caflip 0.3.1 → 0.4.0

package/README.md

@@ -63,7 +63,7 @@ bun run dev -- help
 ## Quick Start
 
 ```bash
-# Show current account / managed accounts across both providers
+# Show current active account / all managed accounts across both providers
 caflip status
 caflip list
 
@@ -110,7 +110,7 @@ After switching, restart the target CLI (Claude Code or Codex) to pick up new au
 |---|---|
 | `caflip` | Interactive provider picker (Claude/Codex) |
 | `caflip list` | List managed accounts for Claude and Codex |
-| `caflip status` | Show current account for Claude and Codex |
+| `caflip status` | Show current active account for Claude and Codex |
 | `caflip add [--alias name]` | Pick provider, then add current account |
 | `caflip login [-- <args...>]` | Pick provider, then run provider login and register the resulting session |
 | `caflip remove [email]` | Pick provider, then remove an account |
@@ -123,8 +123,8 @@ After switching, restart the target CLI (Claude Code or Codex) to pick up new au
 | `caflip [provider] login [-- <args...>]` | Run provider login and register the resulting session |
 | `caflip [provider] remove [email]` | Remove an account |
 | `caflip [provider] next` | Rotate to next account |
-| `caflip [provider] status` | Show current account |
-| `caflip [provider] alias <name> [email]` | Set alias for current or target account |
+| `caflip [provider] status` | Show current active account |
+| `caflip [provider] alias <name> [account]` | Set alias for current or target account |
 | `caflip help` | Show help |
 
 ### Alias Usage
@@ -133,13 +133,31 @@ After switching, restart the target CLI (Claude Code or Codex) to pick up new au
 # Set alias for current active account
 caflip claude alias work
 
-# Set alias for a specific managed account
-caflip claude alias work hi.lucienlee@gmail.com
+# Set alias by list number
+caflip codex list
+# 1: me@example.com · team(org-ab12Cd)
+# 2: me@example.com · team(org-xy98Qw)
+caflip codex alias aibor 2
+
+# Reuse an existing alias as the target
+caflip claude alias primary work
 
-# Codex alias
+# Email works only when it matches exactly one managed account
 caflip codex alias work me@company.com
 ```
 
+`<account>` accepts:
+- the account number shown in `caflip [provider] list`
+- an existing alias
+- an email, only when that email matches exactly one managed account
+
+If the same email exists in multiple workspaces or organizations, use the list number or an existing alias instead.
+
+Codex display labels use provider metadata conservatively:
+- workspace plans such as `team` or `business` show `email · plan(orgShortId)`
+- `free` shows `email · free`
+- alias is the primary human-readable name when you need your own team label
+
 `add`, `remove`, and `login` can be used without a provider prefix. In that case, caflip asks you to choose Claude or Codex first, then continues the normal command flow.
 
 `remove` target accepts email only. Omit it to choose from the interactive picker after selecting a provider.
@@ -153,6 +171,10 @@ caflip claude login -- --email lucien@aibor.io --sso
 caflip codex login -- --device-auth
 ```
 
+`status` shows the currently active account for the selected provider. It does not list every saved account.
+
+Use `list` when you want to inspect all managed accounts for a provider.
+
 ## Shell Prompt Integration
 
 Show the current account in your prompt:

package/dist/cli.js

@@ -186,8 +186,11 @@ import { existsSync as existsSync9, mkdirSync as mkdirSync6 } from "fs";
 // src/config.ts
 import { homedir } from "os";
 import { join } from "path";
+function getHomeDir() {
+  return process.env.HOME ?? homedir();
+}
 function getBackupDir(provider) {
-  return join(homedir(), ".caflip-backup", provider);
+  return join(getHomeDir(), ".caflip-backup", provider);
 }
 function getSequenceFile(provider) {
   return join(getBackupDir(provider), "sequence.json");
@@ -248,6 +251,43 @@ async function writeJsonAtomic(filePath, data) {
 }
 
 // src/accounts.ts
+function getShortOrganizationId(organizationId) {
+  return organizationId.slice(0, 10);
+}
+function normalizeClaudeOrganizationName(email, organizationName) {
+  if (!organizationName) {
+    return null;
+  }
+  if (organizationName === `${email}'s Organization`) {
+    return "Personal";
+  }
+  return organizationName;
+}
+function getManagedAccountLabel(account) {
+  const provider = account.identity?.provider;
+  const organizationId = account.identity?.organizationId;
+  const organizationName = provider === "claude" ? normalizeClaudeOrganizationName(account.email, account.display?.organizationName) : account.display?.organizationName;
+  const planType = account.display?.planType;
+  if (provider === "codex") {
+    if (planType === "free") {
+      return `${account.email} · free`;
+    }
+    const orgShortId = organizationId ? getShortOrganizationId(organizationId) : null;
+    if (planType && orgShortId) {
+      return `${account.email} · ${planType}(${orgShortId})`;
+    }
+    if (orgShortId) {
+      return `${account.email} · ${orgShortId}`;
+    }
+    if (planType) {
+      return `${account.email} · ${planType}`;
+    }
+  }
+  if (organizationName) {
+    return `${account.email} · ${organizationName}`;
+  }
+  return account.email;
+}
