switchroom 0.8.1 → 0.11.0

package/telegram-plugin/tests/boot-probes.test.ts

@@ -292,13 +292,16 @@ describe('probeQuota — #1163: /v1/messages headers path', () => {
     expect(result.detail).toContain('18% / 7d')
   })
 
-  it('surfaces auth rejection with login hint on 403', async () => {
+  it('surfaces auth rejection with the RFC-H replace-account hint on 403', async () => {
     const fakeFetch: typeof fetch = async () =>
       new Response(null, { status: 403 }) as Response
 
     const result = await probeQuota(claudeDir, agentDir, fakeFetch)
     expect(result.status).toBe('degraded')
-    expect(result.nextStep).toMatch(/switchroom auth login/)
+    // Post-RFC-H: per-agent `auth login` is retired. probeQuota emits the
+    // broker-aware "replace the account" hint pointing at `auth add ...
+    // --replace` instead. See telegram-plugin/gateway/boot-probes.ts.
+    expect(result.nextStep).toMatch(/switchroom auth add .*--from-oauth --replace/)
   })
 
   it('writing rate-limited result to cache produces a readable 30 s entry', () => {
@@ -893,42 +896,40 @@ describe('probeAccount — nextStep agent-name interpolation', () => {
     }
   })
 
-  it('not-signed-in hint interpolates agentName instead of <agent>', async () => {
+  it('not-signed-in hint points at RFC H fleet-wide auth verbs', async () => {
     tmpDir = setupAgentDir({})
-    const result = await probeAccount(tmpDir, { agentName: 'finn' })
+    const result = await probeAccount(tmpDir)
     expect(result.status).toBe('degraded')
     expect(result.detail).toBe('not signed in')
     expect(result.nextStep).toBeDefined()
-    expect(result.nextStep).toContain('switchroom auth login finn')
-    expect(result.nextStep).not.toContain('<agent>')
+    expect(result.nextStep).toContain('switchroom auth add')
+    expect(result.nextStep).toContain('--from-oauth')
+    expect(result.nextStep).toContain('switchroom auth use')
+    // RFC H: hint must not point at the retired per-agent `auth login` verb.
+    expect(result.nextStep).not.toContain('auth login')
   })
 
-  it('expired-token hint interpolates agentName', async () => {
+  it('expired-token hint points at broker auto-refresh + manual fallback', async () => {
     tmpDir = setupAgentDir(
       { oauthAccount: { emailAddress: 'me@example.com', billingType: 'max' } },
       { expiresAt: Date.now() - 86_400_000 }, // expired yesterday
     )
-    const result = await probeAccount(tmpDir, { agentName: 'klanker' })
+    const result = await probeAccount(tmpDir)
     expect(result.status).toBe('fail')
-    expect(result.nextStep).toContain('switchroom auth login klanker')
-    expect(result.nextStep).not.toContain('<agent>')
+    expect(result.nextStep).toContain('switchroom auth refresh')
+    expect(result.nextStep).toContain('--replace')
+    expect(result.nextStep).not.toContain('auth login')
   })
 
-  it('expiring-soon hint interpolates agentName', async () => {
+  it('expiring-soon hint points at broker auto-refresh window', async () => {
     tmpDir = setupAgentDir(
       { oauthAccount: { emailAddress: 'me@example.com', billingType: 'max' } },
       { expiresAt: Date.now() + 3 * 86_400_000 }, // 3 days left (< 7)
     )
-    const result = await probeAccount(tmpDir, { agentName: 'lawgpt' })
-    expect(result.status).toBe('degraded')
-    expect(result.nextStep).toContain('switchroom auth login lawgpt')
-    expect(result.nextStep).not.toContain('<agent>')
-  })
-
-  it('falls back to <agent> placeholder when no agentName provided (backwards-compat)', async () => {
-    tmpDir = setupAgentDir({})
     const result = await probeAccount(tmpDir)
-    expect(result.nextStep).toContain('<agent>')
+    expect(result.status).toBe('degraded')
+    expect(result.nextStep).toContain('switchroom auth refresh')
+    expect(result.nextStep).not.toContain('auth login')
   })
 })
 
