@karpeleslab/teamclaude 1.0.5 → 1.0.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@karpeleslab/teamclaude",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "Multi-account Claude proxy with automatic quota-based rotation",
   "type": "module",
   "main": "src/index.js",

package/src/account-manager.js

@@ -252,7 +252,11 @@ export class AccountManager {
         this._onTokenRefresh?.(accountIndex, newTokens);
       } catch (err) {
         console.error(`[TeamClaude] Token refresh failed for "${account.name}": ${err.message}`);
-        account.status = 'error';
+        // Only mark as error if the access token is actually expired;
+        // a failed proactive refresh shouldn't kill a still-valid token
+        if (!account.expiresAt || Date.now() >= account.expiresAt) {
+          account.status = 'error';
+        }
       } finally {
         account._refreshPromise = null;
       }

package/src/index.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 
-import { spawn } from 'node:child_process';
+import { spawnSync } from 'node:child_process';
 import { createInterface } from 'node:readline';
 import { loadOrCreateConfig, loadConfig, saveConfig, atomicConfigUpdate, getConfigPath } from './config.js';
 import { AccountManager } from './account-manager.js';
 import { createProxyServer } from './server.js';
-import { importCredentials, loginOAuth, fetchProfile } from './oauth.js';
+import { importCredentials, loginOAuth, fetchProfile, refreshAccessToken, isTokenExpiringSoon } from './oauth.js';
 import { TUI } from './tui.js';
 
 const args = process.argv.slice(2);
@@ -94,8 +94,23 @@ async function serverCommand() {
   accountManager.onTokenRefresh((idx, newTokens) => {
     const account = accountManager.accounts[idx];
     if (!account) return;
+    // Keep config.accounts in sync so TUI saveConfig doesn't clobber fresh tokens
+    if (config.accounts[idx]) {
+      config.accounts[idx].accessToken = newTokens.accessToken;
+      config.accounts[idx].refreshToken = newTokens.refreshToken;
+      config.accounts[idx].expiresAt = newTokens.expiresAt;
+    }
     atomicConfigUpdate(diskConfig => {
-      syncNewAccountsFromDisk(diskConfig, config, accountManager);
+      // Pick up any new accounts from disk so index matching stays correct
+      // (only add, don't refresh credentials — we're about to write the authoritative tokens)
+      for (const diskAcct of diskConfig.accounts) {
+        const known = (diskAcct.accountUuid && config.accounts.some(a => a.accountUuid === diskAcct.accountUuid))
+          || config.accounts.some(a => a.name === diskAcct.name);
+        if (!known) {
+          config.accounts.push(diskAcct);
+          accountManager.addAccount(diskAcct);
+        }
+      }
       // Match by UUID first, then by name — index may have shifted
       const cfgIdx = findConfigAccount(diskConfig, account);
       if (cfgIdx >= 0) {
@@ -114,22 +129,28 @@ async function serverCommand() {
   if (useTUI) {
     tui = new TUI({
       accountManager, config,
-      saveConfig: () => atomicConfigUpdate(diskConfig => {
-        syncNewAccountsFromDisk(diskConfig, config, accountManager);
-        // Write in-memory accounts back, preserving extra disk-only fields
-        diskConfig.accounts = config.accounts.map(a => {
+      saveConfig: () => atomicConfigUpdate(async diskConfig => {
+        // Write in-memory accounts as the authoritative state, preserving
+        // extra disk-only fields (e.g. importFrom) where the account still exists.
+        // Use live tokens from AccountManager (not the stale config.accounts copy).
+        diskConfig.accounts = config.accounts.map((a, i) => {
+          const am = accountManager.accounts[i];
+          const live = am ? {
+            ...a,
+            accessToken: am.credential,
+            refreshToken: am.refreshToken,
+            expiresAt: am.expiresAt,
+          } : a;
           const diskAcct = diskConfig.accounts.find(
             d => (a.accountUuid && d.accountUuid === a.accountUuid) || d.name === a.name
           );
-          return diskAcct ? { ...diskAcct, ...a } : a;
+          return diskAcct ? { ...diskAcct, ...live } : live;
         });
       }),
       syncAccounts: async () => {
         const diskConfig = await loadConfig();
         if (!diskConfig) return 0;
-        const before = accountManager.accounts.length;
-        syncNewAccountsFromDisk(diskConfig, config, accountManager);
-        return accountManager.accounts.length - before;
+        return syncAccountsFromDisk(diskConfig, config, accountManager);
       },
       onQuit: () => { server.close(() => process.exit(0)); },
     });
@@ -299,7 +320,8 @@ async function runCommand() {
   // Only set ANTHROPIC_BASE_URL — Claude Code keeps its own OAuth token
   // which the proxy accepts from localhost. Not setting ANTHROPIC_API_KEY
   // lets Claude Code stay in subscription mode (full model access).
-  const child = spawn('claude', claudeArgs, {
+  // Use spawnSync so the Node process blocks entirely — behaves like execvp.
+  const result = spawnSync('claude', claudeArgs, {
     stdio: 'inherit',
     env: {
       ...process.env,
@@ -307,16 +329,16 @@ async function runCommand() {
     },
   });
 
