@karpeleslab/teamclaude 1.0.5 → 1.0.7

package/src/index.js

@@ -1,11 +1,14 @@
 #!/usr/bin/env node
 
-import { spawn } from 'node:child_process';
+import { spawnSync } from 'node:child_process';
 import { createInterface } from 'node:readline';
-import { loadOrCreateConfig, loadConfig, saveConfig, atomicConfigUpdate, getConfigPath } from './config.js';
+import net from 'node:net';
+import { loadOrCreateConfig, loadConfig, saveConfig, atomicConfigUpdate, getConfigPath, loadState, saveState } from './config.js';
 import { AccountManager } from './account-manager.js';
 import { createProxyServer } from './server.js';
-import { importCredentials, loginOAuth, fetchProfile } from './oauth.js';
+import { importCredentials, loginOAuth, fetchProfile, refreshAccessToken, isTokenExpiringSoon } from './oauth.js';
+import { sameIdentity, orgKey, matchAccounts } from './identity.js';
+import * as alias from './alias.js';
 import { TUI } from './tui.js';
 
 const args = process.argv.slice(2);
@@ -42,10 +45,26 @@ switch (command) {
     await removeCommand();
     process.exit(0);
     break;
+  case 'priority':
+    await priorityCommand();
+    process.exit(0);
+    break;
+  case 'disable':
+    await setDisabledCommand(true);
+    process.exit(0);
+    break;
+  case 'enable':
+    await setDisabledCommand(false);
+    process.exit(0);
+    break;
   case 'api':
     await apiCommand();
     process.exit(0);
     break;
+  case 'alias':
+    aliasCommand();
+    process.exit(0);
+    break;
   case 'help':
   case '--help':
   case '-h':
@@ -89,13 +108,42 @@ async function serverCommand() {
   const threshold = config.switchThreshold || 0.98;
   const accountManager = new AccountManager(accounts, threshold);
 
+  // Restore quota observed in a previous run so a restart doesn't lose rotation
+  // state (passive — we never call the API to re-learn it). Stale windows are
+  // cleared automatically on first use by _clearExpiredQuotas.
+  const savedState = await loadState().catch(err => {
+    console.error(`[TeamClaude] Could not read saved state: ${err.message}`);
+    return null;
+  });
+  if (savedState?.quota) accountManager.restoreQuotaState(savedState.quota);
+
+  // Periodically persist quota (and once more on shutdown) to the state file.
+  const persistQuotaState = () =>
+    saveState({ quota: accountManager.exportQuotaState() })
+      .catch(err => console.error(`[TeamClaude] Failed to save quota state: ${err.message}`));
+  let quotaSaveInterval = null;
+
   // Persist refreshed tokens back to config (re-read from disk to avoid clobbering
   // accounts added externally, e.g. by `teamclaude import` while server is running)
   accountManager.onTokenRefresh((idx, newTokens) => {
     const account = accountManager.accounts[idx];
     if (!account) return;
+    // Keep config.accounts in sync so TUI saveConfig doesn't clobber fresh tokens
+    if (config.accounts[idx]) {
+      config.accounts[idx].accessToken = newTokens.accessToken;
+      config.accounts[idx].refreshToken = newTokens.refreshToken;
+      config.accounts[idx].expiresAt = newTokens.expiresAt;
+    }
     atomicConfigUpdate(diskConfig => {
-      syncNewAccountsFromDisk(diskConfig, config, accountManager);
+      // Pick up any new accounts from disk so index matching stays correct
+      // (only add, don't refresh credentials — we're about to write the authoritative tokens)
+      for (const diskAcct of diskConfig.accounts) {
+        const known = config.accounts.some(a => sameIdentity(a, diskAcct));
+        if (!known) {
+          config.accounts.push(diskAcct);
+          accountManager.addAccount(diskAcct);
+        }
+      }
       // Match by UUID first, then by name — index may have shifted
       const cfgIdx = findConfigAccount(diskConfig, account);
       if (cfgIdx >= 0) {
@@ -114,24 +162,32 @@ async function serverCommand() {
   if (useTUI) {
     tui = new TUI({
       accountManager, config,
-      saveConfig: () => atomicConfigUpdate(diskConfig => {
-        syncNewAccountsFromDisk(diskConfig, config, accountManager);
-        // Write in-memory accounts back, preserving extra disk-only fields
-        diskConfig.accounts = config.accounts.map(a => {
-          const diskAcct = diskConfig.accounts.find(
-            d => (a.accountUuid && d.accountUuid === a.accountUuid) || d.name === a.name
-          );
-          return diskAcct ? { ...diskAcct, ...a } : a;
+      saveConfig: () => atomicConfigUpdate(async diskConfig => {
+        // Write in-memory accounts as the authoritative state, preserving
+        // extra disk-only fields (e.g. importFrom) where the account still exists.
+        // Use live tokens from AccountManager (not the stale config.accounts copy).
+        diskConfig.accounts = config.accounts.map((a, i) => {
+          const am = accountManager.accounts[i];
+          const live = am ? {
+            ...a,
+            accessToken: am.credential,
+            refreshToken: am.refreshToken,
+            expiresAt: am.expiresAt,
+          } : a;
+          const diskAcct = diskConfig.accounts.find(d => sameIdentity(d, a));
+          return diskAcct ? { ...diskAcct, ...live } : live;
         });
       }),
       syncAccounts: async () => {
         const diskConfig = await loadConfig();
         if (!diskConfig) return 0;
-        const before = accountManager.accounts.length;
-        syncNewAccountsFromDisk(diskConfig, config, accountManager);
-        return accountManager.accounts.length - before;
+        return syncAccountsFromDisk(diskConfig, config, accountManager);
+      },
+      onQuit: async () => {
+        if (quotaSaveInterval) clearInterval(quotaSaveInterval);
+        await persistQuotaState();
+        server.close(() => process.exit(0));
       },
-      onQuit: () => { server.close(() => process.exit(0)); },
     });
     hooks = {
       onRequestStart: (id, info) => tui.onRequestStart(id, info),
@@ -141,8 +197,17 @@ async function serverCommand() {
   }
 
