kimaki 0.4.95 → 0.4.97

package/dist/session-handler/thread-session-runtime.js

@@ -40,6 +40,14 @@ import { extractLeadingOpencodeCommand } from '../opencode-command-detection.js'
 const logger = createLogger(LogPrefix.SESSION);
 const discordLogger = createLogger(LogPrefix.DISCORD);
 const DETERMINISTIC_CONTEXT_LIMIT = 100_000;
+const TOAST_SESSION_ID_REGEX = /\b(ses_[A-Za-z0-9]+)\b\s*$/u;
+function extractToastSessionId({ message }) {
+    const match = message.match(TOAST_SESSION_ID_REGEX);
+    return match?.[1];
+}
+function stripToastSessionId({ message }) {
+    return message.replace(TOAST_SESSION_ID_REGEX, '').trimEnd();
+}
 const shouldLogSessionEvents = process.env['KIMAKI_LOG_SESSION_EVENTS'] === '1' ||
     process.env['KIMAKI_VITEST'] === '1';
 // ── Registry ─────────────────────────────────────────────────────
@@ -943,6 +951,9 @@ export class ThreadSessionRuntime {
         }
         const sessionId = this.state?.sessionId;
         const eventSessionId = getOpencodeEventSessionId(event);
+        const toastSessionId = event.type === 'tui.toast.show'
+            ? extractToastSessionId({ message: event.properties.message })
+            : undefined;
         if (shouldLogSessionEvents) {
             const eventDetails = (() => {
                 if (event.type === 'session.error') {
@@ -970,6 +981,7 @@ export class ThreadSessionRuntime {
             logger.log(`[EVENT] type=${event.type} eventSessionId=${eventSessionId || 'none'} activeSessionId=${sessionId || 'none'} ${this.formatRunStateForLog()}${eventDetails}`);
         }
         const isGlobalEvent = event.type === 'tui.toast.show';
+        const isScopedToastEvent = Boolean(toastSessionId);
         // Drop events that don't match current session (stale events from
         // previous sessions), unless it's a global event or a subtask session.
         if (!isGlobalEvent && eventSessionId && eventSessionId !== sessionId) {
@@ -977,6 +989,11 @@ export class ThreadSessionRuntime {
                 return; // stale event from previous session
             }
         }
+        if (isScopedToastEvent && toastSessionId !== sessionId) {
+            if (!this.getSubtaskInfoForSession(toastSessionId)) {
+                return;
+            }
+        }
         if (isOpencodeSessionEventLogEnabled()) {
             const eventLogResult = await appendOpencodeSessionEventLog({
                 threadId: this.threadId,
@@ -2023,7 +2040,7 @@ export class ThreadSessionRuntime {
         if (properties.variant === 'warning') {
             return;
         }
-        const toastMessage = properties.message.trim();
+        const toastMessage = stripToastSessionId({ message: properties.message }).trim();
         if (!toastMessage) {
             return;
         }

package/dist/system-message.js

@@ -450,7 +450,7 @@ kimaki send --channel ${channelId} --prompt "your task description" --worktree w
 
 This creates a new Discord thread with an isolated git worktree and starts a session in it. The worktree name should be kebab-case and descriptive of the task.
 
-By default, worktrees are created from \`origin/HEAD\` (the remote's default branch). To change the base branch for a project, the user can run \`git remote set-head origin <branch>\` in the project directory. For example, \`git remote set-head origin dev\` makes all new worktrees branch off \`origin/dev\` instead of \`origin/main\`.
+By default, worktrees are created from \`HEAD\`, which means whatever commit or branch the current checkout is on. If you want a different base, pass \`--base-branch\` or use the slash command option explicitly.
 
 Critical recursion guard:
 - If you already are in a worktree thread, do not create another worktree unless the user explicitly asks for a nested worktree.

package/dist/system-message.test.js

@@ -217,7 +217,7 @@ describe('system-message', () => {
 
       This creates a new Discord thread with an isolated git worktree and starts a session in it. The worktree name should be kebab-case and descriptive of the task.
 
