caflip 0.3.3 → 0.4.0

package/README.md

@@ -124,7 +124,7 @@ After switching, restart the target CLI (Claude Code or Codex) to pick up new au
 | `caflip [provider] remove [email]` | Remove an account |
 | `caflip [provider] next` | Rotate to next account |
 | `caflip [provider] status` | Show current active account |
-| `caflip [provider] alias <name> [email]` | Set alias for current or target account |
+| `caflip [provider] alias <name> [account]` | Set alias for current or target account |
 | `caflip help` | Show help |
 
 ### Alias Usage
@@ -133,13 +133,31 @@ After switching, restart the target CLI (Claude Code or Codex) to pick up new au
 # Set alias for current active account
 caflip claude alias work
 
-# Set alias for a specific managed account
-caflip claude alias work hi.lucienlee@gmail.com
+# Set alias by list number
+caflip codex list
+# 1: me@example.com · team(org-ab12Cd)
+# 2: me@example.com · team(org-xy98Qw)
+caflip codex alias aibor 2
+
+# Reuse an existing alias as the target
+caflip claude alias primary work
 
-# Codex alias
+# Email works only when it matches exactly one managed account
 caflip codex alias work me@company.com
 ```
 
+`<account>` accepts:
+- the account number shown in `caflip [provider] list`
+- an existing alias
+- an email, only when that email matches exactly one managed account
+
+If the same email exists in multiple workspaces or organizations, use the list number or an existing alias instead.
+
+Codex display labels use provider metadata conservatively:
+- workspace plans such as `team` or `business` show `email · plan(orgShortId)`
+- `free` shows `email · free`
+- alias is the primary human-readable name when you need your own team label
+
 `add`, `remove`, and `login` can be used without a provider prefix. In that case, caflip asks you to choose Claude or Codex first, then continues the normal command flow.
 
 `remove` target accepts email only. Omit it to choose from the interactive picker after selecting a provider.

package/dist/cli.js

@@ -186,8 +186,11 @@ import { existsSync as existsSync9, mkdirSync as mkdirSync6 } from "fs";
 // src/config.ts
 import { homedir } from "os";
 import { join } from "path";
+function getHomeDir() {
+  return process.env.HOME ?? homedir();
+}
 function getBackupDir(provider) {
-  return join(homedir(), ".caflip-backup", provider);
+  return join(getHomeDir(), ".caflip-backup", provider);
 }
 function getSequenceFile(provider) {
   return join(getBackupDir(provider), "sequence.json");
@@ -248,6 +251,43 @@ async function writeJsonAtomic(filePath, data) {
 }
 
 // src/accounts.ts
+function getShortOrganizationId(organizationId) {
+  return organizationId.slice(0, 10);
+}
+function normalizeClaudeOrganizationName(email, organizationName) {
+  if (!organizationName) {
+    return null;
+  }
+  if (organizationName === `${email}'s Organization`) {
+    return "Personal";
+  }
+  return organizationName;
+}
+function getManagedAccountLabel(account) {
+  const provider = account.identity?.provider;
+  const organizationId = account.identity?.organizationId;
+  const organizationName = provider === "claude" ? normalizeClaudeOrganizationName(account.email, account.display?.organizationName) : account.display?.organizationName;
+  const planType = account.display?.planType;
+  if (provider === "codex") {
+    if (planType === "free") {
+      return `${account.email} · free`;
+    }
+    const orgShortId = organizationId ? getShortOrganizationId(organizationId) : null;
+    if (planType && orgShortId) {
+      return `${account.email} · ${planType}(${orgShortId})`;
+    }
+    if (orgShortId) {
+      return `${account.email} · ${orgShortId}`;
+    }
+    if (planType) {
+      return `${account.email} · ${planType}`;
+    }
+  }
+  if (organizationName) {
+    return `${account.email} · ${organizationName}`;
+  }
+  return account.email;
+}
 async function initSequenceFile(path) {
   if (existsSync2(path))
     return;
@@ -260,7 +300,34 @@ async function initSequenceFile(path) {
   await writeJsonAtomic(path, data);
 }
 async function loadSequence(path) {
-  return JSON.parse(readFileSync2(path, "utf-8"));
+  const raw = JSON.parse(readFileSync2(path, "utf-8"));
+  const accounts = Object.fromEntries(Object.entries(raw.accounts).map(([num, account]) => {
+    const display = account.display ?? {
+      email: account.email,
+      accountName: null,
+      organizationName: null,
+      planType: null,
+      role: null,
+      label: account.email
+    };
+    display.label = getManagedAccountLabel({
+      email: account.email,
+      display,
+      identity: account.identity
+    });
+    return [
+      num,
+      {
+        ...account,
+        display,
+        legacyUuid: account.legacyUuid ?? (account.identity ? undefined : account.uuid)
+      }
+    ];
+  }));
+  return {
+    ...raw,
+    accounts
+  };
 }
 function getNextAccountNumber(seq) {
   const keys = Object.keys(seq.accounts).map(Number);
@@ -268,8 +335,11 @@ function getNextAccountNumber(seq) {
     return 1;