   const server = createProxyServer(accountManager, config, hooks);
+  // Catch bind-time errors (e.g. EADDRINUSE) only. Once the socket is bound we
+  // remove this handler so a later runtime 'error' isn't misreported as a
+  // listen failure and exit the whole proxy.
+  const onListenError = err => handleServerListenError(err, port);
+  server.once('error', onListenError);
 
   server.listen(port, () => {
+    // Bind succeeded: stop treating errors as listen failures, but keep a
+    // benign runtime handler so a later 'error' is logged rather than thrown.
+    server.removeListener('error', onListenError);
+    server.on('error', err => console.error(`[TeamClaude] Server error: ${err.message}`));
     if (tui) {
       tui.start();
       console.log(`Listening on port ${port} with ${accounts.length} account(s)`);
@@ -168,15 +233,19 @@ async function serverCommand() {
     }
   });
 
+  // Persist quota every minute; unref so it never keeps the process alive.
+  quotaSaveInterval = setInterval(persistQuotaState, 60_000);
+  quotaSaveInterval.unref?.();
+
   if (!tui) {
-    process.on('SIGINT', () => {
+    const shutdown = async () => {
       console.log('\n[TeamClaude] Shutting down...');
+      clearInterval(quotaSaveInterval);
+      await persistQuotaState();
       server.close(() => process.exit(0));
-    });
-    process.on('SIGTERM', () => {
-      console.log('\n[TeamClaude] Shutting down...');
-      server.close(() => process.exit(0));
-    });
+    };
+    process.on('SIGINT', shutdown);
+    process.on('SIGTERM', shutdown);
   }
 }
 
@@ -186,14 +255,36 @@ async function importCommand() {
   const config = await loadOrCreateConfig();
 
   let name = argValue('--name');
-  const fromPath = argValue('--from') || '~/.claude/.credentials.json';
+  const jsonStr = argValue('--json');
 
