@@ -152,15 +152,22 @@ async function resolveRecipients(
152152 * Send a usage-limit threshold email (80% warning / 100% reached) for a
153153 * non-credit category, edge-triggered on the mutation that changed usage.
154154 *
155- * Dedup + re-arm: the highest threshold already emailed is persisted per
156- * category on `user_stats` / `organization`. The send is gated on an atomic
157- * {@link claimThreshold}, so a threshold emails exactly once per crossing even
158- * under concurrent calls; it re-arms once usage drops below {@link REARM_BELOW}.
159- * Best-effort — callers fire-and-forget; failures never block the mutation.
155+ * Flow: bail when billing is off or the limit is non-positive; re-arm the
156+ * persisted threshold when current usage is back in the low band; then (for
157+ * increases) resolve eligible recipients and atomically claim the threshold
158+ * before sending. Re-arm and claim are mutually exclusive per call — re-arm only
159+ * fires when `desired === 0` — so the dedup stays a single atomic
160+ * {@link claimThreshold} with no re-arm/claim interleaving race. Recipients are
161+ * resolved with opt-outs applied BEFORE the claim, so an opted-out recipient
162+ * never burns the threshold (which would suppress a later email once
163+ * notifications are re-enabled). Per-recipient send failures are isolated.
160164 *
161- * Mirrors the credits path in `maybeSendUsageThresholdEmail`: skips when billing
162- * is disabled, respects the per-user notifications toggle and unsubscribe
163- * preferences, and emails org admins for organization-scoped limits.
165+ * The highest threshold already emailed is persisted per category on
166+ * `user_stats` / `organization`; it re-arms once usage drops below
167+ * {@link REARM_BELOW}. Best-effort — callers fire-and-forget; failures never
168+ * block the mutation. Mirrors the credits path in `maybeSendUsageThresholdEmail`:
169+ * respects the per-user notifications toggle and unsubscribe preferences, and
170+ * emails org admins for organization-scoped limits.
164171 */
165172export async function maybeSendLimitThresholdEmail ( params : {
166173 category : LimitCategory
@@ -185,8 +192,6 @@ export async function maybeSendLimitThresholdEmail(params: {
185192} ) : Promise < void > {
186193 try {
187194 if ( ! isBillingEnabled ) return
188- // A non-positive limit can't yield a percentage; a zero/negative `currentUsage`
189- // still needs to re-arm below, so it is handled by the `desired === 0` return.
190195 if ( params . limit <= 0 ) return
191196
192197 const { category, scope } = params
@@ -196,20 +201,12 @@ export async function maybeSendLimitThresholdEmail(params: {
196201 const stateId = scope === 'user' ? params . userId : params . organizationId
197202 if ( ! stateId ) return
198203
199- // Re-arm when current usage is back in the low band, so a fresh climb re-notifies.
200- // Re-arm and claim are mutually exclusive (re-arm only when desired === 0), which
201- // keeps the dedup a single atomic claim with no re-arm/claim interleaving race.
202204 if ( percent < REARM_BELOW ) {
203205 await rearmThreshold ( scope , stateId , category )
204206 }
205207
206- // Usage-decrease callers re-arm only — a drop is never a fresh crossing to email.
207208 if ( params . rearmOnly || desired === 0 ) return
208209
209- // Resolve eligible recipients (opt-outs filtered) BEFORE claiming, so the
210- // dedup state only advances when an email will actually be sent — otherwise
211- // an opted-out recipient would silently burn the threshold and suppress a
212- // later email after notifications are re-enabled.
213210 const recipients = await resolveRecipients ( scope , params )
214211 if ( recipients . length === 0 ) return
215212
@@ -221,7 +218,6 @@ export async function maybeSendLimitThresholdEmail(params: {
221218
222219 let sent = 0
223220 for ( const r of recipients ) {
224- // Isolate per-recipient failures so one bad send doesn't skip the rest.
225221 try {
226222 const html = await renderLimitThresholdEmail ( {
227223 kind,
0 commit comments