent).toBeGreaterThanOrEqual(1);
   });
 });
+
+// ── Bug 2: the all-blocked card must not re-emit every ~60s ───────────────────
+
+import {
+  evaluateAllBlockedNotice,
+  FALLBACK_ALL_BLOCKED_NOTICE_COOLDOWN_MS,
+} from "../auto-fallback-fleet.js";
+
+describe("evaluateAllBlockedNotice", () => {
+  const T0 = 1_780_000_000_000;
+
+  it("the first all-blocked card sends and arms the cooldown", () => {
+    const r = evaluateAllBlockedNotice({ lastSentAtMs: 0 }, T0);
+    expect(r.send).toBe(true);
+    expect(r.next.lastSentAtMs).toBe(T0);
+  });
+
+  it("a second all-blocked signal within the cooldown does NOT re-emit (the Bug-2 fix)", () => {
+    const armed = { lastSentAtMs: T0 };
+    const r = evaluateAllBlockedNotice(armed, T0 + 60_000);
+    expect(r.send).toBe(false);
+    expect(r.next).toBe(armed); // window not extended by suppressed attempts
+  });
+
+  it("sends again once the cooldown elapses (still-walled, but the user re-hears once)", () => {
+    const r = evaluateAllBlockedNotice(
+      { lastSentAtMs: T0 },
+      T0 + FALLBACK_ALL_BLOCKED_NOTICE_COOLDOWN_MS,
+    );
+    expect(r.send).toBe(true);
+    expect(r.next.lastSentAtMs).toBe(T0 + FALLBACK_ALL_BLOCKED_NOTICE_COOLDOWN_MS);
+  });
+
+  it("collapses the ~60s quota_wall_detected re-fire storm to ≤2 cards/hour", () => {
+    let state = { lastSentAtMs: 0 };
+    let sent = 0;
+    for (let t = T0; t < T0 + 3_600_000; t += 60_000) {
+      const r = evaluateAllBlockedNotice(state, t);
+      if (r.send) sent++;
+      state = r.next;
+    }
+    expect(sent).toBeLessThanOrEqual(2);
+    expect(sent).toBeGreaterThanOrEqual(1);
+  });
+
+  it("a NEW transition emits promptly: reset (lastSentAtMs=0) after a swap sends immediately", () => {
+    // The gateway resets the window on a successful swap, so a fresh all-blocked
+    // after a recovery is not stale-suppressed.
+    const r = evaluateAllBlockedNotice({ lastSentAtMs: 0 }, T0 + 5 * 60_000);
+    expect(r.send).toBe(true);
+  });
+});