   let creds;
-  try {
-    creds = await importCredentials(fromPath);
-  } catch (err) {
-    console.error(`Failed to import from ${fromPath}: ${err.message}`);
-    process.exit(1);
+  if (jsonStr) {
+    // Accept raw JSON: --json '{"claudeAiOauth":{"accessToken":"...","refreshToken":"...","expiresAt":...}}'
+    // or flat: --json '{"accessToken":"...","refreshToken":"...","expiresAt":...}'
+    try {
+      const raw = JSON.parse(jsonStr);
+      const data = raw.claudeAiOauth || raw;
+      if (!data.accessToken) {
+        console.error('JSON must contain "accessToken" (directly or under "claudeAiOauth")');
+        process.exit(1);
+      }
+      creds = {
+        accessToken: data.accessToken,
+        refreshToken: data.refreshToken,
+        expiresAt: data.expiresAt,
+      };
+    } catch (err) {
+      console.error(`Failed to parse --json: ${err.message}`);
+      process.exit(1);
+    }
+  } else {
+    const fromPath = argValue('--from') || '~/.claude/.credentials.json';
+    try {
+      creds = await importCredentials(fromPath);
+    } catch (err) {
+      console.error(`Failed to import from ${fromPath}: ${err.message}`);
+      process.exit(1);
+    }
   }
 
   await upsertOAuthAccount(config, name, creds, 'import');
@@ -296,27 +387,37 @@ async function runCommand() {
   const claudeArgs = args.slice(1);
   if (claudeArgs[0] === '--') claudeArgs.shift();
 
-  // Only set ANTHROPIC_BASE_URL — Claude Code keeps its own OAuth token
-  // which the proxy accepts from localhost. Not setting ANTHROPIC_API_KEY
-  // lets Claude Code stay in subscription mode (full model access).
-  const child = spawn('claude', claudeArgs, {
+  // Route through the proxy only when it's actually up; otherwise launch claude
+  // directly so a stopped proxy doesn't break `claude`. This is what lets the
+  // shell alias (`claude='teamclaude run --'`) be a dumb passthrough.
+  const port = config.proxy.port;
+  const env = { ...process.env };
+  if (await isProxyUp(port)) {
+    // Only set ANTHROPIC_BASE_URL — Claude Code keeps its own OAuth token
+    // which the proxy accepts from localhost. Not setting ANTHROPIC_API_KEY
+    // lets Claude Code stay in subscription mode (full model access).
+    env.ANTHROPIC_BASE_URL = `http://localhost:${port}`;
+  } else {
+    console.error(`[TeamClaude] Proxy not running on port ${port} — launching claude directly (start it with: teamclaude server)`);
+  }
+
+  // Use spawnSync so the Node process blocks entirely — behaves like execvp.
+  const result = spawnSync('claude', claudeArgs, {
     stdio: 'inherit',
-    env: {
-      ...process.env,
-      ANTHROPIC_BASE_URL: `http://localhost:${config.proxy.port}`,
-    },
+    shell: process.platform === 'win32',
+    env,
   });
 
-  child.on('error', (err) => {
-    if (err.code === 'ENOENT') {
+  if (result.error) {
+    if (result.error.code === 'ENOENT') {
       console.error('Claude Code not found in PATH. Install it first.');
     } else {
-      console.error(`Failed to start claude: ${err.message}`);
+      console.error(`Failed to start claude: ${result.error.message}`);
     }
     process.exit(1);
-  });
+  }
 
-  child.on('exit', (code) => process.exit(code ?? 1));
+  process.exit(result.status ?? 1);
 }
 
 // ── status ──────────────────────────────────────────────────
@@ -337,7 +438,7 @@ async function statusCommand() {
       const current = acct.name === data.currentAccount ? ' *' : '';
 
       console.log(`  ${acct.name} (${acct.type})${current}`);
-      console.log(`    Status:   ${acct.status}`);
+      console.log(`    Status:   ${acct.status}${acct.disabled ? ' (disabled)' : ''}`);
 
       if (q.unified5h != null || q.unified7d != null) {
         const ses = q.unified5h != null ? (q.unified5h * 100).toFixed(1) + '%' : '-';
@@ -372,6 +473,23 @@ async function accountsCommand() {
     return;
   }
 
+  // Refresh expired tokens before fetching profiles
+  let configDirty = false;
+  await Promise.all(config.accounts.map(async (a) => {
+    if (a.type !== 'oauth' || !a.refreshToken) return;
+    if (!isTokenExpiringSoon(a.expiresAt)) return;
+    try {
+      const newTokens = await refreshAccessToken(a.refreshToken);
+      a.accessToken = newTokens.accessToken;
+      a.refreshToken = newTokens.refreshToken;
+      a.expiresAt = newTokens.expiresAt;
+      configDirty = true;
+    } catch (err) {
+      // refresh failed — fetchProfile will report the specific error
+    }
+  }));
+  if (configDirty) await saveConfig(config);
+
   // Fetch profiles in parallel for all OAuth accounts
   const profiles = await Promise.all(
     config.accounts.map(a =>
@@ -379,32 +497,51 @@ async function accountsCommand() {
     )
   );
 
