@karpeleslab/teamclaude 1.0.5 → 1.0.7

package/src/oauth.js

@@ -2,6 +2,7 @@ import { readFile } from 'node:fs/promises';
 import { homedir } from 'node:os';
 import { randomBytes, createHash } from 'node:crypto';
 import { exec } from 'node:child_process';
+import { createInterface } from 'node:readline';
 import http from 'node:http';
 
 /**
@@ -68,7 +69,7 @@ export async function refreshAccessToken(refreshToken, endpoint = DEFAULT_TOKEN_
       return {
         accessToken: data.access_token,
         refreshToken: data.refresh_token || refreshToken,
-        expiresAt: data.expires_at || (Date.now() + (data.expires_in || 3600) * 1000),
+        expiresAt: normalizeExpiresAt(data.expires_at) || (Date.now() + (data.expires_in || 3600) * 1000),
       };
     } catch (err) {
       const isNetworkError = err instanceof Error &&
@@ -84,36 +85,58 @@ export async function refreshAccessToken(refreshToken, endpoint = DEFAULT_TOKEN_
   }
 }
 
+/**
+ * Normalize an expires_at value to milliseconds.
+ * OAuth endpoints may return seconds; Claude Code credentials use milliseconds.
+ */
+export function normalizeExpiresAt(expiresAt) {
+  if (!expiresAt) return expiresAt;
+  // If the value is plausibly in seconds (< 10^12 ≈ year 2001 in ms, year 33658 in s),
+  // convert to milliseconds
+  return expiresAt < 1e12 ? expiresAt * 1000 : expiresAt;
+}
+
 /**
  * Check if an OAuth token is expiring within the given threshold.
  */
 export function isTokenExpiringSoon(expiresAt, thresholdMs = 5 * 60 * 1000) {
   if (!expiresAt) return false;
-  return Date.now() + thresholdMs >= expiresAt;
+  return Date.now() + thresholdMs >= normalizeExpiresAt(expiresAt);
 }
 
 /**
  * Fetch account profile for an OAuth token.
- * Returns { email, name, orgName, orgType } or null on failure.
+ * Returns { email, name, orgName, orgType, ... } on success,
+ * or { error: 'reason' } on failure.
  */
 export async function fetchProfile(accessToken) {
   try {
     const res = await fetch(PROFILE_URL, {
       headers: { 'Authorization': `Bearer ${accessToken}` },
     });
-    if (!res.ok) return null;
+    if (!res.ok) {
+      let detail = '';
+      try {
+        const body = await res.json();
+        detail = body?.error?.message || JSON.stringify(body).slice(0, 200);
+      } catch {
+        detail = await res.text().catch(() => '');
+      }
+      return { error: `HTTP ${res.status}${detail ? ': ' + detail : ''}` };
+    }
     const data = await res.json();
     return {
       accountUuid: data.account?.uuid,
       email: data.account?.email,
       name: data.account?.display_name,
+      orgUuid: data.organization?.uuid,
       orgName: data.organization?.name,
       orgType: data.organization?.organization_type,
       hasClaudeMax: data.account?.has_claude_max,
       hasClaudePro: data.account?.has_claude_pro,
     };
-  } catch {
-    return null;
+  } catch (err) {
+    return { error: err.message || String(err) };
   }
 }
 
@@ -153,10 +176,10 @@ export async function loginOAuth() {
   console.log(`If it doesn't open, visit:\n  ${authUrl.toString()}\n`);
   openBrowser(authUrl.toString());
 
-  // Wait for the authorization code
+  // Wait for either the callback server or manual paste from stdin
   let code;
   try {
-    code = await codePromise;
+    code = await raceWithStdinCode(codePromise, state);
   } finally {
     server.close();
   }
@@ -185,10 +208,58 @@ export async function loginOAuth() {
   return {
     accessToken: tokens.access_token,
     refreshToken: tokens.refresh_token,
-    expiresAt: tokens.expires_at || (Date.now() + (tokens.expires_in || 3600) * 1000),
+    expiresAt: normalizeExpiresAt(tokens.expires_at) || (Date.now() + (tokens.expires_in || 3600) * 1000),
   };
 }
 
