fix(auth): retire rate_limit_until, unify on cachedQuota single truth

[icebear0828]

Summary

Eliminate the dual-source-of-truth between local rate_limit_until + status === "rate_limited" and cachedQuota.<bucket>.limit_reached that has been causing stale locks. The two signals drift apart whenever markStatus(_, "active") is called from refresh-scheduler / account-mutation (which never clear rate_limit_until), leaving accounts locally locked long after the upstream window has actually reset. Visible to users as "已限速 badge + 0% 已使用" contradiction; for free-plan accounts (7-day primary window), the orphan lock could persist for up to a week past the real reset.

cachedQuota is now the only signal. All "is this account exhausted" decisions flow through hasReachedCachedQuota (which already covers all 3 buckets — primary / secondary / code_review).

While auditing this we also pinned down the long-running "premature stream close" complaint: native rust transport now emits the full reqwest cause chain, which revealed upstream chatgpt.com hard-cuts HTTP/1.1 chunked encoding mid-chunk after ~120s of reasoning without output_text. Surface this distinctly so cross-account empty-response retry doesn't burn 3 accounts × 120s on a deterministic upstream cap.

Changes

Backend (src/auth/):

• Delete markRateLimited / clearRateLimit / markQuotaExhausted; add applyRateLimit429() that writes into cachedQuota.rate_limit.{limit_reached=true, reset_at} and never shrinks an existing reset_at (src/auth/account-registry.ts, src/auth/account-pool.ts).
• Drop "rate_limited" from AccountStatus enum; status is now pure rotation marker (src/auth/types.ts).
• refreshStatus loses its rate-limit clearing branch — resetExpiredQuotaWindow already auto-clears limit_reached when reset_at passes (src/auth/account-registry.ts).
• isAuthenticated + getPoolSummary consult hasReachedCachedQuota so an all-exhausted pool reports correctly.
• Export isQuotaExhausted(quota) helper (src/auth/quota-skip.ts).
• One-shot accounts.json migration in loadPersisted via migrateLegacyRateLimit — converts legacy status="rate_limited" + rate_limit_until to status="active" + synthesized cachedQuota.rate_limit only when the local lock is fresher than cachedQuota (src/auth/account-persistence.ts).

Routes / proxy plumbing:

• 429 handler routes through new method, no longer combines retry-after with cachedQuota inside the handler (logic moved to registry layer) (src/routes/shared/proxy-error-handler.ts).
• Success-path proactive marking uses the same helper (src/routes/shared/proxy-handler.ts).

Premature-close diagnostics (bonus, surfaced during the audit):

• UpstreamPrematureCloseError (src/translation/codex-event-extractor.ts); collectCodexResponse throws it when stream ends without response.completed/failed/error terminal event. proxy-handler returns 504 fail-fast instead of triggering empty-response cross-account retry (src/translation/codex-to-openai.ts).
• Native rust transport upgraded eprintln!("Stream error: {e}") to error_chain(&e) so hyper cause chains are visible in stderr (native/src/lib.rs).

Dashboard:

• New derivedStatus(account) + isQuotaExhausted(quota) helper (web/src/lib/accountStatus.ts).
• AccountCard, AccountList filter dropdown + counts, AccountTable, AccountManagement filter ladder all wired to render "rate_limited" badge based on cachedQuota — fixes the "已活跃 + 7d 已达上限" contradiction.

Tests:

• New tests/unit/auth/account-pool-rate-limit-429.test.ts (9 cases) covering primary-bucket write, never-shrink rule, hasReachedCachedQuota exclusion, status not mutated, request counting, auto-clear via resetExpiredQuotaWindow.
• New tests/unit/auth/account-persistence-migration.test.ts (7 cases) covering legacy-future-lock synthesis, fresh-cachedQuota-trust, stale-cachedQuota-overwrite, orphan-past-lock cleanup.
• Rewrote ~10 existing tests (account-pool-quota, account-pool-config-di, account-pool, account-pool-has-available, account-pool-sticky, account-routing, proxy-handler integration, quota-refresh e2e, secondary-quota stress, proxy-error-handler unit) to assert via applyRateLimit429 + isQuotaExhausted(account.quota) instead of the retired fields.

CHANGELOG [Unreleased] → Fixed entries cover both the dual-truth fix (with free-plan severity callout) and the premature-close 504 fail-fast.

Test Plan

• npm test — 1927 passed, 1 skipped, 0 failed (1 pre-existing flaky usage-stats history test confirmed unrelated via git stash baseline check)
• npx tsc --noEmit — clean
• npm run build — vite bundle + tsc both clean
• Migration smoke: backed up data/accounts.json to .bak-pre-refactor, restarted prod proxy, confirmed via curl /auth/accounts | jq that previously-locked miles.halloway had orphan rate_limit_until cleared and a1432350557 correctly reports secondary_rate_limit.limit_reached=true from cachedQuota
• Manual verification: derivedStatus returns "rate_limited" for the a1432350557-style account (status=active + secondary.limit_reached=true) — fixes Bug B
• npm run test:real not run this session (network-bound upstream test)

Notes

• accounts.json migration is one-way: the legacy field is dropped on next persist. Operators should keep a backup before rolling out. Rolling restart back to old build will see rate_limit_until: null and status="active" on previously-locked accounts (brief lock amnesia → handful of extra 429s, acceptable for a one-time migration).
• For free-plan users the bug was meaningfully worse than for plus (week-long orphan locks vs ~5h). Worth highlighting in release notes when this lands on stable.
• The 504 fail-fast for UpstreamPrematureCloseError is a new client-visible status code for a previously-502 condition. Codex CLI and Claude Code both treat 504 as retryable, so end-user behavior should improve (no longer burns 3 accounts before reporting).