-  // Deduplicate by accountUuid — keep the last (most recently added) entry
+  // Backfill account+org identity from profiles, then deduplicate by
+  // (accountUuid, org): the same person in a different org is a distinct
+  // account, not a duplicate. Keep the last (most recently added) entry.
   const seen = new Map();
   let removed = 0;
+  let touched = false;
   for (let i = config.accounts.length - 1; i >= 0; i--) {
     const a = config.accounts[i];
-    const uuid = profiles[i]?.accountUuid || a.accountUuid;
-    if (uuid) {
-      if (seen.has(uuid)) {
-        config.accounts.splice(i, 1);
-        profiles.splice(i, 1);
-        removed++;
-      } else {
-        seen.set(uuid, i);
-        // Update stored UUID and name from profile
-        if (profiles[i]) {
-          a.accountUuid = profiles[i].accountUuid;
-          if (profiles[i].email) a.name = profiles[i].email;
-        }
-      }
+    const p = profiles[i];
+    if (p && !p.error) {
+      if (p.accountUuid && a.accountUuid !== p.accountUuid) { a.accountUuid = p.accountUuid; touched = true; }
+      if (p.orgUuid && a.orgUuid !== p.orgUuid) { a.orgUuid = p.orgUuid; touched = true; }
+      if (p.orgName && a.orgName !== p.orgName) { a.orgName = p.orgName; touched = true; }
     }
+    const uuid = a.accountUuid;
+    if (!uuid) continue;
+    const key = `${uuid}::${orgKey(a) || ''}`;
+    if (seen.has(key)) {
+      config.accounts.splice(i, 1);
+      profiles.splice(i, 1);
+      removed++;
+      touched = true;
+    } else {
+      seen.set(key, i);
+    }
+  }
+
+  // Name accounts from their email: plain when the person has a single org,
+  // "email (Org)" when the same person spans multiple orgs. Names must stay
+  // unique — they are the user-facing key for remove/api/selection.
+  const orgCount = new Map();
+  for (const a of config.accounts) {
+    if (a.accountUuid) orgCount.set(a.accountUuid, (orgCount.get(a.accountUuid) || 0) + 1);
   }
-  if (removed > 0) {
-    await saveConfig(config);
-    console.log(`Removed ${removed} duplicate account(s)\n`);
+  for (const [i, a] of config.accounts.entries()) {
+    const p = profiles[i];
+    const email = (p && !p.error && p.email) ? p.email : null;
+    if (!email) continue;
+    const newName = orgCount.get(a.accountUuid) > 1 ? `${email} (${orgLabel(a)})` : email;
+    if (a.name !== newName) { a.name = newName; touched = true; }
   }
 
+  if (touched) await saveConfig(config);
+  if (removed > 0) console.log(`Removed ${removed} duplicate account(s)\n`);
+
   for (const [i, a] of config.accounts.entries()) {
     const p = profiles[i];
 