 async function initSequenceFile(path) {
   if (existsSync2(path))
     return;
@@ -260,7 +300,34 @@ async function initSequenceFile(path) {
   await writeJsonAtomic(path, data);
 }
 async function loadSequence(path) {
-  return JSON.parse(readFileSync2(path, "utf-8"));
+  const raw = JSON.parse(readFileSync2(path, "utf-8"));
+  const accounts = Object.fromEntries(Object.entries(raw.accounts).map(([num, account]) => {
+    const display = account.display ?? {
+      email: account.email,
+      accountName: null,
+      organizationName: null,
+      planType: null,
+      role: null,
+      label: account.email
+    };
+    display.label = getManagedAccountLabel({
+      email: account.email,
+      display,
+      identity: account.identity
+    });
+    return [
+      num,
+      {
+        ...account,
+        display,
+        legacyUuid: account.legacyUuid ?? (account.identity ? undefined : account.uuid)
+      }
+    ];
+  }));
+  return {
+    ...raw,
+    accounts
+  };
 }
 function getNextAccountNumber(seq) {
   const keys = Object.keys(seq.accounts).map(Number);
@@ -268,8 +335,11 @@ function getNextAccountNumber(seq) {
     return 1;
   return Math.max(...keys) + 1;
 }
-function accountExists(seq, email) {
-  return Object.values(seq.accounts).some((a) => a.email === email);
+function accountExists(seq, identifier) {
+  if (typeof identifier === "string") {
+    return Object.values(seq.accounts).some((a) => a.email === identifier);
+  }
+  return resolveManagedAccount(seq, identifier) !== null;
 }
 function addAccountToSequence(seq, info) {
   const num = getNextAccountNumber(seq);
@@ -282,6 +352,15 @@ function addAccountToSequence(seq, info) {
   if (info.alias) {
     account.alias = info.alias;
   }
+  if (info.display) {
+    account.display = info.display;
+  }
+  if (info.identity) {
+    account.identity = info.identity;
+  }
+  if (info.providerMetadata) {
+    account.providerMetadata = info.providerMetadata;
+  }
   return {
     ...seq,
     accounts: { ...seq.accounts, [numStr]: account },
@@ -321,15 +400,35 @@ function getPostRemovalAction(original, updated, removedAccountNum) {
     targetAccountNumber: String(updated.activeAccountNumber)
   };
 }
-function resolveManagedAccountNumberForEmail(seq, currentEmail) {
-  if (!currentEmail || currentEmail === "none") {
+function resolveManagedAccountNumber(seq, currentAccount) {
+  const resolved = resolveManagedAccount(seq, currentAccount);
+  return resolved === null ? null : Number(resolved);
+}
+function resolveManagedAccount(seq, currentAccount) {
+  if (!currentAccount?.email || currentAccount.email === "none") {
     return null;
   }
-  const accountNum = resolveAccountIdentifier(seq, currentEmail);
-  if (!accountNum) {
+  if (currentAccount.uniqueKey) {
+    for (const [accountNum2, account2] of Object.entries(seq.accounts)) {
+      if (account2.identity?.uniqueKey === currentAccount.uniqueKey) {
+        return accountNum2;
+      }
+    }
+  }
+  const emailMatches = Object.entries(seq.accounts).filter(([, account2]) => {
+    if (account2.email !== currentAccount.email) {
+      return false;
+    }
+    if (!currentAccount.provider) {
+      return true;
+    }
+    return !account2.identity || account2.identity.provider === currentAccount.provider;
+  });
+  if (emailMatches.length !== 1) {
     return null;
   }
-  return Number(accountNum);
+  const [accountNum, account] = emailMatches[0];
+  return account.identity ? null : accountNum;
 }
 function getNextInSequence(seq) {
   const currentIndex = seq.sequence.indexOf(seq.activeAccountNumber);
@@ -347,27 +446,29 @@ function resolveAccountIdentifier(seq, identifier) {
     }
     return null;
   }
-  for (const [num, account] of Object.entries(seq.accounts)) {
-    if (account.email === identifier)
-      return num;
+  const emailMatches = Object.entries(seq.accounts).filter(([, account]) => account.email === identifier);
+  if (emailMatches.length === 1) {
+    return emailMatches[0][0];
   }
   return null;
 }
-function resolveAliasTargetAccount(seq, options) {
-  if (options.identifier) {
-    if (/^\d+$/.test(options.identifier)) {
-      return null;
-    }
-    for (const [num, account] of Object.entries(seq.accounts)) {
-      if (account.email === options.identifier)
-        return num;
-    }
-    return null;
+function resolveAccountTarget(seq, identifier) {
+  if (/^\d+$/.test(identifier)) {
+    const resolved = resolveAccountIdentifier(seq, identifier);
+    return resolved ? { status: "resolved", accountNum: resolved } : { status: "missing" };
   }
-  if (!options.currentEmail || options.currentEmail === "none") {
-    return null;
+  const aliasMatch = findAccountByAlias(seq, identifier);
+  if (aliasMatch) {
+    return { status: "resolved", accountNum: aliasMatch };
+  }
+  const emailMatches = Object.entries(seq.accounts).filter(([, account]) => account.email === identifier).map(([accountNum]) => accountNum);
+  if (emailMatches.length === 1) {
+    return { status: "resolved", accountNum: emailMatches[0] };
   }
-  return resolveAccountIdentifier(seq, options.currentEmail);
+  if (emailMatches.length > 1) {
+    return { status: "ambiguous", matches: emailMatches };
+  }
+  return { status: "missing" };
 }
 function getDisplayAccountNumber(seq, accountNum) {
