switchroom 0.15.45 → 0.16.5

package/telegram-plugin/tests/emission-authority-ping-gate.test.ts

@@ -0,0 +1,395 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import {
+  decideOverPing,
+  type OverPingDecision,
+} from '../over-ping-safety-net.js'
+import type {
+  PingClaimInput,
+  PingClaimCtx,
+} from '../gateway/emission-authority.js'
+
+/**
+ * PR-4c flag-parity proof — the HEART of the PR, at the façade layer.
+ *
+ * The emission-authority façade's `claimOrDowngradePing` now RELOCATES the
+ * over-ping ownership decision behind the `SWITCHROOM_EMISSION_AUTHORITY`
+ * kill-switch. The defining correctness property: flag-OFF ≡ flag-ON ≡ the
+ * direct `decideOverPing` oracle — not one device ping differs in either flag
+ * state. This drives `claimOrDowngradePing(input, ctx, applyDecision, disabled)`
+ * across the full cross-product:
+ *
+ *   incoming {ack, substantive, silent} × slot-held-by {none, ack-held,
+ *   substantive-held}
+ *
+ * for BOTH flag states, against a fake turn + a stub `applyDecision` that
+ * records `(suppress, claimSlot, upgrade)` and APPLIES the mutations (the atomic
+ * `firstPingAt`/`firstPingWasSubstantive` pair-set), exactly like the gateway
+ * call site. It asserts:
+ *
+ *   - flag-ON outcome set == flag-OFF outcome set == direct `decideOverPing`
+ *     oracle set (the parity proof).
+ *   - after a claim/upgrade the `firstPingAt`/`firstPingWasSubstantive` pair is
+ *     consistently set (the #2562 atomicity invariant).
+ *   - the at-most-once UPGRADE via the ack→upgrade→trailing-ack sequence.
+ *
+ * The flag is read ONCE at module top (the asserted read-once invariant — we do
+ * NOT change that). We flip it per flag state by dynamically re-importing the
+ * façade module under a unique query string (bun/vite re-evaluates the module,
+ * so the read-once const is recomputed against the chosen env). This is a
+ * TEST-ONLY seam — it leaves the production read-once path untouched. Mirrors
+ * the `loadFacade` seam in emission-authority-open-gate.test.ts. NO sqlite
+ * import, so this runs cleanly under both vitest and bun.
+ */
+
+const NOW = 1_700_000_000_000
+const PRIOR_PING_AT = NOW - 5_000
+
+afterEach(() => {
+  delete process.env.SWITCHROOM_EMISSION_AUTHORITY
+})
+
+let reimportSeq = 0
+async function loadFacade(
+  enabled: boolean,
+): Promise<typeof import('../gateway/emission-authority.js')> {
+  if (enabled) process.env.SWITCHROOM_EMISSION_AUTHORITY = '1'
+  else delete process.env.SWITCHROOM_EMISSION_AUTHORITY
+  return import(`../gateway/emission-authority.js?pingcase=${reimportSeq++}`)
+}
+
+/** A minimal stand-in for the turn's ping-slot state. */
+interface FakeTurn {
+  firstPingAt: number | null
+  firstPingWasSubstantive: boolean
+}
+
+type SlotHeld = 'none' | 'ack' | 'substantive'
+type Incoming = 'ack' | 'substantive' | 'silent'
+
+function turnFor(slot: SlotHeld): FakeTurn {
+  switch (slot) {
+    case 'none':
+      return { firstPingAt: null, firstPingWasSubstantive: false }
+    case 'ack':
+      return { firstPingAt: PRIOR_PING_AT, firstPingWasSubstantive: false }
+    case 'substantive':
+      return { firstPingAt: PRIOR_PING_AT, firstPingWasSubstantive: true }
+  }
+}
+
+function inputFor(incoming: Incoming): PingClaimInput {
+  switch (incoming) {
+    case 'silent':
+      return { modelRequestedPing: false, substantive: false }
+    case 'ack':
+      return { modelRequestedPing: true, substantive: false }
+    case 'substantive':
+      return { modelRequestedPing: true, substantive: true }
+  }
+}
+
+/** The recorded outcome of one drive — what the call site would observe. */
+interface Outcome {
+  suppress: boolean
+  claimSlot: boolean
+  upgrade: boolean
+  /** Post-state of the (atomic) pair after applyDecision ran. */
+  firstPingAt: number | null
+  firstPingWasSubstantive: boolean
+  /** Did the call-site closure write disableNotification=true? */
+  disableNotification: boolean
+}
+
+/**
+ * Drive `claimOrDowngradePing` once for the given flag state, mirroring the
+ * gateway call site: the `applyDecision` thunk records the decision AND applies
+ * the atomic pair-set + the disableNotification closure write; the `disabled`
+ * thunk computes its own decision via the literal `decideOverPing` and routes it
+ * through the SAME `applyDecision`.
