ralphx 0.3.4__py3-none-any.whl → 0.4.0__py3-none-any.whl

ralphx/core/auth.py

@@ -128,7 +128,7 @@ class AuthStatus(BaseModel):
     """Authentication status."""
 
     connected: bool
-    scope: Optional[Literal["project", "global"]] = None
+    scope: Optional[Literal["project", "global", "account"]] = None
     email: Optional[str] = None  # User's email address
     subscription_type: Optional[str] = None
     rate_limit_tier: Optional[str] = None
@@ -140,50 +140,44 @@ class AuthStatus(BaseModel):
 
 
 def get_auth_status(project_id: Optional[str] = None) -> AuthStatus:
-    """Get auth status from database (project-specific first, then global).
+    """Get auth status based on effective account for project.
 
-    Returns detailed status including whether project is using global fallback.
+    Returns detailed status including whether project has a specific assignment.
     """
     db = Database()
 
-    # Check for project-specific credentials (no fallback)
-    project_creds = None
-    if project_id:
-        project_creds = db.get_credentials_by_scope("project", project_id)
+    # Get effective account (assigned to project, or default, or first active)
+    account = db.get_effective_account(project_id)
 
-    # Check for global credentials
-    global_creds = db.get_credentials_by_scope("global", None)
+    # Check if project has explicit assignment
+    has_project_assignment = False
+    if project_id:
+        assignment = db.get_project_account_assignment(project_id)
+        has_project_assignment = assignment is not None
 
-    # Determine which credentials to use (project takes priority)
-    creds = project_creds or global_creds
+    # Check if using default fallback
+    using_fallback = project_id is not None and not has_project_assignment and account is not None
 
-    # Determine if we're using global as a fallback for a project
-    using_fallback = (
-        project_id is not None
-        and project_creds is None
-        and global_creds is not None
-    )
-
-    if not creds:
+    if not account:
         return AuthStatus(
             connected=False,
-            has_project_credentials=project_creds is not None,
+            has_project_credentials=has_project_assignment,
         )
 
     # Check expiry
     now = int(time.time())
-    expires_at = creds["expires_at"]
+    expires_at = account["expires_at"]
     is_expired = now >= expires_at
 
     return AuthStatus(
         connected=True,
-        scope=creds["scope"],
-        email=creds.get("email"),
+        scope="account",  # New: accounts don't have scope like old credentials
+        email=account.get("email"),
         expires_at=datetime.fromtimestamp(expires_at),
         expires_in_seconds=max(0, expires_at - now),
         is_expired=is_expired,
         using_global_fallback=using_fallback,
-        has_project_credentials=project_creds is not None,
+        has_project_credentials=has_project_assignment,
     )
 
 
@@ -215,17 +209,25 @@ async def _token_refresh_lock() -> AsyncGenerator[None, None]:
 
 def store_oauth_tokens(
     tokens: dict,
-    scope: Literal["project", "global"],
     project_id: Optional[str] = None,
-) -> bool:
-    """Store OAuth tokens in database.
+) -> dict:
+    """Store OAuth tokens in database (accounts table).
 
     Args:
-        tokens: Dict with access_token, refresh_token, expires_in, email (optional),
+        tokens: Dict with access_token, refresh_token, expires_in, email (required),
                 scopes (optional), subscription_type (optional), rate_limit_tier (optional)
-        scope: "project" or "global"
-        project_id: Project ID for project-scoped credentials
+        project_id: Optional project ID to assign this account to
+
+    Returns:
+        Account dict with id, email, and other fields
+
+    Raises:
+        ValueError: If email not provided in tokens
     """
+    email = tokens.get("email")
+    if not email:
+        raise ValueError("Email is required to store OAuth tokens")
+
     db = Database()
     expires_at = int(time.time()) + tokens.get("expires_in", 28800)
 
@@ -234,43 +236,210 @@ def store_oauth_tokens(
     if tokens.get("scopes"):
         scopes_json = json.dumps(tokens["scopes"])
 
-    db.store_credentials(
-        scope=scope,
+    # Create or update account
+    account = db.create_account(
+        email=email,
         access_token=tokens["access_token"],
         refresh_token=tokens.get("refresh_token"),
         expires_at=expires_at,
-        project_id=project_id if scope == "project" else None,
-        email=tokens.get("email"),
         scopes=scopes_json,
         subscription_type=tokens.get("subscription_type"),
         rate_limit_tier=tokens.get("rate_limit_tier"),
     )
 
+    # If project_id provided, assign this account to the project
+    if project_id:
+        db.assign_account_to_project(project_id, account["id"])
+
     auth_log.info(
         "login",
-        f"Logged in ({scope})",
-        scope=scope,
-        email=tokens.get("email"),
+        f"Logged in as {email}",
+        email=email,
         project_id=project_id,
     )
-    return True
+    return account
+
 
+def get_effective_account_for_project(project_id: Optional[str] = None) -> Optional[dict]:
+    """Get the effective account for a project.
 