-      By default, worktrees are created from \`origin/HEAD\` (the remote's default branch). To change the base branch for a project, the user can run \`git remote set-head origin <branch>\` in the project directory. For example, \`git remote set-head origin dev\` makes all new worktrees branch off \`origin/dev\` instead of \`origin/main\`.
+      By default, worktrees are created from \`HEAD\`, which means whatever commit or branch the current checkout is on. If you want a different base, pass \`--base-branch\` or use the slash command option explicitly.
 
       Critical recursion guard:
       - If you already are in a worktree thread, do not create another worktree unless the user explicitly asks for a nested worktree.

package/dist/system-prompt-drift-plugin.js

@@ -11,12 +11,16 @@ import { createPluginLogger, formatPluginErrorWithStack, setPluginLogFilePath }
 import { initSentry, notifyError } from './sentry.js';
 import { abbreviatePath } from './utils.js';
 const logger = createPluginLogger('OPENCODE');
+const TOAST_SESSION_MARKER_SEPARATOR = ' ';
 function getSystemPromptDiffDir({ dataDir }) {
     return path.join(dataDir, 'system-prompt-diffs');
 }
 function normalizeSystemPrompt({ system }) {
     return system.join('\n');
 }
+function appendToastSessionMarker({ message, sessionId, }) {
+    return `${message}${TOAST_SESSION_MARKER_SEPARATOR}${sessionId}`;
+}
 function buildTurnContext({ input, directory, }) {
     const model = input.model
         ? `${input.model.providerID}/${input.model.modelID}${input.variant ? `:${input.variant}` : ''}`
@@ -66,7 +70,7 @@ function writeSystemPromptDiffFile({ dataDir, sessionId, beforePrompt, afterProm
     const timestamp = new Date().toISOString().replaceAll(':', '-');
     const sessionDir = path.join(getSystemPromptDiffDir({ dataDir }), sessionId);
     const filePath = path.join(sessionDir, `${timestamp}.diff`);
-    const latestPromptPath = path.join(sessionDir, `${sessionId}.md`);
+    const latestPromptPath = path.join(sessionDir, `${timestamp}.md`);
     const fileContent = [
         `Session: ${sessionId}`,
         `Created: ${new Date().toISOString()}`,
@@ -84,6 +88,7 @@ function writeSystemPromptDiffFile({ dataDir, sessionId, beforePrompt, afterProm
                 additions: diff.additions,
                 deletions: diff.deletions,
                 filePath,
+                latestPromptPath,
             };
         },
         catch: (error) => {
@@ -154,9 +159,12 @@ async function handleSystemTransform({ input, output, sessions, dataDir, client,
         body: {
             variant: 'info',
             title: 'Context cache discarded',
-            message: `System prompt changed since the previous message (+${diffFileResult.additions} / -${diffFileResult.deletions}). ` +
-                `This usually means a plugin mutated the prompt and increased rate-limit usage. ` +
-                `Diff: ${abbreviatePath(diffFileResult.filePath)}`,
+            message: appendToastSessionMarker({
+                sessionId,
+                message: `system prompt changed since the previous message (+${diffFileResult.additions} / -${diffFileResult.deletions}). ` +
+                    `Diff: \`${abbreviatePath(diffFileResult.filePath)}\`. ` +
+                    `Latest prompt: \`${abbreviatePath(diffFileResult.latestPromptPath)}\``,
+            }),
         },
     });
 }

