@karpeleslab/teamclaude 1.0.6 → 1.0.7

package/src/index.js

@@ -2,10 +2,13 @@
 
 import { spawnSync } from 'node:child_process';
 import { createInterface } from 'node:readline';
-import { loadOrCreateConfig, loadConfig, saveConfig, atomicConfigUpdate, getConfigPath } from './config.js';
+import net from 'node:net';
+import { loadOrCreateConfig, loadConfig, saveConfig, atomicConfigUpdate, getConfigPath, loadState, saveState } from './config.js';
 import { AccountManager } from './account-manager.js';
 import { createProxyServer } from './server.js';
 import { importCredentials, loginOAuth, fetchProfile, refreshAccessToken, isTokenExpiringSoon } from './oauth.js';
+import { sameIdentity, orgKey, matchAccounts } from './identity.js';
+import * as alias from './alias.js';
 import { TUI } from './tui.js';
 
 const args = process.argv.slice(2);
@@ -42,10 +45,26 @@ switch (command) {
     await removeCommand();
     process.exit(0);
     break;
+  case 'priority':
+    await priorityCommand();
+    process.exit(0);
+    break;
+  case 'disable':
+    await setDisabledCommand(true);
+    process.exit(0);
+    break;
+  case 'enable':
+    await setDisabledCommand(false);
+    process.exit(0);
+    break;
   case 'api':
     await apiCommand();
     process.exit(0);
     break;
+  case 'alias':
+    aliasCommand();
+    process.exit(0);
+    break;
   case 'help':
   case '--help':
   case '-h':
@@ -89,6 +108,21 @@ async function serverCommand() {
   const threshold = config.switchThreshold || 0.98;
   const accountManager = new AccountManager(accounts, threshold);
 
+  // Restore quota observed in a previous run so a restart doesn't lose rotation
+  // state (passive — we never call the API to re-learn it). Stale windows are
+  // cleared automatically on first use by _clearExpiredQuotas.
+  const savedState = await loadState().catch(err => {
+    console.error(`[TeamClaude] Could not read saved state: ${err.message}`);
+    return null;
+  });
+  if (savedState?.quota) accountManager.restoreQuotaState(savedState.quota);
+
+  // Periodically persist quota (and once more on shutdown) to the state file.
+  const persistQuotaState = () =>
+    saveState({ quota: accountManager.exportQuotaState() })
+      .catch(err => console.error(`[TeamClaude] Failed to save quota state: ${err.message}`));
+  let quotaSaveInterval = null;
+
   // Persist refreshed tokens back to config (re-read from disk to avoid clobbering
   // accounts added externally, e.g. by `teamclaude import` while server is running)
   accountManager.onTokenRefresh((idx, newTokens) => {
@@ -104,8 +138,7 @@ async function serverCommand() {
       // Pick up any new accounts from disk so index matching stays correct
       // (only add, don't refresh credentials — we're about to write the authoritative tokens)
       for (const diskAcct of diskConfig.accounts) {
-        const known = (diskAcct.accountUuid && config.accounts.some(a => a.accountUuid === diskAcct.accountUuid))
-          || config.accounts.some(a => a.name === diskAcct.name);
+        const known = config.accounts.some(a => sameIdentity(a, diskAcct));
         if (!known) {
           config.accounts.push(diskAcct);
           accountManager.addAccount(diskAcct);
@@ -141,9 +174,7 @@ async function serverCommand() {
             refreshToken: am.refreshToken,
             expiresAt: am.expiresAt,
           } : a;
-          const diskAcct = diskConfig.accounts.find(
-            d => (a.accountUuid && d.accountUuid === a.accountUuid) || d.name === a.name
-          );
+          const diskAcct = diskConfig.accounts.find(d => sameIdentity(d, a));
           return diskAcct ? { ...diskAcct, ...live } : live;
         });
       }),
@@ -152,7 +183,11 @@ async function serverCommand() {
         if (!diskConfig) return 0;
         return syncAccountsFromDisk(diskConfig, config, accountManager);
       },
-      onQuit: () => { server.close(() => process.exit(0)); },
+      onQuit: async () => {
+        if (quotaSaveInterval) clearInterval(quotaSaveInterval);
+        await persistQuotaState();
+        server.close(() => process.exit(0));
+      },
     });
     hooks = {
       onRequestStart: (id, info) => tui.onRequestStart(id, info),
@@ -162,8 +197,17 @@ async function serverCommand() {
   }
 