+ */
+async function drive(
+  enabled: boolean,
+  incoming: Incoming,
+  slot: SlotHeld,
+): Promise<Outcome> {
+  const { EmissionAuthority } = await loadFacade(enabled)
+  const turn = turnFor(slot)
+  const input = inputFor(incoming)
+  const ctx: PingClaimCtx = {
+    firstPingAt: turn.firstPingAt,
+    firstPingWasSubstantive: turn.firstPingWasSubstantive,
+    nowMs: NOW,
+  }
+  const replySubstantive = input.substantive
+  let disableNotification = false
+  let recorded: OverPingDecision | null = null
+
+  const applyDecision = (decision: OverPingDecision): void => {
+    recorded = decision
+    if (decision.suppress) {
+      disableNotification = true
+    } else if (decision.claimSlot) {
+      // The atomic two-adjacent-line pair-set (no await between).
+      turn.firstPingAt = NOW
+      turn.firstPingWasSubstantive = replySubstantive
+    }
+  }
+
+  new EmissionAuthority('k').claimOrDowngradePing(
+    input,
+    ctx,
+    applyDecision,
+    () => {
+      const decision = decideOverPing({
+        modelRequestedPing: input.modelRequestedPing,
+        firstPingAt: turn.firstPingAt,
+        substantive: replySubstantive,
+        firstPingWasSubstantive: turn.firstPingWasSubstantive,
+        nowMs: NOW,
+      })
+      applyDecision(decision)
+    },
+  )
+
+  const d = recorded as OverPingDecision | null
+  if (d == null) throw new Error('applyDecision was never called')
+  return {
+    suppress: d.suppress,
+    claimSlot: d.claimSlot,
+    upgrade: d.upgrade,
+    firstPingAt: turn.firstPingAt,
+    firstPingWasSubstantive: turn.firstPingWasSubstantive,
+    disableNotification,
+  }
+}
+
+/** The direct oracle: `decideOverPing` over the same inputs, then the effects. */
+function oracle(incoming: Incoming, slot: SlotHeld): Outcome {
+  const turn = turnFor(slot)
+  const input = inputFor(incoming)
+  const decision = decideOverPing({
+    modelRequestedPing: input.modelRequestedPing,
+    firstPingAt: turn.firstPingAt,
+    substantive: input.substantive,
+    firstPingWasSubstantive: turn.firstPingWasSubstantive,
+    nowMs: NOW,
+  })
+  let disableNotification = false
+  if (decision.suppress) {
+    disableNotification = true
+  } else if (decision.claimSlot) {
+    turn.firstPingAt = NOW
+    turn.firstPingWasSubstantive = input.substantive
+  }
+  return {
+    suppress: decision.suppress,
+    claimSlot: decision.claimSlot,
+    upgrade: decision.upgrade,
+    firstPingAt: turn.firstPingAt,
+    firstPingWasSubstantive: turn.firstPingWasSubstantive,
+    disableNotification,
+  }
+}
+
+const INCOMING: Incoming[] = ['ack', 'substantive', 'silent']
+const SLOTS: SlotHeld[] = ['none', 'ack', 'substantive']
+
+describe('claimOrDowngradePing flag-parity — flag-ON ≡ flag-OFF ≡ decideOverPing oracle', () => {
+  for (const incoming of INCOMING) {
+    for (const slot of SLOTS) {
+      it(`incoming=${incoming} slot-held-by=${slot}: ON == OFF == oracle`, async () => {
+        const off = await drive(false, incoming, slot)
+        const on = await drive(true, incoming, slot)
+        const want = oracle(incoming, slot)
+        expect(off).toEqual(want)
+        expect(on).toEqual(want)
+        // Atomicity: after a claim/upgrade the pair is consistently set.