-async def _do_token_refresh(creds: dict, project_id: Optional[str] = None) -> bool:
-    """Actually perform the token refresh via OAuth.
+    Resolution order:
+    1. If project has assignment -> use that account
+    2. Else -> use default account
+    3. If no default -> use first active account
 
     Args:
-        creds: Credentials dict from database
+        project_id: Optional project ID
+
+    Returns:
+        Account dict or None
+    """
+    db = Database()
+    return db.get_effective_account(project_id)
+
+
+def get_fallback_account_for_rate_limit(
+    current_account_id: int,
+    failed_account_ids: Optional[list[int]] = None,
+) -> Optional[dict]:
+    """Get a fallback account after hitting rate limit (429).
+
+    Args:
+        current_account_id: Account that hit the rate limit
+        failed_account_ids: List of account IDs that already failed
+
+    Returns:
+        Account dict for fallback, or None if no fallback available
+    """
+    db = Database()
+    exclude_ids = [current_account_id] + (failed_account_ids or [])
+    return db.get_fallback_account(exclude_ids=exclude_ids, prefer_lowest_usage=True)
+
+
+@contextmanager
+def swap_credentials_for_account(
+    account: dict,
+) -> Generator[bool, None, None]:
+    """Context manager: backup user creds, write account creds, restore after.
+
+    Similar to swap_credentials_for_loop but takes an account dict directly.
+    Used when we have a specific account to use (e.g., from fallback logic).
+
+    Args:
+        account: Account dict with access_token, refresh_token, etc.
+
+    Yields:
+        True if credentials were written, False if account invalid
+    """
+    global _credential_swap_active
+
+    db = Database()
+
+    # Acquire exclusive lock to prevent concurrent credential access
+    CREDENTIAL_LOCK_PATH.parent.mkdir(parents=True, exist_ok=True)
+    lock_file = open(CREDENTIAL_LOCK_PATH, "w")
+
+    try:
+        fcntl.flock(lock_file.fileno(), fcntl.LOCK_EX)  # Exclusive lock
+
+        # Backup user's current credentials
+        had_backup = False
+        original_content = None
+        if CLAUDE_CREDENTIALS_PATH.exists():
+            original_content = CLAUDE_CREDENTIALS_PATH.read_text()
+            shutil.copy2(CLAUDE_CREDENTIALS_PATH, CLAUDE_CREDENTIALS_BACKUP)
+            had_backup = True
+
+        _credential_swap_active = True
+
+        # Write account credentials to Claude's location
+        has_creds = False
+        if account and account.get("access_token"):
+            default_scopes = ["user:inference", "user:profile", "user:sessions:claude_code"]
+            stored_scopes = account.get("scopes")
+            if stored_scopes:
+                try:
+                    scopes = json.loads(stored_scopes)
+                except (json.JSONDecodeError, TypeError):
+                    scopes = default_scopes
+            else:
+                scopes = default_scopes
+
+            creds_data = {
+                "claudeAiOauth": {
+                    "accessToken": account["access_token"],
+                    "refreshToken": account.get("refresh_token"),
+                    "expiresAt": account.get("expires_at", 0) * 1000,
+                    "scopes": scopes,
+                    "subscriptionType": account.get("subscription_type") or "max",
+                    "rateLimitTier": account.get("rate_limit_tier") or "default_claude_max_20x",
+                }
+            }
+            CLAUDE_CREDENTIALS_PATH.parent.mkdir(parents=True, exist_ok=True)
+            CLAUDE_CREDENTIALS_PATH.write_text(json.dumps(creds_data, indent=2))
+            os.chmod(CLAUDE_CREDENTIALS_PATH, 0o600)  # Restrict to owner-only read/write
+            has_creds = True
+
+            # Update last_used_at for the account
+            db.update_account(account["id"], last_used_at=datetime.utcnow().isoformat())
+
+        try:
+            yield has_creds
+        finally:
+            # Capture any token refresh that happened during execution
+            if has_creds and CLAUDE_CREDENTIALS_PATH.exists():
+                try:
+                    current_creds = json.loads(CLAUDE_CREDENTIALS_PATH.read_text())
+                    oauth = current_creds.get("claudeAiOauth", {})
+                    new_refresh = oauth.get("refreshToken")
+
+                    if new_refresh and new_refresh != account.get("refresh_token"):
+                        db.update_account(
+                            account["id"],
+                            access_token=oauth.get("accessToken"),
+                            refresh_token=new_refresh,
+                            expires_at=int(oauth.get("expiresAt", 0) / 1000),
+                        )
+                        auth_log.info(
+                            "account_token_captured",
+                            f"Captured refreshed token for account {account.get('email')}",
+                            account_id=account["id"],
+                        )
+                except Exception as e:
+                    auth_log.warning(
+                        "account_token_capture_failed",
+                        f"Failed to capture refreshed token for account: {e}",
+                        account_id=account.get("id"),
+                    )
+
+            # Restore user's original credentials
+            restoration_success = False
+            try:
+                if had_backup and CLAUDE_CREDENTIALS_BACKUP.exists():
+                    shutil.copy2(CLAUDE_CREDENTIALS_BACKUP, CLAUDE_CREDENTIALS_PATH)
+                    restoration_success = True
+                elif not had_backup and has_creds:
+                    CLAUDE_CREDENTIALS_PATH.unlink(missing_ok=True)
+                    restoration_success = True
+                else:
+                    restoration_success = True
+            except Exception as e:
+                auth_log.error(
+                    "account_restoration_failed",
+                    f"Failed to restore credentials after account swap: {e}",
+                )
+
+            if restoration_success and CLAUDE_CREDENTIALS_BACKUP.exists():
+                try:
+                    CLAUDE_CREDENTIALS_BACKUP.unlink()
+                except Exception:
+                    pass
+
+            _credential_swap_active = False
+    finally:
+        _credential_swap_active = False
+        try:
+            fcntl.flock(lock_file.fileno(), fcntl.LOCK_UN)
+            lock_file.close()
+        except Exception:
+            pass
+
+
+async def _do_token_refresh(account: dict, project_id: Optional[str] = None) -> bool:
+    """Actually perform the token refresh via OAuth for an account.
+
+    Args:
+        account: Account dict from database with id, refresh_token, email
         project_id: Optional project ID for logging
 