package/dist/worktrees.js

@@ -394,39 +394,6 @@ async function validateSubmodulePointers(directory) {
     return new Error(`Submodule validation failed: ${validationIssues.join('; ')}`);
 }
 async function resolveDefaultWorktreeTarget(directory) {
-    const remoteHead = await execAsync('git symbolic-ref refs/remotes/origin/HEAD', {
-        cwd: directory,
-    }).catch(() => {
-        return null;
-    });
-    const remoteRef = remoteHead?.stdout.trim();
-    if (remoteRef?.startsWith('refs/remotes/')) {
-        return remoteRef.replace('refs/remotes/', '');
-    }
-    const hasMain = await execAsync('git show-ref --verify --quiet refs/heads/main', {
-        cwd: directory,
-    })
-        .then(() => {
-        return true;
-    })
-        .catch(() => {
-        return false;
-    });
-    if (hasMain) {
-        return 'main';
-    }
-    const hasMaster = await execAsync('git show-ref --verify --quiet refs/heads/master', {
-        cwd: directory,
-    })
-        .then(() => {
-        return true;
-    })
-        .catch(() => {
-        return false;
-    });
-    if (hasMaster) {
-        return 'master';
-    }
     return 'HEAD';
 }
 function getManagedWorktreeDirectory({ directory, name, }) {

package/package.json

@@ -2,7 +2,7 @@
   "name": "kimaki",
   "module": "index.ts",
   "type": "module",
-  "version": "0.4.95",
+  "version": "0.4.97",
   "repository": "https://github.com/remorses/kimaki",
   "bin": "bin.js",
   "files": [
@@ -25,9 +25,9 @@
     "prisma": "7.4.2",
     "tsx": "^4.20.5",
     "undici": "^8.0.2",
+    "db": "^0.0.0",
     "discord-digital-twin": "^0.1.0",
     "opencode-cached-provider": "^0.0.1",
-    "db": "^0.0.0",
     "opencode-deterministic-provider": "^0.0.1"
   },
   "dependencies": {
@@ -64,10 +64,10 @@
     "yaml": "^2.8.3",
     "zod": "^4.3.6",
     "zustand": "^5.0.11",
+    "traforo": "^0.2.4",
     "errore": "^0.14.1",
-    "opencode-injection-guard": "^0.2.1",
     "libsqlproxy": "^0.1.0",
-    "traforo": "^0.2.4"
+    "opencode-injection-guard": "^0.2.1"
   },
   "optionalDependencies": {
     "@snazzah/davey": "^0.1.10",

package/src/anthropic-account-identity.test.ts

@@ -0,0 +1,52 @@
+// Tests Anthropic OAuth account identity parsing and normalization.
+
+import { describe, expect, test } from 'vitest'
+import {
+  extractAnthropicAccountIdentity,
+  normalizeAnthropicAccountIdentity,
+} from './anthropic-account-identity.js'
+
+describe('normalizeAnthropicAccountIdentity', () => {
+  test('normalizes email casing and drops empty values', () => {
+    expect(
+      normalizeAnthropicAccountIdentity({
+        email: '  User@Example.com ',
+        accountId: '  user_123  ',
+      }),
+    ).toEqual({
+      email: 'user@example.com',
+      accountId: 'user_123',
+    })
+
+    expect(normalizeAnthropicAccountIdentity({ email: '   ' })).toBeUndefined()
+  })
+})
+
+describe('extractAnthropicAccountIdentity', () => {
+  test('prefers nested user profile identity from client_data responses', () => {
+    expect(
+      extractAnthropicAccountIdentity({
+        organizations: [{ id: 'org_123', name: 'Workspace' }],
+        user: {
+          id: 'usr_123',
+          email: 'User@Example.com',
+        },
+      }),
+    ).toEqual({
+      accountId: 'usr_123',
+      email: 'user@example.com',
+    })
+  })
+
+  test('falls back to profile-style payloads without email', () => {
+    expect(
+      extractAnthropicAccountIdentity({
+        profile: {
+          user_id: 'usr_456',
+        },
+      }),
+    ).toEqual({
+      accountId: 'usr_456',
+    })
+  })
+})