@@ -414,12 +551,13 @@ async function accountsCommand() {
     }
 
     // OAuth account
-    const tier = p?.hasClaudeMax ? 'Max' : p?.hasClaudePro ? 'Pro' : 'subscription';
-    const status = p ? `Claude ${tier}` : 'unknown (profile fetch failed)';
+    const hasProfile = p && !p.error;
+    const tier = hasProfile ? (p.hasClaudeMax ? 'Max' : p.hasClaudePro ? 'Pro' : 'subscription') : null;
+    const status = hasProfile ? `Claude ${tier}` : `unknown (${p?.error || 'no token'})`;
     const src = a.source ? `, ${a.source}` : '';
     console.log(`  [${i + 1}] ${a.name} (${status}${src})`);
-    if (p?.email && p.email !== a.name) console.log(`       Email: ${p.email}`);
-    if (p?.orgName) console.log(`       Org:   ${p.orgName}`);
+    if (hasProfile && p.email && p.email !== a.name) console.log(`       Email: ${p.email}`);
+    if (hasProfile && p.orgName) console.log(`       Org:   ${p.orgName}`);
     if (verbose && a.expiresAt) {
       const remaining = a.expiresAt - Date.now();
       if (remaining <= 0) {
@@ -454,7 +592,7 @@ async function apiCommand() {
   const accounts = await resolveAccounts(config);
   let account;
   if (accountName) {
-    account = accounts.find(a => a.name === accountName);
+    account = resolveAccount(accounts, accountName, argValue('--org'));
     if (!account) { console.error(`Account "${accountName}" not found`); process.exit(1); }
   } else {
     account = accounts.find(a => a.type === 'oauth') || accounts[0];
@@ -494,26 +632,128 @@ async function apiCommand() {
   }
 }
 
+// ── alias ───────────────────────────────────────────────────
+
+function aliasCommand() {
+  const shell = argValue('--shell') || undefined;
+  if (args.includes('--uninstall')) {
+    alias.uninstallAlias({ shell });
+  } else if (args.includes('--install')) {
+    alias.installAlias({ shell });
+  } else {
+    alias.printAlias({ shell });
+  }
+}
+
 // ── remove ──────────────────────────────────────────────────
 
+/**
+ * Resolve a single account from a name-or-email query.
+ *
+ * An exact display-name match wins. Otherwise match by email (the part before a
+ * " (org)" suffix), optionally narrowed by --org. If still ambiguous across
+ * orgs, print the candidates and exit so the caller can disambiguate with --org.
+ * Returns the matched account, or null if nothing matched.
+ */
+function resolveAccount(accounts, query, orgFilter) {
+  const matches = matchAccounts(accounts, query, orgFilter);
+  if (matches.length === 1) return matches[0];
+  if (matches.length === 0) return null;
+  console.error(`"${query}" matches ${matches.length} accounts — disambiguate with --org <name|uuid>:`);
+  for (const a of matches) {
+    console.error(`  - ${a.name}${a.orgName ? `  (org: ${a.orgName})` : ''}`);
+  }
+  process.exit(1);
+}
+
 async function removeCommand() {
   const config = await loadOrCreateConfig();
   const name = args[1];
 
   if (!name) {
-    console.error('Usage: teamclaude remove <account-name>');
+    console.error('Usage: teamclaude remove <account-name|email> [--org <name|uuid>]');
+    process.exit(1);
+  }
+
+  const account = resolveAccount(config.accounts, name, argValue('--org'));
+  if (!account) {
+    console.error(`Account "${name}" not found`);
+    process.exit(1);
+  }
+
+  config.accounts.splice(config.accounts.indexOf(account), 1);
+  await saveConfig(config);
+  console.log(`Removed account "${account.name}"`);
+}
+
+// ── priority ────────────────────────────────────────────────
+
+async function priorityCommand() {
+  const config = await loadOrCreateConfig();
+  const name = args[1];
+
+  if (!name) {
+    console.error('Usage: teamclaude priority <account-name|email> <n> [--org <name|uuid>]');
+    console.error('       teamclaude priority <account-name|email> --first | --last');
+    console.error('Lower priority is preferred for rotation (default 0).');
     process.exit(1);
   }
 
-  const idx = config.accounts.findIndex(a => a.name === name);
-  if (idx < 0) {
+  const account = resolveAccount(config.accounts, name, argValue('--org'));
+  if (!account) {
     console.error(`Account "${name}" not found`);
     process.exit(1);
   }
 
