feat(proxy): credential pool auto-failover + approval-prompt coalescing (#43)

* feat(channel): coalesce duplicate approval prompts by dest:port

* wip(proxy): checkpoint persist-once + store work before respawn

* test(proxy): assert concurrent same-target asks coalesce to one prompt

* feat(store): add credential pool + health schema and store API

Migration 000006 adds credential_pools, credential_pool_members and
credential_health tables. Store API: CreatePoolWithMembers (atomic;
namespace mutual-exclusion + oauth-member validation in one tx), GetPool,
ListPools, RemovePool, PoolExists, PoolsForMember, and
Set/Get/ListCredentialHealth. Covered by CRUD/ordering/validation tests
and an up/down migration reversibility test.

* feat(vault): add PoolResolver pool->active-member chokepoint

PoolResolver is the single place a bound pool name expands to a concrete
credential. IsPool/ResolveActive (first healthy or expired-cooldown member
in position order; degrade to soonest-recovering when all down) and
MarkCooldown for Phase 2 synchronous in-memory failover. Locking
discipline documented: membership immutable per instance (atomic-pointer
swap on reload), health mutated in place under an RWMutex. RateLimit
(60s) and AuthFail (300s) cooldown TTL consts. Nil-safe.

* feat(cli): add pool subcommands and credential/pool namespace guards

sluice pool create|list|status|rotate|remove. status computes the active
member via the same PoolResolver logic the proxy uses so it never
disagrees with what gets injected; rotate parks the active member
(lazy-recovery cooldown) so the next member takes over. cred add rejects
a name colliding with an existing pool; cred remove is blocked (before
the vault delete) when the credential is a live pool member, so no
dangling member rows or destroyed secrets.

* feat(proxy): wire PoolResolver into server, addon and reloadAll

Server gains an atomic PoolResolver pointer (parallel to the binding
resolver), StorePool/PoolResolverPtr, and threads it into SluiceAddon via
WithPoolResolver. addon.resolvePoolMember is the chokepoint helper
(non-pool names passthrough). main.go registers the pool subcommand,
loads the resolver at startup, and rebuilds+atomically swaps it in
reloadAll alongside the binding/oauth reloads. Injection does not consult
it yet (Phase 1).

* feat(mcp): opt MCP tool calls out of approval coalescing

* wip(telegram): checkpoint final-count edit before respawn

* fix(telegram): use coalesced-count label in resolve edit body

* docs(plans): convert tasks/phases to exec checkboxes; mark completed work

* feat(channel): re-confirm broker coalescing tests green

* feat(store): idempotent approval-rule persist

* test(proxy): confirm full suite green after coalescing merge

* feat(telegram): render coalesced count on resolve and cancel edits

* docs(plans): complete approval-coalescing; move to completed

* test(store): confirm credential-pool Phase 0 green post-merge

* feat(proxy): pool phantom indirection + R1 attribution + R3 stable JWT

* feat(proxy): auto-failover on 429/401 for credential pools

* docs(plans): complete credential-pool-failover; move to completed

* fix(proxy): address comprehensive review findings

* fix(proxy): correct token-endpoint failover member attribution + harden cooldown durability

* style: satisfy golangci-lint (errorlint, QF1002, unparam)

* test(e2e): pool failover + approval coalescing end-to-end

* fix(proxy): address Copilot review (per-request failover attribution, JWT payload marshaling, coalesced-count accuracy, single-pool membership)

* fix: address Copilot re-review (failover callback registration, cred-remove fail-closed, CLAUDE.md accuracy)

* fix(proxy): split-host pool OAuth refresh attribution + protocol-aware failover lookup

* fix(proxy): classify token-endpoint 403 invalid_grant as auth-failure; audit detected protocol

* fix(vault): monotonic cooldown (in-memory + durable); doc pool phantom shapes

* fix(proxy): fail-closed unattributed pooled refresh; broker resolve/detach race; scope pool failover fallback to pooled requests

* fix(cli): reject pool removal while bindings still reference the pool

* fix(store): enforce namespace + pool-member + health-row invariants at store layer; engine-aware persist fast-path

* fix(proxy): pool-namespace covered-set; shared-health prune for non-members; store-gated vault delete on cred remove

