npm - @karpeleslab/teamclaude - Versions diffs - 1.0.4 → 1.0.6 - Mend

@karpeleslab/teamclaude 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -10,8 +10,9 @@ Sits transparently between Claude Code and the Anthropic API, managing multiple
 - **Automatic account rotation** — switches to the next account when session (5h) or weekly (7d) quota reaches the configured threshold (default 98%)
 - **Auto-retry on 429** — if an account is rate-limited, transparently retries with the next one
-- **Interactive TUI** — real-time dashboard with quota bars, activity log, and keyboard controls
-- **OAuth token refresh** — proactively refreshes expiring tokens and persists them to config
+- **Interactive TUI** — real-time dashboard with color-coded quota bars showing reset countdowns, activity log, and keyboard controls
+- **OAuth token refresh** — proactively refreshes expiring tokens, intercepts client token renewals, and persists them to config
+- **Hot-reload accounts** — add accounts via `import` or `login` while the server is running, press **R** to pick them up
 - **Request logging** — optional full request/response logging for debugging
 - **Zero dependencies** — uses only Node.js built-in modules
@@ -23,12 +24,11 @@ Requires Node.js 18+.
 # Install
 npm install -g @karpeleslab/teamclaude
-# Import your current Claude Code credentials
-teamclaude import
+# Add your first account (opens browser for OAuth)
+teamclaude login
-# Import a second account (log into it in Claude Code first, then import)
-# claude /login
-# teamclaude import
+# Add a second account
+teamclaude login
 # Start the proxy
 teamclaude server
@@ -37,27 +37,37 @@ teamclaude server
 teamclaude run
 ```
+You can also import existing Claude Code credentials instead of logging in:
+```bash
+claude /login           # Log into an account in Claude Code
+teamclaude import       # Import its credentials
+```
 ## Adding Accounts
-### Import from Claude Code (recommended)
+### OAuth Login (recommended)
-The easiest way to add accounts. Log into each account in Claude Code, then import:
+The easiest way to add accounts — opens your browser for authentication:
 ```bash
-# Log into your first account in Claude Code
-claude /login
+teamclaude login
+```
+Uses the same OAuth flow as Claude Code. Auto-detects the account email and subscription tier. Logging in with the same account again updates its credentials.
-# Import it
-teamclaude import
+You can add accounts while the server is running — press **R** in the TUI to reload.
-# Switch to another account in Claude Code
-claude /login
+### Import from Claude Code
-# Import that one too
-teamclaude import
+If you already have Claude Code set up, you can import its credentials directly:
+```bash
+claude /login           # Log into an account in Claude Code
+teamclaude import       # Import its credentials
 ```
-Each import auto-detects the account email and subscription tier. Re-importing the same account updates its credentials.
+Re-importing the same account updates its credentials.
 ### API Key
@@ -67,16 +77,6 @@ For Anthropic API key accounts (billed via Console):
 teamclaude login --api
 ```
-### OAuth Login (experimental)
-Direct browser-based OAuth login without needing Claude Code:
-```bash
-teamclaude login
-```
-> **Note:** OAuth login is currently experimental. Tokens obtained this way may not work for proxying `/v1/messages` requests. Use `teamclaude import` as the reliable method.
 ## Usage
 ### Start the proxy server
@@ -88,7 +88,7 @@ teamclaude server
 When running from a TTY, shows an interactive TUI with:
 - Account table with session/weekly quota progress bars
 - Real-time activity log with request tracking
-- Keyboard shortcuts: **s**witch, **a**dd, **r**emove, **q**uit
+- Keyboard shortcuts: **s**witch, **a**dd, **r**emove, **R**eload, **q**uit
 Falls back to plain log output when not a TTY (e.g. running as a service).