   const server = createProxyServer(accountManager, config, hooks);
+  // Catch bind-time errors (e.g. EADDRINUSE) only. Once the socket is bound we
+  // remove this handler so a later runtime 'error' isn't misreported as a
+  // listen failure and exit the whole proxy.
+  const onListenError = err => handleServerListenError(err, port);
+  server.once('error', onListenError);
 
   server.listen(port, () => {
+    // Bind succeeded: stop treating errors as listen failures, but keep a
+    // benign runtime handler so a later 'error' is logged rather than thrown.
+    server.removeListener('error', onListenError);
+    server.on('error', err => console.error(`[TeamClaude] Server error: ${err.message}`));
     if (tui) {
       tui.start();
       console.log(`Listening on port ${port} with ${accounts.length} account(s)`);
@@ -189,15 +233,19 @@ async function serverCommand() {
     }
   });
 
+  // Persist quota every minute; unref so it never keeps the process alive.
+  quotaSaveInterval = setInterval(persistQuotaState, 60_000);
+  quotaSaveInterval.unref?.();
+
   if (!tui) {
-    process.on('SIGINT', () => {
+    const shutdown = async () => {
       console.log('\n[TeamClaude] Shutting down...');
+      clearInterval(quotaSaveInterval);
+      await persistQuotaState();
       server.close(() => process.exit(0));
-    });
-    process.on('SIGTERM', () => {
-      console.log('\n[TeamClaude] Shutting down...');
-      server.close(() => process.exit(0));
-    });
+    };
+    process.on('SIGINT', shutdown);
+    process.on('SIGTERM', shutdown);
   }
 }
 
@@ -207,14 +255,36 @@ async function importCommand() {
   const config = await loadOrCreateConfig();
 
   let name = argValue('--name');
-  const fromPath = argValue('--from') || '~/.claude/.credentials.json';
+  const jsonStr = argValue('--json');
 
   let creds;
-  try {
-    creds = await importCredentials(fromPath);
-  } catch (err) {
-    console.error(`Failed to import from ${fromPath}: ${err.message}`);
-    process.exit(1);
+  if (jsonStr) {
+    // Accept raw JSON: --json '{"claudeAiOauth":{"accessToken":"...","refreshToken":"...","expiresAt":...}}'
+    // or flat: --json '{"accessToken":"...","refreshToken":"...","expiresAt":...}'
+    try {
+      const raw = JSON.parse(jsonStr);
+      const data = raw.claudeAiOauth || raw;
+      if (!data.accessToken) {
+        console.error('JSON must contain "accessToken" (directly or under "claudeAiOauth")');
+        process.exit(1);
+      }
+      creds = {
+        accessToken: data.accessToken,
+        refreshToken: data.refreshToken,
+        expiresAt: data.expiresAt,
+      };
+    } catch (err) {
+      console.error(`Failed to parse --json: ${err.message}`);
+      process.exit(1);
+    }
+  } else {
+    const fromPath = argValue('--from') || '~/.claude/.credentials.json';
+    try {
+      creds = await importCredentials(fromPath);
+    } catch (err) {
+      console.error(`Failed to import from ${fromPath}: ${err.message}`);
+      process.exit(1);
+    }
   }
 
   await upsertOAuthAccount(config, name, creds, 'import');
@@ -317,16 +387,25 @@ async function runCommand() {
   const claudeArgs = args.slice(1);
   if (claudeArgs[0] === '--') claudeArgs.shift();
 