+/**
+ * Race the callback server promise against manual code entry from stdin.
+ * The user can paste the full callback URL or just the authorization code.
+ */
+function raceWithStdinCode(callbackPromise, expectedState) {
+  if (!process.stdin.isTTY) return callbackPromise;
+
+  return new Promise((resolve, reject) => {
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    let settled = false;
+
+    const settle = (fn, val) => {
+      if (settled) return;
+      settled = true;
+      rl.close();
+      fn(val);
+    };
+
+    rl.question('Paste authorization code here (or wait for browser callback): ', answer => {
+      const trimmed = answer.trim();
+      if (!trimmed) return; // empty input, keep waiting for callback
+
+      // Try to parse as a URL with ?code= parameter
+      try {
+        const url = new URL(trimmed);
+        const code = url.searchParams.get('code');
+        const state = url.searchParams.get('state');
+        if (code) {
+          if (expectedState && state && state !== expectedState) {
+            settle(reject, new Error('OAuth state mismatch'));
+          } else {
+            settle(resolve, code);
+          }
+          return;
+        }
+      } catch {}
+
+      // Treat raw input as the authorization code
+      settle(resolve, trimmed);
+    });
+
+    callbackPromise.then(
+      code => settle(resolve, code),
+      err => settle(reject, err),
+    );
+  });
+}
+
 function startCallbackServer(expectedState) {
   return new Promise((resolve, reject) => {
     let resolveCode, rejectCode;

package/src/server.js

@@ -2,6 +2,7 @@ import http from 'node:http';
 import { writeFile, mkdir } from 'node:fs/promises';
 import { join } from 'node:path';
 
+
 const HOP_BY_HOP_HEADERS = new Set([
   'host', 'connection', 'keep-alive', 'transfer-encoding',
   'te', 'trailer', 'upgrade', 'proxy-authorization', 'proxy-authenticate',
@@ -39,9 +40,11 @@ export function createProxyServer(accountManager, config, hooks = {}) {
         return;
       }
 
-      // Intercept token refresh requests — forward to real endpoint and capture new tokens
+      // Let client token refresh requests pass through to upstream untouched.
+      // The proxy manages its own tokens via ensureTokenFresh(); intercepting
+      // or rewriting client refreshes would cause token rotation conflicts.
       if (req.method === 'POST' && req.url === '/v1/oauth/token') {
-        await handleTokenRefresh(req, res, accountManager, hooks);
+        await relayRaw(req, res, upstream);
         return;
       }
 
@@ -57,82 +60,52 @@ export function createProxyServer(accountManager, config, hooks = {}) {
       const body = Buffer.concat(bodyChunks);
 
       const ctx = { account: null, status: null };
-      await forwardRequest(req, res, body, accountManager, upstream, 0, hooks, reqId, ctx, logDir);
-
-      hooks.onRequestEnd?.(reqId, {
-        method: req.method, path: req.url,
-        account: ctx.account, status: ctx.status,
-      });
+      try {
+        await forwardRequest(req, res, body, accountManager, upstream, 0, hooks, reqId, ctx, logDir);
+      } catch (err) {
+        ctx.status = ctx.status || 502;
+        console.error('[TeamClaude] Unhandled error:', err);
+        if (!res.headersSent) {
+          res.writeHead(502, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({
+            type: 'error',
+            error: { type: 'proxy_error', message: 'Internal proxy error' },
+          }));
+        }
+      } finally {
+        hooks.onRequestEnd?.(reqId, {
+          method: req.method, path: req.url,
+          account: ctx.account, status: ctx.status,
+        });
+      }
     } catch (err) {
       console.error('[TeamClaude] Unhandled error:', err);
-      if (!res.headersSent) {
-        res.writeHead(502, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({
-          type: 'error',
-          error: { type: 'proxy_error', message: 'Internal proxy error' },
-        }));
-      }
     }
   });
 