   return Math.max(...keys) + 1;
 }
-function accountExists(seq, email) {
-  return Object.values(seq.accounts).some((a) => a.email === email);
+function accountExists(seq, identifier) {
+  if (typeof identifier === "string") {
+    return Object.values(seq.accounts).some((a) => a.email === identifier);
+  }
+  return resolveManagedAccount(seq, identifier) !== null;
 }
 function addAccountToSequence(seq, info) {
   const num = getNextAccountNumber(seq);
@@ -282,6 +352,15 @@ function addAccountToSequence(seq, info) {
   if (info.alias) {
     account.alias = info.alias;
   }
+  if (info.display) {
+    account.display = info.display;
+  }
+  if (info.identity) {
+    account.identity = info.identity;
+  }
+  if (info.providerMetadata) {
+    account.providerMetadata = info.providerMetadata;
+  }
   return {
     ...seq,
     accounts: { ...seq.accounts, [numStr]: account },
@@ -321,15 +400,35 @@ function getPostRemovalAction(original, updated, removedAccountNum) {
     targetAccountNumber: String(updated.activeAccountNumber)
   };
 }
-function resolveManagedAccountNumberForEmail(seq, currentEmail) {
-  if (!currentEmail || currentEmail === "none") {
+function resolveManagedAccountNumber(seq, currentAccount) {
+  const resolved = resolveManagedAccount(seq, currentAccount);
+  return resolved === null ? null : Number(resolved);
+}
+function resolveManagedAccount(seq, currentAccount) {
+  if (!currentAccount?.email || currentAccount.email === "none") {
     return null;
   }
-  const accountNum = resolveAccountIdentifier(seq, currentEmail);
-  if (!accountNum) {
+  if (currentAccount.uniqueKey) {
+    for (const [accountNum2, account2] of Object.entries(seq.accounts)) {
+      if (account2.identity?.uniqueKey === currentAccount.uniqueKey) {
+        return accountNum2;
+      }
+    }
+  }
+  const emailMatches = Object.entries(seq.accounts).filter(([, account2]) => {
+    if (account2.email !== currentAccount.email) {
+      return false;
+    }
+    if (!currentAccount.provider) {
+      return true;
+    }
+    return !account2.identity || account2.identity.provider === currentAccount.provider;
+  });
+  if (emailMatches.length !== 1) {
     return null;
   }
-  return Number(accountNum);
+  const [accountNum, account] = emailMatches[0];
+  return account.identity ? null : accountNum;
 }
 function getNextInSequence(seq) {
   const currentIndex = seq.sequence.indexOf(seq.activeAccountNumber);
@@ -347,27 +446,29 @@ function resolveAccountIdentifier(seq, identifier) {
     }
     return null;
   }
-  for (const [num, account] of Object.entries(seq.accounts)) {
-    if (account.email === identifier)
-      return num;
+  const emailMatches = Object.entries(seq.accounts).filter(([, account]) => account.email === identifier);
+  if (emailMatches.length === 1) {
+    return emailMatches[0][0];
   }
   return null;
 }
-function resolveAliasTargetAccount(seq, options) {
-  if (options.identifier) {
-    if (/^\d+$/.test(options.identifier)) {
-      return null;
-    }
-    for (const [num, account] of Object.entries(seq.accounts)) {
-      if (account.email === options.identifier)
-        return num;
-    }
-    return null;
+function resolveAccountTarget(seq, identifier) {
+  if (/^\d+$/.test(identifier)) {
+    const resolved = resolveAccountIdentifier(seq, identifier);
+    return resolved ? { status: "resolved", accountNum: resolved } : { status: "missing" };
   }
-  if (!options.currentEmail || options.currentEmail === "none") {
-    return null;
+  const aliasMatch = findAccountByAlias(seq, identifier);
+  if (aliasMatch) {
+    return { status: "resolved", accountNum: aliasMatch };
+  }
+  const emailMatches = Object.entries(seq.accounts).filter(([, account]) => account.email === identifier).map(([accountNum]) => accountNum);
+  if (emailMatches.length === 1) {
+    return { status: "resolved", accountNum: emailMatches[0] };
+  }
+  if (emailMatches.length > 1) {
+    return { status: "ambiguous", matches: emailMatches };
   }
-  return resolveAccountIdentifier(seq, options.currentEmail);
+  return { status: "missing" };
 }
 function getDisplayAccountNumber(seq, accountNum) {
   const idx = seq.sequence.indexOf(Number(accountNum));
@@ -510,8 +611,11 @@ function isProcessAlive(pid) {
 import { homedir as homedir2 } from "os";
 import { existsSync as existsSync4, readFileSync as readFileSync4 } from "fs";
 import { join as join4 } from "path";
+function getHomeDir2() {
+  return process.env.HOME ?? homedir2();
+}
 function getBackupDir2(provider) {
-  return join4(homedir2(), ".caflip-backup", provider);
+  return join4(getHomeDir2(), ".caflip-backup", provider);
 }
 function getSequenceFile2(provider) {
   return join4(getBackupDir2(provider), "sequence.json");
@@ -554,14 +658,14 @@ function detectPlatform() {
       return "unknown";
   }
 }
-function getClaudeConfigDir(env = process.env, home = homedir2()) {
+function getClaudeConfigDir(env = process.env, home = env.HOME ?? homedir2()) {
   const customDir = env.CLAUDE_CONFIG_DIR?.trim();
   if (customDir) {
     return customDir;