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@karpeleslab/teamclaude",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "Multi-account Claude proxy with automatic quota-based rotation",
   "type": "module",
   "main": "src/index.js",

package/src/account-manager.js CHANGED Viewed

@@ -252,7 +252,11 @@ export class AccountManager {
         this._onTokenRefresh?.(accountIndex, newTokens);
       } catch (err) {
         console.error(`[TeamClaude] Token refresh failed for "${account.name}": ${err.message}`);
-        account.status = 'error';
+        // Only mark as error if the access token is actually expired;
+        // a failed proactive refresh shouldn't kill a still-valid token
+        if (!account.expiresAt || Date.now() >= account.expiresAt) {
+          account.status = 'error';
+        }
       } finally {
         account._refreshPromise = null;
       }

package/src/index.js CHANGED Viewed

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
-import { spawn } from 'node:child_process';
+import { spawnSync } from 'node:child_process';
 import { createInterface } from 'node:readline';
 import { loadOrCreateConfig, loadConfig, saveConfig, atomicConfigUpdate, getConfigPath } from './config.js';
 import { AccountManager } from './account-manager.js';
 import { createProxyServer } from './server.js';
-import { importCredentials, loginOAuth, fetchProfile } from './oauth.js';
+import { importCredentials, loginOAuth, fetchProfile, refreshAccessToken, isTokenExpiringSoon } from './oauth.js';
 import { TUI } from './tui.js';
 const args = process.argv.slice(2);
@@ -15,29 +15,36 @@ switch (command) {
   case 'server':
     await serverCommand();
     break;
+  case 'run':
+    await runCommand();
+    break;
   case 'import':
     await importCommand();
+    process.exit(0);
     break;
   case 'login':
     await loginCommand();
+    process.exit(0);
     break;
   case 'env':
     await envCommand();
-    break;
-  case 'run':
-    await runCommand();
+    process.exit(0);
     break;
   case 'status':
     await statusCommand();
+    process.exit(0);
     break;
   case 'accounts':
     await accountsCommand();
+    process.exit(0);
     break;
   case 'remove':
     await removeCommand();
+    process.exit(0);
     break;
   case 'api':
     await apiCommand();
+    process.exit(0);
     break;
   case 'help':
   case '--help':
@@ -87,8 +94,23 @@ async function serverCommand() {
   accountManager.onTokenRefresh((idx, newTokens) => {
     const account = accountManager.accounts[idx];
     if (!account) return;
+    // Keep config.accounts in sync so TUI saveConfig doesn't clobber fresh tokens
+    if (config.accounts[idx]) {
+      config.accounts[idx].accessToken = newTokens.accessToken;
+      config.accounts[idx].refreshToken = newTokens.refreshToken;
+      config.accounts[idx].expiresAt = newTokens.expiresAt;
+    }
     atomicConfigUpdate(diskConfig => {
-      syncNewAccountsFromDisk(diskConfig, config, accountManager);
+      // Pick up any new accounts from disk so index matching stays correct
+      // (only add, don't refresh credentials — we're about to write the authoritative tokens)
+      for (const diskAcct of diskConfig.accounts) {
+        const known = (diskAcct.accountUuid && config.accounts.some(a => a.accountUuid === diskAcct.accountUuid))
+          || config.accounts.some(a => a.name === diskAcct.name);
+        if (!known) {
+          config.accounts.push(diskAcct);
+          accountManager.addAccount(diskAcct);
+        }
+      }
       // Match by UUID first, then by name — index may have shifted
       const cfgIdx = findConfigAccount(diskConfig, account);
       if (cfgIdx >= 0) {
@@ -107,22 +129,28 @@ async function serverCommand() {
   if (useTUI) {
     tui = new TUI({
       accountManager, config,
-      saveConfig: () => atomicConfigUpdate(diskConfig => {
-        syncNewAccountsFromDisk(diskConfig, config, accountManager);
-        // Write in-memory accounts back, preserving extra disk-only fields
-        diskConfig.accounts = config.accounts.map(a => {
+      saveConfig: () => atomicConfigUpdate(async diskConfig => {
+        // Write in-memory accounts as the authoritative state, preserving
+        // extra disk-only fields (e.g. importFrom) where the account still exists.
+        // Use live tokens from AccountManager (not the stale config.accounts copy).