-  child.on('error', (err) => {
-    if (err.code === 'ENOENT') {
+  if (result.error) {
+    if (result.error.code === 'ENOENT') {
       console.error('Claude Code not found in PATH. Install it first.');
     } else {
-      console.error(`Failed to start claude: ${err.message}`);
+      console.error(`Failed to start claude: ${result.error.message}`);
     }
     process.exit(1);
-  });
+  }
 
-  child.on('exit', (code) => process.exit(code ?? 1));
+  process.exit(result.status ?? 1);
 }
 
 // ── status ──────────────────────────────────────────────────
@@ -372,6 +394,23 @@ async function accountsCommand() {
     return;
   }
 
+  // Refresh expired tokens before fetching profiles
+  let configDirty = false;
+  await Promise.all(config.accounts.map(async (a) => {
+    if (a.type !== 'oauth' || !a.refreshToken) return;
+    if (!isTokenExpiringSoon(a.expiresAt)) return;
+    try {
+      const newTokens = await refreshAccessToken(a.refreshToken);
+      a.accessToken = newTokens.accessToken;
+      a.refreshToken = newTokens.refreshToken;
+      a.expiresAt = newTokens.expiresAt;
+      configDirty = true;
+    } catch (err) {
+      // refresh failed — fetchProfile will report the specific error
+    }
+  }));
+  if (configDirty) await saveConfig(config);
+
   // Fetch profiles in parallel for all OAuth accounts
   const profiles = await Promise.all(
     config.accounts.map(a =>
@@ -393,7 +432,7 @@ async function accountsCommand() {
       } else {
         seen.set(uuid, i);
         // Update stored UUID and name from profile
-        if (profiles[i]) {
+        if (profiles[i] && !profiles[i].error) {
           a.accountUuid = profiles[i].accountUuid;
           if (profiles[i].email) a.name = profiles[i].email;
         }
@@ -414,12 +453,13 @@ async function accountsCommand() {
     }
 
     // OAuth account
-    const tier = p?.hasClaudeMax ? 'Max' : p?.hasClaudePro ? 'Pro' : 'subscription';
-    const status = p ? `Claude ${tier}` : 'unknown (profile fetch failed)';
+    const hasProfile = p && !p.error;
+    const tier = hasProfile ? (p.hasClaudeMax ? 'Max' : p.hasClaudePro ? 'Pro' : 'subscription') : null;
+    const status = hasProfile ? `Claude ${tier}` : `unknown (${p?.error || 'no token'})`;
     const src = a.source ? `, ${a.source}` : '';
     console.log(`  [${i + 1}] ${a.name} (${status}${src})`);
-    if (p?.email && p.email !== a.name) console.log(`       Email: ${p.email}`);
-    if (p?.orgName) console.log(`       Org:   ${p.orgName}`);
+    if (hasProfile && p.email && p.email !== a.name) console.log(`       Email: ${p.email}`);
+    if (hasProfile && p.orgName) console.log(`       Org:   ${p.orgName}`);
     if (verbose && a.expiresAt) {
       const remaining = a.expiresAt - Date.now();
       if (remaining <= 0) {
@@ -550,7 +590,11 @@ Config: ${getConfigPath()}
 async function upsertOAuthAccount(config, name, creds, source = 'unknown') {
   // Fetch profile to auto-name and deduplicate by account UUID
   const profile = await fetchProfile(creds.accessToken);
+  const profileOk = profile && !profile.error;
 