-  config.accounts.splice(idx, 1);
+  const priorities = config.accounts.map(a => a.priority || 0);
+  let priority;
+  if (args.includes('--first')) {
+    priority = Math.min(0, ...priorities) - 1;
+  } else if (args.includes('--last')) {
+    priority = Math.max(0, ...priorities) + 1;
+  } else {
+    // Accept the integer in any position (e.g. after --org) — first int-looking token.
+    const numTok = args.slice(2).find(t => /^-?\d+$/.test(t));
+    priority = numTok != null ? parseInt(numTok, 10) : NaN;
+    if (Number.isNaN(priority)) {
+      console.error('Provide an integer priority, or --first / --last.');
+      process.exit(1);
+    }
+  }
+
+  account.priority = priority;
   await saveConfig(config);
-  console.log(`Removed account "${name}"`);
+  console.log(`Set priority of "${account.name}" to ${priority} (lower = preferred)`);
+}
+
+// ── enable / disable ────────────────────────────────────────
+
+async function setDisabledCommand(disabled) {
+  const config = await loadOrCreateConfig();
+  const name = args[1];
+  const verb = disabled ? 'disable' : 'enable';
+
+  if (!name) {
+    console.error(`Usage: teamclaude ${verb} <account-name|email> [--org <name|uuid>]`);
+    process.exit(1);
+  }
+
+  const account = resolveAccount(config.accounts, name, argValue('--org'));
+  if (!account) {
+    console.error(`Account "${name}" not found`);
+    process.exit(1);
+  }
+
+  if (disabled) {
+    account.disabled = true;
+  } else {
+    delete account.disabled;
+  }
+  await saveConfig(config);
+  console.log(`${disabled ? 'Disabled' : 'Enabled'} account "${account.name}"`);
+  if (!disabled) {
+    console.log('(restart or reload the running server to retry it if it was in an error state)');
+  }
 }
 
 // ── help ────────────────────────────────────────────────────
@@ -529,16 +769,24 @@ Commands:
   login               OAuth login via browser
   login --api         Add an API key account
   env                 Print env vars to use with Claude
-  run [-- args...]    Run Claude Code through the proxy
+  run [-- args...]    Run Claude Code through the proxy (direct if it's down)
+  alias               Print a shell alias so plain 'claude' routes via the proxy
+                      (--install to write it to your shell rc; --uninstall to remove)
   status              Show proxy & account status (live)
   accounts            List configured accounts
-  remove <name>       Remove an account
+  remove <name>       Remove an account (by name or email; --org to disambiguate)
+  disable <name>      Temporarily exclude an account from rotation
+  enable <name>       Re-enable a disabled account (also clears a stuck error)
+  priority <name> <n> Set rotation priority (lower = preferred; --first/--last)
   api <path>          Call an API endpoint with account credentials
   help                Show this help
 
 Options:
   --name NAME         Set account name (import/login)
+  --org NAME|UUID     Disambiguate when an email spans multiple orgs (remove/priority/api)
   --from PATH         Credentials path (import, default: ~/.claude/.credentials.json)
+  --json JSON         Import from inline JSON (import), e.g.:
+                      --json '{"accessToken":"...","refreshToken":"...","expiresAt":1234}'
   --log-to DIR        Log full requests/responses to DIR (server, one file per request)
 
 Config: ${getConfigPath()}
@@ -547,10 +795,20 @@ Config: ${getConfigPath()}
 
 // ── shared account upsert ────────────────────────────────────
 
+/** Short human label for an account's organization, for disambiguating names. */
+function orgLabel(a) {
+  return a.orgName || (a.orgUuid ? a.orgUuid.slice(0, 8) : 'org');
+}
+
 async function upsertOAuthAccount(config, name, creds, source = 'unknown') {
-  // Fetch profile to auto-name and deduplicate by account UUID
+  // Fetch profile to auto-name and deduplicate by account+org identity.
+  const userNamed = !!name;
   const profile = await fetchProfile(creds.accessToken);
+  const profileOk = profile && !profile.error;
 
+  if (!profileOk) {
+    console.error(`Warning: could not fetch account profile — ${profile?.error || 'no token'}`);
+  }
   if (!name && profile?.email) {
     name = profile.email;
     const tier = profile.hasClaudeMax ? 'Max' : profile.hasClaudePro ? 'Pro' : null;
@@ -566,23 +824,40 @@ async function upsertOAuthAccount(config, name, creds, source = 'unknown') {
     type: 'oauth',
     source,
     accountUuid: profile?.accountUuid || null,
+    orgUuid: profile?.orgUuid || null,
+    orgName: profile?.orgName || null,
     accessToken: creds.accessToken,
     refreshToken: creds.refreshToken,
     expiresAt: creds.expiresAt,
   };
 