   const idx = seq.sequence.indexOf(Number(accountNum));
@@ -510,8 +611,11 @@ function isProcessAlive(pid) {
 import { homedir as homedir2 } from "os";
 import { existsSync as existsSync4, readFileSync as readFileSync4 } from "fs";
 import { join as join4 } from "path";
+function getHomeDir2() {
+  return process.env.HOME ?? homedir2();
+}
 function getBackupDir2(provider) {
-  return join4(homedir2(), ".caflip-backup", provider);
+  return join4(getHomeDir2(), ".caflip-backup", provider);
 }
 function getSequenceFile2(provider) {
   return join4(getBackupDir2(provider), "sequence.json");
@@ -554,14 +658,14 @@ function detectPlatform() {
       return "unknown";
   }
 }
-function getClaudeConfigDir(env = process.env, home = homedir2()) {
+function getClaudeConfigDir(env = process.env, home = env.HOME ?? homedir2()) {
   const customDir = env.CLAUDE_CONFIG_DIR?.trim();
   if (customDir) {
     return customDir;
   }
   return join4(home, ".claude");
 }
-function getClaudeConfigPath(env = process.env, home = homedir2()) {
+function getClaudeConfigPath(env = process.env, home = env.HOME ?? homedir2()) {
   const customDir = env.CLAUDE_CONFIG_DIR?.trim();
   if (customDir) {
     return join4(customDir, ".claude.json");
@@ -617,7 +721,7 @@ function validateAlias(alias) {
 // package.json
 var package_default = {
   name: "caflip",
-  version: "0.3.1",
+  version: "0.4.0",
   type: "module",
   bin: {
     caflip: "bin/caflip"
@@ -2258,6 +2362,45 @@ var dist_default5 = createPrompt((config, done) => {
 `).trimEnd();
   return `${lines}${cursorHide}`;
 });
+// src/accounts.ts
+function getShortOrganizationId2(organizationId) {
+  return organizationId.slice(0, 10);
+}
+function normalizeClaudeOrganizationName2(email, organizationName) {
+  if (!organizationName) {
+    return null;
+  }
+  if (organizationName === `${email}'s Organization`) {
+    return "Personal";
+  }
+  return organizationName;
+}
+function getManagedAccountLabel2(account) {
+  const provider = account.identity?.provider;
+  const organizationId = account.identity?.organizationId;
+  const organizationName = provider === "claude" ? normalizeClaudeOrganizationName2(account.email, account.display?.organizationName) : account.display?.organizationName;
+  const planType = account.display?.planType;
+  if (provider === "codex") {
+    if (planType === "free") {
+      return `${account.email} · free`;
+    }
+    const orgShortId = organizationId ? getShortOrganizationId2(organizationId) : null;
+    if (planType && orgShortId) {
+      return `${account.email} · ${planType}(${orgShortId})`;
+    }
+    if (orgShortId) {
+      return `${account.email} · ${orgShortId}`;
+    }
+    if (planType) {
+      return `${account.email} · ${planType}`;
+    }
+  }
+  if (organizationName) {
+    return `${account.email} · ${organizationName}`;
+  }
+  return account.email;
+}
+
 // src/interactive.ts
 class PromptCancelledError extends Error {
   constructor() {
@@ -2303,13 +2446,13 @@ async function wrapPromptCancellation(fn) {
     cleanup();
   }
 }
-function formatAccount(num, email, alias, isActive) {
-  let label = `${num}: ${email}`;
+function formatAccount(num, label, alias, isActive) {
+  let formatted = `${num}: ${label}`;
   if (alias)
-    label += ` [${alias}]`;
+    formatted += ` [${alias}]`;
   if (isActive)
-    label += " (active)";
-  return label;
+    formatted += " (active)";
+  return formatted;
 }
 async function pickAccount(seq, message = "Switch to account:", promptSelect = dist_default5, extraChoices = []) {
   const choices = [
@@ -2321,7 +2464,7 @@ async function pickAccount(seq, message = "Switch to account:", promptSelect = d
       }
       const isActive = num === seq.activeAccountNumber;
       return {
-        name: formatAccount(String(index + 1), account.email, account.alias, isActive),
+        name: formatAccount(String(index + 1), getManagedAccountLabel2(account), account.alias, isActive),
         value: numStr
       };
     }),
@@ -2482,14 +2625,14 @@ function activeSecretToolAttrs() {
 function backupSecretToolAttrs(accountNum, email) {
   return ["service", "ccflip", "account", accountNum, "email", email];
 }
-function getClaudeCredentialsDir(env = process.env, home = homedir3()) {
+function getClaudeCredentialsDir(env = process.env, home = env.HOME ?? homedir3()) {
   const customDir = env.CLAUDE_CONFIG_DIR?.trim();
   if (customDir) {
     return customDir;
   }
   return join5(home, ".claude");
 }
-function getClaudeCredentialsPath(env = process.env, home = homedir3()) {
+function getClaudeCredentialsPath(env = process.env, home = env.HOME ?? homedir3()) {
   return join5(getClaudeCredentialsDir(env, home), ".credentials.json");
 }
 async function secretToolLookup(attrs) {
@@ -2818,7 +2961,21 @@ function getClaudeCurrentAccount() {
     return null;
   }
   const accountId = typeof content?.oauthAccount?.accountUuid === "string" ? content.oauthAccount.accountUuid : undefined;
-  return { email, accountId };
+  const organizationId = typeof content?.oauthAccount?.organizationUuid === "string" ? content.oauthAccount.organizationUuid : undefined;
+  const organizationName = typeof content?.oauthAccount?.organizationName === "string" ? content.oauthAccount.organizationName : undefined;
