@karpeleslab/teamclaude 1.0.6 → 1.0.8

package/src/sx.js

@@ -0,0 +1,218 @@
+// sx.org proxy integration — an IP-based-429 workaround.
+//
+// teamclaude's transient 429s key on the proxy's OUTBOUND IP, not the account,
+// so account failover doesn't help. sx.org is a residential proxy-port provider:
+// with an API key we provision a port and tunnel upstream Anthropic traffic
+// through it, giving a different egress IP. Crucially, TLS terminates END-TO-END
+// at the upstream (we `tls.connect` over the tunnel with the upstream's
+// servername and the default secure cert check) — the sx.org proxy only ever
+// relays ciphertext and cannot see request content.
+//
+// When no API key is configured (or mode is 'off') this module is dormant and the
+// dial paths behave exactly as before — routing is decided per-attempt by
+// useByDefault() / useOn429() / useForConnect(), all false until provisioned.
+
+import net from 'node:net';
+import tls from 'node:tls';
+
+const CONNECT_TIMEOUT_MS = 30000; // residential exits can be slow to establish
+
+// Resolved per call (not at import) so tests can point it at a local mock.
+const sxBase = () => process.env.SX_API_BASE || 'https://api.sx.org';
+
+// ── sx.org REST (apiKey is a query param; these hit api.sx.org directly, never
+// the proxy, and are unrelated to Anthropic traffic) ──
+async function sxGet(path, apiKey, params = {}) {
+  const url = new URL(sxBase() + path);
+  url.searchParams.set('apiKey', apiKey);
+  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, String(v));
+  const res = await fetch(url, { headers: { accept: 'application/json' } });
+  return res.json();
+}
+
+async function sxPost(path, apiKey, body) {
+  const url = new URL(sxBase() + path);
+  url.searchParams.set('apiKey', apiKey);
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json', accept: 'application/json' },
+    body: JSON.stringify(body),
+  });
+  return res.json();
+}
+
+export const SX_MODES = ['off', '429', 'always'];
+const normalizeMode = (m) => (SX_MODES.includes(m) ? m : 'always');
+
+// Normalize either API shape into { host, port, username, password, portId }.
+//   ports-list:  { proxy: "host:port", login, password, id }
+//   create-port: { server, port, login, password, id }
+function parsePort(p) {
+  let host, port;
+  if (typeof p.proxy === 'string' && p.proxy.includes(':')) {
+    const i = p.proxy.lastIndexOf(':');
+    host = p.proxy.slice(0, i); port = p.proxy.slice(i + 1);
+  } else {
+    host = p.server; port = p.port;
+  }
+  return { host, port: parseInt(port, 10), username: p.login, password: p.password, portId: p.id };
+}
+
+/**
+ * Open a CONNECT tunnel through an HTTP proxy to targetHost:targetPort and
+ * resolve with the raw (still-plaintext) socket once the proxy answers 200.
+ */
+export function connectThroughProxy({ proxyHost, proxyPort, auth, targetHost, targetPort, timeout = CONNECT_TIMEOUT_MS }) {
+  return new Promise((resolve, reject) => {
+    // autoSelectFamily (happy-eyeballs) — default on Node 20+ but not 18; set it
+    // so a dual-stack proxy host whose IPv6 path is unreachable falls back to IPv4
+    // instead of hanging the connect (sx.org returns an IP, but be robust).
+    const sock = net.connect({ port: proxyPort, host: proxyHost, autoSelectFamily: true });