package/src/anthropic-account-identity.ts

@@ -0,0 +1,77 @@
+// Helpers for extracting and normalizing Anthropic OAuth account identity.
+
+export type AnthropicAccountIdentity = {
+  email?: string
+  accountId?: string
+}
+
+type IdentityCandidate = AnthropicAccountIdentity & {
+  score: number
+}
+
+const identityHintKeys = new Set(['user', 'profile', 'account', 'viewer'])
+const idKeys = ['user_id', 'userId', 'account_id', 'accountId', 'id', 'sub']
+
+export function normalizeAnthropicAccountIdentity(
+  identity: AnthropicAccountIdentity | null | undefined,
+) {
+  const email =
+    typeof identity?.email === 'string' && identity.email.trim()
+      ? identity.email.trim().toLowerCase()
+      : undefined
+  const accountId =
+    typeof identity?.accountId === 'string' && identity.accountId.trim()
+      ? identity.accountId.trim()
+      : undefined
+  if (!email && !accountId) return undefined
+  return {
+    ...(email ? { email } : {}),
+    ...(accountId ? { accountId } : {}),
+  }
+}
+
+function getCandidateFromRecord(record: Record<string, unknown>, path: string[]) {
+  const email = typeof record.email === 'string' ? record.email : undefined
+  const accountId = idKeys
+    .map((key) => {
+      const value = record[key]
+      return typeof value === 'string' ? value : undefined
+    })
+    .find((value) => {
+      return Boolean(value)
+    })
+  const normalized = normalizeAnthropicAccountIdentity({ email, accountId })
+  if (!normalized) return undefined
+  const hasIdentityHint = path.some((segment) => {
+    return identityHintKeys.has(segment)
+  })
+  return {
+    ...normalized,
+    score: (normalized.email ? 4 : 0) + (normalized.accountId ? 2 : 0) + (hasIdentityHint ? 2 : 0),
+  } satisfies IdentityCandidate
+}
+
+function collectIdentityCandidates(value: unknown, path: string[] = []): IdentityCandidate[] {
+  if (!value || typeof value !== 'object') return []
+  if (Array.isArray(value)) {
+    return value.flatMap((entry) => {
+      return collectIdentityCandidates(entry, path)
+    })
+  }
+
+  const record = value as Record<string, unknown>
+  const nested = Object.entries(record).flatMap(([key, entry]) => {
+    return collectIdentityCandidates(entry, [...path, key])
+  })
+  const current = getCandidateFromRecord(record, path)
+  return current ? [current, ...nested] : nested
+}
+
+export function extractAnthropicAccountIdentity(value: unknown) {
+  const candidates = collectIdentityCandidates(value)
+  const best = candidates.sort((a, b) => {
+    return b.score - a.score
+  })[0]
+  if (!best) return undefined
+  return normalizeAnthropicAccountIdentity(best)
+}

package/src/anthropic-auth-plugin.ts

@@ -35,6 +35,10 @@ import {
   upsertAccount,
   withAuthStateLock,
 } from './anthropic-auth-state.js'
+import {
+  extractAnthropicAccountIdentity,
+  type AnthropicAccountIdentity,
+} from './anthropic-account-identity.js'
 // PKCE (Proof Key for Code Exchange) using Web Crypto API.
 // Reference: https://github.com/badlogic/pi-mono/blob/main/packages/ai/src/utils/oauth/pkce.ts
 function base64urlEncode(bytes: Uint8Array): string {
@@ -68,6 +72,8 @@ const CLIENT_ID = (() => {
 
 const TOKEN_URL = 'https://platform.claude.com/v1/oauth/token'
 const CREATE_API_KEY_URL = 'https://api.anthropic.com/api/oauth/claude_cli/create_api_key'
+const CLIENT_DATA_URL = 'https://api.anthropic.com/api/oauth/claude_cli/client_data'
+const PROFILE_URL = 'https://api.anthropic.com/api/oauth/profile'
 const CALLBACK_PORT = 53692
 const CALLBACK_PATH = '/callback'
 const REDIRECT_URI = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`
@@ -81,6 +87,7 @@ const CLAUDE_CODE_BETA = 'claude-code-20250219'
 const OAUTH_BETA = 'oauth-2025-04-20'
 const FINE_GRAINED_TOOL_STREAMING_BETA = 'fine-grained-tool-streaming-2025-05-14'
 const INTERLEAVED_THINKING_BETA = 'interleaved-thinking-2025-05-14'
+const TOAST_SESSION_HEADER = 'x-kimaki-session-id'
 