+  const workspaceRole = typeof content?.oauthAccount?.workspaceRole === "string" ? content.oauthAccount.workspaceRole : undefined;
+  const organizationRole = typeof content?.oauthAccount?.organizationRole === "string" ? content.oauthAccount.organizationRole : undefined;
+  const accountName = typeof content?.oauthAccount?.displayName === "string" ? content.oauthAccount.displayName : undefined;
+  return {
+    email,
+    accountId,
+    organizationId,
+    organizationName,
+    role: workspaceRole ?? organizationRole,
+    accountName,
+    uniqueKey: accountId && organizationId ? `claude:${accountId}:${organizationId}` : undefined,
+    identityStatus: accountId && organizationId ? "resolved" : "partial"
+  };
 }
 function getClaudeCurrentAccountEmail() {
   return getClaudeCurrentAccount()?.email ?? "none";
@@ -3012,35 +3169,50 @@ async function deleteCodexAccountAuthBackup(accountNum, email, credentialsDir) {
   const backupPath = join6(credentialsDir, `.codex-auth-${accountNum}-${email}.json`);
   rmSync4(backupPath, { force: true });
 }
-function getCodexCurrentAccount() {
+function resolveCodexCurrentAccount() {
   const authPath = getCodexAuthPath();
   if (!existsSync7(authPath)) {
-    return null;
+    return { account: null, ambiguousOrganization: false };
   }
   try {
     const authObj = JSON.parse(readFileSync7(authPath, "utf-8"));
     const idToken = authObj.tokens?.id_token;
     if (!idToken) {
-      return null;
+      return { account: null, ambiguousOrganization: false };
     }
     const payload = decodeJwtPayload(idToken);
     if (!payload) {
-      return null;
+      return { account: null, ambiguousOrganization: false };
     }
     const email = typeof payload.email === "string" ? payload.email : null;
     if (!email) {
-      return null;
+      return { account: null, ambiguousOrganization: false };
     }
     const authPayload = payload["https://api.openai.com/auth"];
     const accountId = authPayload?.chatgpt_account_id ?? authObj.tokens?.account_id;
+    const organizations = Array.isArray(authPayload?.organizations) ? authPayload.organizations : [];
+    const organization = organizations.find((candidate) => candidate.is_default === true) ?? (organizations.length === 1 ? organizations[0] : undefined);
+    const ambiguousOrganization = organizations.length > 1 && !organization;
     return {
-      email,
-      accountId
+      ambiguousOrganization,
+      account: {
+        email,
+        accountId,
+        organizationId: organization?.id,
+        organizationName: organization?.title,
+        planType: authPayload?.chatgpt_plan_type,
+        role: organization?.role,
+        uniqueKey: accountId && organization?.id ? `codex:${accountId}:${organization.id}` : undefined,
+        identityStatus: ambiguousOrganization ? "ambiguous" : accountId && organization?.id ? "resolved" : "partial"
+      }
     };
   } catch {
-    return null;
+    return { account: null, ambiguousOrganization: false };
   }
 }
+function getCodexCurrentAccount() {
+  return resolveCodexCurrentAccount().account;
+}
 function readCodexAuthFile() {
   const authPath = getCodexAuthPath();
   if (!existsSync7(authPath)) {
@@ -3085,17 +3257,28 @@ async function verifyCodexLogin(commandRunner = runCapturedCommand) {
       }
     };
   }
-  const currentAccount = getCodexCurrentAccount();
+  const { account: currentAccount, ambiguousOrganization } = resolveCodexCurrentAccount();
   if (!currentAccount?.email) {
     return {
       ok: false,
       reason: "codex auth file did not resolve a current account email"
     };
   }
+  if (ambiguousOrganization) {
+    return {
+      ok: false,
+      reason: "codex login resolved an ambiguous workspace context: multiple organizations without a default workspace"
+    };
+  }
   return {
     ok: true,
     email: currentAccount.email,
-    details: currentAccount.accountId ? { accountId: currentAccount.accountId } : undefined
+    details: {
+      accountId: currentAccount.accountId,
+      organizationId: currentAccount.organizationId,
+      organizationName: currentAccount.organizationName,
+      planType: currentAccount.planType
+    }
   };
 }
 var codexLoginAdapter = {
@@ -3186,12 +3369,115 @@ function setupDirectories() {
     mkdirSync6(dir, { recursive: true, mode: 448 });
   }
 }
+function getCurrentAccountIdentity() {
+  return activeProvider.getCurrentAccount();
+}
 function getCurrentAccount() {
-  return activeProvider.getCurrentAccountEmail();
+  return getCurrentAccountIdentity()?.email ?? "none";
 }
 function getProviderLabel() {
   return activeProvider.name === "codex" ? "Codex" : "Claude Code";
 }
+function hasMultipleProviderEmailMatches(seq, email, provider) {
+  return Object.values(seq.accounts).filter((account) => {
+    if (account.email !== email) {
+      return false;
+    }
+    return !account.identity || account.identity.provider === provider;
+  }).length > 1;
+}
+function resolveCurrentManagedAccountForSwitch(seq, currentIdentity, currentEmail) {
+  if (currentIdentity) {
+    const resolved = resolveManagedAccount(seq, currentIdentity);
+    if (resolved) {
+      return resolved;
+    }
+    const providerEmailMatchCount = Object.values(seq.accounts).filter((account) => {