+  if (!profileOk) {
+    console.error(`Warning: could not fetch account profile — ${profile?.error || 'no token'}`);
+  }
   if (!name && profile?.email) {
     name = profile.email;
     const tier = profile.hasClaudeMax ? 'Max' : profile.hasClaudePro ? 'Pro' : null;
@@ -603,22 +647,68 @@ function findConfigAccount(diskConfig, account) {
 }
 
 /**
- * Detect accounts added to disk config by external processes and add them
- * to the running AccountManager + in-memory config.
+ * Sync accounts from disk config: add new accounts and refresh credentials
+ * for existing ones (handles re-imported OAuth tokens, rotated API keys, etc.).
+ * Returns the number of new accounts added.
  */
-function syncNewAccountsFromDisk(diskConfig, memConfig, accountManager) {
+async function syncAccountsFromDisk(diskConfig, memConfig, accountManager) {
+  let added = 0;
   for (const diskAcct of diskConfig.accounts) {
-    const knownByUuid = diskAcct.accountUuid &&
-      memConfig.accounts.some(a => a.accountUuid === diskAcct.accountUuid);
-    const knownByName = memConfig.accounts.some(a => a.name === diskAcct.name);
+    const matchByUuid = diskAcct.accountUuid &&
+      memConfig.accounts.findIndex(a => a.accountUuid === diskAcct.accountUuid);
+    const matchByName = memConfig.accounts.findIndex(a => a.name === diskAcct.name);
+    const memIdx = (matchByUuid >= 0 ? matchByUuid : null) ?? (matchByName >= 0 ? matchByName : -1);
 
-    if (!knownByUuid && !knownByName) {
+    if (memIdx < 0) {
       // New account discovered on disk — add to running server
       memConfig.accounts.push(diskAcct);
       accountManager.addAccount(diskAcct);
+      added++;
       console.log(`[TeamClaude] Picked up new account "${diskAcct.name}" from config`);
+      continue;
+    }
+
+    // Existing account — resolve fresh credentials from disk
+    let freshCred = null;
+    if (diskAcct.type === 'oauth' && diskAcct.importFrom) {
+      try {
+        const creds = await importCredentials(diskAcct.importFrom);
+        freshCred = { accessToken: creds.accessToken, refreshToken: creds.refreshToken, expiresAt: creds.expiresAt };
+      } catch (err) {
+        console.error(`[TeamClaude] Re-import failed for "${diskAcct.name}": ${err.message}`);
+      }
+    } else if (diskAcct.type === 'oauth' && diskAcct.accessToken) {
+      freshCred = { accessToken: diskAcct.accessToken, refreshToken: diskAcct.refreshToken, expiresAt: diskAcct.expiresAt };
+    } else if (diskAcct.type === 'apikey' && diskAcct.apiKey) {
+      freshCred = { apiKey: diskAcct.apiKey };
+    }
+
+    if (!freshCred) continue;
+
+    // Find the corresponding AccountManager entry and update credentials
+    const mgr = accountManager.accounts.find(a =>
+      (diskAcct.accountUuid && a.accountUuid === diskAcct.accountUuid) || a.name === diskAcct.name
+    );
+    if (!mgr) continue;
+
+    if (freshCred.accessToken) {
+      const changed = mgr.credential !== freshCred.accessToken ||
+        mgr.refreshToken !== freshCred.refreshToken;
+      // Don't overwrite in-memory credentials with staler ones from disk
+      // (e.g. after a TUI import updated the AM before saveConfig wrote to disk)
+      const diskIsStaler = freshCred.expiresAt && mgr.expiresAt &&
+        freshCred.expiresAt < mgr.expiresAt;
+      if (changed && !diskIsStaler) {
+        accountManager.updateAccountTokens(mgr.index, freshCred);
+        console.log(`[TeamClaude] Refreshed credentials for "${mgr.name}"`);
+      }
+    } else if (freshCred.apiKey && mgr.credential !== freshCred.apiKey) {
+      mgr.credential = freshCred.apiKey;
+      if (mgr.status === 'error') mgr.status = 'active';
+      console.log(`[TeamClaude] Updated API key for "${mgr.name}"`);
     }
   }
+  return added;
 }
 
 // ── helpers ─────────────────────────────────────────────────

package/src/oauth.js

@@ -2,6 +2,7 @@ import { readFile } from 'node:fs/promises';
 import { homedir } from 'node:os';
 import { randomBytes, createHash } from 'node:crypto';
 import { exec } from 'node:child_process';
+import { createInterface } from 'node:readline';
 import http from 'node:http';
 