* fix(store): guard CAS credential-rollback for pool members + health cleanup; fix e2e coalesce deadlock-on-failure

* fix(store): RemovePool health cleanup; reject live-pool-member meta downgrade; CAS-aware health delete

* fix(proxy): API-host failover requires per-flow pool-usage evidence (non-consuming peek, no blind fallback)

* fix(cred): validate vault before store removal; cap coalesced subscribers; CLAUDE.md attribution accuracy

* fix(store): failover health write no-ops for non-pool-member (atomic; no health-row resurrection)

* fix: guard pool-rotate health write; atomic REST cred removal; gate MarkCooldown to current member set

* fix(proxy): free flow tag after Response; tag token-host flow only on actual pool-phantom swap

* fix: RemoveCredentialFully cleans health on partial-cleanup finish; exclude 5xx from token-endpoint failover classification

* fix: pool+epoch-scoped health guards; CancelAll lost-wakeup; pooled-JWT phantom swap in query/path

* fix(proxy): plain-cred refresh attribution on shared token URL; pool-aware QUIC injection

* fix: R3-stable QUIC pool phantom; pool+epoch in refresh attribution; atomic RemovePoolIfUnreferenced; REST cred-remove missing-secret tolerant

* fix(store): binding creation requires live credential or pool; CLAUDE.md QUIC R3 accuracy

* test(telegram): deterministically sync cancel-edit assertion (deflake TestCancelApprovalRendersCoalescedCount)

* fix: Telegram cred_meta on all adds; QUIC R3 comments; typed 409-vs-500 for RemoveCredentialFully

* fix(telegram): roll back vault secret if cred-add metadata/binding fails; completed-plan R3 doc accuracy

* fix(telegram): roll back credential_meta (CAS) as well as vault on env-var binding failure

Author: nnemirovsky

CLAUDE.md

@@ -286,6 +286,31 @@ github_pat       static  api.github.com
 
 **Supported response formats:** Both `application/json` and `application/x-www-form-urlencoded` token responses per RFC 6749.
 
+## Credential Pools
+
+A credential pool lets a single phantom identity the agent sees be backed by **N real OAuth credentials**, with sluice auto-failing-over to the next member when the upstream rejects the active one. Primary use case: two OpenAI Codex OAuth accounts driven by one agent, so quota exhaustion on one account transparently rolls onto the other. The agent always holds one pool-scoped phantom pair, byte-stable across member switches: the **access** phantom is a synthetic pool-stable JWT (HS256, `sub: sluice-pool:<name>`, `iss: sluice-phantom`, far-future `exp`) that is byte-identical for a given pool regardless of which member is active, so a cross-member failover never changes the access token the agent holds; the **refresh** phantom is the static string `SLUICE_PHANTOM:<pool>.refresh`. Sluice maps the pair to the currently active member's real token at injection time and persists refreshed tokens back to the member that issued them.
+
+```bash
+sluice pool create <name> --members credA,credB[,credC] [--strategy failover]
+sluice pool list
+sluice pool status <name>
+sluice pool rotate <name>     # operator override: force next member
+sluice pool remove <name>
+```
+
+Members are existing OAuth credentials (static credentials are rejected). Member order is the failover order.
+
+**Auto-failover behavior:**
+
+- HTTP 429, or 403 with a quota-exhaustion body -> the active member is rate-limited; cooled down for **60s**.
+- HTTP 401, or a token-endpoint body of `invalid_grant` / `invalid_token` -> the active member's token is rejected; cooled down for **300s**.
+- 2xx, 5xx, and any other status -> no-op (a server-side error is not evidence the account is exhausted).
+- The active-member switch is **synchronous**: the cooldown is recorded in memory before the response returns, so the very next request injects the next member. The durable store write only reconciles for restarts.
+- **No in-flight retry**: the triggering request still returns its own upstream error to the agent; the agent's own retry resolves to the freshly-activated next member.
+- Every failover emits a `cred_failover` audit event (`Reason = "<pool>:<from>-><to>:<tag>"`) and a best-effort Telegram notice.
+
+The phantom access token is **byte-identical across a member switch** (pooled OAuth credentials use a pool-keyed synthetic JWT resign), so the agent never observes the rollover.
+
 ## Approval Channels
 
 Sluice broadcasts "ask" verdicts to all configured approval channels. The first channel to respond wins. Other channels get a cancellation notice.