+    let buf = '';
+    const timer = setTimeout(() => fail(new Error(`sx.org proxy CONNECT timed out after ${timeout}ms`)), timeout);
+    const cleanup = () => {
+      clearTimeout(timer);
+      sock.removeListener('data', onData);
+      sock.removeListener('error', fail);
+    };
+    const fail = (err) => { cleanup(); sock.destroy(); reject(err); };
+    const onData = (chunk) => {
+      buf += chunk.toString('latin1');
+      const idx = buf.indexOf('\r\n\r\n');
+      if (idx < 0) { if (buf.length > 65536) fail(new Error('sx.org proxy CONNECT response too large')); return; }
+      const statusLine = buf.slice(0, buf.indexOf('\r\n'));
+      const m = statusLine.match(/^HTTP\/\d\.\d\s+(\d{3})/);
+      if (!m || m[1] !== '200') { fail(new Error(`sx.org proxy refused CONNECT: ${statusLine}`)); return; }
+      cleanup();
+      sock.pause(); // stop flowing so the TLS layer we hand it to sees every byte
+      const rest = Buffer.from(buf.slice(idx + 4), 'latin1'); // bytes already past the header
+      if (rest.length) sock.unshift(rest);
+      resolve(sock);
+    };
+    sock.once('connect', () => {
+      const lines = [`CONNECT ${targetHost}:${targetPort} HTTP/1.1`, `Host: ${targetHost}:${targetPort}`];
+      if (auth) lines.push(`Proxy-Authorization: Basic ${Buffer.from(auth).toString('base64')}`);
+      lines.push('Proxy-Connection: keep-alive', '', '');
+      sock.write(lines.join('\r\n'));
+    });
+    sock.on('data', onData);
+    sock.once('error', fail);
+  });
+}
+
+/**
+ * CONNECT through `proxy`, then complete a TLS handshake to targetHost so TLS is
+ * end-to-end (the proxy sees ciphertext only). Resolves with the TLSSocket after
+ * secureConnect. Cert verification stays at its secure default; tests inject a CA
+ * via tlsOptions.ca.
+ */
+export async function tunnelTls({ proxy, targetHost, targetPort = 443, tlsOptions = {} }) {
+  const sock = await connectThroughProxy({
+    proxyHost: proxy.host,
+    proxyPort: proxy.port,
+    auth: proxy.username ? `${proxy.username}:${proxy.password}` : null,
+    targetHost,
+    targetPort,
+  });
+  return new Promise((resolve, reject) => {
+    const tlsSock = tls.connect({ socket: sock, servername: targetHost, ...tlsOptions });
+    const onErr = (err) => { tlsSock.removeListener('secureConnect', onOk); sock.destroy(); reject(err); };
+    const onOk = () => { tlsSock.removeListener('error', onErr); resolve(tlsSock); };
+    tlsSock.once('secureConnect', onOk);
+    tlsSock.once('error', onErr);
+  });
+}
+
+/**
+ * Holds the sx.org credential + the provisioned proxy. Shared in-process by the
+ * reverse proxy, the MITM handler, and the TUI so a key change applies live.
+ */
+export class SxManager {
+  constructor({ log = () => {} } = {}) {
+    this.log = log;
+    this.apiKey = null;
+    this.proxy = null;   // { host, port, username, password, portId }
+    this.mode = 'always'; // off | 429 | always — how routing decisions are made
+    this._rlUntil = 0;    // sticky-routing window end (ms) for '429' mode
+  }
+
+  isProvisioned() { return !!(this.apiKey && this.proxy); }
+  getProxy() { return this.proxy; }
+  getMode() { return this.mode; }
+
+  // ── routing decisions ──
+  // Reverse-proxy first attempt: only 'always' routes pre-emptively.