-  // Only set ANTHROPIC_BASE_URL — Claude Code keeps its own OAuth token
-  // which the proxy accepts from localhost. Not setting ANTHROPIC_API_KEY
-  // lets Claude Code stay in subscription mode (full model access).
+  // Route through the proxy only when it's actually up; otherwise launch claude
+  // directly so a stopped proxy doesn't break `claude`. This is what lets the
+  // shell alias (`claude='teamclaude run --'`) be a dumb passthrough.
+  const port = config.proxy.port;
+  const env = { ...process.env };
+  if (await isProxyUp(port)) {
+    // Only set ANTHROPIC_BASE_URL — Claude Code keeps its own OAuth token
+    // which the proxy accepts from localhost. Not setting ANTHROPIC_API_KEY
+    // lets Claude Code stay in subscription mode (full model access).
+    env.ANTHROPIC_BASE_URL = `http://localhost:${port}`;
+  } else {
+    console.error(`[TeamClaude] Proxy not running on port ${port} — launching claude directly (start it with: teamclaude server)`);
+  }
+
   // Use spawnSync so the Node process blocks entirely — behaves like execvp.
   const result = spawnSync('claude', claudeArgs, {
     stdio: 'inherit',
-    env: {
-      ...process.env,
-      ANTHROPIC_BASE_URL: `http://localhost:${config.proxy.port}`,
-    },
+    shell: process.platform === 'win32',
+    env,
   });
 
   if (result.error) {
@@ -359,7 +438,7 @@ async function statusCommand() {
       const current = acct.name === data.currentAccount ? ' *' : '';
 
       console.log(`  ${acct.name} (${acct.type})${current}`);
-      console.log(`    Status:   ${acct.status}`);
+      console.log(`    Status:   ${acct.status}${acct.disabled ? ' (disabled)' : ''}`);
 
       if (q.unified5h != null || q.unified7d != null) {
         const ses = q.unified5h != null ? (q.unified5h * 100).toFixed(1) + '%' : '-';
@@ -418,32 +497,51 @@ async function accountsCommand() {
     )
   );
 
-  // Deduplicate by accountUuid — keep the last (most recently added) entry
+  // Backfill account+org identity from profiles, then deduplicate by
+  // (accountUuid, org): the same person in a different org is a distinct
+  // account, not a duplicate. Keep the last (most recently added) entry.
   const seen = new Map();
   let removed = 0;
+  let touched = false;
   for (let i = config.accounts.length - 1; i >= 0; i--) {
     const a = config.accounts[i];
-    const uuid = profiles[i]?.accountUuid || a.accountUuid;
-    if (uuid) {
-      if (seen.has(uuid)) {
-        config.accounts.splice(i, 1);
-        profiles.splice(i, 1);
-        removed++;
-      } else {
-        seen.set(uuid, i);
-        // Update stored UUID and name from profile
-        if (profiles[i] && !profiles[i].error) {
-          a.accountUuid = profiles[i].accountUuid;
-          if (profiles[i].email) a.name = profiles[i].email;
-        }
-      }
+    const p = profiles[i];
+    if (p && !p.error) {
+      if (p.accountUuid && a.accountUuid !== p.accountUuid) { a.accountUuid = p.accountUuid; touched = true; }
+      if (p.orgUuid && a.orgUuid !== p.orgUuid) { a.orgUuid = p.orgUuid; touched = true; }
+      if (p.orgName && a.orgName !== p.orgName) { a.orgName = p.orgName; touched = true; }
     }
+    const uuid = a.accountUuid;
+    if (!uuid) continue;
+    const key = `${uuid}::${orgKey(a) || ''}`;
+    if (seen.has(key)) {
+      config.accounts.splice(i, 1);
+      profiles.splice(i, 1);
+      removed++;
+      touched = true;
+    } else {
+      seen.set(key, i);
+    }
+  }
+
+  // Name accounts from their email: plain when the person has a single org,
+  // "email (Org)" when the same person spans multiple orgs. Names must stay
+  // unique — they are the user-facing key for remove/api/selection.
+  const orgCount = new Map();
+  for (const a of config.accounts) {
+    if (a.accountUuid) orgCount.set(a.accountUuid, (orgCount.get(a.accountUuid) || 0) + 1);
   }
-  if (removed > 0) {
-    await saveConfig(config);
-    console.log(`Removed ${removed} duplicate account(s)\n`);
+  for (const [i, a] of config.accounts.entries()) {
+    const p = profiles[i];
+    const email = (p && !p.error && p.email) ? p.email : null;
+    if (!email) continue;
+    const newName = orgCount.get(a.accountUuid) > 1 ? `${email} (${orgLabel(a)})` : email;
+    if (a.name !== newName) { a.name = newName; touched = true; }
   }
 