+        diskConfig.accounts = config.accounts.map((a, i) => {
+          const am = accountManager.accounts[i];
+          const live = am ? {
+            ...a,
+            accessToken: am.credential,
+            refreshToken: am.refreshToken,
+            expiresAt: am.expiresAt,
+          } : a;
           const diskAcct = diskConfig.accounts.find(
             d => (a.accountUuid && d.accountUuid === a.accountUuid) || d.name === a.name
           );
-          return diskAcct ? { ...diskAcct, ...a } : a;
+          return diskAcct ? { ...diskAcct, ...live } : live;
         });
       }),
       syncAccounts: async () => {
         const diskConfig = await loadConfig();
         if (!diskConfig) return 0;
-        const before = accountManager.accounts.length;
-        syncNewAccountsFromDisk(diskConfig, config, accountManager);
-        return accountManager.accounts.length - before;
+        return syncAccountsFromDisk(diskConfig, config, accountManager);
       },
       onQuit: () => { server.close(() => process.exit(0)); },
     });
@@ -292,7 +320,8 @@ async function runCommand() {
   // Only set ANTHROPIC_BASE_URL — Claude Code keeps its own OAuth token
   // which the proxy accepts from localhost. Not setting ANTHROPIC_API_KEY
   // lets Claude Code stay in subscription mode (full model access).
-  const child = spawn('claude', claudeArgs, {
+  // Use spawnSync so the Node process blocks entirely — behaves like execvp.
+  const result = spawnSync('claude', claudeArgs, {
     stdio: 'inherit',
     env: {
       ...process.env,
@@ -300,16 +329,16 @@ async function runCommand() {
     },
   });
-  child.on('error', (err) => {
-    if (err.code === 'ENOENT') {
+  if (result.error) {
+    if (result.error.code === 'ENOENT') {
       console.error('Claude Code not found in PATH. Install it first.');
     } else {
-      console.error(`Failed to start claude: ${err.message}`);
+      console.error(`Failed to start claude: ${result.error.message}`);
     }
     process.exit(1);
-  });
+  }
-  child.on('exit', (code) => process.exit(code ?? 1));
+  process.exit(result.status ?? 1);
 }
 // ── status ──────────────────────────────────────────────────
@@ -365,6 +394,23 @@ async function accountsCommand() {
     return;
   }
+  // Refresh expired tokens before fetching profiles
+  let configDirty = false;
+  await Promise.all(config.accounts.map(async (a) => {
+    if (a.type !== 'oauth' || !a.refreshToken) return;
+    if (!isTokenExpiringSoon(a.expiresAt)) return;
+    try {
+      const newTokens = await refreshAccessToken(a.refreshToken);
+      a.accessToken = newTokens.accessToken;
+      a.refreshToken = newTokens.refreshToken;
+      a.expiresAt = newTokens.expiresAt;
+      configDirty = true;
+    } catch (err) {
+      // refresh failed — fetchProfile will report the specific error
+    }
+  }));
+  if (configDirty) await saveConfig(config);
   // Fetch profiles in parallel for all OAuth accounts
   const profiles = await Promise.all(
     config.accounts.map(a =>
@@ -386,7 +432,7 @@ async function accountsCommand() {
       } else {
         seen.set(uuid, i);
         // Update stored UUID and name from profile
-        if (profiles[i]) {
+        if (profiles[i] && !profiles[i].error) {
           a.accountUuid = profiles[i].accountUuid;
           if (profiles[i].email) a.name = profiles[i].email;
         }
@@ -407,12 +453,13 @@ async function accountsCommand() {
     }
     // OAuth account
-    const tier = p?.hasClaudeMax ? 'Max' : p?.hasClaudePro ? 'Pro' : 'subscription';
-    const status = p ? `Claude ${tier}` : 'unknown (profile fetch failed)';
+    const hasProfile = p && !p.error;
+    const tier = hasProfile ? (p.hasClaudeMax ? 'Max' : p.hasClaudePro ? 'Pro' : 'subscription') : null;
+    const status = hasProfile ? `Claude ${tier}` : `unknown (${p?.error || 'no token'})`;
     const src = a.source ? `, ${a.source}` : '';
     console.log(`  [${i + 1}] ${a.name} (${status}${src})`);
-    if (p?.email && p.email !== a.name) console.log(`       Email: ${p.email}`);
-    if (p?.orgName) console.log(`       Org:   ${p.orgName}`);
+    if (hasProfile && p.email && p.email !== a.name) console.log(`       Email: ${p.email}`);
+    if (hasProfile && p.orgName) console.log(`       Org:   ${p.orgName}`);
     if (verbose && a.expiresAt) {
       const remaining = a.expiresAt - Date.now();
       if (remaining <= 0) {
@@ -543,7 +590,11 @@ Config: ${getConfigPath()}
 async function upsertOAuthAccount(config, name, creds, source = 'unknown') {
   // Fetch profile to auto-name and deduplicate by account UUID
   const profile = await fetchProfile(creds.accessToken);
+  const profileOk = profile && !profile.error;
+  if (!profileOk) {
+    console.error(`Warning: could not fetch account profile — ${profile?.error || 'no token'}`);
+  }
   if (!name && profile?.email) {
     name = profile.email;
     const tier = profile.hasClaudeMax ? 'Max' : profile.hasClaudePro ? 'Pro' : null;
@@ -596,22 +647,68 @@ function findConfigAccount(diskConfig, account) {
 }
 /**
- * Detect accounts added to disk config by external processes and add them
- * to the running AccountManager + in-memory config.