   }
   return join4(home, ".claude");
 }
-function getClaudeConfigPath(env = process.env, home = homedir2()) {
+function getClaudeConfigPath(env = process.env, home = env.HOME ?? homedir2()) {
   const customDir = env.CLAUDE_CONFIG_DIR?.trim();
   if (customDir) {
     return join4(customDir, ".claude.json");
@@ -617,7 +721,7 @@ function validateAlias(alias) {
 // package.json
 var package_default = {
   name: "caflip",
-  version: "0.3.3",
+  version: "0.4.0",
   type: "module",
   bin: {
     caflip: "bin/caflip"
@@ -2258,6 +2362,45 @@ var dist_default5 = createPrompt((config, done) => {
 `).trimEnd();
   return `${lines}${cursorHide}`;
 });
+// src/accounts.ts
+function getShortOrganizationId2(organizationId) {
+  return organizationId.slice(0, 10);
+}
+function normalizeClaudeOrganizationName2(email, organizationName) {
+  if (!organizationName) {
+    return null;
+  }
+  if (organizationName === `${email}'s Organization`) {
+    return "Personal";
+  }
+  return organizationName;
+}
+function getManagedAccountLabel2(account) {
+  const provider = account.identity?.provider;
+  const organizationId = account.identity?.organizationId;
+  const organizationName = provider === "claude" ? normalizeClaudeOrganizationName2(account.email, account.display?.organizationName) : account.display?.organizationName;
+  const planType = account.display?.planType;
+  if (provider === "codex") {
+    if (planType === "free") {
+      return `${account.email} · free`;
+    }
+    const orgShortId = organizationId ? getShortOrganizationId2(organizationId) : null;
+    if (planType && orgShortId) {
+      return `${account.email} · ${planType}(${orgShortId})`;
+    }
+    if (orgShortId) {
+      return `${account.email} · ${orgShortId}`;
+    }
+    if (planType) {
+      return `${account.email} · ${planType}`;
+    }
+  }
+  if (organizationName) {
+    return `${account.email} · ${organizationName}`;
+  }
+  return account.email;
+}
+
 // src/interactive.ts
 class PromptCancelledError extends Error {
   constructor() {
@@ -2303,13 +2446,13 @@ async function wrapPromptCancellation(fn) {
     cleanup();
   }
 }
-function formatAccount(num, email, alias, isActive) {
-  let label = `${num}: ${email}`;
+function formatAccount(num, label, alias, isActive) {
+  let formatted = `${num}: ${label}`;
   if (alias)
-    label += ` [${alias}]`;
+    formatted += ` [${alias}]`;
   if (isActive)
-    label += " (active)";
-  return label;
+    formatted += " (active)";
+  return formatted;
 }
 async function pickAccount(seq, message = "Switch to account:", promptSelect = dist_default5, extraChoices = []) {
   const choices = [
@@ -2321,7 +2464,7 @@ async function pickAccount(seq, message = "Switch to account:", promptSelect = d
       }
       const isActive = num === seq.activeAccountNumber;
       return {
-        name: formatAccount(String(index + 1), account.email, account.alias, isActive),
+        name: formatAccount(String(index + 1), getManagedAccountLabel2(account), account.alias, isActive),
         value: numStr
       };
     }),
@@ -2482,14 +2625,14 @@ function activeSecretToolAttrs() {
 function backupSecretToolAttrs(accountNum, email) {
   return ["service", "ccflip", "account", accountNum, "email", email];
 }
-function getClaudeCredentialsDir(env = process.env, home = homedir3()) {
+function getClaudeCredentialsDir(env = process.env, home = env.HOME ?? homedir3()) {
   const customDir = env.CLAUDE_CONFIG_DIR?.trim();
   if (customDir) {
     return customDir;
   }
   return join5(home, ".claude");
 }
-function getClaudeCredentialsPath(env = process.env, home = homedir3()) {
+function getClaudeCredentialsPath(env = process.env, home = env.HOME ?? homedir3()) {
   return join5(getClaudeCredentialsDir(env, home), ".credentials.json");
 }
 async function secretToolLookup(attrs) {
@@ -2818,7 +2961,21 @@ function getClaudeCurrentAccount() {
     return null;
   }
   const accountId = typeof content?.oauthAccount?.accountUuid === "string" ? content.oauthAccount.accountUuid : undefined;
-  return { email, accountId };
+  const organizationId = typeof content?.oauthAccount?.organizationUuid === "string" ? content.oauthAccount.organizationUuid : undefined;
+  const organizationName = typeof content?.oauthAccount?.organizationName === "string" ? content.oauthAccount.organizationName : undefined;
+  const workspaceRole = typeof content?.oauthAccount?.workspaceRole === "string" ? content.oauthAccount.workspaceRole : undefined;
+  const organizationRole = typeof content?.oauthAccount?.organizationRole === "string" ? content.oauthAccount.organizationRole : undefined;
+  const accountName = typeof content?.oauthAccount?.displayName === "string" ? content.oauthAccount.displayName : undefined;
+  return {
+    email,
+    accountId,
+    organizationId,
+    organizationName,
+    role: workspaceRole ?? organizationRole,
+    accountName,
+    uniqueKey: accountId && organizationId ? `claude:${accountId}:${organizationId}` : undefined,
+    identityStatus: accountId && organizationId ? "resolved" : "partial"