+  if (touched) await saveConfig(config);
+  if (removed > 0) console.log(`Removed ${removed} duplicate account(s)\n`);
+
   for (const [i, a] of config.accounts.entries()) {
     const p = profiles[i];
 
@@ -494,7 +592,7 @@ async function apiCommand() {
   const accounts = await resolveAccounts(config);
   let account;
   if (accountName) {
-    account = accounts.find(a => a.name === accountName);
+    account = resolveAccount(accounts, accountName, argValue('--org'));
     if (!account) { console.error(`Account "${accountName}" not found`); process.exit(1); }
   } else {
     account = accounts.find(a => a.type === 'oauth') || accounts[0];
@@ -534,26 +632,128 @@ async function apiCommand() {
   }
 }
 
+// ── alias ───────────────────────────────────────────────────
+
+function aliasCommand() {
+  const shell = argValue('--shell') || undefined;
+  if (args.includes('--uninstall')) {
+    alias.uninstallAlias({ shell });
+  } else if (args.includes('--install')) {
+    alias.installAlias({ shell });
+  } else {
+    alias.printAlias({ shell });
+  }
+}
+
 // ── remove ──────────────────────────────────────────────────
 
+/**
+ * Resolve a single account from a name-or-email query.
+ *
+ * An exact display-name match wins. Otherwise match by email (the part before a
+ * " (org)" suffix), optionally narrowed by --org. If still ambiguous across
+ * orgs, print the candidates and exit so the caller can disambiguate with --org.
+ * Returns the matched account, or null if nothing matched.
+ */
+function resolveAccount(accounts, query, orgFilter) {
+  const matches = matchAccounts(accounts, query, orgFilter);
+  if (matches.length === 1) return matches[0];
+  if (matches.length === 0) return null;
+  console.error(`"${query}" matches ${matches.length} accounts — disambiguate with --org <name|uuid>:`);
+  for (const a of matches) {
+    console.error(`  - ${a.name}${a.orgName ? `  (org: ${a.orgName})` : ''}`);
+  }
+  process.exit(1);
+}
+
 async function removeCommand() {
   const config = await loadOrCreateConfig();
   const name = args[1];
 
   if (!name) {
-    console.error('Usage: teamclaude remove <account-name>');
+    console.error('Usage: teamclaude remove <account-name|email> [--org <name|uuid>]');
     process.exit(1);
   }
 
-  const idx = config.accounts.findIndex(a => a.name === name);
-  if (idx < 0) {
+  const account = resolveAccount(config.accounts, name, argValue('--org'));
+  if (!account) {
     console.error(`Account "${name}" not found`);
     process.exit(1);
   }
 