+      if (account.email !== currentIdentity.email) {
+        return false;
+      }
+      return !account.identity || account.identity.provider === activeProvider.name;
+    }).length;
+    if (currentIdentity.identityStatus === "ambiguous") {
+      throw new Error(`Cannot determine which managed account is currently active for ${currentIdentity.email}.`);
+    }
+    if (currentIdentity.email !== "none" && providerEmailMatchCount > 0) {
+      throw new Error(`Cannot determine which managed account is currently active for ${currentIdentity.email}.`);
+    }
+    return null;
+  }
+  if (currentEmail === "none") {
+    return null;
+  }
+  return resolveAccountIdentifier(seq, currentEmail);
+}
+function getAccountDisplayLabel(account) {
+  return getManagedAccountLabel(account);
+}
+function getCurrentAccountDisplayLabel(currentAccount) {
+  if (!currentAccount) {
+    return "none";
+  }
+  return getManagedAccountLabel({
+    email: currentAccount.email,
+    display: {
+      email: currentAccount.email,
+      accountName: currentAccount.accountName ?? null,
+      organizationName: currentAccount.organizationName ?? null,
+      planType: currentAccount.planType ?? null,
+      role: currentAccount.role ?? null,
+      label: ""
+    },
+    identity: {
+      provider: activeProvider.name,
+      accountId: currentAccount.accountId ?? null,
+      organizationId: currentAccount.organizationId ?? null,
+      uniqueKey: ""
+    }
+  });
+}
+function buildManagedAccountDetails(currentAccount) {
+  if (!currentAccount) {
+    return {
+      email: "none",
+      uuid: "",
+      display: {
+        email: "none",
+        accountName: null,
+        organizationName: null,
+        planType: null,
+        role: null,
+        label: "none"
+      },
+      identity: undefined,
+      providerMetadata: undefined
+    };
+  }
+  return {
+    email: currentAccount.email,
+    uuid: currentAccount.accountId ?? currentAccount.uniqueKey ?? "",
+    display: {
+      email: currentAccount.email,
+      accountName: currentAccount.accountName ?? null,
+      organizationName: currentAccount.organizationName ?? null,
+      planType: currentAccount.planType ?? null,
+      role: currentAccount.role ?? null,
+      label: getCurrentAccountDisplayLabel(currentAccount)
+    },
+    identity: currentAccount.uniqueKey ? {
+      provider: activeProvider.name,
+      accountId: currentAccount.accountId ?? null,
+      organizationId: currentAccount.organizationId ?? null,
+      uniqueKey: currentAccount.uniqueKey
+    } : undefined,
+    providerMetadata: {
+      organizationName: currentAccount.organizationName ?? null,
+      planType: currentAccount.planType ?? null,
+      role: currentAccount.role ?? null,
+      accountName: currentAccount.accountName ?? null
+    }
+  };
+}
 function showProviderRequiredError(command) {
   console.error(`Error: ${command} requires provider prefix.`);
   console.error(`Try: caflip claude ${command} or caflip codex ${command}`);
@@ -3268,8 +3554,7 @@ async function resolveCliContext(parsed, deps = { resolveProviderForCommand }) {
   };
 }
 async function syncSequenceActiveAccount(seq) {
-  const currentEmail = getCurrentAccount();
-  const resolvedActive = resolveManagedAccountNumberForEmail(seq, currentEmail);
+  const resolvedActive = resolveManagedAccountNumber(seq, getCurrentAccountIdentity());
   if (seq.activeAccountNumber !== resolvedActive) {
     seq.activeAccountNumber = resolvedActive;
     seq.lastUpdated = new Date().toISOString();
@@ -3289,22 +3574,26 @@ async function registerCurrentActiveAccount(options) {
   if (options?.expectedEmail && currentEmail !== options.expectedEmail) {
     throw new Error(`Active ${getProviderLabel()} account changed during login verification: expected ${options.expectedEmail}, got ${currentEmail}`);
   }
+  if (currentAccount?.identityStatus === "ambiguous") {
+    throw new Error(`${getProviderLabel()} current account is in an ambiguous workspace context. Please pick a single workspace first, then retry.`);
+  }
   setupDirectories();
   await initSequenceFile(activeSequenceFile);
   const seq = await loadSequence(activeSequenceFile);
   await syncSequenceActiveAccount(seq);
+  const currentAccountNum = resolveManagedAccount(seq, currentAccount);
+  const currentDetails = buildManagedAccountDetails(currentAccount);
   if (options?.alias) {
     const result = validateAlias(options.alias);
     if (!result.valid) {
       throw new Error(result.reason);
     }
     const existingAliasTarget = findAccountByAlias(seq, options.alias);
-    const currentAccountNum = resolveAccountIdentifier(seq, currentEmail);
     if (existingAliasTarget && existingAliasTarget !== currentAccountNum) {
       throw new Error(`Alias "${options.alias}" is already in use`);
     }
   }
-  const existingAccountNum = resolveAccountIdentifier(seq, currentEmail);
+  const existingAccountNum = currentAccountNum;
   if (existingAccountNum) {
     if (!options?.updateIfExists) {
       console.log(`Account ${currentEmail} is already managed.`);
@@ -3333,7 +3622,11 @@ async function registerCurrentActiveAccount(options) {
         ...seq.accounts,
         [existingAccountNum]: {
           ...seq.accounts[existingAccountNum],
+          email: currentEmail,