 /**
@@ -68,7 +69,7 @@ export async function refreshAccessToken(refreshToken, endpoint = DEFAULT_TOKEN_
       return {
         accessToken: data.access_token,
         refreshToken: data.refresh_token || refreshToken,
-        expiresAt: data.expires_at || (Date.now() + (data.expires_in || 3600) * 1000),
+        expiresAt: normalizeExpiresAt(data.expires_at) || (Date.now() + (data.expires_in || 3600) * 1000),
       };
     } catch (err) {
       const isNetworkError = err instanceof Error &&
@@ -84,24 +85,45 @@ export async function refreshAccessToken(refreshToken, endpoint = DEFAULT_TOKEN_
   }
 }
 
+/**
+ * Normalize an expires_at value to milliseconds.
+ * OAuth endpoints may return seconds; Claude Code credentials use milliseconds.
+ */
+export function normalizeExpiresAt(expiresAt) {
+  if (!expiresAt) return expiresAt;
+  // If the value is plausibly in seconds (< 10^12 ≈ year 2001 in ms, year 33658 in s),
+  // convert to milliseconds
+  return expiresAt < 1e12 ? expiresAt * 1000 : expiresAt;
+}
+
 /**
  * Check if an OAuth token is expiring within the given threshold.
  */
 export function isTokenExpiringSoon(expiresAt, thresholdMs = 5 * 60 * 1000) {
   if (!expiresAt) return false;
-  return Date.now() + thresholdMs >= expiresAt;
+  return Date.now() + thresholdMs >= normalizeExpiresAt(expiresAt);
 }
 
 /**
  * Fetch account profile for an OAuth token.
- * Returns { email, name, orgName, orgType } or null on failure.
+ * Returns { email, name, orgName, orgType, ... } on success,
+ * or { error: 'reason' } on failure.
  */
 export async function fetchProfile(accessToken) {
   try {
     const res = await fetch(PROFILE_URL, {
       headers: { 'Authorization': `Bearer ${accessToken}` },
     });
-    if (!res.ok) return null;
+    if (!res.ok) {
+      let detail = '';
+      try {
+        const body = await res.json();
+        detail = body?.error?.message || JSON.stringify(body).slice(0, 200);
+      } catch {
+        detail = await res.text().catch(() => '');
+      }
+      return { error: `HTTP ${res.status}${detail ? ': ' + detail : ''}` };
+    }
     const data = await res.json();
     return {
       accountUuid: data.account?.uuid,
@@ -112,8 +134,8 @@ export async function fetchProfile(accessToken) {
       hasClaudeMax: data.account?.has_claude_max,
       hasClaudePro: data.account?.has_claude_pro,
     };
-  } catch {
-    return null;
+  } catch (err) {
+    return { error: err.message || String(err) };
   }
 }
 
@@ -153,10 +175,10 @@ export async function loginOAuth() {
   console.log(`If it doesn't open, visit:\n  ${authUrl.toString()}\n`);
   openBrowser(authUrl.toString());
 
-  // Wait for the authorization code
+  // Wait for either the callback server or manual paste from stdin
   let code;
   try {
-    code = await codePromise;
+    code = await raceWithStdinCode(codePromise, state);
   } finally {
     server.close();
   }
@@ -185,10 +207,58 @@ export async function loginOAuth() {
   return {
     accessToken: tokens.access_token,
     refreshToken: tokens.refresh_token,
-    expiresAt: tokens.expires_at || (Date.now() + (tokens.expires_in || 3600) * 1000),
+    expiresAt: normalizeExpiresAt(tokens.expires_at) || (Date.now() + (tokens.expires_in || 3600) * 1000),
   };
 }
 