     Returns:
         True if refresh succeeded, False otherwise
     """
-    if not creds.get("refresh_token"):
+    if not account.get("refresh_token"):
         auth_log.warning(
             "token_refresh_failed",
-            f"No refresh token available ({creds.get('scope', 'unknown')})",
-            scope=creds.get("scope"),
+            f"No refresh token available for account {account.get('email', 'unknown')}",
+            email=account.get("email"),
             project_id=project_id,
         )
         return False
@@ -282,7 +451,7 @@ async def _do_token_refresh(creds: dict, project_id: Optional[str] = None) -> bo
                 TOKEN_URL,
                 json={
                     "grant_type": "refresh_token",
-                    "refresh_token": creds["refresh_token"],
+                    "refresh_token": account["refresh_token"],
                     "client_id": CLIENT_ID,
                 },
                 headers={
@@ -295,8 +464,9 @@ async def _do_token_refresh(creds: dict, project_id: Optional[str] = None) -> bo
                 error_body = resp.text[:200] if resp.text else "no response body"
                 auth_log.warning(
                     "token_refresh_failed",
-                    f"Token refresh failed ({creds['scope']}): HTTP {resp.status_code} - {error_body}",
-                    scope=creds["scope"],
+                    f"Token refresh failed for {account.get('email')}: HTTP {resp.status_code} - {error_body}",
+                    email=account.get("email"),
+                    account_id=account.get("id"),
                     project_id=project_id,
                     status_code=resp.status_code,
                 )
@@ -304,6 +474,8 @@ async def _do_token_refresh(creds: dict, project_id: Optional[str] = None) -> bo
                 try:
                     error_json = resp.json()
                     if error_json.get("error") == "invalid_grant":
+                        # Mark account as inactive since token is revoked
+                        db.update_account(account["id"], is_active=False, last_error="invalid_grant")
                         raise InvalidGrantError("Refresh token expired or revoked. Please re-login.")
                 except (ValueError, KeyError):
                     pass
@@ -312,33 +484,37 @@ async def _do_token_refresh(creds: dict, project_id: Optional[str] = None) -> bo
             tokens = resp.json()
             new_expires_at = int(time.time()) + tokens.get("expires_in", 28800)
 