   return server;
 }
 
-const TOKEN_ENDPOINT = 'https://platform.claude.com/v1/oauth/token';
-
 /**
- * Forward a token refresh request to the real token endpoint, capture new tokens,
- * and pass the response back to the client.
+ * Relay a request to upstream with no header rewriting — pure passthrough.
  */
-async function handleTokenRefresh(req, res, accountManager, hooks) {
+async function relayRaw(req, res, upstream) {
   const bodyChunks = [];
-  for await (const chunk of req) {
-    bodyChunks.push(chunk);
-  }
-  const rawBody = Buffer.concat(bodyChunks);
-
-  // Replace the refresh token in the request with the current account's refresh token
-  // so the renewal happens for the active account, not just the one the client knows about
-  let body = rawBody;
-  try {
-    const parsed = JSON.parse(rawBody.toString());
-    const currentAccount = accountManager.accounts[accountManager.currentIndex];
-    if (parsed.grant_type === 'refresh_token' && currentAccount?.type === 'oauth' && currentAccount.refreshToken) {
-      parsed.refresh_token = currentAccount.refreshToken;
-      body = JSON.stringify(parsed);
-      console.log(`[TeamClaude] Token refresh: substituted refresh token for account "${currentAccount.name}"`);
-    }
-  } catch {}
+  for await (const chunk of req) bodyChunks.push(chunk);
+  const body = Buffer.concat(bodyChunks);
 
   try {
-    // Forward to the real token endpoint
-    const upstreamRes = await fetch(TOKEN_ENDPOINT, {
-      method: 'POST',
+    const upstreamRes = await fetch(`${upstream}${req.url}`, {
+      method: req.method,
       headers: {
-        'Content-Type': req.headers['content-type'] || 'application/json',
-        'Accept': 'application/json, text/plain, */*',
-        'User-Agent': req.headers['user-agent'] || 'axios/1.13.6',
+        'content-type': req.headers['content-type'] || 'application/json',
+        'accept': req.headers['accept'] || 'application/json',
+        'user-agent': req.headers['user-agent'] || 'node',
       },
-      body,
+      body: body.length > 0 ? body : undefined,
     });
 
     const responseBody = await upstreamRes.text();
-
-    // Capture tokens from successful refresh — update the current account directly
-    if (upstreamRes.ok) {
-      try {
-        const tokens = JSON.parse(responseBody);
-        if (tokens.access_token) {
-          accountManager.updateAccountTokens(accountManager.currentIndex, {
-            accessToken: tokens.access_token,
-            refreshToken: tokens.refresh_token,
-            expiresAt: tokens.expires_at || (Date.now() + (tokens.expires_in || 3600) * 1000),
-          });
-        }
-      } catch {}
-    }
-
-    // Forward response to client
     const responseHeaders = {};
     for (const [key, value] of upstreamRes.headers.entries()) {
       if (key === 'transfer-encoding' || key === 'connection') continue;
@@ -141,17 +114,15 @@ async function handleTokenRefresh(req, res, accountManager, hooks) {
     res.writeHead(upstreamRes.status, responseHeaders);
     res.end(responseBody);
   } catch (err) {
-    console.error('[TeamClaude] Token refresh proxy error:', err.message);
+    console.error('[TeamClaude] Raw relay error:', err.message);
     if (!res.headersSent) {
       res.writeHead(502, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({
-        type: 'error',
-        error: { type: 'proxy_error', message: `Token refresh failed: ${err.message}` },
-      }));
+      res.end(JSON.stringify({ type: 'error', error: { type: 'proxy_error', message: 'Upstream unreachable' } }));
     }
   }
 }
 
+
 function logTimestamp() {
   const d = new Date();
   const pad = (n, w = 2) => String(n).padStart(w, '0');
@@ -272,6 +243,43 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
     }
     accountManager.updateQuota(account.index, rateLimitHeaders);
 