+ * Sync accounts from disk config: add new accounts and refresh credentials
+ * for existing ones (handles re-imported OAuth tokens, rotated API keys, etc.).
+ * Returns the number of new accounts added.
  */
-function syncNewAccountsFromDisk(diskConfig, memConfig, accountManager) {
+async function syncAccountsFromDisk(diskConfig, memConfig, accountManager) {
+  let added = 0;
   for (const diskAcct of diskConfig.accounts) {
-    const knownByUuid = diskAcct.accountUuid &&
-      memConfig.accounts.some(a => a.accountUuid === diskAcct.accountUuid);
-    const knownByName = memConfig.accounts.some(a => a.name === diskAcct.name);
+    const matchByUuid = diskAcct.accountUuid &&
+      memConfig.accounts.findIndex(a => a.accountUuid === diskAcct.accountUuid);
+    const matchByName = memConfig.accounts.findIndex(a => a.name === diskAcct.name);
+    const memIdx = (matchByUuid >= 0 ? matchByUuid : null) ?? (matchByName >= 0 ? matchByName : -1);
-    if (!knownByUuid && !knownByName) {
+    if (memIdx < 0) {
       // New account discovered on disk — add to running server
       memConfig.accounts.push(diskAcct);
       accountManager.addAccount(diskAcct);
+      added++;
       console.log(`[TeamClaude] Picked up new account "${diskAcct.name}" from config`);
+      continue;
+    }
+    // Existing account — resolve fresh credentials from disk
+    let freshCred = null;
+    if (diskAcct.type === 'oauth' && diskAcct.importFrom) {
+      try {
+        const creds = await importCredentials(diskAcct.importFrom);
+        freshCred = { accessToken: creds.accessToken, refreshToken: creds.refreshToken, expiresAt: creds.expiresAt };
+      } catch (err) {
+        console.error(`[TeamClaude] Re-import failed for "${diskAcct.name}": ${err.message}`);
+      }
+    } else if (diskAcct.type === 'oauth' && diskAcct.accessToken) {
+      freshCred = { accessToken: diskAcct.accessToken, refreshToken: diskAcct.refreshToken, expiresAt: diskAcct.expiresAt };
+    } else if (diskAcct.type === 'apikey' && diskAcct.apiKey) {
+      freshCred = { apiKey: diskAcct.apiKey };
+    }
+    if (!freshCred) continue;
+    // Find the corresponding AccountManager entry and update credentials
+    const mgr = accountManager.accounts.find(a =>
+      (diskAcct.accountUuid && a.accountUuid === diskAcct.accountUuid) || a.name === diskAcct.name
+    );
+    if (!mgr) continue;
+    if (freshCred.accessToken) {
+      const changed = mgr.credential !== freshCred.accessToken ||
+        mgr.refreshToken !== freshCred.refreshToken;
+      // Don't overwrite in-memory credentials with staler ones from disk
+      // (e.g. after a TUI import updated the AM before saveConfig wrote to disk)
+      const diskIsStaler = freshCred.expiresAt && mgr.expiresAt &&
+        freshCred.expiresAt < mgr.expiresAt;
+      if (changed && !diskIsStaler) {
+        accountManager.updateAccountTokens(mgr.index, freshCred);
+        console.log(`[TeamClaude] Refreshed credentials for "${mgr.name}"`);
+      }
+    } else if (freshCred.apiKey && mgr.credential !== freshCred.apiKey) {
+      mgr.credential = freshCred.apiKey;
+      if (mgr.status === 'error') mgr.status = 'active';
+      console.log(`[TeamClaude] Updated API key for "${mgr.name}"`);
     }
   }
+  return added;
 }
 // ── helpers ─────────────────────────────────────────────────

package/src/oauth.js CHANGED Viewed

@@ -2,6 +2,7 @@ import { readFile } from 'node:fs/promises';
 import { homedir } from 'node:os';
 import { randomBytes, createHash } from 'node:crypto';
 import { exec } from 'node:child_process';
+import { createInterface } from 'node:readline';
 import http from 'node:http';
 /**
@@ -68,7 +69,7 @@ export async function refreshAccessToken(refreshToken, endpoint = DEFAULT_TOKEN_
       return {
         accessToken: data.access_token,
         refreshToken: data.refresh_token || refreshToken,
-        expiresAt: data.expires_at || (Date.now() + (data.expires_in || 3600) * 1000),
+        expiresAt: normalizeExpiresAt(data.expires_at) || (Date.now() + (data.expires_in || 3600) * 1000),
       };
     } catch (err) {
       const isNetworkError = err instanceof Error &&
@@ -84,24 +85,45 @@ export async function refreshAccessToken(refreshToken, endpoint = DEFAULT_TOKEN_
   }
 }
+/**
+ * Normalize an expires_at value to milliseconds.