+/**
+ * Race the callback server promise against manual code entry from stdin.
+ * The user can paste the full callback URL or just the authorization code.
+ */
+function raceWithStdinCode(callbackPromise, expectedState) {
+  if (!process.stdin.isTTY) return callbackPromise;
+
+  return new Promise((resolve, reject) => {
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    let settled = false;
+
+    const settle = (fn, val) => {
+      if (settled) return;
+      settled = true;
+      rl.close();
+      fn(val);
+    };
+
+    rl.question('Paste authorization code here (or wait for browser callback): ', answer => {
+      const trimmed = answer.trim();
+      if (!trimmed) return; // empty input, keep waiting for callback
+
+      // Try to parse as a URL with ?code= parameter
+      try {
+        const url = new URL(trimmed);
+        const code = url.searchParams.get('code');
+        const state = url.searchParams.get('state');
+        if (code) {
+          if (expectedState && state && state !== expectedState) {
+            settle(reject, new Error('OAuth state mismatch'));
+          } else {
+            settle(resolve, code);
+          }
+          return;
+        }
+      } catch {}
+
+      // Treat raw input as the authorization code
+      settle(resolve, trimmed);
+    });
+
+    callbackPromise.then(
+      code => settle(resolve, code),
+      err => settle(reject, err),
+    );
+  });
+}
+
 function startCallbackServer(expectedState) {
   return new Promise((resolve, reject) => {
     let resolveCode, rejectCode;

package/src/server.js

@@ -2,6 +2,7 @@ import http from 'node:http';
 import { writeFile, mkdir } from 'node:fs/promises';
 import { join } from 'node:path';
 
+
 const HOP_BY_HOP_HEADERS = new Set([
   'host', 'connection', 'keep-alive', 'transfer-encoding',
   'te', 'trailer', 'upgrade', 'proxy-authorization', 'proxy-authenticate',
@@ -39,9 +40,11 @@ export function createProxyServer(accountManager, config, hooks = {}) {
         return;
       }
 
-      // Intercept token refresh requests — forward to real endpoint and capture new tokens
+      // Let client token refresh requests pass through to upstream untouched.
+      // The proxy manages its own tokens via ensureTokenFresh(); intercepting
+      // or rewriting client refreshes would cause token rotation conflicts.
       if (req.method === 'POST' && req.url === '/v1/oauth/token') {
-        await handleTokenRefresh(req, res, accountManager, hooks);
+        await relayRaw(req, res, upstream);
         return;
       }
 
@@ -57,82 +60,52 @@ export function createProxyServer(accountManager, config, hooks = {}) {
       const body = Buffer.concat(bodyChunks);
 
       const ctx = { account: null, status: null };
-      await forwardRequest(req, res, body, accountManager, upstream, 0, hooks, reqId, ctx, logDir);
-
-      hooks.onRequestEnd?.(reqId, {
-        method: req.method, path: req.url,
-        account: ctx.account, status: ctx.status,
-      });
+      try {
+        await forwardRequest(req, res, body, accountManager, upstream, 0, hooks, reqId, ctx, logDir);
+      } catch (err) {
+        ctx.status = ctx.status || 502;
+        console.error('[TeamClaude] Unhandled error:', err);
+        if (!res.headersSent) {
+          res.writeHead(502, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({
+            type: 'error',
+            error: { type: 'proxy_error', message: 'Internal proxy error' },
+          }));
+        }
+      } finally {
+        hooks.onRequestEnd?.(reqId, {
+          method: req.method, path: req.url,
+          account: ctx.account, status: ctx.status,
+        });
+      }
     } catch (err) {
       console.error('[TeamClaude] Unhandled error:', err);
-      if (!res.headersSent) {
-        res.writeHead(502, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-          type: 'error',
-          error: { type: 'proxy_error', message: 'Internal proxy error' },
-        }));
-      }
     }
   });
 
   return server;
 }
 
-const TOKEN_ENDPOINT = 'https://platform.claude.com/v1/oauth/token';
-
 /**
- * Forward a token refresh request to the real token endpoint, capture new tokens,
- * and pass the response back to the client.
+ * Relay a request to upstream with no header rewriting — pure passthrough.
  */
-async function handleTokenRefresh(req, res, accountManager, hooks) {
+async function relayRaw(req, res, upstream) {
   const bodyChunks = [];
-  for await (const chunk of req) {
-    bodyChunks.push(chunk);
-  }
-  const rawBody = Buffer.concat(bodyChunks);
-
-  // Replace the refresh token in the request with the current account's refresh token
-  // so the renewal happens for the active account, not just the one the client knows about
-  let body = rawBody;
-  try {
-    const parsed = JSON.parse(rawBody.toString());
-    const currentAccount = accountManager.accounts[accountManager.currentIndex];
-    if (parsed.grant_type === 'refresh_token' && currentAccount?.type === 'oauth' && currentAccount.refreshToken) {
-      parsed.refresh_token = currentAccount.refreshToken;
-      body = JSON.stringify(parsed);
-      console.log(`[TeamClaude] Token refresh: substituted refresh token for account "${currentAccount.name}"`);
-    }
-  } catch {}
+  for await (const chunk of req) bodyChunks.push(chunk);
+  const body = Buffer.concat(bodyChunks);
 