-  // Deduplicate: match by UUID first, then by name
-  let idx = profile?.accountUuid
-    ? config.accounts.findIndex(a => a.accountUuid === profile.accountUuid)
-    : -1;
+  // Deduplicate by account+org identity (same email in a different org is a
+  // distinct account), then by name.
+  let idx = config.accounts.findIndex(a => sameIdentity(a, account));
   if (idx < 0) idx = config.accounts.findIndex(a => a.name === name);
 
   if (idx >= 0) {
-    config.accounts[idx] = account;
-    console.log(`Updated account "${name}"`);
+    // Same account+org: refresh credentials and org info, but keep the existing
+    // display name and any disk-only fields (e.g. importFrom).
+    const prev = config.accounts[idx];
+    config.accounts[idx] = { ...prev, ...account, name: prev.name };
+    console.log(`Updated account "${prev.name}"`);
   } else {
+    // New org for this person: if another entry shares the accountUuid, the bare
+    // email name would collide — disambiguate both with " (org)".
+    if (!userNamed && account.accountUuid) {
+      const collisions = config.accounts.filter(
+        a => a.accountUuid === account.accountUuid && !sameIdentity(a, account)
+      );
+      if (collisions.length > 0) {
+        for (const c of collisions) {
+          if (!c.name.includes(' (')) c.name = `${c.name} (${orgLabel(c)})`;
+        }
+        account.name = `${name} (${orgLabel(account)})`;
+      }
+    }
     config.accounts.push(account);
-    console.log(`Added account "${name}"`);
+    console.log(`Added account "${account.name}"`);
   }
 
   await saveConfig(config);
@@ -592,33 +867,94 @@ async function upsertOAuthAccount(config, name, creds, source = 'unknown') {
 // ── config sync helpers ─────────────────────────────────────
 
 /**
- * Find a config account entry matching an in-memory account (by UUID, then name).
+ * Find a config account entry matching an in-memory account by account+org identity.
  */
 function findConfigAccount(diskConfig, account) {
-  if (account.accountUuid) {
-    const idx = diskConfig.accounts.findIndex(a => a.accountUuid === account.accountUuid);
-    if (idx >= 0) return idx;
-  }
-  return diskConfig.accounts.findIndex(a => a.name === account.name);
+  return diskConfig.accounts.findIndex(a => sameIdentity(a, account));
 }
 
 /**
- * Detect accounts added to disk config by external processes and add them
- * to the running AccountManager + in-memory config.
+ * Sync accounts from disk config: add new accounts and refresh credentials
+ * for existing ones (handles re-imported OAuth tokens, rotated API keys, etc.).
+ * Returns the number of new accounts added.
  */
-function syncNewAccountsFromDisk(diskConfig, memConfig, accountManager) {
+async function syncAccountsFromDisk(diskConfig, memConfig, accountManager) {
+  let added = 0;
+  // Greedy 1:1 pairing of disk entries to in-memory accounts, account+org aware.
+  // Each disk entry claims at most one unclaimed manager account, so multiple
+  // same-person/different-org entries pair correctly instead of all matching the
+  // first one with that accountUuid.
+  const claimed = new Set();
+  const claim = (diskAcct) => {
+    for (let i = 0; i < accountManager.accounts.length; i++) {
+      if (!claimed.has(i) && sameIdentity(accountManager.accounts[i], diskAcct)) {
+        claimed.add(i);
+        return i;
+      }
+    }
+    return -1;
+  };
+
   for (const diskAcct of diskConfig.accounts) {
-    const knownByUuid = diskAcct.accountUuid &&
-      memConfig.accounts.some(a => a.accountUuid === diskAcct.accountUuid);
-    const knownByName = memConfig.accounts.some(a => a.name === diskAcct.name);
+    const mgrIdx = claim(diskAcct);
 