 const ANTHROPIC_HOSTS = new Set([
   'api.anthropic.com',
@@ -298,6 +305,28 @@ async function createApiKey(accessToken: string): Promise<ApiKeySuccess> {
   return { type: 'success', key: json.raw_key }
 }
 
+async function fetchAnthropicAccountIdentity(accessToken: string) {
+  const urls = [CLIENT_DATA_URL, PROFILE_URL]
+  for (const url of urls) {
+    const responseText = await requestText(url, {
+      method: 'GET',
+      headers: {
+        Accept: 'application/json',
+        authorization: `Bearer ${accessToken}`,
+        'user-agent': process.env.OPENCODE_ANTHROPIC_USER_AGENT || `claude-cli/${CLAUDE_CODE_VERSION}`,
+        'x-app': 'cli',
+      },
+    }).catch(() => {
+      return undefined
+    })
+    if (!responseText) continue
+    const parsed = JSON.parse(responseText) as unknown
+    const identity = extractAnthropicAccountIdentity(parsed)
+    if (identity) return identity
+  }
+  return undefined
+}
+
 // --- Localhost callback server ---
 
 type CallbackResult = { code: string; state: string }
@@ -469,12 +498,13 @@ function buildAuthorizeHandler(mode: 'oauth' | 'apikey') {
       if (mode === 'apikey') {
         return createApiKey(creds.access)
       }
+      const identity = await fetchAnthropicAccountIdentity(creds.access)
       await rememberAnthropicOAuth({
         type: 'oauth',
         refresh: creds.refresh,
         access: creds.access,
         expires: creds.expires,
-      })
+      }, identity)
       return creds
     }
 
@@ -489,8 +519,7 @@ function buildAuthorizeHandler(mode: 'oauth' | 'apikey') {
             try {
               const result = await waitForCallback(auth.callbackServer)
               return await finalize(result)
-            } catch (error) {
-              console.error(`[anthropic-auth] ${error}`)
+            } catch {
               return { type: 'failed' }
             }
           })()
@@ -509,8 +538,7 @@ function buildAuthorizeHandler(mode: 'oauth' | 'apikey') {
           try {
             const result = await waitForCallback(auth.callbackServer, input)
             return await finalize(result)
-          } catch (error) {
-            console.error(`[anthropic-auth] ${error}`)
+          } catch {
             return { type: 'failed' }
           }
         })()
@@ -682,6 +710,19 @@ function wrapResponseStream(response: Response, reverseToolNameMap: Map<string,
   })
 }
 
+function appendToastSessionMarker({
+  message,
+  sessionId,
+}: {
+  message: string
+  sessionId: string | undefined
+}) {
+  if (!sessionId) {
+    return message
+  }
+  return `${message} ${sessionId}`
+}
+
 // --- Beta headers ---
 
 function getRequiredBetas(modelId: string | undefined) {
@@ -737,7 +778,18 @@ async function getFreshOAuth(
     await setAnthropicAuth(refreshed, client)
     const store = await loadAccountStore()
     if (store.accounts.length > 0) {
-      upsertAccount(store, refreshed)
+      const identity: AnthropicAccountIdentity | undefined = (() => {
+        const currentIndex = store.accounts.findIndex((account) => {
+          return account.refresh === latest.refresh || account.access === latest.access
+        })
+        const current = currentIndex >= 0 ? store.accounts[currentIndex] : undefined
+        if (!current) return undefined
+        return {
+          ...(current.email ? { email: current.email } : {}),
+          ...(current.accountId ? { accountId: current.accountId } : {}),
+        }
+      })()
+      upsertAccount(store, { ...refreshed, ...identity })
       await saveAccountStore(store)
     }
     return refreshed
@@ -752,6 +804,12 @@ async function getFreshOAuth(
 