+    // On 429, wait the retry-after duration and retry on the same account
+    // (this is a transient rate limit, not quota exhaustion).
+    if (upstreamRes.status === 429) {
+      // Clamp Retry-After to a sane window: missing/invalid falls back to 60s,
+      // and out-of-range values are bounded to [1, 300]. A negative value would
+      // otherwise bypass the retry cap — setTimeout returns immediately and
+      // markRateLimited would set rateLimitedUntil in the past.
+      let retryAfter = parseInt(upstreamRes.headers.get('retry-after'), 10);
+      if (Number.isNaN(retryAfter)) retryAfter = 60;
+      retryAfter = Math.min(Math.max(retryAfter, 1), 300);
+      // Discard the 429 response body
+      await upstreamRes.body?.cancel();
+
+      // Bound the retries: a persistently-throttled upstream must not loop
+      // forever (that would tie up the client connection indefinitely).
+      // Once retries are exhausted, throttle this account and re-dispatch —
+      // getActiveAccount then picks another account, or returns 429 to the
+      // client if every account is throttled.
+      if (retryCount >= maxRetries) {
+        console.log(`[TeamClaude] Persistent 429 on "${account.name}" — throttling ${retryAfter}s and re-dispatching`);
+        accountManager.markRateLimited(account.index, retryAfter);
+        if (logDir) {
+          logSections.push(`=== RESPONSE 429 — capped after ${retryCount} retries, throttling account ===\n${formatHeaders(upstreamRes.headers)}`);
+        }
+        return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
+      }
+
+      if (logDir) {
+        logSections.push(`=== RESPONSE 429 — waiting ${retryAfter}s ===\n${formatHeaders(upstreamRes.headers)}`);
+      }
+      console.log(`[TeamClaude] 429 on "${account.name}" — waiting ${retryAfter}s before retry`);
+      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
+      // Client may have disconnected during the wait
+      if (res.destroyed) return;
+      return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
+    }
+
     // Log response headers
     if (logDir) {
       logSections.push(`=== RESPONSE ${upstreamRes.status} ===\n${formatHeaders(upstreamRes.headers)}`);
@@ -329,6 +337,17 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
       writeRequestLog(logDir, reqId, logSections);
     }
 
+    const isTransient = err instanceof Error &&
+      (err.message.includes('fetch failed') ||
+        err.code === 'ECONNRESET' || err.code === 'ECONNREFUSED' ||
+        err.code === 'ETIMEDOUT' || err.code === 'UND_ERR_CONNECT_TIMEOUT');
+
+    // Transient network errors: just close the connection and let the client retry
+    if (isTransient) {
+      res.destroy();
+      return;
+    }
+
     if (retryCount < maxRetries && !res.headersSent) {
       account.status = 'error';
       return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
@@ -358,6 +377,9 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
       const { done, value } = await reader.read();
       if (done) break;
 
+      // Client disconnected — stop reading from upstream
+      if (res.destroyed) break;
+
       // Forward chunk immediately
       const ok = res.write(value);
 
@@ -375,9 +397,14 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
         parseSSEUsage(event, accountIndex, accountManager);
       }
 
-      // Handle backpressure
+      // Handle backpressure — also bail out if client disconnects,
+      // because 'drain' will never fire on a destroyed socket
       if (!ok) {
-        await new Promise(resolve => res.once('drain', resolve));
+        await new Promise(resolve => {
+          res.once('drain', resolve);
+          res.once('close', resolve);
+        });
+        if (res.destroyed) break;
       }
     }
 
@@ -386,7 +413,9 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
       parseSSEUsage(sseBuffer, accountIndex, accountManager);
     }
   } finally {
-    res.end();
+    // Cancel upstream reader to stop consuming data nobody needs
+    reader.cancel().catch(() => {});
+    if (!res.writableEnded) res.end();
   }
 }
 

package/src/tui.js

@@ -1,4 +1,5 @@
-import { importCredentials } from './oauth.js';
+import { importCredentials, fetchProfile } from './oauth.js';
+import { sameIdentity } from './identity.js';
 