@@ -1149,14 +1150,18 @@ describe('nextStep — agent systemd states', () => {
 })
 
 describe('nextStep — quota / hindsight / broker / kernel / scheduler', () => {
-  it('quota: no OAuth token → degraded with login hint', async () => {
+  it('quota: no OAuth token → degraded with RFC-H add+use hint', async () => {
     const dir = mkdtempSync(join(tmpdir(), 'quota-nextstep-'))
     const oldCachePath = process.env.SWITCHROOM_QUOTA_CACHE_PATH
     process.env.SWITCHROOM_QUOTA_CACHE_PATH = join(dir, 'cache.json')
     try {
       const r = await probeQuota(dir, dir, (async () => new Response('{}')) as unknown as typeof fetch)
       expect(r.status).toBe('degraded')
-      expect(r.nextStep).toMatch(/switchroom auth login/)
+      // Post-RFC-H: the no-token nextStep points at `auth add` (register a
+      // fleet account) + `auth use` (set fleet active), not the retired
+      // per-agent `auth login`. See telegram-plugin/gateway/boot-probes.ts.
+      expect(r.nextStep).toMatch(/switchroom auth add .*--from-oauth/)
+      expect(r.nextStep).toMatch(/switchroom auth use/)
     } finally {
       if (oldCachePath) process.env.SWITCHROOM_QUOTA_CACHE_PATH = oldCachePath
       else delete process.env.SWITCHROOM_QUOTA_CACHE_PATH