+  useByDefault() { return this.isProvisioned() && this.mode === 'always'; }
+  // Reverse-proxy retry after a 429: 'always' and '429' both route (the 429 is
+  // IP-based, so a fresh egress IP can clear it).
+  useOn429() { return this.isProvisioned() && this.mode !== 'off'; }
+  // MITM connect-time (one tunnel carries many requests, so no per-request
+  // failover): 'always' routes; '429' routes only inside the sticky window set
+  // when a 429 was recently observed.
+  useForConnect() {
+    if (!this.isProvisioned() || this.mode === 'off') return false;
+    return this.mode === 'always' || this.isRecentlyRateLimited();
+  }
+
+  noteRateLimited(seconds = 60) { this._rlUntil = Date.now() + Math.min(Math.max(seconds, 1), 300) * 1000; }
+  isRecentlyRateLimited() { return Date.now() < this._rlUntil; }
+
+  /** Set the API key (+ optional mode) and provision unless mode is 'off'. */
+  async configure(apiKey, mode = this.mode) {
+    this.mode = normalizeMode(mode);
+    if (!apiKey) { this.disable(); return { ok: false, error: 'no API key' }; }
+    this.apiKey = apiKey;
+    if (this.mode === 'off') { this.proxy = null; return { ok: true, mode: this.mode, proxy: null }; }
+    return this._ensureProxy();
+  }
+
+  /** Switch mode WITHOUT clearing the key; provision lazily when turning on. */
+  async setMode(mode) {
+    this.mode = normalizeMode(mode);
+    if (this.mode === 'off') { this.proxy = null; return { ok: true, mode: this.mode }; }
+    if (this.apiKey && !this.proxy) return this._ensureProxy();
+    return { ok: true, mode: this.mode, proxy: this.proxy };
+  }
+
+  /** Full deconfigure — forget the key entirely. */
+  disable() { this.apiKey = null; this.proxy = null; }
+
+  async _ensureProxy() {
+    try {
+      this.proxy = await this.provision();
+      this.log(`[TeamClaude] sx.org proxy ready: ${this.proxy.host}:${this.proxy.port}`);
+      return { ok: true, mode: this.mode, proxy: this.proxy };
+    } catch (err) {
+      this.proxy = null;
+      this.log(`[TeamClaude] sx.org provisioning failed: ${err.message}`);
+      return { ok: false, error: err.message };
+    }
+  }
+
+  /** Account balance/traffic, or null on error. */
+  async getBalance() {
+    if (!this.apiKey) return null;
+    try {
+      const r = await sxGet('/v2/user/balance', this.apiKey);
+      return r?.success ? r : null;
+    } catch { return null; }
+  }
+
+  /** Reuse an active port if one exists, else create a residential US one. */
+  async provision() {
+    if (!this.apiKey) throw new Error('sx.org API key not set');
+    const list = await sxGet('/v2/proxy/ports', this.apiKey, { per_page: 50 });
+    const proxies = list?.message?.proxies || [];
+    const active = proxies.find((p) => p.status === 1 && p.login && p.password && p.proxy);
+    if (active) return parsePort(active);
+
+    const created = await sxPost('/v2/proxy/create-port', this.apiKey, {
+      country_code: 'US', proxy_type_id: 1, type_id: 1, // type_id 1 = residential
+    });
+    if (!created?.success || !created.data) {
+      const detail = created?.errors ? JSON.stringify(created.errors) : (created?.message || JSON.stringify(created));
+      throw new Error(`sx.org create-port failed: ${detail}`);
+    }
+    return parsePort(created.data);
+  }
+}