README.md

@@ -27,6 +27,16 @@ func setupBindingDB(t *testing.T) string {
 	if err != nil {
 		t.Fatalf("create test DB: %v", err)
 	}
+	// Seed the credentials these tests bind to. AddBinding /
+	// AddRuleAndBinding now require the referenced credential (or pool) to
+	// exist, mirroring the real flow where "sluice cred add" creates the
+	// credential before "sluice binding add" binds to it. Without this, the
+	// binding-CLI tests would be exercising an impossible state.
+	for _, c := range []string{"mycred", "cred_a", "cred_b"} {
+		if err := db.AddCredentialMeta(c, "static", ""); err != nil {
+			t.Fatalf("seed credential meta %q: %v", c, err)
+		}
+	}
 	_ = db.Close()
 	return dbPath
 }

cmd/sluice/binding_test.go

@@ -227,6 +227,15 @@ func handleCredAdd(args []string) error {
 	}
 	defer func() { _ = db.Close() }()
 
+	// Namespace mutual-exclusion: a credential must not shadow a pool. Pool
+	// and credential names share one namespace so a bound destination
+	// resolves unambiguously to either a pool or a plain credential.
+	if exists, perr := db.PoolExists(name); perr != nil {
+		return fmt.Errorf("check pool name collision: %w", perr)
+	} else if exists {
+		return fmt.Errorf("name %q is already a credential pool; pool and credential names share one namespace", name)
+	}
+
 	// Inputs validated and DB is open. Now persist the credential.
 	vs, err := openVaultStore(*dbPath)
 	if err != nil {
@@ -553,13 +562,85 @@ func handleCredRemove(args []string) error {
 	}
 	name := fs.Arg(0)
 
+	// Removal order (Finding 1, round-13 + Finding 3, round-9):
+	//
+	//  1. Open/validate the vault store FIRST (no delete yet -- just
+	//     confirm it opens). If the configured backend cannot be opened
+	//     (e.g. a non-age provider unsupported by the CLI), abort BEFORE
+	//     any metadata is removed. Doing the store removal first and then
+	//     discovering the vault is unopenable would leave credential_meta
+	//     gone while the vault secret + bindings/rules are orphaned.
+	//
+	//  2. Run the store-layer pool-membership gate (RemoveCredentialMeta).
+	//     This is the atomic, fail-closed guard: it refuses inside its own
+	//     transaction if the credential is still a live pool member,
+	//     closing the TOCTOU window where a separate pre-check passes and a
+	//     concurrent caller then creates a pool with this credential before
+	//     the vault secret is deleted.
+	//
+	//  3. Only call vs.Remove AFTER that gate succeeds. If the gate
+	//     refuses, the vault secret is left untouched and no window exists
+	//     where the secret is gone but credential_pool_members still
+	//     references it.
+	//
+	// (1) precedes (2) so an unopenable vault aborts before any metadata is
+	// removed; (2) still precedes (3) so the store gate always runs before
+	// the actual secret delete.
 	vs, err := openVaultStore(*dbPath)
 	if err != nil {
 		return err
 	}
 