-            # Extract email from account field if present
-            account = tokens.get("account", {})
-            email = account.get("email_address")
+            # Build update dict - capture subscription/plan info if present
+            update_data = {
+                "access_token": tokens["access_token"],
+                "refresh_token": tokens.get("refresh_token", account["refresh_token"]),
+                "expires_at": new_expires_at,
+                "consecutive_failures": 0,  # Reset failure count on success
+            }
+            if tokens.get("subscription_type"):
+                update_data["subscription_type"] = tokens["subscription_type"]
+            if tokens.get("rate_limit_tier"):
+                update_data["rate_limit_tier"] = tokens["rate_limit_tier"]
 
             # CRITICAL: If DB update fails after refresh, we've consumed the
             # refresh_token but not saved the new one. Log this clearly.
             try:
-                db.update_credentials(
-                    creds["id"],
-                    access_token=tokens["access_token"],
-                    refresh_token=tokens.get("refresh_token", creds["refresh_token"]),
-                    expires_at=new_expires_at,
-                    email=email if email else creds.get("email"),
-                )
+                db.update_account(account["id"], **update_data)
             except Exception as db_error:
                 auth_log.error(
                     "token_db_update_failed",
-                    f"Failed to save refreshed token ({creds['scope']}): {db_error}. Token may be lost!",
-                    scope=creds["scope"],
+                    f"Failed to save refreshed token for {account.get('email')}: {db_error}. Token may be lost!",
+                    email=account.get("email"),
+                    account_id=account.get("id"),
                     project_id=project_id,
                 )
                 return False
 
             auth_log.info(
                 "token_refresh",
-                f"Token refreshed ({creds['scope']})",
-                scope=creds["scope"],
+                f"Token refreshed for {account.get('email')}",
+                email=account.get("email"),
+                account_id=account.get("id"),
                 project_id=project_id,
                 expires_in=tokens.get("expires_in", 28800),
             )
@@ -346,53 +522,55 @@ async def _do_token_refresh(creds: dict, project_id: Optional[str] = None) -> bo
     except httpx.HTTPError as http_error:
         auth_log.warning(
             "token_refresh_failed",
-            f"Token refresh HTTP error ({creds['scope']}): {http_error}",
-            scope=creds["scope"],
+            f"Token refresh HTTP error for {account.get('email')}: {http_error}",
+            email=account.get("email"),
+            account_id=account.get("id"),
             project_id=project_id,
         )
         return False
     except Exception as e:
         auth_log.warning(
             "token_refresh_failed",
-            f"Token refresh failed ({creds['scope']}): {e}",
-            scope=creds["scope"],
+            f"Token refresh failed for {account.get('email')}: {e}",
+            email=account.get("email"),
+            account_id=account.get("id"),
             project_id=project_id,
         )
         return False
 
 
-async def validate_token_health(creds: dict) -> tuple[bool, str]:
-    """Validate OAuth token by attempting a refresh.
+async def validate_account_token(account: dict) -> tuple[bool, str]:
+    """Validate account's OAuth token by attempting a refresh.
 
     Since we're using OAuth tokens (not API keys), we validate by
     trying to refresh the token. If the refresh_token is still valid,
     we'll get a new access_token. If it's expired/revoked, we get an error.
 
     Args:
-        creds: Credentials dict with refresh_token
+        account: Account dict with refresh_token
 
     Returns:
         Tuple of (is_valid, error_message)
     """
-    if not creds:
-        return False, "No credentials"
+    if not account:
+        return False, "No account"
 
-    if not creds.get("refresh_token"):
+    if not account.get("refresh_token"):
         return False, "No refresh token available"
 
     try:
         # Use lock to prevent concurrent refresh operations.
-        # Re-read creds inside lock in case another process already refreshed.
+        # Re-read account inside lock in case another process already refreshed.
         async with _token_refresh_lock():
-            # Re-fetch credentials to get any updates from concurrent refresh
+            # Re-fetch account to get any updates from concurrent refresh
             db = Database()
-            fresh_creds = db.get_credentials_by_id(creds["id"])
-            if fresh_creds and fresh_creds.get("refresh_token") != creds.get("refresh_token"):
+            fresh_account = db.get_account(account["id"])
+            if fresh_account and fresh_account.get("refresh_token") != account.get("refresh_token"):
                 # Another process already refreshed - we have fresh tokens
                 auth_log.info(
                     "token_already_refreshed",
                     "Token was refreshed by another process",
-                    scope=creds.get("scope"),
+                    email=account.get("email"),
                 )
                 return True, ""
 