+  };
 }
 function getClaudeCurrentAccountEmail() {
   return getClaudeCurrentAccount()?.email ?? "none";
@@ -3012,35 +3169,50 @@ async function deleteCodexAccountAuthBackup(accountNum, email, credentialsDir) {
   const backupPath = join6(credentialsDir, `.codex-auth-${accountNum}-${email}.json`);
   rmSync4(backupPath, { force: true });
 }
-function getCodexCurrentAccount() {
+function resolveCodexCurrentAccount() {
   const authPath = getCodexAuthPath();
   if (!existsSync7(authPath)) {
-    return null;
+    return { account: null, ambiguousOrganization: false };
   }
   try {
     const authObj = JSON.parse(readFileSync7(authPath, "utf-8"));
     const idToken = authObj.tokens?.id_token;
     if (!idToken) {
-      return null;
+      return { account: null, ambiguousOrganization: false };
     }
     const payload = decodeJwtPayload(idToken);
     if (!payload) {
-      return null;
+      return { account: null, ambiguousOrganization: false };
     }
     const email = typeof payload.email === "string" ? payload.email : null;
     if (!email) {
-      return null;
+      return { account: null, ambiguousOrganization: false };
     }
     const authPayload = payload["https://api.openai.com/auth"];
     const accountId = authPayload?.chatgpt_account_id ?? authObj.tokens?.account_id;
+    const organizations = Array.isArray(authPayload?.organizations) ? authPayload.organizations : [];
+    const organization = organizations.find((candidate) => candidate.is_default === true) ?? (organizations.length === 1 ? organizations[0] : undefined);
+    const ambiguousOrganization = organizations.length > 1 && !organization;
     return {
-      email,
-      accountId
+      ambiguousOrganization,
+      account: {
+        email,
+        accountId,
+        organizationId: organization?.id,
+        organizationName: organization?.title,
+        planType: authPayload?.chatgpt_plan_type,
+        role: organization?.role,
+        uniqueKey: accountId && organization?.id ? `codex:${accountId}:${organization.id}` : undefined,
+        identityStatus: ambiguousOrganization ? "ambiguous" : accountId && organization?.id ? "resolved" : "partial"
+      }
     };
   } catch {
-    return null;
+    return { account: null, ambiguousOrganization: false };
   }
 }
+function getCodexCurrentAccount() {
+  return resolveCodexCurrentAccount().account;
+}
 function readCodexAuthFile() {
   const authPath = getCodexAuthPath();
   if (!existsSync7(authPath)) {
@@ -3085,17 +3257,28 @@ async function verifyCodexLogin(commandRunner = runCapturedCommand) {
       }
     };
   }
-  const currentAccount = getCodexCurrentAccount();
+  const { account: currentAccount, ambiguousOrganization } = resolveCodexCurrentAccount();
   if (!currentAccount?.email) {
     return {
       ok: false,
       reason: "codex auth file did not resolve a current account email"
     };
   }
+  if (ambiguousOrganization) {
+    return {
+      ok: false,
+      reason: "codex login resolved an ambiguous workspace context: multiple organizations without a default workspace"
+    };
+  }
   return {
     ok: true,
     email: currentAccount.email,
-    details: currentAccount.accountId ? { accountId: currentAccount.accountId } : undefined
+    details: {
+      accountId: currentAccount.accountId,
+      organizationId: currentAccount.organizationId,
+      organizationName: currentAccount.organizationName,
+      planType: currentAccount.planType
+    }
   };
 }
 var codexLoginAdapter = {
@@ -3186,12 +3369,115 @@ function setupDirectories() {
     mkdirSync6(dir, { recursive: true, mode: 448 });
   }
 }
+function getCurrentAccountIdentity() {
+  return activeProvider.getCurrentAccount();
+}
 function getCurrentAccount() {
-  return activeProvider.getCurrentAccountEmail();
+  return getCurrentAccountIdentity()?.email ?? "none";
 }
 function getProviderLabel() {
   return activeProvider.name === "codex" ? "Codex" : "Claude Code";
 }
+function hasMultipleProviderEmailMatches(seq, email, provider) {
+  return Object.values(seq.accounts).filter((account) => {
+    if (account.email !== email) {
+      return false;
+    }
+    return !account.identity || account.identity.provider === provider;
+  }).length > 1;
+}
+function resolveCurrentManagedAccountForSwitch(seq, currentIdentity, currentEmail) {
+  if (currentIdentity) {
+    const resolved = resolveManagedAccount(seq, currentIdentity);
+    if (resolved) {
+      return resolved;
+    }
+    const providerEmailMatchCount = Object.values(seq.accounts).filter((account) => {
+      if (account.email !== currentIdentity.email) {
+        return false;
+      }
+      return !account.identity || account.identity.provider === activeProvider.name;
+    }).length;
+    if (currentIdentity.identityStatus === "ambiguous") {
+      throw new Error(`Cannot determine which managed account is currently active for ${currentIdentity.email}.`);
+    }
+    if (currentIdentity.email !== "none" && providerEmailMatchCount > 0) {