-	// Remove from vault. If already gone (previous partial cleanup),
-	// continue to DB cleanup so stale rules/bindings can be removed.
+	// Only consult/mutate the DB if it already exists (do not create it as
+	// a side effect of a removal).
+	dbExists := false
+	if _, statErr := os.Stat(*dbPath); statErr == nil {
+		dbExists = true
+	} else if !os.IsNotExist(statErr) {
+		return fmt.Errorf("access database %q for credential removal of %q (refusing to remove; a pool member may otherwise be orphaned): %w", *dbPath, name, statErr)
+	}
+
+	var db *store.Store
+	if dbExists {
+		var derr error
+		db, derr = store.New(*dbPath)
+		if derr != nil {
+			// Fail closed: the DB exists but cannot be opened, so the
+			// pool-membership gate cannot run. Proceeding to delete the
+			// vault secret would orphan any credential_pool_members row
+			// pointing at this now-missing credential -- exactly what the
+			// gate prevents. Refuse the removal instead.
+			return fmt.Errorf("open database %q to check pool membership for %q (refusing to remove; a pool member may otherwise be orphaned): %w", *dbPath, name, derr)
+		}
+		defer func() { _ = db.Close() }()
+
+		// GATE + atomic store cleanup (Finding 2, round-15). This MUST run
+		// before the vault delete. RemoveCredentialFully runs the
+		// fail-closed pool-member guard AND deletes credential_meta,
+		// credential_health, all bindings on the credential, and all
+		// auto-created rules in ONE transaction. If the credential is still
+		// a live pool member (or any store delete fails) it returns an
+		// error with NOTHING removed and the vault secret below is never
+		// touched — no partially-deleted-credential window.
+		metaDeleted, rmBindings, rmRules, rmErr := db.RemoveCredentialFully(name)
+		if rmErr != nil {
+			return fmt.Errorf("remove credential store state for %q (refusing to delete the vault secret so the credential is not partially deleted): %w", name, rmErr)
+		}
+		if metaDeleted {
+			fmt.Printf("removed credential metadata for %q\n", name)
+		}
+		if rmRules > 0 {
+			fmt.Printf("removed %d auto-created rule(s) for credential %q\n", rmRules, name)
+		}
+		if rmBindings > 0 {
+			fmt.Printf("removed %d binding(s) for %q\n", rmBindings, name)
+		}
+	}
+
+	// Store removal already succeeded (or the DB does not exist). Now it is
+	// safe to delete the vault secret. If already gone (previous partial
+	// cleanup), continue to DB cleanup so stale rules/bindings can be
+	// removed.
 	if err := vs.Remove(name); err != nil {
 		if !os.IsNotExist(err) {
 			return fmt.Errorf("remove: %w", err)
@@ -569,57 +650,9 @@ func handleCredRemove(args []string) error {
 		fmt.Printf("credential %q removed\n", name)
 	}
 
-	// Clean up associated bindings and auto-created rules. Only open the
-	// store if the DB file exists to avoid creating it as a side effect of
-	// a credential removal.
-	if _, statErr := os.Stat(*dbPath); statErr != nil {
-		if !os.IsNotExist(statErr) {
-			log.Printf("warning: cannot access database %q for cleanup: %v (stale rules/bindings may remain)", *dbPath, statErr)
-		}
-		return nil
-	}
-
-	db, err := store.New(*dbPath)
-	if err != nil {
-		log.Printf("warning: could not open database %q for cleanup: %v (stale rules/bindings may remain)", *dbPath, err)
-		return nil
-	}
-	defer func() { _ = db.Close() }()
-
-	// Remove rules tagged either by "sluice cred add --destination"
-	// (cred-add:<name>) or by "sluice binding add" (binding-add:<name>).
-	// Both paths may have produced rules associated with this credential,
-	// and failing to clean up either set leaves orphan allow rules in
-	// the store.
-	var total int64
-	for _, src := range []string{
-		store.CredAddSourcePrefix + name,
-		store.BindingAddSourcePrefix + name,
-	} {
-		n, rmErr := db.RemoveRulesBySource(src)
-		if rmErr != nil {
-			log.Printf("warning: failed to remove rules with source %q for credential %q: %v", src, name, rmErr)
-			continue
-		}
-		total += n
-	}
-	if total > 0 {
-		fmt.Printf("removed %d auto-created rule(s) for credential %q\n", total, name)
-	}
-	removed, rmBindErr := db.RemoveBindingsByCredential(name)
-	if rmBindErr != nil {
-		log.Printf("warning: failed to remove bindings for %q: %v", name, rmBindErr)
-	} else if removed > 0 {
-		fmt.Printf("removed %d binding(s) for %q\n", removed, name)
-	}
-
-	// Remove credential metadata (type, token_url).
-	metaDeleted, rmMetaErr := db.RemoveCredentialMeta(name)
-	if rmMetaErr != nil {
-		log.Printf("warning: failed to remove credential meta for %q: %v", name, rmMetaErr)
-	} else if metaDeleted {
-		fmt.Printf("removed credential metadata for %q\n", name)
-	}
+	// Bindings and auto-created rules were already removed atomically with
+	// credential_meta + health by RemoveCredentialFully above, before the
+	// vault secret was deleted. Nothing left to clean up here.
 	return nil
 }