 const AnthropicAuthPlugin: Plugin = async ({ client }) => {
   return {
+    'chat.headers': async (input, output) => {
+      if (input.model.providerID !== 'anthropic') {
+        return
+      }
+      output.headers[TOAST_SESSION_HEADER] = input.sessionID
+    },
     auth: {
       provider: 'anthropic',
       async loader(
@@ -788,21 +846,27 @@ const AnthropicAuthPlugin: Plugin = async ({ client }) => {
                       .catch(() => undefined)
                   : undefined
 
-            const rewritten = rewriteRequestPayload(originalBody, (msg) => {
-              client.tui.showToast({
-                body: { message: msg, variant: 'error' },
-              }).catch(() => {})
-            })
             const headers = new Headers(init?.headers)
             if (input instanceof Request) {
               input.headers.forEach((v, k) => {
                 if (!headers.has(k)) headers.set(k, v)
               })
             }
+            const sessionId = headers.get(TOAST_SESSION_HEADER) ?? undefined
+
+            const rewritten = rewriteRequestPayload(originalBody, (msg) => {
+              client.tui.showToast({
+                body: {
+                  message: appendToastSessionMarker({ message: msg, sessionId }),
+                  variant: 'error',
+                },
+              }).catch(() => {})
+            })
             const betas = getRequiredBetas(rewritten.modelId)
 
             const runRequest = async (auth: OAuthStored) => {
               const requestHeaders = new Headers(headers)
+              requestHeaders.delete(TOAST_SESSION_HEADER)
               requestHeaders.set('accept', 'application/json')
               requestHeaders.set(
                 'anthropic-beta',
@@ -839,9 +903,13 @@ const AnthropicAuthPlugin: Plugin = async ({ client }) => {
                   // Show toast notification so Discord thread shows the rotation
                   client.tui.showToast({
                     body: {
-                      message: `Switching from account ${rotated.fromLabel} to account ${rotated.toLabel}`,
+                      message: appendToastSessionMarker({
+                        message: `Switching from account ${rotated.fromLabel} to account ${rotated.toLabel}`,
+                        sessionId,
+                      }),
                       variant: 'info',
                     },
+
                   }).catch(() => {})
                   const retryAuth = await getFreshOAuth(getAuth, client)
                   if (retryAuth) {

package/src/{anthropic-auth-plugin.test.ts → anthropic-auth-state.test.ts}

@@ -1,10 +1,11 @@
-// Tests for Anthropic OAuth multi-account persistence and rotation.
+// Tests Anthropic OAuth account persistence, deduplication, and rotation.
 
 import { mkdtemp, readFile, rm, mkdir, writeFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import path from 'node:path'
 import { afterEach, beforeEach, describe, expect, test } from 'vitest'
 import {
+  accountLabel,
   authFilePath,
   loadAccountStore,
   rememberAnthropicOAuth,
@@ -60,6 +61,27 @@ describe('rememberAnthropicOAuth', () => {
       expires: 3,
     })
   })
+
+  test('deduplicates new tokens by email or account ID', async () => {
+    await rememberAnthropicOAuth(firstAccount, {
+      email: 'user@example.com',
+      accountId: 'usr_123',
+    })
+    await rememberAnthropicOAuth(secondAccount, {
+      email: 'User@example.com',
+      accountId: 'usr_123',
+    })
+
+    const store = await loadAccountStore()
+    expect(store.accounts).toHaveLength(1)
+    expect(store.accounts[0]).toMatchObject({
+      refresh: 'refresh-second',
+      access: 'access-second',
+      email: 'user@example.com',
+      accountId: 'usr_123',
+    })
+    expect(accountLabel(store.accounts[0]!)).toBe('user@example.com')
+  })
 })
 