+ * OAuth endpoints may return seconds; Claude Code credentials use milliseconds.
+ */
+export function normalizeExpiresAt(expiresAt) {
+  if (!expiresAt) return expiresAt;
+  // If the value is plausibly in seconds (< 10^12 ≈ year 2001 in ms, year 33658 in s),
+  // convert to milliseconds
+  return expiresAt < 1e12 ? expiresAt * 1000 : expiresAt;
+}
 /**
  * Check if an OAuth token is expiring within the given threshold.
  */
 export function isTokenExpiringSoon(expiresAt, thresholdMs = 5 * 60 * 1000) {
   if (!expiresAt) return false;
-  return Date.now() + thresholdMs >= expiresAt;
+  return Date.now() + thresholdMs >= normalizeExpiresAt(expiresAt);
 }
 /**
  * Fetch account profile for an OAuth token.
- * Returns { email, name, orgName, orgType } or null on failure.
+ * Returns { email, name, orgName, orgType, ... } on success,
+ * or { error: 'reason' } on failure.
  */
 export async function fetchProfile(accessToken) {
   try {
     const res = await fetch(PROFILE_URL, {
       headers: { 'Authorization': `Bearer ${accessToken}` },
     });
-    if (!res.ok) return null;
+    if (!res.ok) {
+      let detail = '';
+      try {
+        const body = await res.json();
+        detail = body?.error?.message || JSON.stringify(body).slice(0, 200);
+      } catch {
+        detail = await res.text().catch(() => '');
+      }
+      return { error: `HTTP ${res.status}${detail ? ': ' + detail : ''}` };
+    }
     const data = await res.json();
     return {
       accountUuid: data.account?.uuid,
@@ -112,8 +134,8 @@ export async function fetchProfile(accessToken) {
       hasClaudeMax: data.account?.has_claude_max,
       hasClaudePro: data.account?.has_claude_pro,
     };
-  } catch {
-    return null;
+  } catch (err) {
+    return { error: err.message || String(err) };
   }
 }
@@ -153,10 +175,10 @@ export async function loginOAuth() {
   console.log(`If it doesn't open, visit:\n  ${authUrl.toString()}\n`);
   openBrowser(authUrl.toString());
-  // Wait for the authorization code
+  // Wait for either the callback server or manual paste from stdin
   let code;
   try {
-    code = await codePromise;
+    code = await raceWithStdinCode(codePromise, state);
   } finally {
     server.close();
   }
@@ -185,10 +207,58 @@ export async function loginOAuth() {
   return {
     accessToken: tokens.access_token,
     refreshToken: tokens.refresh_token,
-    expiresAt: tokens.expires_at || (Date.now() + (tokens.expires_in || 3600) * 1000),
+    expiresAt: normalizeExpiresAt(tokens.expires_at) || (Date.now() + (tokens.expires_in || 3600) * 1000),
   };
 }
+/**
+ * Race the callback server promise against manual code entry from stdin.
+ * The user can paste the full callback URL or just the authorization code.