 // ── ANSI helpers ─────────────────────────────────────────────
 
@@ -232,6 +233,9 @@ export class TUI {
     else if (k === 'r' && this.am.accounts.length > 0) {
       this.mode = 'select'; this.selAction = 'remove'; this.selIdx = 0;
     }
+    else if (k === 'd' && this.am.accounts.length > 0) {
+      this.mode = 'select'; this.selAction = 'toggle'; this.selIdx = this.am.currentIndex;
+    }
     else if (k === 'a') { this.mode = 'add'; }
     else if (k === 'R') { this._doSync(); }
   }
@@ -244,6 +248,8 @@ export class TUI {
       if (this.selAction === 'switch') {
         this.am.currentIndex = this.selIdx;
         this._addLog(`Switched to "${this.am.accounts[this.selIdx].name}"`);
+      } else if (this.selAction === 'toggle') {
+        this._doToggleDisabled(this.selIdx);
       } else {
         this._doRemove(this.selIdx);
       }
@@ -283,7 +289,7 @@ export class TUI {
       if (count > 0) {
         this._addLog(`Synced ${count} new account(s) from config`);
       } else {
-        this._addLog('Config reloaded, no new accounts');
+        this._addLog('Config reloaded, credentials refreshed');
       }
     } catch (e) {
       this._addLog(`Sync failed: ${e.message}`);
@@ -292,19 +298,75 @@ export class TUI {
 
   async _doImport() {
     try {
+      this._addLog('Importing credentials...');
       const creds = await importCredentials('~/.claude/.credentials.json');
-      const n = this.config.accounts.filter(a => a.name.startsWith('max-')).length + 1;
-      const name = `max-${n}`;
+      const profile = await fetchProfile(creds.accessToken);
+      const profileOk = profile && !profile.error;
+
+      if (!profileOk) {
+        this._addLog(`Warning: could not fetch profile — ${profile?.error || 'no token'}`);
+      }
+
+      let name;
+      if (profile?.email) {
+        name = profile.email;
+        const tier = profile.hasClaudeMax ? 'Max' : profile.hasClaudePro ? 'Pro' : null;
+        if (tier) this._addLog(`Detected Claude ${tier}: ${name}`);
+      } else {
+        const n = this.config.accounts.filter(a => a.name.startsWith('account-')).length + 1;
+        name = `account-${n}`;
+      }
+
       const entry = {
-        name, type: 'oauth',
+        name, type: 'oauth', source: 'import',
+        accountUuid: profile?.accountUuid || null,
+        orgUuid: profile?.orgUuid || null,
+        orgName: profile?.orgName || null,
         accessToken: creds.accessToken,
         refreshToken: creds.refreshToken,
         expiresAt: creds.expiresAt,
       };
-      this.config.accounts.push(entry);
-      this.am.addAccount(entry);
+
+      // Deduplicate by account+org identity (same email in a different org is a
+      // distinct account), then by name.
+      let idx = this.config.accounts.findIndex(a => sameIdentity(a, entry));
+      if (idx < 0) idx = this.config.accounts.findIndex(a => a.name === name);
+
+      if (idx >= 0) {
+        const prev = this.config.accounts[idx];
+        this.config.accounts[idx] = { ...prev, ...entry, name: prev.name };
+        // Update the running account manager entry
+        const amAcct = this.am.accounts.find(a => sameIdentity(a, entry)) || this.am.accounts[idx];
+        if (amAcct) {
+          amAcct.credential = creds.accessToken;
+          amAcct.refreshToken = creds.refreshToken;
+          amAcct.expiresAt = creds.expiresAt;
+          amAcct.accountUuid = entry.accountUuid;
+          amAcct.orgUuid = entry.orgUuid;
+          amAcct.orgName = entry.orgName;
+          if (amAcct.status === 'error') amAcct.status = 'active';
+        }
+        this._addLog(`Updated account "${prev.name}"`);
+      } else {
+        // New org for this person: disambiguate colliding email names with " (org)".
+        if (profile?.accountUuid) {
+          const orgLbl = a => a.orgName || (a.orgUuid ? a.orgUuid.slice(0, 8) : 'org');
+          const collisions = this.config.accounts.filter(
+            a => a.accountUuid === entry.accountUuid && !sameIdentity(a, entry)
+          );
+          if (collisions.length > 0) {
+            for (const c of collisions) {
+              if (!c.name.includes(' (')) c.name = `${c.name} (${orgLbl(c)})`;
+            }
+            entry.name = `${name} (${orgLbl(entry)})`;
+          }
+        }
+        this.config.accounts.push(entry);
+        this.am.addAccount(entry);
+        this._addLog(`Imported account "${entry.name}"`);
+      }
+
       await this.saveConfig(this.config);
-      this._addLog(`Imported account "${name}"`);
     } catch (e) {
       this._addLog(`Import failed: ${e.message}`);
     }
@@ -329,10 +391,37 @@ export class TUI {
     this._addLog(`Removed account "${name}"`);
   }
 