-  config.accounts.splice(idx, 1);
+  config.accounts.splice(config.accounts.indexOf(account), 1);
   await saveConfig(config);
-  console.log(`Removed account "${name}"`);
+  console.log(`Removed account "${account.name}"`);
+}
+
+// ── priority ────────────────────────────────────────────────
+
+async function priorityCommand() {
+  const config = await loadOrCreateConfig();
+  const name = args[1];
+
+  if (!name) {
+    console.error('Usage: teamclaude priority <account-name|email> <n> [--org <name|uuid>]');
+    console.error('       teamclaude priority <account-name|email> --first | --last');
+    console.error('Lower priority is preferred for rotation (default 0).');
+    process.exit(1);
+  }
+
+  const account = resolveAccount(config.accounts, name, argValue('--org'));
+  if (!account) {
+    console.error(`Account "${name}" not found`);
+    process.exit(1);
+  }
+
+  const priorities = config.accounts.map(a => a.priority || 0);
+  let priority;
+  if (args.includes('--first')) {
+    priority = Math.min(0, ...priorities) - 1;
+  } else if (args.includes('--last')) {
+    priority = Math.max(0, ...priorities) + 1;
+  } else {
+    // Accept the integer in any position (e.g. after --org) — first int-looking token.
+    const numTok = args.slice(2).find(t => /^-?\d+$/.test(t));
+    priority = numTok != null ? parseInt(numTok, 10) : NaN;
+    if (Number.isNaN(priority)) {
+      console.error('Provide an integer priority, or --first / --last.');
+      process.exit(1);
+    }
+  }
+
+  account.priority = priority;
+  await saveConfig(config);
+  console.log(`Set priority of "${account.name}" to ${priority} (lower = preferred)`);
+}
+
+// ── enable / disable ────────────────────────────────────────
+
+async function setDisabledCommand(disabled) {
+  const config = await loadOrCreateConfig();
+  const name = args[1];
+  const verb = disabled ? 'disable' : 'enable';
+
+  if (!name) {
+    console.error(`Usage: teamclaude ${verb} <account-name|email> [--org <name|uuid>]`);
+    process.exit(1);
+  }
+
+  const account = resolveAccount(config.accounts, name, argValue('--org'));
+  if (!account) {
+    console.error(`Account "${name}" not found`);
+    process.exit(1);
+  }
+
+  if (disabled) {
+    account.disabled = true;
+  } else {
+    delete account.disabled;
+  }
+  await saveConfig(config);
+  console.log(`${disabled ? 'Disabled' : 'Enabled'} account "${account.name}"`);
+  if (!disabled) {
+    console.log('(restart or reload the running server to retry it if it was in an error state)');
+  }
 }
 
 // ── help ────────────────────────────────────────────────────
@@ -569,16 +769,24 @@ Commands:
   login               OAuth login via browser
   login --api         Add an API key account
   env                 Print env vars to use with Claude
-  run [-- args...]    Run Claude Code through the proxy
+  run [-- args...]    Run Claude Code through the proxy (direct if it's down)
+  alias               Print a shell alias so plain 'claude' routes via the proxy
+                      (--install to write it to your shell rc; --uninstall to remove)
   status              Show proxy & account status (live)
   accounts            List configured accounts
-  remove <name>       Remove an account
+  remove <name>       Remove an account (by name or email; --org to disambiguate)
+  disable <name>      Temporarily exclude an account from rotation
+  enable <name>       Re-enable a disabled account (also clears a stuck error)
+  priority <name> <n> Set rotation priority (lower = preferred; --first/--last)
   api <path>          Call an API endpoint with account credentials
   help                Show this help
 
 Options:
   --name NAME         Set account name (import/login)
+  --org NAME|UUID     Disambiguate when an email spans multiple orgs (remove/priority/api)
   --from PATH         Credentials path (import, default: ~/.claude/.credentials.json)
+  --json JSON         Import from inline JSON (import), e.g.:
+                      --json '{"accessToken":"...","refreshToken":"...","expiresAt":1234}'
   --log-to DIR        Log full requests/responses to DIR (server, one file per request)
 
 Config: ${getConfigPath()}
@@ -587,8 +795,14 @@ Config: ${getConfigPath()}
 
 // ── shared account upsert ────────────────────────────────────
 
+/** Short human label for an account's organization, for disambiguating names. */
+function orgLabel(a) {
+  return a.orgName || (a.orgUuid ? a.orgUuid.slice(0, 8) : 'org');
+}
+
 async function upsertOAuthAccount(config, name, creds, source = 'unknown') {
-  // Fetch profile to auto-name and deduplicate by account UUID
+  // Fetch profile to auto-name and deduplicate by account+org identity.
+  const userNamed = !!name;
   const profile = await fetchProfile(creds.accessToken);
   const profileOk = profile && !profile.error;
 