+ */
+function raceWithStdinCode(callbackPromise, expectedState) {
+  if (!process.stdin.isTTY) return callbackPromise;
+  return new Promise((resolve, reject) => {
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    let settled = false;
+    const settle = (fn, val) => {
+      if (settled) return;
+      settled = true;
+      rl.close();
+      fn(val);
+    };
+    rl.question('Paste authorization code here (or wait for browser callback): ', answer => {
+      const trimmed = answer.trim();
+      if (!trimmed) return; // empty input, keep waiting for callback
+      // Try to parse as a URL with ?code= parameter
+      try {
+        const url = new URL(trimmed);
+        const code = url.searchParams.get('code');
+        const state = url.searchParams.get('state');
+        if (code) {
+          if (expectedState && state && state !== expectedState) {
+            settle(reject, new Error('OAuth state mismatch'));
+          } else {
+            settle(resolve, code);
+          }
+          return;
+        }
+      } catch {}
+      // Treat raw input as the authorization code
+      settle(resolve, trimmed);
+    });
+    callbackPromise.then(
+      code => settle(resolve, code),
+      err => settle(reject, err),
+    );
+  });
+}
 function startCallbackServer(expectedState) {
   return new Promise((resolve, reject) => {
     let resolveCode, rejectCode;

package/src/server.js CHANGED Viewed

@@ -2,6 +2,7 @@ import http from 'node:http';
 import { writeFile, mkdir } from 'node:fs/promises';
 import { join } from 'node:path';
 const HOP_BY_HOP_HEADERS = new Set([
   'host', 'connection', 'keep-alive', 'transfer-encoding',
   'te', 'trailer', 'upgrade', 'proxy-authorization', 'proxy-authenticate',
@@ -39,9 +40,11 @@ export function createProxyServer(accountManager, config, hooks = {}) {
         return;
       }
-      // Intercept token refresh requests — forward to real endpoint and capture new tokens
+      // Let client token refresh requests pass through to upstream untouched.
+      // The proxy manages its own tokens via ensureTokenFresh(); intercepting
+      // or rewriting client refreshes would cause token rotation conflicts.
       if (req.method === 'POST' && req.url === '/v1/oauth/token') {
-        await handleTokenRefresh(req, res, accountManager, hooks);
+        await relayRaw(req, res, upstream);
         return;
       }
@@ -57,82 +60,52 @@ export function createProxyServer(accountManager, config, hooks = {}) {
       const body = Buffer.concat(bodyChunks);
       const ctx = { account: null, status: null };
-      await forwardRequest(req, res, body, accountManager, upstream, 0, hooks, reqId, ctx, logDir);
-      hooks.onRequestEnd?.(reqId, {
-        method: req.method, path: req.url,
-        account: ctx.account, status: ctx.status,
-      });
+      try {
+        await forwardRequest(req, res, body, accountManager, upstream, 0, hooks, reqId, ctx, logDir);
+      } catch (err) {
+        ctx.status = ctx.status || 502;
+        console.error('[TeamClaude] Unhandled error:', err);
+        if (!res.headersSent) {
+          res.writeHead(502, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({
+            type: 'error',
+            error: { type: 'proxy_error', message: 'Internal proxy error' },
+          }));
+        }
+      } finally {
+        hooks.onRequestEnd?.(reqId, {
+          method: req.method, path: req.url,
+          account: ctx.account, status: ctx.status,
+        });
+      }
     } catch (err) {
       console.error('[TeamClaude] Unhandled error:', err);
-      if (!res.headersSent) {
-        res.writeHead(502, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-          type: 'error',
-          error: { type: 'proxy_error', message: 'Internal proxy error' },
-        }));
-      }
     }
   });
   return server;
 }
-const TOKEN_ENDPOINT = 'https://platform.claude.com/v1/oauth/token';
 /**
- * Forward a token refresh request to the real token endpoint, capture new tokens,
- * and pass the response back to the client.
+ * Relay a request to upstream with no header rewriting — pure passthrough.