+        if (on.claimSlot) {
+          expect(on.firstPingAt).toBe(NOW)
+          expect(on.firstPingWasSubstantive).toBe(incoming === 'substantive')
+        }
+      })
+    }
+  }
+
+  it('full set equality — the ON outcome set equals the OFF set equals the oracle set', async () => {
+    const onSet: Outcome[] = []
+    const offSet: Outcome[] = []
+    const oracleSet: Outcome[] = []
+    for (const incoming of INCOMING) {
+      for (const slot of SLOTS) {
+        offSet.push(await drive(false, incoming, slot))
+        onSet.push(await drive(true, incoming, slot))
+        oracleSet.push(oracle(incoming, slot))
+      }
+    }
+    expect(onSet).toEqual(oracleSet)
+    expect(offSet).toEqual(oracleSet)
+  })
+})
+
+describe('claimOrDowngradePing — the documented R8 ownership outcomes', () => {
+  it('substantive over an ack-held slot UPGRADES (pings + claims, no suppress)', async () => {
+    for (const enabled of [false, true]) {
+      const o = await drive(enabled, 'substantive', 'ack')
+      expect(o.suppress).toBe(false)
+      expect(o.claimSlot).toBe(true)
+      expect(o.upgrade).toBe(true)
+      expect(o.disableNotification).toBe(false)
+      // The slot is upgraded to substantive.
+      expect(o.firstPingAt).toBe(NOW)
+      expect(o.firstPingWasSubstantive).toBe(true)
+    }
+  })
+
+  it('ack over a substantive-held slot SUPPRESSES (no spurious double-ping)', async () => {
+    for (const enabled of [false, true]) {
+      const o = await drive(enabled, 'ack', 'substantive')
+      expect(o.suppress).toBe(true)
+      expect(o.claimSlot).toBe(false)
+      expect(o.disableNotification).toBe(true)
+    }
+  })
+
+  it('substantive over a substantive-held slot SUPPRESSES (#1674 answer+wrap-up guard)', async () => {
+    for (const enabled of [false, true]) {
+      const o = await drive(enabled, 'substantive', 'substantive')
+      expect(o.suppress).toBe(true)
+      expect(o.claimSlot).toBe(false)
+    }
+  })
+
+  it('first ping (no slot held) CLAIMS without upgrade', async () => {
+    for (const enabled of [false, true]) {
+      const o = await drive(enabled, 'ack', 'none')
+      expect(o.suppress).toBe(false)
+      expect(o.claimSlot).toBe(true)
+      expect(o.upgrade).toBe(false)
+      expect(o.firstPingAt).toBe(NOW)
+    }
+  })
+
+  it('silent incoming is a no-op (the safety net never touches a model-silent reply)', async () => {
+    for (const enabled of [false, true]) {
+      for (const slot of SLOTS) {
+        const o = await drive(enabled, 'silent', slot)
+        expect(o.suppress).toBe(false)
+        expect(o.claimSlot).toBe(false)
+        expect(o.upgrade).toBe(false)
+        expect(o.disableNotification).toBe(false)
+      }
+    }
+  })
+})
+
+describe('claimOrDowngradePing — at-most-once upgrade (ack → upgrade → trailing-ack)', () => {
+  /**
+   * Drive a 3-reply turn against ONE persistent fake turn (the façade decides,
+   * the applyDecision thunk mutates the shared turn): an interim ACK claims the
+   * slot, the SUBSTANTIVE answer UPGRADES it (one bounded second ping), and a
+   * trailing ACK is then SUPPRESSED — at most ONE upgrade per turn.
+   */
+  async function driveSequence(
+    enabled: boolean,
+  ): Promise<{ upgrades: number; pings: number; suppresses: number }> {
+    const { EmissionAuthority } = await loadFacade(enabled)
+    const turn: FakeTurn = { firstPingAt: null, firstPingWasSubstantive: false }
+    const ea = new EmissionAuthority('k')
+    let upgrades = 0
+    let pings = 0
+    let suppresses = 0
+    let tick = 0
+
+    const step = (incoming: Incoming): void => {
+      const input = inputFor(incoming)
+      const replySubstantive = input.substantive
+      const now = NOW + tick++
+      const ctx: PingClaimCtx = {
+        firstPingAt: turn.firstPingAt,
+        firstPingWasSubstantive: turn.firstPingWasSubstantive,
+        nowMs: now,
+      }
+      const applyDecision = (decision: OverPingDecision): void => {
+        if (decision.upgrade) upgrades++
+        if (decision.suppress) suppresses++
+        if (decision.claimSlot) {
+          // A claim/upgrade lets the ping through.