+      throw new Error(`Cannot determine which managed account is currently active for ${currentIdentity.email}.`);
+    }
+    return null;
+  }
+  if (currentEmail === "none") {
+    return null;
+  }
+  return resolveAccountIdentifier(seq, currentEmail);
+}
+function getAccountDisplayLabel(account) {
+  return getManagedAccountLabel(account);
+}
+function getCurrentAccountDisplayLabel(currentAccount) {
+  if (!currentAccount) {
+    return "none";
+  }
+  return getManagedAccountLabel({
+    email: currentAccount.email,
+    display: {
+      email: currentAccount.email,
+      accountName: currentAccount.accountName ?? null,
+      organizationName: currentAccount.organizationName ?? null,
+      planType: currentAccount.planType ?? null,
+      role: currentAccount.role ?? null,
+      label: ""
+    },
+    identity: {
+      provider: activeProvider.name,
+      accountId: currentAccount.accountId ?? null,
+      organizationId: currentAccount.organizationId ?? null,
+      uniqueKey: ""
+    }
+  });
+}
+function buildManagedAccountDetails(currentAccount) {
+  if (!currentAccount) {
+    return {
+      email: "none",
+      uuid: "",
+      display: {
+        email: "none",
+        accountName: null,
+        organizationName: null,
+        planType: null,
+        role: null,
+        label: "none"
+      },
+      identity: undefined,
+      providerMetadata: undefined
+    };
+  }
+  return {
+    email: currentAccount.email,
+    uuid: currentAccount.accountId ?? currentAccount.uniqueKey ?? "",
+    display: {
+      email: currentAccount.email,
+      accountName: currentAccount.accountName ?? null,
+      organizationName: currentAccount.organizationName ?? null,
+      planType: currentAccount.planType ?? null,
+      role: currentAccount.role ?? null,
+      label: getCurrentAccountDisplayLabel(currentAccount)
+    },
+    identity: currentAccount.uniqueKey ? {
+      provider: activeProvider.name,
+      accountId: currentAccount.accountId ?? null,
+      organizationId: currentAccount.organizationId ?? null,
+      uniqueKey: currentAccount.uniqueKey
+    } : undefined,
+    providerMetadata: {
+      organizationName: currentAccount.organizationName ?? null,
+      planType: currentAccount.planType ?? null,
+      role: currentAccount.role ?? null,
+      accountName: currentAccount.accountName ?? null
+    }
+  };
+}
 function showProviderRequiredError(command) {
   console.error(`Error: ${command} requires provider prefix.`);
   console.error(`Try: caflip claude ${command} or caflip codex ${command}`);
@@ -3268,8 +3554,7 @@ async function resolveCliContext(parsed, deps = { resolveProviderForCommand }) {
   };
 }
 async function syncSequenceActiveAccount(seq) {
-  const currentEmail = getCurrentAccount();
-  const resolvedActive = resolveManagedAccountNumberForEmail(seq, currentEmail);
+  const resolvedActive = resolveManagedAccountNumber(seq, getCurrentAccountIdentity());
   if (seq.activeAccountNumber !== resolvedActive) {
     seq.activeAccountNumber = resolvedActive;
     seq.lastUpdated = new Date().toISOString();
@@ -3289,22 +3574,26 @@ async function registerCurrentActiveAccount(options) {
   if (options?.expectedEmail && currentEmail !== options.expectedEmail) {
     throw new Error(`Active ${getProviderLabel()} account changed during login verification: expected ${options.expectedEmail}, got ${currentEmail}`);
   }
+  if (currentAccount?.identityStatus === "ambiguous") {
+    throw new Error(`${getProviderLabel()} current account is in an ambiguous workspace context. Please pick a single workspace first, then retry.`);
+  }
   setupDirectories();
   await initSequenceFile(activeSequenceFile);
   const seq = await loadSequence(activeSequenceFile);
   await syncSequenceActiveAccount(seq);
+  const currentAccountNum = resolveManagedAccount(seq, currentAccount);
+  const currentDetails = buildManagedAccountDetails(currentAccount);
   if (options?.alias) {
     const result = validateAlias(options.alias);
     if (!result.valid) {
       throw new Error(result.reason);
     }
     const existingAliasTarget = findAccountByAlias(seq, options.alias);
-    const currentAccountNum = resolveAccountIdentifier(seq, currentEmail);
     if (existingAliasTarget && existingAliasTarget !== currentAccountNum) {
       throw new Error(`Alias "${options.alias}" is already in use`);
     }
   }
-  const existingAccountNum = resolveAccountIdentifier(seq, currentEmail);
+  const existingAccountNum = currentAccountNum;
   if (existingAccountNum) {
     if (!options?.updateIfExists) {
       console.log(`Account ${currentEmail} is already managed.`);
@@ -3333,7 +3622,11 @@ async function registerCurrentActiveAccount(options) {
         ...seq.accounts,
         [existingAccountNum]: {
           ...seq.accounts[existingAccountNum],
+          email: currentEmail,
           uuid,
+          identity: currentDetails.identity ?? seq.accounts[existingAccountNum].identity,
+          display: currentDetails.display,
+          providerMetadata: currentDetails.providerMetadata ?? seq.accounts[existingAccountNum].providerMetadata,