  */
-async function handleTokenRefresh(req, res, accountManager, hooks) {
+async function relayRaw(req, res, upstream) {
   const bodyChunks = [];
-  for await (const chunk of req) {
-    bodyChunks.push(chunk);
-  }
-  const rawBody = Buffer.concat(bodyChunks);
-  // Replace the refresh token in the request with the current account's refresh token
-  // so the renewal happens for the active account, not just the one the client knows about
-  let body = rawBody;
-  try {
-    const parsed = JSON.parse(rawBody.toString());
-    const currentAccount = accountManager.accounts[accountManager.currentIndex];
-    if (parsed.grant_type === 'refresh_token' && currentAccount?.type === 'oauth' && currentAccount.refreshToken) {
-      parsed.refresh_token = currentAccount.refreshToken;
-      body = JSON.stringify(parsed);
-      console.log(`[TeamClaude] Token refresh: substituted refresh token for account "${currentAccount.name}"`);
-    }
-  } catch {}
+  for await (const chunk of req) bodyChunks.push(chunk);
+  const body = Buffer.concat(bodyChunks);
   try {
-    // Forward to the real token endpoint
-    const upstreamRes = await fetch(TOKEN_ENDPOINT, {
-      method: 'POST',
+    const upstreamRes = await fetch(`${upstream}${req.url}`, {
+      method: req.method,
       headers: {
-        'Content-Type': req.headers['content-type'] || 'application/json',
-        'Accept': 'application/json, text/plain, */*',
-        'User-Agent': req.headers['user-agent'] || 'axios/1.13.6',
+        'content-type': req.headers['content-type'] || 'application/json',
+        'accept': req.headers['accept'] || 'application/json',
+        'user-agent': req.headers['user-agent'] || 'node',
       },
-      body,
+      body: body.length > 0 ? body : undefined,
     });
     const responseBody = await upstreamRes.text();
-    // Capture tokens from successful refresh — update the current account directly
-    if (upstreamRes.ok) {
-      try {
-        const tokens = JSON.parse(responseBody);
-        if (tokens.access_token) {
-          accountManager.updateAccountTokens(accountManager.currentIndex, {
-            accessToken: tokens.access_token,
-            refreshToken: tokens.refresh_token,
-            expiresAt: tokens.expires_at || (Date.now() + (tokens.expires_in || 3600) * 1000),
-          });
-        }
-      } catch {}
-    }
-    // Forward response to client
     const responseHeaders = {};
     for (const [key, value] of upstreamRes.headers.entries()) {
       if (key === 'transfer-encoding' || key === 'connection') continue;
@@ -141,17 +114,15 @@ async function handleTokenRefresh(req, res, accountManager, hooks) {
     res.writeHead(upstreamRes.status, responseHeaders);
     res.end(responseBody);
   } catch (err) {
-    console.error('[TeamClaude] Token refresh proxy error:', err.message);
+    console.error('[TeamClaude] Raw relay error:', err.message);
     if (!res.headersSent) {
       res.writeHead(502, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({
-        type: 'error',
-        error: { type: 'proxy_error', message: `Token refresh failed: ${err.message}` },
-      }));
+      res.end(JSON.stringify({ type: 'error', error: { type: 'proxy_error', message: 'Upstream unreachable' } }));
     }
   }
 }
 function logTimestamp() {
   const d = new Date();
   const pad = (n, w = 2) => String(n).padStart(w, '0');
@@ -272,6 +243,23 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
     }
     accountManager.updateQuota(account.index, rateLimitHeaders);
+    // On 429, wait the retry-after duration and retry on the same account
+    // (this is a transient rate limit, not quota exhaustion)
+    if (upstreamRes.status === 429) {
+      const retryAfter = parseInt(upstreamRes.headers.get('retry-after'), 10) || 60;
+      // Discard the 429 response body
+      await upstreamRes.body?.cancel();
+      if (logDir) {
+        logSections.push(`=== RESPONSE 429 — waiting ${retryAfter}s ===\n${formatHeaders(upstreamRes.headers)}`);
+      }
+      console.log(`[TeamClaude] 429 on "${account.name}" — waiting ${retryAfter}s before retry`);
+      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
+      // Client may have disconnected during the wait
+      if (res.destroyed) return;
+      return forwardRequest(req, res, body, accountManager, upstream, retryCount, hooks, reqId, ctx, logDir);
+    }
     // Log response headers
     if (logDir) {
       logSections.push(`=== RESPONSE ${upstreamRes.status} ===\n${formatHeaders(upstreamRes.headers)}`);
@@ -329,6 +317,17 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
       writeRequestLog(logDir, reqId, logSections);
     }
+    const isTransient = err instanceof Error &&
+      (err.message.includes('fetch failed') ||