   try {
-    // Forward to the real token endpoint
-    const upstreamRes = await fetch(TOKEN_ENDPOINT, {
-      method: 'POST',
+    const upstreamRes = await fetch(`${upstream}${req.url}`, {
+      method: req.method,
       headers: {
-        'Content-Type': req.headers['content-type'] || 'application/json',
-        'Accept': 'application/json, text/plain, */*',
-        'User-Agent': req.headers['user-agent'] || 'axios/1.13.6',
+        'content-type': req.headers['content-type'] || 'application/json',
+        'accept': req.headers['accept'] || 'application/json',
+        'user-agent': req.headers['user-agent'] || 'node',
       },
-      body,
+      body: body.length > 0 ? body : undefined,
     });
 
     const responseBody = await upstreamRes.text();
-
-    // Capture tokens from successful refresh — update the current account directly
-    if (upstreamRes.ok) {
-      try {
-        const tokens = JSON.parse(responseBody);
-        if (tokens.access_token) {
-          accountManager.updateAccountTokens(accountManager.currentIndex, {
-            accessToken: tokens.access_token,
-            refreshToken: tokens.refresh_token,
-            expiresAt: tokens.expires_at || (Date.now() + (tokens.expires_in || 3600) * 1000),
-          });
-        }
-      } catch {}
-    }
-
-    // Forward response to client
     const responseHeaders = {};
     for (const [key, value] of upstreamRes.headers.entries()) {
       if (key === 'transfer-encoding' || key === 'connection') continue;
@@ -141,17 +114,15 @@ async function handleTokenRefresh(req, res, accountManager, hooks) {
     res.writeHead(upstreamRes.status, responseHeaders);
     res.end(responseBody);
   } catch (err) {
-    console.error('[TeamClaude] Token refresh proxy error:', err.message);
+    console.error('[TeamClaude] Raw relay error:', err.message);
     if (!res.headersSent) {
       res.writeHead(502, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({
-        type: 'error',
-        error: { type: 'proxy_error', message: `Token refresh failed: ${err.message}` },
-      }));
+      res.end(JSON.stringify({ type: 'error', error: { type: 'proxy_error', message: 'Upstream unreachable' } }));
     }
   }
 }
 
+
 function logTimestamp() {
   const d = new Date();
   const pad = (n, w = 2) => String(n).padStart(w, '0');
@@ -272,6 +243,23 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
     }
     accountManager.updateQuota(account.index, rateLimitHeaders);
 
+    // On 429, wait the retry-after duration and retry on the same account
+    // (this is a transient rate limit, not quota exhaustion)
+    if (upstreamRes.status === 429) {
+      const retryAfter = parseInt(upstreamRes.headers.get('retry-after'), 10) || 60;
+      // Discard the 429 response body
+      await upstreamRes.body?.cancel();
+
+      if (logDir) {
+        logSections.push(`=== RESPONSE 429 — waiting ${retryAfter}s ===\n${formatHeaders(upstreamRes.headers)}`);
+      }
+      console.log(`[TeamClaude] 429 on "${account.name}" — waiting ${retryAfter}s before retry`);
+      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
+      // Client may have disconnected during the wait
+      if (res.destroyed) return;
+      return forwardRequest(req, res, body, accountManager, upstream, retryCount, hooks, reqId, ctx, logDir);
+    }
+
     // Log response headers
     if (logDir) {
       logSections.push(`=== RESPONSE ${upstreamRes.status} ===\n${formatHeaders(upstreamRes.headers)}`);
@@ -329,6 +317,17 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
       writeRequestLog(logDir, reqId, logSections);
     }
 
+    const isTransient = err instanceof Error &&
+      (err.message.includes('fetch failed') ||
+        err.code === 'ECONNRESET' || err.code === 'ECONNREFUSED' ||
+        err.code === 'ETIMEDOUT' || err.code === 'UND_ERR_CONNECT_TIMEOUT');
+
+    // Transient network errors: just close the connection and let the client retry
+    if (isTransient) {
+      res.destroy();
+      return;
+    }
+
     if (retryCount < maxRetries && !res.headersSent) {
       account.status = 'error';
       return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
@@ -358,6 +357,9 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
       const { done, value } = await reader.read();
       if (done) break;
 