+          pings++
+          turn.firstPingAt = now
+          turn.firstPingWasSubstantive = replySubstantive
+        }
+      }
+      ea.claimOrDowngradePing(input, ctx, applyDecision, () => {
+        const decision = decideOverPing({
+          modelRequestedPing: input.modelRequestedPing,
+          firstPingAt: turn.firstPingAt,
+          substantive: replySubstantive,
+          firstPingWasSubstantive: turn.firstPingWasSubstantive,
+          nowMs: now,
+        })
+        applyDecision(decision)
+      })
+    }
+
+    step('ack') // interim ack — claims the slot (first ping)
+    step('substantive') // answer — UPGRADES over the ack's slot (second ping)
+    step('ack') // trailing ack — suppressed
+    return { upgrades, pings, suppresses }
+  }
+
+  for (const enabled of [false, true]) {
+    it(`flag ${enabled ? 'ON' : 'OFF'}: exactly one upgrade, two pings (ack-claim + answer-upgrade), one suppress`, async () => {
+      const { upgrades, pings, suppresses } = await driveSequence(enabled)
+      expect(upgrades).toBe(1)
+      expect(pings).toBe(2)
+      expect(suppresses).toBe(1)
+    })
+  }
+})
+
+describe('claimOrDowngradePing — no await in the synchronous decide→apply→pair-set chain (source-read)', () => {
+  const facadeSrc = readFileSync(
+    resolve(__dirname, '..', 'gateway', 'emission-authority.ts'),
+    'utf-8',
+  )
+  const gatewaySrc = readFileSync(
+    resolve(__dirname, '..', 'gateway', 'gateway.ts'),
+    'utf-8',
+  )
+
+  it('the façade method is synchronous and await-free', () => {
+    expect(facadeSrc).not.toMatch(/async\s+claimOrDowngradePing/)
+    const after = facadeSrc.split('claimOrDowngradePing(')[1] ?? ''
+    const body = after.split(/\n  [A-Za-z]+[(<]/)[0] ?? after
+    expect(body).not.toMatch(/\bawait\b/)
+  })
+
+  it('the call-site over-ping block is await-free (atomic pair-set preserved)', () => {
+    // Bound the window to the over-ping block itself — from the
+    // `applyOverPingDecision` thunk to the end of the `claimOrDowngradePing`
+    // call, BEFORE the Telegraph block below (which legitimately awaits).
+    const blockStart = gatewaySrc.indexOf('const applyOverPingDecision')
+    const telegraphIdx = gatewaySrc.indexOf('// Telegraph publish (#579)', blockStart)
+    expect(blockStart).toBeGreaterThan(-1)
+    expect(telegraphIdx).toBeGreaterThan(blockStart)
+    const block = gatewaySrc.slice(blockStart, telegraphIdx)
+    // Strip comment lines so a prose "no await between" in a doc-comment does
+    // not trip the executable-await check.
+    const blockCode = block
+      .split('\n')
+      .filter((l) => {
+        const t = l.trim()
+        return !(t.startsWith('*') || t.startsWith('//') || t.startsWith('/*'))
+      })
+      .join('\n')
+    // Sanity: the single claimOrDowngradePing call is inside this window.
+    expect(blockCode).toMatch(/\.claimOrDowngradePing\(/)
+    expect(blockCode).not.toMatch(/\bawait\b/)
+    // The two-adjacent-line pair-set is intact.
+    expect(block).toMatch(
+      /turn\.firstPingAt = now\s*\n\s*turn\.firstPingWasSubstantive = replySubstantive/,
+    )
+  })
+})

package/telegram-plugin/tests/emission-determinism-wiring.test.ts

@@ -0,0 +1,177 @@
+/**
+ * Emission-determinism wiring — structural (source-read) assertions for the
+ * deterministic activity-card OPEN gating + reply-is-last ordering changes
+ * (design `docs/message-emission-determinism.md` §9 levers 1, 2, 5; #2556).
+ *
+ * The gateway IIFE can't be instantiated in-process, so these pin the
+ * load-bearing wiring by reading gateway.ts source — same pattern as
+ * activity-ever-opened-sticky.test.ts / feed-heartbeat-liveness-open.test.ts.
+ * The pure decision logic (mayOpenActivityCard) is exercised behaviourally in
+ * feed-open-gate.test.ts; this file guards that the gateway is wired to it.