           ...options?.alias ? { alias: options.alias } : {}
         }
       }
@@ -3352,7 +3645,10 @@ async function registerCurrentActiveAccount(options) {
   const updated = addAccountToSequence(seq, {
     email: currentEmail,
     uuid,
-    alias: options?.alias
+    alias: options?.alias,
+    identity: currentDetails.identity,
+    display: currentDetails.display,
+    providerMetadata: currentDetails.providerMetadata
   });
   const accountNum = String(updated.activeAccountNumber);
   await activeProvider.writeAccountAuth(accountNum, currentEmail, creds, activeCredentialsDir);
@@ -3380,17 +3676,27 @@ function getLoginPassthroughArgs(args) {
   return args.slice(passthroughIdx + 1);
 }
 async function performSwitch(seq, targetAccount, options) {
+  const targetProvider = seq.accounts[targetAccount].identity?.provider;
+  if (targetProvider) {
+    setActiveProvider(targetProvider);
+  }
+  const providerName = targetProvider ?? activeProvider.name;
+  const sequenceFile = getSequenceFile(providerName);
+  const credentialsDir = getCredentialsDir(providerName);
+  const configsDir = getConfigsDir(providerName);
   const targetEmail = seq.accounts[targetAccount].email;
-  const currentEmail = options?.currentEmail ?? getCurrentAccount();
-  const currentAccount = currentEmail === "none" ? null : resolveAccountIdentifier(seq, currentEmail);
-  if (currentEmail === targetEmail) {
+  const observedCurrentIdentity = getCurrentAccountIdentity();
+  const currentIdentity = options?.currentEmail && observedCurrentIdentity && observedCurrentIdentity.email !== options.currentEmail ? null : observedCurrentIdentity;
+  const currentEmail = options?.currentEmail ?? currentIdentity?.email ?? "none";
+  const currentAccount = resolveCurrentManagedAccountForSwitch(seq, currentIdentity, currentEmail);
+  if (currentAccount === targetAccount) {
     const account = seq.accounts[targetAccount];
     const aliasStr2 = account.alias ? ` [${account.alias}]` : "";
     const displayLabel2 = getDisplayAccountLabel(seq, targetAccount);
     if (seq.activeAccountNumber !== Number(targetAccount)) {
       seq.activeAccountNumber = Number(targetAccount);
       seq.lastUpdated = new Date().toISOString();
-      await writeJsonAtomic2(activeSequenceFile, seq);
+      await writeJsonAtomic2(sequenceFile, seq);
     }
     console.log(`Already using ${displayLabel2} (${account.email})${aliasStr2}`);
     return;
@@ -3404,17 +3710,17 @@ async function performSwitch(seq, targetAccount, options) {
   if (currentEmail !== "none" && currentAccount) {
     const currentCreds = await activeProvider.readActiveAuth();
     if (currentCreds) {
-      await activeProvider.writeAccountAuth(currentAccount, currentEmail, currentCreds, activeCredentialsDir);
+      await activeProvider.writeAccountAuth(currentAccount, currentEmail, currentCreds, credentialsDir);
     }
     if (activeProvider.usesAccountConfig) {
       const currentConfig = await activeProvider.readActiveConfig();
       if (currentConfig) {
-        await activeProvider.writeAccountConfig(currentAccount, currentEmail, currentConfig, activeConfigsDir);
+        await activeProvider.writeAccountConfig(currentAccount, currentEmail, currentConfig, configsDir);
       }
     }
   }
-  const targetCreds = await activeProvider.readAccountAuth(targetAccount, targetEmail, activeCredentialsDir);
-  const targetConfig = activeProvider.readAccountConfig(targetAccount, targetEmail, activeConfigsDir);
+  const targetCreds = await activeProvider.readAccountAuth(targetAccount, targetEmail, credentialsDir);
+  const targetConfig = activeProvider.readAccountConfig(targetAccount, targetEmail, configsDir);
   if (!targetCreds) {
     throw new Error(`Missing backup data for ${getDisplayAccountLabel(seq, targetAccount)}`);
   }
@@ -3427,10 +3733,23 @@ async function performSwitch(seq, targetAccount, options) {
   }
   seq.activeAccountNumber = Number(targetAccount);
   seq.lastUpdated = new Date().toISOString();
-  await writeJsonAtomic2(activeSequenceFile, seq);
+  await writeJsonAtomic2(sequenceFile, seq);
   const alias = seq.accounts[targetAccount].alias;
   const aliasStr = alias ? ` [${alias}]` : "";
   const displayLabel = getDisplayAccountLabel(seq, targetAccount);
+  const refreshedAccount = activeProvider.getCurrentAccount();
+  if (refreshedAccount) {
+    const refreshedDetails = buildManagedAccountDetails(refreshedAccount);
+    seq.accounts[targetAccount] = {
+      ...seq.accounts[targetAccount],
+      email: refreshedDetails.email,
+      uuid: refreshedDetails.uuid,
+      display: refreshedDetails.display,
+      identity: refreshedDetails.identity ?? seq.accounts[targetAccount].identity,
+      providerMetadata: refreshedDetails.providerMetadata ?? seq.accounts[targetAccount].providerMetadata
+    };
+    await writeJsonAtomic2(sequenceFile, seq);
+  }
   console.log(`Switched to ${displayLabel} (${targetEmail})${aliasStr}`);
   console.log(`
 Please restart ${getProviderLabel()} to use the new authentication.