           uuid,
+          identity: currentDetails.identity ?? seq.accounts[existingAccountNum].identity,
+          display: currentDetails.display,
+          providerMetadata: currentDetails.providerMetadata ?? seq.accounts[existingAccountNum].providerMetadata,
           ...options?.alias ? { alias: options.alias } : {}
         }
       }
@@ -3352,7 +3645,10 @@ async function registerCurrentActiveAccount(options) {
   const updated = addAccountToSequence(seq, {
     email: currentEmail,
     uuid,
-    alias: options?.alias
+    alias: options?.alias,
+    identity: currentDetails.identity,
+    display: currentDetails.display,
+    providerMetadata: currentDetails.providerMetadata
   });
   const accountNum = String(updated.activeAccountNumber);
   await activeProvider.writeAccountAuth(accountNum, currentEmail, creds, activeCredentialsDir);
@@ -3380,17 +3676,27 @@ function getLoginPassthroughArgs(args) {
   return args.slice(passthroughIdx + 1);
 }
 async function performSwitch(seq, targetAccount, options) {
+  const targetProvider = seq.accounts[targetAccount].identity?.provider;
+  if (targetProvider) {
+    setActiveProvider(targetProvider);
+  }
+  const providerName = targetProvider ?? activeProvider.name;
+  const sequenceFile = getSequenceFile(providerName);
+  const credentialsDir = getCredentialsDir(providerName);
+  const configsDir = getConfigsDir(providerName);
   const targetEmail = seq.accounts[targetAccount].email;
-  const currentEmail = options?.currentEmail ?? getCurrentAccount();
-  const currentAccount = currentEmail === "none" ? null : resolveAccountIdentifier(seq, currentEmail);
-  if (currentEmail === targetEmail) {
+  const observedCurrentIdentity = getCurrentAccountIdentity();
+  const currentIdentity = options?.currentEmail && observedCurrentIdentity && observedCurrentIdentity.email !== options.currentEmail ? null : observedCurrentIdentity;
+  const currentEmail = options?.currentEmail ?? currentIdentity?.email ?? "none";
+  const currentAccount = resolveCurrentManagedAccountForSwitch(seq, currentIdentity, currentEmail);
+  if (currentAccount === targetAccount) {
     const account = seq.accounts[targetAccount];
     const aliasStr2 = account.alias ? ` [${account.alias}]` : "";
     const displayLabel2 = getDisplayAccountLabel(seq, targetAccount);
     if (seq.activeAccountNumber !== Number(targetAccount)) {
       seq.activeAccountNumber = Number(targetAccount);
       seq.lastUpdated = new Date().toISOString();
-      await writeJsonAtomic2(activeSequenceFile, seq);
+      await writeJsonAtomic2(sequenceFile, seq);
     }
     console.log(`Already using ${displayLabel2} (${account.email})${aliasStr2}`);
     return;
@@ -3404,17 +3710,17 @@ async function performSwitch(seq, targetAccount, options) {
   if (currentEmail !== "none" && currentAccount) {
     const currentCreds = await activeProvider.readActiveAuth();
     if (currentCreds) {
-      await activeProvider.writeAccountAuth(currentAccount, currentEmail, currentCreds, activeCredentialsDir);
+      await activeProvider.writeAccountAuth(currentAccount, currentEmail, currentCreds, credentialsDir);
     }
     if (activeProvider.usesAccountConfig) {
       const currentConfig = await activeProvider.readActiveConfig();
       if (currentConfig) {
-        await activeProvider.writeAccountConfig(currentAccount, currentEmail, currentConfig, activeConfigsDir);
+        await activeProvider.writeAccountConfig(currentAccount, currentEmail, currentConfig, configsDir);
       }
     }
   }
-  const targetCreds = await activeProvider.readAccountAuth(targetAccount, targetEmail, activeCredentialsDir);
-  const targetConfig = activeProvider.readAccountConfig(targetAccount, targetEmail, activeConfigsDir);
+  const targetCreds = await activeProvider.readAccountAuth(targetAccount, targetEmail, credentialsDir);
+  const targetConfig = activeProvider.readAccountConfig(targetAccount, targetEmail, configsDir);
   if (!targetCreds) {
     throw new Error(`Missing backup data for ${getDisplayAccountLabel(seq, targetAccount)}`);
   }
@@ -3427,10 +3733,23 @@ async function performSwitch(seq, targetAccount, options) {
   }
   seq.activeAccountNumber = Number(targetAccount);
   seq.lastUpdated = new Date().toISOString();
-  await writeJsonAtomic2(activeSequenceFile, seq);
+  await writeJsonAtomic2(sequenceFile, seq);
   const alias = seq.accounts[targetAccount].alias;
   const aliasStr = alias ? ` [${alias}]` : "";
   const displayLabel = getDisplayAccountLabel(seq, targetAccount);
+  const refreshedAccount = activeProvider.getCurrentAccount();
+  if (refreshedAccount) {
+    const refreshedDetails = buildManagedAccountDetails(refreshedAccount);
+    seq.accounts[targetAccount] = {
+      ...seq.accounts[targetAccount],
+      email: refreshedDetails.email,
+      uuid: refreshedDetails.uuid,
+      display: refreshedDetails.display,
+      identity: refreshedDetails.identity ?? seq.accounts[targetAccount].identity,
+      providerMetadata: refreshedDetails.providerMetadata ?? seq.accounts[targetAccount].providerMetadata
+    };
+    await writeJsonAtomic2(sequenceFile, seq);
+  }
   console.log(`Switched to ${displayLabel} (${targetEmail})${aliasStr}`);
   console.log(`
 Please restart ${getProviderLabel()} to use the new authentication.