+  async _doToggleDisabled(idx) {
+    if (idx < 0 || idx >= this.am.accounts.length) return;
+    const acct = this.am.accounts[idx];
+    const next = !acct.disabled;
+    this.am.setDisabled(idx, next); // re-enabling also clears a stuck error state
+    // Write an explicit boolean (not delete): saveConfig merges over the on-disk
+    // entry, so a `delete` would leave a stale `disabled: true` from disk intact.
+    if (this.config.accounts[idx]) this.config.accounts[idx].disabled = next;
+    await this.saveConfig(this.config);
+    this._addLog(`${next ? 'Disabled' : 'Enabled'} account "${acct.name}"`);
+  }
+
   // ── rendering ──────────────────────────────────────
 
   render() {
     if (!this.running) return;
+    // Guard against re-entry: clearing an expired quota logs, and _addLog calls
+    // render() again — without this the nested call would render twice.
+    if (this._rendering) return;
+    this._rendering = true;
+    try {
+      this._render();
+    } finally {
+      this._rendering = false;
+    }
+  }
+
+  _render() {
+    // Reset the display the instant a quota window (e.g. 5-hour session) expires,
+    // instead of waiting for the next request to clear it.
+    this.am.refreshExpiredQuotas();
     const W = process.stdout.columns || 80;
     const H = process.stdout.rows || 24;
 
@@ -423,9 +512,11 @@ export class TUI {
     // Type
     const type = gray(a.type.padEnd(7));
 
-    // Status
+    // Status — a disabled account is shown as such regardless of its quota state.
     let status;
-    switch (a.status) {
+    if (a.disabled) {
+      status = gray('disabled');
+    } else switch (a.status) {
       case 'active':    status = isCur ? green('active') : 'active'; break;
       case 'throttled': status = yellow('throttled'); break;
       case 'exhausted': status = red('exhausted'); break;
@@ -464,9 +555,11 @@ export class TUI {
   _renderFooter() {
     switch (this.mode) {
       case 'normal':
-        return ` ${bold('s')}witch  ${bold('a')}dd  ${bold('r')}emove  ${bold('R')}eload  ${bold('q')}uit`;
+        return ` ${bold('s')}witch  ${bold('a')}dd  ${bold('r')}emove  ${bold('d')}isable  ${bold('R')}eload  ${bold('q')}uit`;
       case 'select': {
-        const act = this.selAction === 'switch' ? 'switch' : 'remove';
+        const act = this.selAction === 'switch' ? 'switch'
+          : this.selAction === 'toggle' ? 'enable/disable'
+          : 'remove';
         return ` ${dim('↑↓')} select  ${bold('Enter')} ${act}  ${bold('Esc')} cancel`;
       }
       case 'add':