@@ -3454,15 +3773,16 @@ async function getManagedAccountLinesForActiveProvider() {
   }
   const seq = await loadSequence(activeSequenceFile);
   await syncSequenceActiveAccount(seq);
-  const currentEmail = getCurrentAccount();
+  const currentAccount = getCurrentAccountIdentity();
+  const activeAccountNum = resolveManagedAccount(seq, currentAccount);
   return seq.sequence.map((num, index) => {
     const numStr = String(num);
     const account = seq.accounts[numStr];
     if (!account) {
       throw new Error(`Corrupt sequence data: missing account entry for id ${numStr}`);
     }
-    const isActive = account.email === currentEmail;
-    let line = `  ${index + 1}: ${account.email}`;
+    const isActive = activeAccountNum === numStr;
+    let line = `  ${index + 1}: ${getAccountDisplayLabel(account)}`;
     if (account.alias)
       line += ` [${account.alias}]`;
     if (isActive)
@@ -3566,6 +3886,8 @@ async function cmdStatus(options) {
     console.log(JSON.stringify({
       provider: activeProvider.name,
       email: summary.email === "none" ? null : summary.email,
+      label: summary.email === "none" ? null : summary.label,
+      organizationName: summary.organizationName,
       alias: summary.alias,
       managed: summary.managed
     }));
@@ -3574,32 +3896,36 @@ async function cmdStatus(options) {
   if (summary.email === "none") {
     console.log("none");
   } else if (summary.alias) {
-    console.log(`${summary.email} [${summary.alias}]`);
+    console.log(`${summary.label} [${summary.alias}]`);
   } else {
-    console.log(summary.email);
+    console.log(summary.label);
   }
   console.log(`managed accounts: ${summary.managedCount}`);
 }
 async function getStatusSummaryForActiveProvider() {
-  const email = getCurrentAccount();
+  const currentAccount = getCurrentAccountIdentity();
+  const email = currentAccount?.email ?? "none";
   let alias = null;
   let managed = false;
   let managedCount = 0;
+  let label = getCurrentAccountDisplayLabel(currentAccount);
+  let organizationName = currentAccount?.organizationName ?? null;
   if (email !== "none" && existsSync9(activeSequenceFile)) {
     const seq = await loadSequence(activeSequenceFile);
     managedCount = Object.keys(seq.accounts).length;
-    for (const account of Object.values(seq.accounts)) {
-      if (account.email === email) {
-        managed = true;
-        alias = account.alias ?? null;
-        break;
-      }
+    const matchedAccountNum = resolveManagedAccount(seq, currentAccount);
+    if (matchedAccountNum) {
+      const account = seq.accounts[matchedAccountNum];
+      managed = true;
+      alias = account.alias ?? null;
+      label = getAccountDisplayLabel(account);
+      organizationName = account.display?.organizationName ?? organizationName;
     }
   } else if (existsSync9(activeSequenceFile)) {
     const seq = await loadSequence(activeSequenceFile);
     managedCount = Object.keys(seq.accounts).length;
   }
-  return { email, alias, managed, managedCount };
+  return { email, alias, managed, managedCount, label, organizationName };
 }
 async function withActiveProvider(provider, fn) {
   const previousProvider = activeProvider.name;
@@ -3650,9 +3976,9 @@ async function cmdStatusAllProviders() {
     if (summary.email === "none") {
       console.log("  none");
     } else if (summary.alias) {
-      console.log(`  ${summary.email} [${summary.alias}]`);
+      console.log(`  ${summary.label} [${summary.alias}]`);
     } else {
-      console.log(`  ${summary.email}`);
+      console.log(`  ${summary.label}`);
     }
     console.log(`  managed accounts: ${summary.managedCount}`);
   }
@@ -3666,19 +3992,31 @@ async function cmdAlias(alias, identifier) {
     throw new Error(result.reason);
   }
   const seq = await loadSequence(activeSequenceFile);
-  if (identifier && /^\d+$/.test(identifier)) {
-    throw new Error("Alias target must be an email, not a number");
-  }
   const currentEmail = getCurrentAccount();
-  const accountNum = resolveAliasTargetAccount(seq, { identifier, currentEmail });
-  if (!accountNum) {
-    if (identifier) {
+  const currentIdentity = getCurrentAccountIdentity();
+  let accountNum = null;
+  if (identifier) {
+    const target = resolveAccountTarget(seq, identifier);
+    if (target.status === "ambiguous") {
+      throw new Error(`Multiple managed accounts match ${identifier}. Use account number or alias.`);
+    }
+    if (target.status === "missing") {
       throw new Error(`Account not found: ${identifier}`);
-    } else if (currentEmail === "none") {
+    }
+    accountNum = target.accountNum;
+  } else {
+    accountNum = resolveManagedAccount(seq, currentIdentity);
+    if (!accountNum && currentIdentity?.email && currentIdentity.email !== "none") {
+      if (hasMultipleProviderEmailMatches(seq, currentIdentity.email, activeProvider.name)) {