@@ -3454,15 +3773,16 @@ async function getManagedAccountLinesForActiveProvider() {
   }
   const seq = await loadSequence(activeSequenceFile);
   await syncSequenceActiveAccount(seq);
-  const currentEmail = getCurrentAccount();
+  const currentAccount = getCurrentAccountIdentity();
+  const activeAccountNum = resolveManagedAccount(seq, currentAccount);
   return seq.sequence.map((num, index) => {
     const numStr = String(num);
     const account = seq.accounts[numStr];
     if (!account) {
       throw new Error(`Corrupt sequence data: missing account entry for id ${numStr}`);
     }
-    const isActive = account.email === currentEmail;
-    let line = `  ${index + 1}: ${account.email}`;
+    const isActive = activeAccountNum === numStr;
+    let line = `  ${index + 1}: ${getAccountDisplayLabel(account)}`;
     if (account.alias)
       line += ` [${account.alias}]`;
     if (isActive)
@@ -3566,6 +3886,8 @@ async function cmdStatus(options) {
     console.log(JSON.stringify({
       provider: activeProvider.name,
       email: summary.email === "none" ? null : summary.email,
+      label: summary.email === "none" ? null : summary.label,
+      organizationName: summary.organizationName,
       alias: summary.alias,
       managed: summary.managed
     }));
@@ -3573,29 +3895,37 @@ async function cmdStatus(options) {
   }
   if (summary.email === "none") {
     console.log("none");
+  } else if (summary.alias) {
+    console.log(`${summary.label} [${summary.alias}]`);
   } else {
-    if (summary.alias) {
-      console.log(`${summary.email} [${summary.alias}]`);
-      return;
-    }
-    console.log(summary.email);
+    console.log(summary.label);
   }
+  console.log(`managed accounts: ${summary.managedCount}`);
 }
 async function getStatusSummaryForActiveProvider() {
-  const email = getCurrentAccount();
+  const currentAccount = getCurrentAccountIdentity();
+  const email = currentAccount?.email ?? "none";
   let alias = null;
   let managed = false;
+  let managedCount = 0;
+  let label = getCurrentAccountDisplayLabel(currentAccount);
+  let organizationName = currentAccount?.organizationName ?? null;
   if (email !== "none" && existsSync9(activeSequenceFile)) {
     const seq = await loadSequence(activeSequenceFile);
-    for (const account of Object.values(seq.accounts)) {
-      if (account.email === email) {
-        managed = true;
-        alias = account.alias ?? null;
-        break;
-      }
-    }
+    managedCount = Object.keys(seq.accounts).length;
+    const matchedAccountNum = resolveManagedAccount(seq, currentAccount);
+    if (matchedAccountNum) {
+      const account = seq.accounts[matchedAccountNum];
+      managed = true;
+      alias = account.alias ?? null;
+      label = getAccountDisplayLabel(account);
+      organizationName = account.display?.organizationName ?? organizationName;
+    }
+  } else if (existsSync9(activeSequenceFile)) {
+    const seq = await loadSequence(activeSequenceFile);
+    managedCount = Object.keys(seq.accounts).length;
   }
-  return { email, alias, managed };
+  return { email, alias, managed, managedCount, label, organizationName };
 }
 async function withActiveProvider(provider, fn) {
   const previousProvider = activeProvider.name;
@@ -3645,13 +3975,12 @@ async function cmdStatusAllProviders() {
     console.log(summary.heading);
     if (summary.email === "none") {
       console.log("  none");
-      continue;
-    }
-    if (summary.alias) {
-      console.log(`  ${summary.email} [${summary.alias}]`);
-      continue;
+    } else if (summary.alias) {
+      console.log(`  ${summary.label} [${summary.alias}]`);
+    } else {
+      console.log(`  ${summary.label}`);
     }
-    console.log(`  ${summary.email}`);
+    console.log(`  managed accounts: ${summary.managedCount}`);
   }
 }
 async function cmdAlias(alias, identifier) {
@@ -3663,19 +3992,31 @@ async function cmdAlias(alias, identifier) {
     throw new Error(result.reason);
   }
   const seq = await loadSequence(activeSequenceFile);
-  if (identifier && /^\d+$/.test(identifier)) {
-    throw new Error("Alias target must be an email, not a number");
-  }
   const currentEmail = getCurrentAccount();
-  const accountNum = resolveAliasTargetAccount(seq, { identifier, currentEmail });
-  if (!accountNum) {
-    if (identifier) {
+  const currentIdentity = getCurrentAccountIdentity();
+  let accountNum = null;
+  if (identifier) {
+    const target = resolveAccountTarget(seq, identifier);
+    if (target.status === "ambiguous") {
+      throw new Error(`Multiple managed accounts match ${identifier}. Use account number or alias.`);
+    }
+    if (target.status === "missing") {
       throw new Error(`Account not found: ${identifier}`);
-    } else if (currentEmail === "none") {
+    }
+    accountNum = target.accountNum;
+  } else {
+    accountNum = resolveManagedAccount(seq, currentIdentity);
+    if (!accountNum && currentIdentity?.email && currentIdentity.email !== "none") {
+      if (hasMultipleProviderEmailMatches(seq, currentIdentity.email, activeProvider.name)) {
+        throw new Error(`Multiple managed accounts match ${currentIdentity.email}. Use account number or alias.`);
+      }
+    }
+  }
+  if (!accountNum) {
+    if (currentEmail === "none") {
       throw new Error(`No active ${getProviderLabel()} account found. Please log in first.`);
-    } else {
-      throw new Error(`Current account is not managed: ${currentEmail}`);
     }
+    throw new Error(`Current account is not managed: ${currentEmail}`);
   }
   const updated = setAlias(seq, accountNum, alias);
   await writeJsonAtomic2(activeSequenceFile, updated);