+      // Client disconnected — stop reading from upstream
+      if (res.destroyed) break;
+
       // Forward chunk immediately
       const ok = res.write(value);
 
@@ -375,9 +377,14 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
         parseSSEUsage(event, accountIndex, accountManager);
       }
 
-      // Handle backpressure
+      // Handle backpressure — also bail out if client disconnects,
+      // because 'drain' will never fire on a destroyed socket
       if (!ok) {
-        await new Promise(resolve => res.once('drain', resolve));
+        await new Promise(resolve => {
+          res.once('drain', resolve);
+          res.once('close', resolve);
+        });
+        if (res.destroyed) break;
       }
     }
 
@@ -386,7 +393,9 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
       parseSSEUsage(sseBuffer, accountIndex, accountManager);
     }
   } finally {
-    res.end();
+    // Cancel upstream reader to stop consuming data nobody needs
+    reader.cancel().catch(() => {});
+    if (!res.writableEnded) res.end();
   }
 }
 

package/src/tui.js

@@ -1,4 +1,4 @@
-import { importCredentials } from './oauth.js';
+import { importCredentials, fetchProfile } from './oauth.js';
 
 // ── ANSI helpers ─────────────────────────────────────────────
 
@@ -283,7 +283,7 @@ export class TUI {
       if (count > 0) {
         this._addLog(`Synced ${count} new account(s) from config`);
       } else {
-        this._addLog('Config reloaded, no new accounts');
+        this._addLog('Config reloaded, credentials refreshed');
       }
     } catch (e) {
       this._addLog(`Sync failed: ${e.message}`);
@@ -292,19 +292,59 @@ export class TUI {
 
   async _doImport() {
     try {
+      this._addLog('Importing credentials...');
       const creds = await importCredentials('~/.claude/.credentials.json');
-      const n = this.config.accounts.filter(a => a.name.startsWith('max-')).length + 1;
-      const name = `max-${n}`;
+      const profile = await fetchProfile(creds.accessToken);
+      const profileOk = profile && !profile.error;
+
+      if (!profileOk) {
+        this._addLog(`Warning: could not fetch profile — ${profile?.error || 'no token'}`);
+      }
+
+      let name;
+      if (profile?.email) {
+        name = profile.email;
+        const tier = profile.hasClaudeMax ? 'Max' : profile.hasClaudePro ? 'Pro' : null;
+        if (tier) this._addLog(`Detected Claude ${tier}: ${name}`);
+      } else {
+        const n = this.config.accounts.filter(a => a.name.startsWith('account-')).length + 1;
+        name = `account-${n}`;
+      }
+
       const entry = {
-        name, type: 'oauth',
+        name, type: 'oauth', source: 'import',
+        accountUuid: profile?.accountUuid || null,
         accessToken: creds.accessToken,
         refreshToken: creds.refreshToken,
         expiresAt: creds.expiresAt,
       };
-      this.config.accounts.push(entry);
-      this.am.addAccount(entry);
+
+      // Deduplicate: match by UUID first, then by name
+      let idx = profile?.accountUuid
+        ? this.config.accounts.findIndex(a => a.accountUuid === profile.accountUuid)
+        : -1;
+      if (idx < 0) idx = this.config.accounts.findIndex(a => a.name === name);
+
+      if (idx >= 0) {
+        this.config.accounts[idx] = entry;
+        // Update the running account manager entry
+        const amAcct = this.am.accounts[idx];
+        if (amAcct) {
+          amAcct.credential = creds.accessToken;
+          amAcct.refreshToken = creds.refreshToken;
+          amAcct.expiresAt = creds.expiresAt;
+          amAcct.accountUuid = entry.accountUuid;
+          amAcct.name = name;
+          if (amAcct.status === 'error') amAcct.status = 'active';
+        }
+        this._addLog(`Updated account "${name}"`);
+      } else {
+        this.config.accounts.push(entry);
+        this.am.addAccount(entry);
+        this._addLog(`Imported account "${name}"`);
+      }
+
       await this.saveConfig(this.config);
-      this._addLog(`Imported account "${name}"`);
     } catch (e) {
       this._addLog(`Import failed: ${e.message}`);
     }