package/src/tui.js

@@ -1,4 +1,5 @@
 import { importCredentials, fetchProfile } from './oauth.js';
+import { sameIdentity } from './identity.js';
 
 // ── ANSI helpers ─────────────────────────────────────────────
 
@@ -114,16 +115,18 @@ function timestamp() {
 // ── TUI class ────────────────────────────────────────────────
 
 export class TUI {
-  constructor({ accountManager, config, saveConfig, syncAccounts, onQuit }) {
+  constructor({ accountManager, config, saveConfig, syncAccounts, onQuit, sx = null }) {
     this.am = accountManager;
     this.config = config;
     this.saveConfig = saveConfig;
     this.syncAccounts = syncAccounts;
     this.onQuit = onQuit;
+    this.sx = sx;            // sx.org proxy manager (may be null)
+    this.sxBalance = null;   // last fetched sx.org balance, for the settings screen
 
     this.log = [];           // completed activity entries
     this.active = new Map(); // in-flight requests
-    this.mode = 'normal';    // normal | select | add | input
+    this.mode = 'normal';    // normal | select | add | input | settings
     this.selAction = null;   // switch | remove
     this.selIdx = 0;
     this.inputPrompt = '';
@@ -220,6 +223,7 @@ export class TUI {
       case 'select': this._keySelect(k); break;
       case 'add':    this._keyAdd(k); break;
       case 'input':  this._keyInput(k); break;
+      case 'settings': this._keySettings(k); break;
     }
     this.render();
   }
@@ -232,8 +236,68 @@ export class TUI {
     else if (k === 'r' && this.am.accounts.length > 0) {
       this.mode = 'select'; this.selAction = 'remove'; this.selIdx = 0;
     }
+    else if (k === 'd' && this.am.accounts.length > 0) {
+      this.mode = 'select'; this.selAction = 'toggle'; this.selIdx = this.am.currentIndex;
+    }
     else if (k === 'a') { this.mode = 'add'; }
     else if (k === 'R') { this._doSync(); }
+    else if (k === 'g' && this.sx) { this.mode = 'settings'; this._loadSxBalance(); }
+  }
+
+  _keySettings(k) {
+    if (k === 't') {
+      this.mode = 'input';
+      this.inputPrompt = 'Switch threshold % (1-100)';
+      this.inputBuf = '';
+      this.inputCb = v => { if (v) this._doSetThreshold(v.trim()); };
+    }
+    else if (k === 'p') {
+      this.mode = 'input';
+      this.inputPrompt = 'Quota probe seconds (0=off, min 30)';
+      this.inputBuf = '';
+      this.inputCb = v => { if (v) this._doSetProbe(v.trim()); };
+    }
+    else if (k === 'k') {
+      this.mode = 'input';
+      this.inputPrompt = 'sx.org API key';
+      this.inputBuf = '';
+      this.inputCb = v => { if (v) this._doSetSxKey(v.trim()); };
+    }
+    else if (k === 'm') { this._doCycleSxMode(); }
+    else if (k === 'x') { this._doClearSxKey(); }
+    else if (k === 'esc' || k === 'q') { this.mode = 'normal'; }
+  }
+
+  async _doSetThreshold(input) {
+    const pct = Number(input);
+    if (!Number.isFinite(pct) || pct < 1 || pct > 100) {
+      this._addLog('Invalid threshold — enter 1–100'); this.mode = 'settings'; if (this.running) this.render(); return;
+    }
+    const v = Math.round(pct) / 100;
+    this.config.switchThreshold = v;
+    this.am.switchThreshold = v; // apply to the running rotation immediately
+    try { await this.saveConfig(this.config); }
+    catch (e) { this._addLog(`Failed to save: ${e.message}`); }
+    this._addLog(`Switch threshold set to ${Math.round(v * 100)}%`);
+    this.mode = 'settings';
+    if (this.running) this.render();
+  }
+
+  async _doSetProbe(input) {
+    let secs = parseInt(input, 10);
+    if (Number.isNaN(secs) || secs < 0) {
+      this._addLog('Invalid interval — enter 0 (off) or seconds'); this.mode = 'settings'; if (this.running) this.render(); return;
+    }
+    if (secs > 0 && secs < 30) secs = 30; // match the CLI minimum (don't hammer the usage endpoint)
+    this.config.quotaProbeSeconds = secs;
+    try { await this.saveConfig(this.config); }
+    catch (e) { this._addLog(`Failed to save: ${e.message}`); }
+    // syncAccounts re-reads disk config and reschedules the running prober live.
+    try { await this.syncAccounts(); }
+    catch (e) { this._addLog(`Reload failed: ${e.message}`); }
+    this._addLog(secs > 0 ? `Quota probe every ${secs}s` : 'Quota probe disabled');
+    this.mode = 'settings';
+    if (this.running) this.render();
   }
 
   _keySelect(k) {
@@ -244,6 +308,8 @@ export class TUI {
       if (this.selAction === 'switch') {
         this.am.currentIndex = this.selIdx;
         this._addLog(`Switched to "${this.am.accounts[this.selIdx].name}"`);
+      } else if (this.selAction === 'toggle') {
+        this._doToggleDisabled(this.selIdx);
       } else {
         this._doRemove(this.selIdx);
       }
@@ -290,6 +356,57 @@ export class TUI {
     }
   }
 