-    if (!knownByUuid && !knownByName) {
+    if (mgrIdx < 0) {
       // New account discovered on disk — add to running server
       memConfig.accounts.push(diskAcct);
       accountManager.addAccount(diskAcct);
+      claimed.add(accountManager.accounts.length - 1);
+      added++;
       console.log(`[TeamClaude] Picked up new account "${diskAcct.name}" from config`);
+      continue;
+    }
+
+    const mgr = accountManager.accounts[mgrIdx];
+
+    // Backfill org identity and pick up renames/priority onto the running
+    // account (e.g. after disk-side org disambiguation or a `priority` change).
+    if (diskAcct.orgUuid && !mgr.orgUuid) mgr.orgUuid = diskAcct.orgUuid;
+    if (diskAcct.orgName && !mgr.orgName) mgr.orgName = diskAcct.orgName;
+    if (diskAcct.name && mgr.name !== diskAcct.name) mgr.name = diskAcct.name;
+    if (diskAcct.priority != null && mgr.priority !== diskAcct.priority) mgr.priority = diskAcct.priority;
+    // Pick up enable/disable toggles; re-enabling clears a stuck error state.
+    const wantDisabled = !!diskAcct.disabled;
+    if (mgr.disabled !== wantDisabled) accountManager.setDisabled(mgr.index, wantDisabled);
+
+    // Existing account — resolve fresh credentials from disk
+    let freshCred = null;
+    if (diskAcct.type === 'oauth' && diskAcct.importFrom) {
+      try {
+        const creds = await importCredentials(diskAcct.importFrom);
+        freshCred = { accessToken: creds.accessToken, refreshToken: creds.refreshToken, expiresAt: creds.expiresAt };
+      } catch (err) {
+        console.error(`[TeamClaude] Re-import failed for "${diskAcct.name}": ${err.message}`);
+      }
+    } else if (diskAcct.type === 'oauth' && diskAcct.accessToken) {
+      freshCred = { accessToken: diskAcct.accessToken, refreshToken: diskAcct.refreshToken, expiresAt: diskAcct.expiresAt };
+    } else if (diskAcct.type === 'apikey' && diskAcct.apiKey) {
+      freshCred = { apiKey: diskAcct.apiKey };
+    }
+
+    if (!freshCred) continue;
+
+    if (freshCred.accessToken) {
+      const changed = mgr.credential !== freshCred.accessToken ||
+        mgr.refreshToken !== freshCred.refreshToken;
+      // Don't overwrite in-memory credentials with staler ones from disk
+      // (e.g. after a TUI import updated the AM before saveConfig wrote to disk)
+      const diskIsStaler = freshCred.expiresAt && mgr.expiresAt &&
+        freshCred.expiresAt < mgr.expiresAt;
+      if (changed && !diskIsStaler) {
+        accountManager.updateAccountTokens(mgr.index, freshCred);
+        console.log(`[TeamClaude] Refreshed credentials for "${mgr.name}"`);
+      }
+    } else if (freshCred.apiKey && mgr.credential !== freshCred.apiKey) {
+      mgr.credential = freshCred.apiKey;
+      if (mgr.status === 'error') mgr.status = 'active';
+      console.log(`[TeamClaude] Updated API key for "${mgr.name}"`);
     }
   }
+  return added;
 }
 
 // ── helpers ─────────────────────────────────────────────────
@@ -651,3 +987,32 @@ function argValue(flag) {
   const i = args.indexOf(flag);
   return (i >= 0 && args[i + 1]) ? args[i + 1] : null;
 }
+
+// Quick liveness probe: is something listening on the local proxy port?
+// A successful TCP connect is enough (the proxy is local). Times out fast so a
+// down proxy doesn't add noticeable latency to `claude` launches via the alias.
+function isProxyUp(port, timeout = 600) {
+  return new Promise(resolve => {
+    const socket = net.connect({ host: '127.0.0.1', port });
+    const done = up => { socket.destroy(); resolve(up); };
+    socket.setTimeout(timeout);
+    socket.once('connect', () => done(true));
+    socket.once('timeout', () => done(false));
+    socket.once('error', () => resolve(false));
+  });
+}
+
+function handleServerListenError(err, port) {
+  if (err.code === 'EADDRINUSE') {
+    console.error(`[TeamClaude] Port ${port} is already in use.`);
+    console.error('Another TeamClaude proxy may already be running.');
+    console.error('Check the existing server with: teamclaude status');
+    console.error(`Find the listener with: lsof -nP -iTCP:${port} -sTCP:LISTEN`);
+  } else if (err.code === 'EACCES') {
+    console.error(`[TeamClaude] Permission denied while listening on port ${port}.`);
+    console.error('Choose a non-privileged port in the TeamClaude config.');
+  } else {
+    console.error(`[TeamClaude] Failed to listen on port ${port}: ${err.message}`);
+  }
+  process.exit(1);
+}