@@ -3683,7 +4024,9 @@ async function cmdAlias(alias, identifier) {
   console.log(`Alias "${alias}" set for ${getDisplayAccountLabel(updated, accountNum)} (${account.email})`);
 }
 async function cmdInteractiveSwitch() {
-  const currentEmail = getCurrentAccount();
+  const currentIdentity = getCurrentAccountIdentity();
+  const currentEmail = currentIdentity?.email ?? "none";
+  const currentLabel = getCurrentAccountDisplayLabel(currentIdentity);
   const hasSequence = existsSync9(activeSequenceFile);
   const seq = hasSequence ? await loadSequence(activeSequenceFile) : null;
   if (seq) {
@@ -3692,7 +4035,7 @@ async function cmdInteractiveSwitch() {
   if (!seq || seq.sequence.length === 0) {
     const emptyStateChoices = [
       {
-        name: `+ Add current logged-in account${currentEmail === "none" ? "" : ` (${currentEmail})`}`,
+        name: `+ Add current logged-in account${currentEmail === "none" ? "" : ` (${currentLabel})`}`,
         value: ADD_CURRENT_ACCOUNT_CHOICE
       },
       { name: "Back", value: "__back__" }
@@ -3704,8 +4047,8 @@ async function cmdInteractiveSwitch() {
     await cmdAdd();
     return;
   }
-  const shouldOfferAddCurrent = currentEmail !== "none" && !accountExists(seq, currentEmail);
-  const extraChoices = shouldOfferAddCurrent ? [{ name: `+ Add current logged-in account (${currentEmail})`, value: ADD_CURRENT_ACCOUNT_CHOICE }] : [];
+  const shouldOfferAddCurrent = currentEmail !== "none" && currentIdentity?.identityStatus !== "ambiguous" && !accountExists(seq, currentIdentity ?? currentEmail);
+  const extraChoices = shouldOfferAddCurrent ? [{ name: `+ Add current logged-in account (${currentLabel})`, value: ADD_CURRENT_ACCOUNT_CHOICE }] : [];
   const selected = await pickAccount(seq, `caflip v${package_default.version} \u2014 Switch ${getProviderLabel()} account:`, undefined, extraChoices);
   if (selected === ADD_CURRENT_ACCOUNT_CHOICE) {
     await cmdAdd();
@@ -3723,7 +4066,7 @@ Usage:
 Commands:
   (no args)                            Interactive provider picker
   list                                 List managed accounts for all providers
-  status                               Show current account for all providers
+  status                               Show current active account for all providers
   add [--alias <name>]                 Pick provider, then add current account
   login [-- <args...>]                 Pick provider, then run provider login
   remove [<email>]                     Pick provider, then remove an account
@@ -3734,20 +4077,22 @@ Commands:
   <provider> login [-- <args...>]      Run provider login and register session
   <provider> remove [<email>]          Remove an account
   <provider> next                      Rotate to next account
-  <provider> status [--json]           Show current account
-  <provider> alias <name> [<email>]    Set alias for current or target account
+  <provider> status [--json]           Show current active account
+  <provider> alias <name> [<account>]  Set alias for current or target account
   help                                 Show this help
 
 Examples:
   caflip                               Pick provider interactively
   caflip list                          List managed accounts for Claude and Codex
-  caflip status                        Show current account for Claude and Codex
+  caflip status                        Show current active account for Claude and Codex
   caflip add                           Pick provider, then add current account
   caflip login                         Pick provider, then run provider login
   caflip remove                        Pick provider, then remove an account interactively
   caflip claude                        Pick Claude account interactively
   caflip claude work                   Switch Claude account by alias
   caflip claude add --alias personal   Add current Claude account with alias
+  caflip claude alias work             Alias the current Claude account as "work"
+  caflip claude alias work 2           Alias Claude Account-2 as "work"
   caflip claude login                  Run Claude login and register session
   caflip claude login -- --email me@example.com --sso
                                        Pass provider-specific flags after --
@@ -3755,8 +4100,12 @@ Examples:
   caflip codex list                    List managed Codex accounts
   caflip codex login -- --device-auth  Run Codex login and register session
   caflip codex add --alias work        Add current Codex account with alias
-  caflip codex alias work user@company.com
-                                       Set Codex alias for target email`);
+  caflip codex alias work 2
+                                       Set Codex alias for target account
+
+Alias targets:
+  <account> can be a list number, an existing alias, or an email when it matches exactly one managed account.
+  Codex labels show workspace plans as email \xB7 plan(orgShortId); free shows email \xB7 free.`);
 }
 async function executeProviderCommand(command, args, provider, runWithLock) {
   switch (command) {
@@ -3798,7 +4147,7 @@ async function executeProviderCommand(command, args, provider, runWithLock) {
       break;
     case "alias": {
       if (!args[1]) {
-        console.error(`Usage: caflip ${provider} alias <name> [<email>]`);
+        console.error(`Usage: caflip ${provider} alias <name> [<account>]`);
         process.exit(1);
       }
       await runWithLock(async () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "caflip",
-  "version": "0.3.1",
+  "version": "0.4.0",
   "type": "module",
   "bin": {
     "caflip": "bin/caflip"