 describe('rotateAnthropicAccount', () => {

package/src/anthropic-auth-state.ts

@@ -2,6 +2,10 @@ import type { Plugin } from '@opencode-ai/plugin'
 import * as fs from 'node:fs/promises'
 import { homedir } from 'node:os'
 import path from 'node:path'
+import {
+  normalizeAnthropicAccountIdentity,
+  type AnthropicAccountIdentity,
+} from './anthropic-account-identity.js'
 
 const AUTH_LOCK_STALE_MS = 30_000
 const AUTH_LOCK_RETRY_MS = 100
@@ -14,6 +18,8 @@ export type OAuthStored = {
 }
 
 type AccountRecord = OAuthStored & {
+  email?: string
+  accountId?: string
   addedAt: number
   lastUsed: number
 }
@@ -114,6 +120,8 @@ export function normalizeAccountStore(
           typeof account.refresh === 'string' &&
           typeof account.access === 'string' &&
           typeof account.expires === 'number' &&
+          (typeof account.email === 'undefined' || typeof account.email === 'string') &&
+          (typeof account.accountId === 'undefined' || typeof account.accountId === 'string') &&
           typeof account.addedAt === 'number' &&
           typeof account.lastUsed === 'number',
       )
@@ -135,8 +143,13 @@ export async function saveAccountStore(store: AccountStore) {
 
 /** Short label for an account: first 8 + last 4 chars of refresh token. */
 export function accountLabel(account: OAuthStored, index?: number): string {
+  const accountWithIdentity = account as OAuthStored & AnthropicAccountIdentity
+  const identity = accountWithIdentity.email || accountWithIdentity.accountId
   const r = account.refresh
   const short = r.length > 12 ? `${r.slice(0, 8)}...${r.slice(-4)}` : r
+  if (identity) {
+    return index !== undefined ? `#${index + 1} (${identity})` : identity
+  }
   return index !== undefined ? `#${index + 1} (${short})` : short
 }
 
@@ -162,14 +175,29 @@ function findCurrentAccountIndex(store: AccountStore, auth: OAuthStored) {
 }
 
 export function upsertAccount(store: AccountStore, auth: OAuthStored, now = Date.now()) {
+  const authWithIdentity = auth as OAuthStored & AnthropicAccountIdentity
+  const identity = normalizeAnthropicAccountIdentity({
+    email: authWithIdentity.email,
+    accountId: authWithIdentity.accountId,
+  })
   const index = store.accounts.findIndex((account) => {
-    return account.refresh === auth.refresh || account.access === auth.access
+    if (account.refresh === auth.refresh || account.access === auth.access) {
+      return true
+    }
+    if (identity?.accountId && account.accountId === identity.accountId) {
+      return true
+    }
+    if (identity?.email && account.email === identity.email) {
+      return true
+    }
+    return false
   })
   const nextAccount: AccountRecord = {
     type: 'oauth',
     refresh: auth.refresh,
     access: auth.access,
     expires: auth.expires,
+    ...identity,
     addedAt: now,
     lastUsed: now,
   }
@@ -186,15 +214,20 @@ export function upsertAccount(store: AccountStore, auth: OAuthStored, now = Date
     ...existing,
     ...nextAccount,
     addedAt: existing.addedAt,
+    email: nextAccount.email || existing.email,
+    accountId: nextAccount.accountId || existing.accountId,
   }
   store.activeIndex = index
   return index
 }
 
-export async function rememberAnthropicOAuth(auth: OAuthStored) {
+export async function rememberAnthropicOAuth(
+  auth: OAuthStored,
+  identity?: AnthropicAccountIdentity,
+) {
   await withAuthStateLock(async () => {
     const store = await loadAccountStore()
-    upsertAccount(store, auth)
+    upsertAccount(store, { ...auth, ...normalizeAnthropicAccountIdentity(identity) })
     await saveAccountStore(store)
   })
 }