+  // ── sx.org settings ────────────────────────────────
+
+  _loadSxBalance() {
+    this.sxBalance = null;
+    if (!this.sx?.apiKey) return;
+    this.sx.getBalance()
+      .then(b => { this.sxBalance = b; if (this.running) this.render(); })
+      .catch(() => {});
+  }
+
+  _sxModeLabel(m) { return m === 'always' ? 'always' : m === '429' ? 'on 429 only' : 'off'; }
+
+  async _doSetSxKey(key) {
+    const mode = this.config.sx?.mode || 'always';
+    this.config.sx = { apiKey: key, mode };
+    try { await this.saveConfig(this.config); }
+    catch (e) { this._addLog(`Failed to save sx.org key: ${e.message}`); }
+    this._addLog('sx.org: configuring...');
+    const r = await this.sx.configure(key, mode);
+    if (r.ok && r.proxy) this._addLog(`sx.org key saved — proxy ${r.proxy.host}:${r.proxy.port} (mode: ${this._sxModeLabel(mode)})`);
+    else if (r.ok) this._addLog(`sx.org key saved (mode: ${this._sxModeLabel(mode)})`);
+    else this._addLog(`sx.org error: ${r.error}`);
+    this._loadSxBalance();
+    this.mode = 'settings';
+    if (this.running) this.render();
+  }
+
+  // Cycle off → on-429 → always. Keeps the API key, so the user can disable
+  // sx.org without deconfiguring it.
+  async _doCycleSxMode() {
+    const order = ['off', '429', 'always'];
+    const next = order[(order.indexOf(this.sx.getMode()) + 1) % order.length];
+    this.config.sx = { ...(this.config.sx || {}), mode: next };
+    try { await this.saveConfig(this.config); }
+    catch (e) { this._addLog(`Failed to save: ${e.message}`); }
+    const r = await this.sx.setMode(next);
+    this._addLog(`sx.org mode: ${this._sxModeLabel(next)}${r.ok ? '' : ` — ${r.error}`}`);
+    if (next !== 'off') this._loadSxBalance();
+    if (this.running) this.render();
+  }
+
+  async _doClearSxKey() {
+    this.config.sx = null;
+    try { await this.saveConfig(this.config); }
+    catch (e) { this._addLog(`Failed to save: ${e.message}`); }
+    this.sx.disable();
+    this.sxBalance = null;
+    this._addLog('sx.org key cleared');
+    if (this.running) this.render();
+  }
+
   async _doImport() {
     try {
       this._addLog('Importing credentials...');
@@ -314,34 +431,50 @@ export class TUI {
       const entry = {
         name, type: 'oauth', source: 'import',
         accountUuid: profile?.accountUuid || null,
+        orgUuid: profile?.orgUuid || null,
+        orgName: profile?.orgName || null,
         accessToken: creds.accessToken,
         refreshToken: creds.refreshToken,
         expiresAt: creds.expiresAt,
       };
 
-      // Deduplicate: match by UUID first, then by name
-      let idx = profile?.accountUuid
-        ? this.config.accounts.findIndex(a => a.accountUuid === profile.accountUuid)
-        : -1;
+      // Deduplicate by account+org identity (same email in a different org is a
+      // distinct account), then by name.
+      let idx = this.config.accounts.findIndex(a => sameIdentity(a, entry));
       if (idx < 0) idx = this.config.accounts.findIndex(a => a.name === name);
 