@@ -610,23 +824,40 @@ async function upsertOAuthAccount(config, name, creds, source = 'unknown') {
     type: 'oauth',
     source,
     accountUuid: profile?.accountUuid || null,
+    orgUuid: profile?.orgUuid || null,
+    orgName: profile?.orgName || null,
     accessToken: creds.accessToken,
     refreshToken: creds.refreshToken,
     expiresAt: creds.expiresAt,
   };
 
-  // Deduplicate: match by UUID first, then by name
-  let idx = profile?.accountUuid
-    ? config.accounts.findIndex(a => a.accountUuid === profile.accountUuid)
-    : -1;
+  // Deduplicate by account+org identity (same email in a different org is a
+  // distinct account), then by name.
+  let idx = config.accounts.findIndex(a => sameIdentity(a, account));
   if (idx < 0) idx = config.accounts.findIndex(a => a.name === name);
 
   if (idx >= 0) {
-    config.accounts[idx] = account;
-    console.log(`Updated account "${name}"`);
+    // Same account+org: refresh credentials and org info, but keep the existing
+    // display name and any disk-only fields (e.g. importFrom).
+    const prev = config.accounts[idx];
+    config.accounts[idx] = { ...prev, ...account, name: prev.name };
+    console.log(`Updated account "${prev.name}"`);
   } else {
+    // New org for this person: if another entry shares the accountUuid, the bare
+    // email name would collide — disambiguate both with " (org)".
+    if (!userNamed && account.accountUuid) {
+      const collisions = config.accounts.filter(
+        a => a.accountUuid === account.accountUuid && !sameIdentity(a, account)
+      );
+      if (collisions.length > 0) {
+        for (const c of collisions) {
+          if (!c.name.includes(' (')) c.name = `${c.name} (${orgLabel(c)})`;
+        }
+        account.name = `${name} (${orgLabel(account)})`;
+      }
+    }
     config.accounts.push(account);
-    console.log(`Added account "${name}"`);
+    console.log(`Added account "${account.name}"`);
   }
 
   await saveConfig(config);
@@ -636,14 +867,10 @@ async function upsertOAuthAccount(config, name, creds, source = 'unknown') {
 // ── config sync helpers ─────────────────────────────────────
 
 /**
- * Find a config account entry matching an in-memory account (by UUID, then name).
+ * Find a config account entry matching an in-memory account by account+org identity.
  */
 function findConfigAccount(diskConfig, account) {
-  if (account.accountUuid) {
-    const idx = diskConfig.accounts.findIndex(a => a.accountUuid === account.accountUuid);
-    if (idx >= 0) return idx;
-  }
-  return diskConfig.accounts.findIndex(a => a.name === account.name);
+  return diskConfig.accounts.findIndex(a => sameIdentity(a, account));
 }
 
 /**
@@ -653,21 +880,46 @@ function findConfigAccount(diskConfig, account) {
  */
 async function syncAccountsFromDisk(diskConfig, memConfig, accountManager) {
   let added = 0;
+  // Greedy 1:1 pairing of disk entries to in-memory accounts, account+org aware.
+  // Each disk entry claims at most one unclaimed manager account, so multiple
+  // same-person/different-org entries pair correctly instead of all matching the
+  // first one with that accountUuid.
+  const claimed = new Set();
+  const claim = (diskAcct) => {
+    for (let i = 0; i < accountManager.accounts.length; i++) {
+      if (!claimed.has(i) && sameIdentity(accountManager.accounts[i], diskAcct)) {
+        claimed.add(i);
+        return i;
+      }
+    }
+    return -1;
+  };
+
   for (const diskAcct of diskConfig.accounts) {
-    const matchByUuid = diskAcct.accountUuid &&
-      memConfig.accounts.findIndex(a => a.accountUuid === diskAcct.accountUuid);
-    const matchByName = memConfig.accounts.findIndex(a => a.name === diskAcct.name);
-    const memIdx = (matchByUuid >= 0 ? matchByUuid : null) ?? (matchByName >= 0 ? matchByName : -1);
+    const mgrIdx = claim(diskAcct);
 