+        throw new Error(`Multiple managed accounts match ${currentIdentity.email}. Use account number or alias.`);
+      }
+    }
+  }
+  if (!accountNum) {
+    if (currentEmail === "none") {
       throw new Error(`No active ${getProviderLabel()} account found. Please log in first.`);
-    } else {
-      throw new Error(`Current account is not managed: ${currentEmail}`);
     }
+    throw new Error(`Current account is not managed: ${currentEmail}`);
   }
   const updated = setAlias(seq, accountNum, alias);
   await writeJsonAtomic2(activeSequenceFile, updated);
@@ -3686,7 +4024,9 @@ async function cmdAlias(alias, identifier) {
   console.log(`Alias "${alias}" set for ${getDisplayAccountLabel(updated, accountNum)} (${account.email})`);
 }
 async function cmdInteractiveSwitch() {
-  const currentEmail = getCurrentAccount();
+  const currentIdentity = getCurrentAccountIdentity();
+  const currentEmail = currentIdentity?.email ?? "none";
+  const currentLabel = getCurrentAccountDisplayLabel(currentIdentity);
   const hasSequence = existsSync9(activeSequenceFile);
   const seq = hasSequence ? await loadSequence(activeSequenceFile) : null;
   if (seq) {
@@ -3695,7 +4035,7 @@ async function cmdInteractiveSwitch() {
   if (!seq || seq.sequence.length === 0) {
     const emptyStateChoices = [
       {
-        name: `+ Add current logged-in account${currentEmail === "none" ? "" : ` (${currentEmail})`}`,
+        name: `+ Add current logged-in account${currentEmail === "none" ? "" : ` (${currentLabel})`}`,
         value: ADD_CURRENT_ACCOUNT_CHOICE
       },
       { name: "Back", value: "__back__" }
@@ -3707,8 +4047,8 @@ async function cmdInteractiveSwitch() {
     await cmdAdd();
     return;
   }
-  const shouldOfferAddCurrent = currentEmail !== "none" && !accountExists(seq, currentEmail);
-  const extraChoices = shouldOfferAddCurrent ? [{ name: `+ Add current logged-in account (${currentEmail})`, value: ADD_CURRENT_ACCOUNT_CHOICE }] : [];
+  const shouldOfferAddCurrent = currentEmail !== "none" && currentIdentity?.identityStatus !== "ambiguous" && !accountExists(seq, currentIdentity ?? currentEmail);
+  const extraChoices = shouldOfferAddCurrent ? [{ name: `+ Add current logged-in account (${currentLabel})`, value: ADD_CURRENT_ACCOUNT_CHOICE }] : [];
   const selected = await pickAccount(seq, `caflip v${package_default.version} \u2014 Switch ${getProviderLabel()} account:`, undefined, extraChoices);
   if (selected === ADD_CURRENT_ACCOUNT_CHOICE) {
     await cmdAdd();
@@ -3738,7 +4078,7 @@ Commands:
   <provider> remove [<email>]          Remove an account
   <provider> next                      Rotate to next account
   <provider> status [--json]           Show current active account
-  <provider> alias <name> [<email>]    Set alias for current or target account
+  <provider> alias <name> [<account>]  Set alias for current or target account
   help                                 Show this help
 
 Examples:
@@ -3751,6 +4091,8 @@ Examples:
   caflip claude                        Pick Claude account interactively
   caflip claude work                   Switch Claude account by alias
   caflip claude add --alias personal   Add current Claude account with alias
+  caflip claude alias work             Alias the current Claude account as "work"
+  caflip claude alias work 2           Alias Claude Account-2 as "work"
   caflip claude login                  Run Claude login and register session
   caflip claude login -- --email me@example.com --sso
                                        Pass provider-specific flags after --
@@ -3758,8 +4100,12 @@ Examples:
   caflip codex list                    List managed Codex accounts
   caflip codex login -- --device-auth  Run Codex login and register session
   caflip codex add --alias work        Add current Codex account with alias
-  caflip codex alias work user@company.com
-                                       Set Codex alias for target email`);
+  caflip codex alias work 2
+                                       Set Codex alias for target account
+
+Alias targets:
+  <account> can be a list number, an existing alias, or an email when it matches exactly one managed account.
+  Codex labels show workspace plans as email \xB7 plan(orgShortId); free shows email \xB7 free.`);
 }
 async function executeProviderCommand(command, args, provider, runWithLock) {
   switch (command) {
@@ -3801,7 +4147,7 @@ async function executeProviderCommand(command, args, provider, runWithLock) {
       break;
     case "alias": {
       if (!args[1]) {
-        console.error(`Usage: caflip ${provider} alias <name> [<email>]`);
+        console.error(`Usage: caflip ${provider} alias <name> [<account>]`);
         process.exit(1);
       }
       await runWithLock(async () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "caflip",
-  "version": "0.3.3",
+  "version": "0.4.0",
   "type": "module",
   "bin": {
     "caflip": "bin/caflip"