       if (idx >= 0) {
-        this.config.accounts[idx] = entry;
+        const prev = this.config.accounts[idx];
+        this.config.accounts[idx] = { ...prev, ...entry, name: prev.name };
         // Update the running account manager entry
-        const amAcct = this.am.accounts[idx];
+        const amAcct = this.am.accounts.find(a => sameIdentity(a, entry)) || this.am.accounts[idx];
         if (amAcct) {
           amAcct.credential = creds.accessToken;
           amAcct.refreshToken = creds.refreshToken;
           amAcct.expiresAt = creds.expiresAt;
           amAcct.accountUuid = entry.accountUuid;
-          amAcct.name = name;
+          amAcct.orgUuid = entry.orgUuid;
+          amAcct.orgName = entry.orgName;
           if (amAcct.status === 'error') amAcct.status = 'active';
         }
-        this._addLog(`Updated account "${name}"`);
+        this._addLog(`Updated account "${prev.name}"`);
       } else {
+        // New org for this person: disambiguate colliding email names with " (org)".
+        if (profile?.accountUuid) {
+          const orgLbl = a => a.orgName || (a.orgUuid ? a.orgUuid.slice(0, 8) : 'org');
+          const collisions = this.config.accounts.filter(
+            a => a.accountUuid === entry.accountUuid && !sameIdentity(a, entry)
+          );
+          if (collisions.length > 0) {
+            for (const c of collisions) {
+              if (!c.name.includes(' (')) c.name = `${c.name} (${orgLbl(c)})`;
+            }
+            entry.name = `${name} (${orgLbl(entry)})`;
+          }
+        }
         this.config.accounts.push(entry);
         this.am.addAccount(entry);
-        this._addLog(`Imported account "${name}"`);
+        this._addLog(`Imported account "${entry.name}"`);
       }
 
       await this.saveConfig(this.config);
@@ -369,10 +502,37 @@ export class TUI {
     this._addLog(`Removed account "${name}"`);
   }
 
+  async _doToggleDisabled(idx) {
+    if (idx < 0 || idx >= this.am.accounts.length) return;
+    const acct = this.am.accounts[idx];
+    const next = !acct.disabled;
+    this.am.setDisabled(idx, next); // re-enabling also clears a stuck error state
+    // Write an explicit boolean (not delete): saveConfig merges over the on-disk
+    // entry, so a `delete` would leave a stale `disabled: true` from disk intact.
+    if (this.config.accounts[idx]) this.config.accounts[idx].disabled = next;
+    await this.saveConfig(this.config);
+    this._addLog(`${next ? 'Disabled' : 'Enabled'} account "${acct.name}"`);
+  }
+
   // ── rendering ──────────────────────────────────────
 
   render() {
     if (!this.running) return;
+    // Guard against re-entry: clearing an expired quota logs, and _addLog calls
+    // render() again — without this the nested call would render twice.
+    if (this._rendering) return;
+    this._rendering = true;
+    try {
+      this._render();
+    } finally {
+      this._rendering = false;
+    }
+  }
+
+  _render() {
+    // Reset the display the instant a quota window (e.g. 5-hour session) expires,
+    // instead of waiting for the next request to clear it.
+    this.am.refreshExpiredQuotas();
     const W = process.stdout.columns || 80;
     const H = process.stdout.rows || 24;
 
@@ -390,6 +550,10 @@ export class TUI {
     lines.push(left + ' '.repeat(Math.max(1, W - vw(left) - vw(right))) + right);
     lines.push(' ' + dim('─'.repeat(W - 2)));
 
+    const footerH = 2;
+    if (this.mode === 'settings') {
+      this._renderSettings(lines);
+    } else {
     // ── Accounts
     if (this.am.accounts.length === 0) {
       lines.push('');
@@ -423,11 +587,11 @@ export class TUI {
     }
 
     // Completed log
-    const footerH = 2;
     const space = Math.max(0, H - lines.length - footerH);
     for (let i = 0; i < space && i < this.log.length; i++) {
       lines.push(`   ${gray(this.log[i].t)}  ${this.log[i].msg}`);
     }
+    } // end non-settings body
 
     // Pad to fill
     while (lines.length < H - footerH) lines.push('');
@@ -463,9 +627,11 @@ export class TUI {
     // Type
     const type = gray(a.type.padEnd(7));
 
-    // Status
+    // Status — a disabled account is shown as such regardless of its quota state.
     let status;
-    switch (a.status) {
+    if (a.disabled) {
+      status = gray('disabled');
+    } else switch (a.status) {
       case 'active':    status = isCur ? green('active') : 'active'; break;
       case 'throttled': status = yellow('throttled'); break;
       case 'exhausted': status = red('exhausted'); break;
@@ -478,7 +644,7 @@ export class TUI {
     const q = a.quota;
     let r1 = null, r2 = null, l1 = 'Ses', l2 = 'Wk ', t1 = null, t2 = null;
 