-    if (memIdx < 0) {
+    if (mgrIdx < 0) {
       // New account discovered on disk — add to running server
       memConfig.accounts.push(diskAcct);
       accountManager.addAccount(diskAcct);
+      claimed.add(accountManager.accounts.length - 1);
       added++;
       console.log(`[TeamClaude] Picked up new account "${diskAcct.name}" from config`);
       continue;
     }
 
+    const mgr = accountManager.accounts[mgrIdx];
+
+    // Backfill org identity and pick up renames/priority onto the running
+    // account (e.g. after disk-side org disambiguation or a `priority` change).
+    if (diskAcct.orgUuid && !mgr.orgUuid) mgr.orgUuid = diskAcct.orgUuid;
+    if (diskAcct.orgName && !mgr.orgName) mgr.orgName = diskAcct.orgName;
+    if (diskAcct.name && mgr.name !== diskAcct.name) mgr.name = diskAcct.name;
+    if (diskAcct.priority != null && mgr.priority !== diskAcct.priority) mgr.priority = diskAcct.priority;
+    // Pick up enable/disable toggles; re-enabling clears a stuck error state.
+    const wantDisabled = !!diskAcct.disabled;
+    if (mgr.disabled !== wantDisabled) accountManager.setDisabled(mgr.index, wantDisabled);
+
     // Existing account — resolve fresh credentials from disk
     let freshCred = null;
     if (diskAcct.type === 'oauth' && diskAcct.importFrom) {
@@ -685,12 +937,6 @@ async function syncAccountsFromDisk(diskConfig, memConfig, accountManager) {
 
     if (!freshCred) continue;
 
-    // Find the corresponding AccountManager entry and update credentials
-    const mgr = accountManager.accounts.find(a =>
-      (diskAcct.accountUuid && a.accountUuid === diskAcct.accountUuid) || a.name === diskAcct.name
-    );
-    if (!mgr) continue;
-
     if (freshCred.accessToken) {
       const changed = mgr.credential !== freshCred.accessToken ||
         mgr.refreshToken !== freshCred.refreshToken;
@@ -741,3 +987,32 @@ function argValue(flag) {
   const i = args.indexOf(flag);
   return (i >= 0 && args[i + 1]) ? args[i + 1] : null;
 }
+
+// Quick liveness probe: is something listening on the local proxy port?
+// A successful TCP connect is enough (the proxy is local). Times out fast so a
+// down proxy doesn't add noticeable latency to `claude` launches via the alias.
+function isProxyUp(port, timeout = 600) {
+  return new Promise(resolve => {
+    const socket = net.connect({ host: '127.0.0.1', port });
+    const done = up => { socket.destroy(); resolve(up); };
+    socket.setTimeout(timeout);
+    socket.once('connect', () => done(true));
+    socket.once('timeout', () => done(false));
+    socket.once('error', () => resolve(false));
+  });
+}
+
+function handleServerListenError(err, port) {
+  if (err.code === 'EADDRINUSE') {
+    console.error(`[TeamClaude] Port ${port} is already in use.`);
+    console.error('Another TeamClaude proxy may already be running.');
+    console.error('Check the existing server with: teamclaude status');
+    console.error(`Find the listener with: lsof -nP -iTCP:${port} -sTCP:LISTEN`);
+  } else if (err.code === 'EACCES') {
+    console.error(`[TeamClaude] Permission denied while listening on port ${port}.`);
+    console.error('Choose a non-privileged port in the TeamClaude config.');
+  } else {
+    console.error(`[TeamClaude] Failed to listen on port ${port}: ${err.message}`);
+  }
+  process.exit(1);
+}

package/src/oauth.js

@@ -129,6 +129,7 @@ export async function fetchProfile(accessToken) {
       accountUuid: data.account?.uuid,
       email: data.account?.email,
       name: data.account?.display_name,
+      orgUuid: data.organization?.uuid,
       orgName: data.organization?.name,
       orgType: data.organization?.organization_type,
       hasClaudeMax: data.account?.has_claude_max,