package/telegram-plugin/tests/fleet-fallback-gate.test.ts

@@ -0,0 +1,197 @@
+import { describe, expect, test } from "bun:test";
+import { createFleetFallbackGate } from "../fleet-fallback-gate.js";
+
+function fakeClock(start = 0) {
+  let now = start;
+  return {
+    nowFn: () => now,
+    advance(ms: number) { now += ms; },
+    set(ms: number) { now = ms; },
+  };
+}
+
+describe("createFleetFallbackGate — wouldFire honesty contract", () => {
+  test("fresh state: wouldFire is true", () => {
+    const gate = createFleetFallbackGate({ dedupMs: 30_000, nowFn: fakeClock().nowFn });
+    expect(gate.wouldFire()).toBe(true);
+  });
+
+  test("in-flight: wouldFire is false until action resolves", async () => {
+    const clock = fakeClock();
+    const gate = createFleetFallbackGate({ dedupMs: 30_000, nowFn: clock.nowFn });
+
+    let resolveAction: (b: boolean) => void = () => {};
+    const action = () => new Promise<boolean>((r) => { resolveAction = r; });
+
+    const firePromise = gate.fire(action);
+
+    expect(gate.wouldFire()).toBe(false);
+    expect(gate.inspect().inFlight).toBe(true);
+
+    resolveAction(true);
+    await firePromise;
+
+    // After fire stamps lastFiredAtMs, dedup window blocks until clock advances.
+    expect(gate.wouldFire()).toBe(false);
+    clock.advance(30_000);
+    expect(gate.wouldFire()).toBe(true);
+  });
+
+  test("post-fire dedup window blocks wouldFire", async () => {
+    const clock = fakeClock();
+    const gate = createFleetFallbackGate({ dedupMs: 30_000, nowFn: clock.nowFn });
+
+    await gate.fire(async () => true);
+    expect(gate.wouldFire()).toBe(false);
+
+    clock.advance(29_999);
+    expect(gate.wouldFire()).toBe(false);
+
+    clock.advance(1);
+    expect(gate.wouldFire()).toBe(true);
+  });
+
+  test("no-op fires (action returns false) DO NOT arm dedup window", async () => {
+    const clock = fakeClock();
+    const gate = createFleetFallbackGate({ dedupMs: 30_000, nowFn: clock.nowFn });
+
+    await gate.fire(async () => false);
+    // Window NOT armed — wouldFire should still be true immediately.
+    expect(gate.wouldFire()).toBe(true);
+    expect(gate.inspect().lastFiredAtMs).toBe(Number.NEGATIVE_INFINITY);
+  });
+
+  test("thrown action: dedup window NOT armed, gate releases in-flight", async () => {
+    const clock = fakeClock();
+    const gate = createFleetFallbackGate({ dedupMs: 30_000, nowFn: clock.nowFn });
+    const errors: unknown[] = [];
+
+    await gate.fire(async () => { throw new Error("broker exploded"); }, (e) => errors.push(e));
+
+    expect(gate.inspect().inFlight).toBe(false);
+    expect(gate.inspect().lastFiredAtMs).toBe(Number.NEGATIVE_INFINITY);
+    expect(gate.wouldFire()).toBe(true);
+    expect((errors[0] as Error).message).toBe("broker exploded");
+  });
+
+  test("no onError: thrown action still releases in-flight without crashing", async () => {
+    const gate = createFleetFallbackGate({ dedupMs: 30_000, nowFn: fakeClock().nowFn });
+
+    await gate.fire(async () => { throw new Error("silent"); });
+
+    expect(gate.inspect().inFlight).toBe(false);
+    expect(gate.wouldFire()).toBe(true);
+  });
+});
+
+describe("createFleetFallbackGate — fire semantics", () => {
+  test("collapses concurrent callers to one in-flight Promise", async () => {
+    const clock = fakeClock();
+    const gate = createFleetFallbackGate({ dedupMs: 30_000, nowFn: clock.nowFn });
+    let calls = 0;
+    let resolveAction: (b: boolean) => void = () => {};
+
+    const action = () => {
+      calls += 1;
+      return new Promise<boolean>((r) => { resolveAction = r; });
+    };
+
+    const p1 = gate.fire(action);
+    const p2 = gate.fire(action);
+    const p3 = gate.fire(action);
+
+    // Same in-flight promise returned to all three callers.
+    expect(p1).toBe(p2);
+    expect(p2).toBe(p3);
+    expect(calls).toBe(1);
+
+    resolveAction(true);
+    await Promise.all([p1, p2, p3]);
+    expect(calls).toBe(1);
+  });
+
+  test("fire during dedup window resolves immediately without invoking action", async () => {
+    const clock = fakeClock();
+    const gate = createFleetFallbackGate({ dedupMs: 30_000, nowFn: clock.nowFn });
+    let calls = 0;
+
+    await gate.fire(async () => { calls += 1; return true; });
+    expect(calls).toBe(1);
+
+    await gate.fire(async () => { calls += 1; return true; });
+    expect(calls).toBe(1);
+
+    clock.advance(30_000);
+
+    await gate.fire(async () => { calls += 1; return true; });
+    expect(calls).toBe(2);
+  });
+});
+
+describe("createFleetFallbackGate — broker reachability check", () => {
+  test("brokerReachable=false makes wouldFire return false even on fresh state", () => {
+    const gate = createFleetFallbackGate({
+      dedupMs: 30_000,
+      nowFn: fakeClock().nowFn,
+      brokerReachable: () => false,
+    });
+    expect(gate.wouldFire()).toBe(false);
+  });
+
+  test("brokerReachable=true gates as if no check provided", () => {
+    const gate = createFleetFallbackGate({
+      dedupMs: 30_000,
+      nowFn: fakeClock().nowFn,
+      brokerReachable: () => true,
+    });
+    expect(gate.wouldFire()).toBe(true);
+  });
+
+  test("brokerReachable=false makes fire() short-circuit without invoking action", async () => {
+    let calls = 0;
+    const gate = createFleetFallbackGate({
+      dedupMs: 30_000,
+      nowFn: fakeClock().nowFn,
+      brokerReachable: () => false,
+    });
+
+    await gate.fire(async () => { calls += 1; return true; });
+    expect(calls).toBe(0);
+    expect(gate.inspect().lastFiredAtMs).toBe(Number.NEGATIVE_INFINITY);
+  });
+
+  test("brokerReachable can flip from false to true between calls", async () => {
+    let reachable = false;
+    let calls = 0;
+    const gate = createFleetFallbackGate({
+      dedupMs: 30_000,
+      nowFn: fakeClock().nowFn,
+      brokerReachable: () => reachable,
+    });
+
+    expect(gate.wouldFire()).toBe(false);
+    await gate.fire(async () => { calls += 1; return true; });
+    expect(calls).toBe(0);
+
+    reachable = true;
+    expect(gate.wouldFire()).toBe(true);
+    await gate.fire(async () => { calls += 1; return true; });
+    expect(calls).toBe(1);
+  });
+});
+
+describe("createFleetFallbackGate — reset (test seam)", () => {
+  test("reset clears in-flight + lastFiredAtMs", async () => {
+    const clock = fakeClock();
+    const gate = createFleetFallbackGate({ dedupMs: 30_000, nowFn: clock.nowFn });
+
+    await gate.fire(async () => true);
+    expect(gate.inspect().lastFiredAtMs).toBeGreaterThan(Number.NEGATIVE_INFINITY);
+    expect(gate.wouldFire()).toBe(false);
+
+    gate.reset();
+    expect(gate.inspect().lastFiredAtMs).toBe(Number.NEGATIVE_INFINITY);
+    expect(gate.inspect().inFlight).toBe(false);
+    expect(gate.wouldFire()).toBe(true);
+  });
+});