-    if (q.unified5h != null || q.unified7d != null) {
+    if (q.unified5h != null || q.unified7d != null || q.unified7dSonnet != null) {
       r1 = q.unified5h;
       r2 = q.unified7d;
       t1 = q.unified5hReset;
@@ -497,16 +663,64 @@ export class TUI {
     let line = ` ${sel}${cur} ${name} ${type} ${status} ${l1} ${bar(r1, bw, t1)}`;
     if (showBoth) {
       line += `  ${l2} ${bar(r2, bw, t2)}`;
+      // Sonnet weekly bar — only shown when the usage probe has populated it.
+      if (q.unified7dSonnet != null) {
+        line += `  S7  ${bar(q.unified7dSonnet, bw, q.unified7dSonnetReset)}`;
+      }
     }
     return line;
   }
 
+  _renderSettings(lines) {
+    lines.push('');
+    // ── Rotation
+    const thr = this.am.switchThreshold ?? this.config.switchThreshold ?? 0.98;
+    lines.push(bold('  Rotation') + dim('  — switch accounts when quota crosses the threshold'));
+    lines.push(`  Switch at:  ${green(`${Math.round(thr * 100)}%`)}  ${dim('utilization')}`);
+    lines.push('');
+    // ── Quota probe
+    const probe = this.config.quotaProbeSeconds || 0;
+    lines.push(bold('  Quota probe') + dim('  — refresh idle accounts from the usage endpoint'));
+    lines.push(`  Interval:   ${probe > 0 ? green(`${probe}s`) : gray('off (passive)')}`);
+    lines.push('');
+    // ── sx.org
+    lines.push(bold('  sx.org proxy') + dim('  — route upstream via a residential IP (429 workaround)'));
+    lines.push('');
+    if (!this.sx) { lines.push(yellow('  Unavailable in this build.')); return; }
+    const key = this.config.sx?.apiKey;
+    const masked = key ? key.slice(0, 4) + '…' + key.slice(-4) : dim('(not set)');
+    const mode = this.sx.getMode();
+    const modeStr = mode === 'always' ? green('always')
+      : mode === '429' ? cyan('on 429 only')
+      : gray('off');
+    const p = this.sx.getProxy?.();
+    const proxyStr = mode === 'off' ? gray('—')
+      : this.sx.isProvisioned() ? green(`${p.host}:${p.port}`)
+      : key ? yellow('not provisioned')
+      : gray('no key');
+    const b = this.sxBalance;
+    lines.push(`  Mode:     ${modeStr}`);
+    lines.push(`  API key:  ${masked}`);
+    lines.push(`  Proxy:    ${proxyStr}`);
+    lines.push(`  Balance:  ${b ? green('$' + Number(b.balance).toFixed(4)) : dim('…')}`);
+    lines.push('');
+    lines.push(dim('  always    tunnel ALL upstream traffic through sx.org'));
+    lines.push(dim('  on 429    only retry through sx.org after a 429 (fresh IP)'));
+    lines.push(dim('  off       never use sx.org (API key is kept)'));
+    lines.push('');
+    lines.push(dim('  TLS stays end-to-end; residential traffic is metered by sx.org.'));
+  }
+
   _renderFooter() {
     switch (this.mode) {
       case 'normal':
-        return ` ${bold('s')}witch  ${bold('a')}dd  ${bold('r')}emove  ${bold('R')}eload  ${bold('q')}uit`;
+        return ` ${bold('s')}witch  ${bold('a')}dd  ${bold('r')}emove  ${bold('d')}isable  ${bold('R')}eload  ${bold('g')} settings  ${bold('q')}uit`;
+      case 'settings':
+        return ` ${bold('t')} threshold  ${bold('p')} probe  ${bold('m')} sx-mode  ${bold('k')} sx-key  ${bold('x')} clear-key  ${bold('Esc')} back`;
       case 'select': {
-        const act = this.selAction === 'switch' ? 'switch' : 'remove';
+        const act = this.selAction === 'switch' ? 'switch'
+          : this.selAction === 'toggle' ? 'enable/disable'
+          : 'remove';
         return ` ${dim('↑↓')} select  ${bold('Enter')} ${act}  ${bold('Esc')} cancel`;
       }
       case 'add':