+ */
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const gatewaySrc = readFileSync(
+  resolve(__dirname, '..', 'gateway', 'gateway.ts'),
+  'utf-8',
+)
+
+/** Source of `drainActivitySummary` up to the next top-level function. */
+function drainSrc(): string {
+  const after = gatewaySrc.split('async function drainActivitySummary(')[1] ?? ''
+  return after.split('\nasync function ')[0]?.split('\nfunction ')[0] ?? after
+}
+
+describe('sticky finalAnswerEverDelivered latch (lever 1 precondition / R0)', () => {
+  it('is initialised false in the turn object literal (per-turn reset at turn start)', () => {
+    expect(gatewaySrc).toMatch(/finalAnswerEverDelivered:\s*false/)
+  })
+
+  it('is reset to false in exactly ONE place — the turn initialiser (never cleared by reopen)', () => {
+    // Mirrors activityEverOpened's sticky-true contract: the only `false` is the
+    // per-turn init. A standalone `= false` reassignment would let reopen clear
+    // the latch and reintroduce the reorder (the R0 correction).
+    const initFalse = [...gatewaySrc.matchAll(/finalAnswerEverDelivered:\s*false/g)]
+    expect(initFalse).toHaveLength(1)
+    const resetFalse = [...gatewaySrc.matchAll(/finalAnswerEverDelivered\s*=\s*false/g)]
+    expect(resetFalse).toHaveLength(0)
+  })
+
+  it('feed-reopen-gate.ts resets only the MUTABLE flag, never the sticky latch (#2141 preserved)', () => {
+    const reopenSrc = readFileSync(
+      resolve(__dirname, '..', 'gateway', 'feed-reopen-gate.ts'),
+      'utf-8',
+    )
+    expect(reopenSrc).toMatch(/finalAnswerDelivered:\s*false/)
+    expect(reopenSrc).not.toMatch(/finalAnswerEverDelivered/)
+  })
+
+  it('every site that sets the sticky latch true gates on finalAnswerSubstantive', () => {
+    // The latch is set true only at the points that set finalAnswerDelivered=true,
+    // and only when the reply was substantive — so an ack never latches it.
+    const setTrue = [...gatewaySrc.matchAll(/finalAnswerEverDelivered\s*=\s*true/g)]
+    // executeReply, executeStreamReply, silent-anchor merge, + the two lever-2
+    // finalize blocks (which are themselves substantive-gated).
+    expect(setTrue.length).toBeGreaterThanOrEqual(3)
+    // Each `finalAnswerEverDelivered = true` must sit in a substantive context:
+    // either guarded by `if (turn.finalAnswerSubstantive)` or inside an
+    // `isSubstantiveFinalReply(...)` branch. Assert the substantive-gating
+    // token co-occurs (no bare unconditional latch set).
+    const bareUnconditional = [
+      ...gatewaySrc.matchAll(/\n\s*(?:turn|finalizeTurn)\.finalAnswerEverDelivered\s*=\s*true/g),
+    ]
+    for (const m of bareUnconditional) {
+      const idx = m.index ?? 0
+      const window = gatewaySrc.slice(Math.max(0, idx - 600), idx)
+      expect(
+        /finalAnswerSubstantive/.test(window) || /isSubstantiveFinalReply/.test(window),
+      ).toBe(true)
+    }
+  })
+})
+
+describe('drainActivitySummary OPEN gate (levers 1 + 5, heartbeat-covered)', () => {
+  it('consults mayOpenActivityCard in the OPEN branch (activityMessageId == null)', () => {
+    const src = drainSrc()
+    expect(src).toMatch(/mayOpenActivityCard\(/)
+    // The gate is keyed on the sticky latch + labeledToolCount + producer.
+    expect(src).toMatch(/finalAnswerEverDelivered:\s*turn\.finalAnswerEverDelivered/)
+    expect(src).toMatch(/labeledToolCount:\s*turn\.labeledToolCount/)
+    expect(src).toMatch(/producer/)
+  })
+
+  it('refusing an OPEN does NOT advance activityLastSentRender (break, not mark-sent)', () => {
+    // The gate check must `break` out of the drain loop when an OPEN is refused,
+    // BEFORE the activityLastSentRender = target write — otherwise the
+    // accumulated render is marked sent and a later OPEN-eligible producer
+    // (a tool label) skips it via the `pending !== lastSent` guard.
+    const src = drainSrc()
+    const gateIdx = src.indexOf('mayOpenActivityCard(')
+    const lastSentIdx = src.indexOf('activityLastSentRender = target')
+    expect(gateIdx).toBeGreaterThan(-1)
+    expect(lastSentIdx).toBeGreaterThan(-1)
+    expect(gateIdx).toBeLessThan(lastSentIdx)
+    // A `break` follows the gate check.