package/telegram-plugin/tests/model-unavailable.test.ts

@@ -154,7 +154,7 @@ describe('formatModelUnavailableCard — actionable card', () => {
     return resetAt ? { kind, resetAt, raw: 'test' } : { kind, raw: 'test' }
   }
 
-  it('quota_exhausted with reset → snapshot-stable card', () => {
+  it('quota_exhausted with reset → snapshot-stable card (manual-action shape)', () => {
     const card = formatModelUnavailableCard(
       detection('quota_exhausted', new Date('2026-05-03T13:00:00Z')),
       'gymbro',
@@ -165,12 +165,30 @@ describe('formatModelUnavailableCard — actionable card', () => {
       Reason: quota exhausted (resets in 5h)
 
       <b>What to try</b>
-      • <code>/authfallback</code> — switch to the next account slot
+      • <code>/auth use &lt;label&gt;</code> — switch the fleet to a healthy account
       • <code>/auth add</code> — attach another subscription
       • <code>/usage</code> — show quota breakdown"
     `)
   })
 
+  it('autoFallbackInFlight=true → quiet variant (no manual command list)', () => {
+    // Regression for the "lying card" bug — when the gateway has
+    // already kicked off `fireFleetAutoFallback`, the card MUST NOT
+    // list manual commands the user shouldn't run. Otherwise the
+    // user manually types /auth use while a fleet swap is mid-flight,
+    // racing two writes through the broker.
+    const card = formatModelUnavailableCard(
+      detection('quota_exhausted', new Date('2026-05-03T13:00:00Z')),
+      'gymbro',
+      { now: NOW, autoFallbackInFlight: true },
+    )
+    expect(card).toContain('Auto-failover in progress')
+    expect(card).not.toContain('What to try')
+    expect(card).not.toContain('/auth use')
+    expect(card).not.toContain('/auth add')
+    expect(card).not.toContain('/authfallback')
+  })
+
   it('overload without reset omits the parenthetical', () => {
     const card = formatModelUnavailableCard(detection('overload'), 'clerk', { now: NOW })
     expect(card).toContain('Reason: model overloaded')
@@ -183,11 +201,14 @@ describe('formatModelUnavailableCard — actionable card', () => {
     expect(card).not.toContain('(resets')
   })
 
-  it('always includes the three actionable suggestions', () => {
+  it('default (no autoFallback) variant includes the actionable suggestions', () => {
     const card = formatModelUnavailableCard(detection('quota_exhausted'), 'gymbro', { now: NOW })
-    expect(card).toContain('<code>/authfallback</code>')
+    expect(card).toContain('<code>/auth use')
     expect(card).toContain('<code>/auth add</code>')
     expect(card).toContain('<code>/usage</code>')
+    // Regression — `/authfallback` is no longer a verb (post-RFC-H);
+    // pre-fix the card lied by suggesting it.
+    expect(card).not.toContain('/authfallback')
   })
 
   it('names the slot in the header when one is supplied', () => {
@@ -283,9 +304,13 @@ describe('integration — gateway suppresses raw stderr in favour of the card',
     // The actionable card replaces the raw verbatim error.
     expect(card).toContain('Model unavailable')
     expect(card).toContain('quota exhausted')
-    expect(card).toContain('/authfallback')
+    // Post-RFC-H: `/authfallback` is no longer a verb. The default
+    // (non-auto-fallback) card now points at `/auth use <label>` —
+    // the canonical fleet-wide swap.
+    expect(card).toContain('/auth use')
     expect(card).toContain('/auth add')
     expect(card).toContain('/usage')
+    expect(card).not.toContain('/authfallback')
 