package/src/upstream-fetch.js

@@ -0,0 +1,85 @@
+// Zero-dependency `fetch` shim that routes upstream requests through the sx.org
+// proxy when it is enabled. With sx disabled it IS global fetch (byte-for-byte
+// the same behavior), so the default path is unchanged.
+//
+// Node's global fetch can't use a CONNECT proxy without `undici` (a dependency —
+// and "zero dependencies" is a project feature), so when sx is enabled we issue
+// the request with `https.request` over a tunneled TLS socket and return a small
+// object exposing exactly the fetch-Response surface src/server.js relies on:
+// `status`, `headers.get()/.entries()`, `text()`, `arrayBuffer()`, and `body`
+// (a web ReadableStream, so streamResponse()'s getReader()/cancel() is untouched).
+
+import https from 'node:https';
+import { Readable } from 'node:stream';
+import { tunnelTls } from './sx.js';
+
+// `useProxy` is decided by the caller (it varies per attempt — e.g. direct first,
+// then via sx after a 429). With it false, or sx unprovisioned, this is plain fetch.
+export function upstreamFetch(url, opts = {}, sx = null, useProxy = false) {
+  if (!sx || !useProxy || !sx.isProvisioned()) return fetch(url, opts);
+  return proxiedFetch(url, opts, sx);
+}
+
+function proxiedFetch(url, opts, sx) {
+  const u = new URL(url);
+  const proxy = sx.getProxy();
+
+  // Custom agent: every socket is a TLS connection tunneled through sx.org.
+  const agent = new https.Agent({ keepAlive: true });
+  agent.createConnection = (_options, cb) => {
+    // sx.tlsOptions is undefined in production (system CAs verify api.anthropic.com);
+    // tests inject a CA here to reach a self-signed upstream.
+    tunnelTls({ proxy, targetHost: u.hostname, targetPort: Number(u.port) || 443, tlsOptions: sx.tlsOptions || {} })
+      .then((sock) => cb(null, sock))
+      .catch((err) => cb(err));
+    return undefined; // socket delivered asynchronously via cb
+  };
+
+  return new Promise((resolve, reject) => {
+    const req = https.request(
+      u,
+      { method: opts.method || 'GET', headers: opts.headers || {}, agent },
+      (res) => resolve(makeResponse(res)),
+    );
+    req.once('error', reject);
+
+    const body = opts.body;
+    const method = (opts.method || 'GET').toUpperCase();
+    if (body == null || method === 'GET' || method === 'HEAD') req.end();
+    else if (typeof body === 'string' || Buffer.isBuffer(body) || body instanceof Uint8Array) req.end(Buffer.from(body));
+    else req.end(String(body));
+  });
+}
+
+// Wrap a Node IncomingMessage as the subset of a fetch Response that server.js uses.
+function makeResponse(res) {
+  const web = Readable.toWeb(res); // single web stream — one consumer either way
+  const collect = async () => {
+    const chunks = [];
+    const reader = web.getReader();
+    for (;;) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      chunks.push(Buffer.from(value));
+    }
+    return Buffer.concat(chunks);
+  };
+  return {
+    status: res.statusCode,
+    headers: makeHeaders(res.headers),
+    body: web,
+    async text() { return (await collect()).toString('utf8'); },
+    async arrayBuffer() { const b = await collect(); return b.buffer.slice(b.byteOffset, b.byteOffset + b.byteLength); },
+  };
+}
+
+// res.headers already has lowercased keys; values are string | string[] (set-cookie).
+function makeHeaders(h) {
+  const flat = (v) => (Array.isArray(v) ? v.join(', ') : v);
+  const entries = function* () { for (const [k, v] of Object.entries(h)) yield [k, flat(v)]; };
+  return {
+    get: (name) => { const v = h[name.toLowerCase()]; return v == null ? null : flat(v); },
+    entries,
+    [Symbol.iterator]: entries,
+  };
+}