+        err.code === 'ECONNRESET' || err.code === 'ECONNREFUSED' ||
+        err.code === 'ETIMEDOUT' || err.code === 'UND_ERR_CONNECT_TIMEOUT');
+    // Transient network errors: just close the connection and let the client retry
+    if (isTransient) {
+      res.destroy();
+      return;
+    }
     if (retryCount < maxRetries && !res.headersSent) {
       account.status = 'error';
       return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
@@ -358,6 +357,9 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
       const { done, value } = await reader.read();
       if (done) break;
+      // Client disconnected — stop reading from upstream
+      if (res.destroyed) break;
       // Forward chunk immediately
       const ok = res.write(value);
@@ -375,9 +377,14 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
         parseSSEUsage(event, accountIndex, accountManager);
       }
-      // Handle backpressure
+      // Handle backpressure — also bail out if client disconnects,
+      // because 'drain' will never fire on a destroyed socket
       if (!ok) {
-        await new Promise(resolve => res.once('drain', resolve));
+        await new Promise(resolve => {
+          res.once('drain', resolve);
+          res.once('close', resolve);
+        });
+        if (res.destroyed) break;
       }
     }
@@ -386,7 +393,9 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
       parseSSEUsage(sseBuffer, accountIndex, accountManager);
     }
   } finally {
-    res.end();
+    // Cancel upstream reader to stop consuming data nobody needs
+    reader.cancel().catch(() => {});
+    if (!res.writableEnded) res.end();
   }
 }

package/src/tui.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { importCredentials } from './oauth.js';
+import { importCredentials, fetchProfile } from './oauth.js';
 // ── ANSI helpers ─────────────────────────────────────────────
@@ -283,7 +283,7 @@ export class TUI {
       if (count > 0) {
         this._addLog(`Synced ${count} new account(s) from config`);
       } else {
-        this._addLog('Config reloaded, no new accounts');
+        this._addLog('Config reloaded, credentials refreshed');
       }
     } catch (e) {
       this._addLog(`Sync failed: ${e.message}`);
@@ -292,19 +292,59 @@ export class TUI {
   async _doImport() {
     try {
+      this._addLog('Importing credentials...');
       const creds = await importCredentials('~/.claude/.credentials.json');
-      const n = this.config.accounts.filter(a => a.name.startsWith('max-')).length + 1;
-      const name = `max-${n}`;
+      const profile = await fetchProfile(creds.accessToken);
+      const profileOk = profile && !profile.error;
+      if (!profileOk) {
+        this._addLog(`Warning: could not fetch profile — ${profile?.error || 'no token'}`);
+      }
+      let name;
+      if (profile?.email) {
+        name = profile.email;
+        const tier = profile.hasClaudeMax ? 'Max' : profile.hasClaudePro ? 'Pro' : null;
+        if (tier) this._addLog(`Detected Claude ${tier}: ${name}`);
+      } else {
+        const n = this.config.accounts.filter(a => a.name.startsWith('account-')).length + 1;
+        name = `account-${n}`;
+      }
       const entry = {
-        name, type: 'oauth',
+        name, type: 'oauth', source: 'import',
+        accountUuid: profile?.accountUuid || null,
         accessToken: creds.accessToken,
         refreshToken: creds.refreshToken,
         expiresAt: creds.expiresAt,
       };
-      this.config.accounts.push(entry);
-      this.am.addAccount(entry);
+      // Deduplicate: match by UUID first, then by name
+      let idx = profile?.accountUuid
+        ? this.config.accounts.findIndex(a => a.accountUuid === profile.accountUuid)
+        : -1;
+      if (idx < 0) idx = this.config.accounts.findIndex(a => a.name === name);
+      if (idx >= 0) {
+        this.config.accounts[idx] = entry;
+        // Update the running account manager entry
+        const amAcct = this.am.accounts[idx];
+        if (amAcct) {
+          amAcct.credential = creds.accessToken;
+          amAcct.refreshToken = creds.refreshToken;
+          amAcct.expiresAt = creds.expiresAt;
+          amAcct.accountUuid = entry.accountUuid;
+          amAcct.name = name;
+          if (amAcct.status === 'error') amAcct.status = 'active';
+        }
+        this._addLog(`Updated account "${name}"`);
+      } else {
+        this.config.accounts.push(entry);
+        this.am.addAccount(entry);
+        this._addLog(`Imported account "${name}"`);
+      }
       await this.saveConfig(this.config);
-      this._addLog(`Imported account "${name}"`);
     } catch (e) {
       this._addLog(`Import failed: ${e.message}`);
     }