     // And the raw stderr text never appears in the user-facing card.
     expect(card).not.toContain('out of extra usage')

package/telegram-plugin/tests/permission-title.test.ts

@@ -103,4 +103,35 @@ describe('summarizeToolForTitle (#186)', () => {
     const input = JSON.stringify({ skill: 'mail', name: 'wrong' })
     expect(summarizeToolForTitle('Skill', input)).toBe('Skill (mail)')
   })
+
+  test('MCP curated: agent-config tools render as human verb-phrases (#1215)', () => {
+    expect(summarizeToolForTitle('mcp__agent-config__skill_list', undefined)).toBe(
+      'List its own installed skills',
+    )
+    expect(summarizeToolForTitle('mcp__agent-config__cron_list', undefined)).toBe(
+      'List its own scheduled tasks',
+    )
+    expect(summarizeToolForTitle('mcp__agent-config__peers_list', undefined)).toBe(
+      'List the other agents on this instance',
+    )
+  })
+
+  test('MCP curated: hostd tools render as human verb-phrases (#1215)', () => {
+    expect(summarizeToolForTitle('mcp__hostd__agent_logs', undefined)).toBe(
+      "Read another agent's container logs",
+    )
+    expect(summarizeToolForTitle('mcp__hostd__agent_exec', undefined)).toBe(
+      'Run a read-only inspection inside another agent',
+    )
+  })
+
+  test('MCP fallback: unknown mcp tool renders as `<server>: <verb with spaces>`', () => {
+    expect(summarizeToolForTitle('mcp__some-server__do_thing', undefined)).toBe(
+      'some-server: do thing',
+    )
+  })
+
+  test('MCP malformed: bare mcp__ prefix without __<server>__<verb> shape is left alone', () => {
+    expect(summarizeToolForTitle('mcp__bad', undefined)).toBe('mcp__bad')
+  })
 })

package/telegram-plugin/tests/quota-check.test.ts

@@ -380,41 +380,11 @@ describe('fetchAccountQuota — cache + token resolution', () => {
     }
   })
 
-  it('persists the snapshot under the supplied home, not the real homedir (issue #708 regression)', async () => {
-    const home = makeAccountHome({
-      'work@example.com': { accessToken: 'tok' },
-    })
-    const fakeFetch = async () =>
-      new Response('{}', {
-        status: 200,
-        headers: {
-          'anthropic-ratelimit-unified-5h-utilization': '0.42',
-          'anthropic-ratelimit-unified-7d-utilization': '0.17',
-        },
-      })
-    try {
-      const r = await fetchAccountQuota('work@example.com', {
-        home,
-        fetchImpl: fakeFetch as typeof fetch,
-      })
-      expect(r.ok).toBe(true)
-      const snapPath = join(
-        home,
-        '.switchroom',
-        'accounts',
-        'work@example.com',
-        'quota.json',
-      )
-      // The bug: writeAccountQuota was called without opts.home, so the
-      // snapshot landed under the real $HOME instead of the test home.
-      expect(existsSync(snapPath)).toBe(true)
-      const snap = JSON.parse(readFileSync(snapPath, 'utf-8'))
-      expect(snap.fiveHourPct).toBeCloseTo(42, 0)
-      expect(snap.sevenDayPct).toBeCloseTo(17, 0)
-    } finally {
-      rmSync(home, { recursive: true, force: true })
-    }
-  })
+  // Removed in RFC H: per-account quota.json disk persistence is gone.
+  // switchroom-auth-broker holds canonical quota state and exposes it
+  // via list-state; the gateway's in-process cache is enough between
+  // restarts (and the broker survives gateway restarts, so the state
+  // is preserved at the broker side anyway).
 })
 
 describe('getCachedAccountQuota + prefetchAccountQuotaIfStale', () => {