+    const afterGate = src.slice(gateIdx, lastSentIdx)
+    expect(afterGate).toMatch(/break/)
+  })
+
+  it('the gate only applies to the OPEN branch — guarded on activityMessageId == null', () => {
+    const src = drainSrc()
+    const gateIdx = src.indexOf('mayOpenActivityCard(')
+    const window = src.slice(Math.max(0, gateIdx - 200), gateIdx)
+    expect(window).toMatch(/activityMessageId == null/)
+  })
+})
+
+describe('drain producers — narrative may not OPEN, liveness + tool may', () => {
+  it('showNarrativeStep drains with producer "narrative" (lever 5 base case)', () => {
+    const after = gatewaySrc.split('function showNarrativeStep(')[1] ?? ''
+    const body = after.split('\nfunction ')[0] ?? after
+    expect(body).toMatch(/drainActivitySummary\(turn,\s*'narrative'\)/)
+  })
+
+  it('the liveness-open path drains with producer "liveness" (producer C preserved)', () => {
+    const after = gatewaySrc.split('function feedHeartbeatTick(')[1] ?? ''
+    const body = after.split('\nfunction ')[0] ?? after
+    expect(body).toMatch(/drainActivitySummary\(turn,\s*'liveness'\)/)
+  })
+
+  it('the tool_label path drains with producer "tool" (always OPEN-eligible)', () => {
+    expect(gatewaySrc).toMatch(/drainActivitySummary\(turn,\s*'tool'\)/)
+  })
+})
+
+describe('lever 2 — finalize the card BEFORE a substantive reply send', () => {
+  /** executeReply body up to executeStreamReply. */
+  function executeReplySrc(): string {
+    const after = gatewaySrc.split('async function executeReply(')[1] ?? ''
+    return after.split('async function executeStreamReply(')[0] ?? after
+  }
+  /** executeStreamReply body up to the next top-level function. */
+  function executeStreamReplySrc(): string {
+    const after = gatewaySrc.split('async function executeStreamReply(')[1] ?? ''
+    return after.split('\nasync function ')[0]?.split('\nfunction ')[0] ?? after
+  }
+
+  it('executeReply finalizes (clearActivitySummary) before the chunk loop, gated on substantive', () => {
+    const src = executeReplySrc()
+    const clearIdx = src.indexOf('clearActivitySummary(')
+    const loopIdx = src.indexOf('for (let i = 0; i < chunks.length')
+    expect(clearIdx).toBeGreaterThan(-1)
+    expect(loopIdx).toBeGreaterThan(-1)
+    expect(clearIdx).toBeLessThan(loopIdx)
+    // The finalize is substantive-gated (acks do nothing — R3/#2141).
+    const window = src.slice(Math.max(0, clearIdx - 500), clearIdx)
+    expect(window).toMatch(/isSubstantiveFinalReply/)
+  })
+
+  it('executeStreamReply finalizes before handleStreamReply, gated on substantive', () => {
+    const src = executeStreamReplySrc()
+    const clearIdx = src.indexOf('clearActivitySummary(')
+    const sendIdx = src.indexOf('const result = await handleStreamReply(')
+    expect(clearIdx).toBeGreaterThan(-1)
+    expect(sendIdx).toBeGreaterThan(-1)
+    expect(clearIdx).toBeLessThan(sendIdx)
+    // Window extended to 600 chars to account for the finalAnswerDeliveredAt stamp
+    // added inside the markSubstantiveFinalDelivered callback (Fix 2 / #2587).
+    const window = src.slice(Math.max(0, clearIdx - 600), clearIdx)
+    expect(window).toMatch(/isSubstantiveFinalReply/)
+  })
+
+  it('acks do NOT finalize early — no unconditional clearActivitySummary before the reply send', () => {
+    // Both lever-2 finalize sites sit inside an isSubstantiveFinalReply guard.
+    // An ack (non-substantive) falls through and never finalizes early, so the
+    // reopen path keeps owning the card (the #2141 ack-then-work feed).
+    const replySrc = (() => {
+      const after = gatewaySrc.split('async function executeReply(')[1] ?? ''
+      return after.split('async function executeStreamReply(')[0] ?? after
+    })()
+    // The pre-loop clearActivitySummary must be the substantive-gated one.
+    const preLoop = replySrc.split('for (let i = 0; i < chunks.length')[0] ?? ''
+    const clears = [...preLoop.matchAll(/clearActivitySummary\(/g)]
+    expect(clears).toHaveLength(1)
+  })
+})