@@ -402,7 +580,7 @@ async def validate_token_health(creds: dict) -> tuple[bool, str]:
                     TOKEN_URL,
                     json={
                         "grant_type": "refresh_token",
-                        "refresh_token": creds["refresh_token"],
+                        "refresh_token": account["refresh_token"],
                         "client_id": CLIENT_ID,
                     },
                     headers={
@@ -415,32 +593,35 @@ async def validate_token_health(creds: dict) -> tuple[bool, str]:
                     # Token is valid and we got a new one - update it
                     tokens = resp.json()
                     new_expires_at = int(time.time()) + tokens.get("expires_in", 28800)
-                    account = tokens.get("account", {})
-                    email = account.get("email_address")
 
-                    # db already created above in lock, but re-use is fine
+                    # Build update dict - capture subscription/plan info if present
+                    update_data = {
+                        "access_token": tokens["access_token"],
+                        "refresh_token": tokens.get("refresh_token", account["refresh_token"]),
+                        "expires_at": new_expires_at,
+                        "consecutive_failures": 0,
+                    }
+                    if tokens.get("subscription_type"):
+                        update_data["subscription_type"] = tokens["subscription_type"]
+                    if tokens.get("rate_limit_tier"):
+                        update_data["rate_limit_tier"] = tokens["rate_limit_tier"]
+
                     # CRITICAL: If DB update fails, we've consumed the refresh_token
                     # but not saved the new one. Handle this carefully.
                     try:
-                        db.update_credentials(
-                            creds["id"],
-                            access_token=tokens["access_token"],
-                            refresh_token=tokens.get("refresh_token", creds["refresh_token"]),
-                            expires_at=new_expires_at,
-                            email=email if email else creds.get("email"),
-                        )
+                        db.update_account(account["id"], **update_data)
                     except Exception as db_error:
                         auth_log.error(
                             "token_db_update_failed",
                             f"Failed to save refreshed token: {db_error}. Token may be lost!",
-                            scope=creds.get("scope"),
+                            email=account.get("email"),
                         )
                         return False, f"Token refresh succeeded but failed to save: {db_error}"
 
                     auth_log.info(
                         "token_validated",
-                        f"Token validated and refreshed ({creds.get('scope', 'unknown')})",
-                        scope=creds.get("scope"),
+                        f"Token validated and refreshed for {account.get('email')}",
+                        email=account.get("email"),
                     )
                     return True, ""
 
@@ -450,6 +631,8 @@ async def validate_token_health(creds: dict) -> tuple[bool, str]:
                         error_type = error_json.get("error", "unknown")
                         error_desc = error_json.get("error_description", "")
                         if error_type == "invalid_grant":
+                            # Mark account as needing re-auth
+                            db.update_account(account["id"], is_active=False, last_error="invalid_grant")
                             return False, f"Refresh token expired or revoked: {error_desc}. Please re-login."
                         return False, f"OAuth error: {error_type} - {error_desc}"
                     except Exception:
@@ -493,65 +676,81 @@ async def refresh_token_if_needed(
     """Auto-refresh token if expired. Returns True if valid token available.
 
     Args:
-        project_id: Optional project ID to check for project-scoped creds
+        project_id: Optional project ID to get effective account for
         validate: If True, actually validate the token by calling API
 
     Returns:
-        True if valid credentials exist (either not expired or successfully refreshed)
-        False if no credentials or refresh failed
+        True if valid account exists (either not expired or successfully refreshed)
+        False if no account or refresh failed
     """
     db = Database()
-    creds = db.get_credentials(project_id)
+    account = db.get_effective_account(project_id)
 
-    if not creds:
+    if not account:
         return False
 
     now = int(time.time())
 
     # If validation requested, actually test the token
-    # Note: validate_token_health() attempts a refresh as part of validation.
+    # Note: validate_account_token() attempts a refresh as part of validation.
     # If it fails, the refresh already failed - no point retrying immediately.
     if validate:
-        is_valid, error = await validate_token_health(creds)
+        is_valid, error = await validate_account_token(account)
         if not is_valid:
             auth_log.warning(
                 "token_invalid",
                 f"Token validation failed: {error}",
-                scope=creds.get("scope"),
+                email=account.get("email"),
                 project_id=project_id,
             )
-            # Don't retry - validate_token_health already tried to refresh.
+            # Don't retry - validate_account_token already tried to refresh.
             # The error message explains what went wrong.
             return False
         return True
 
     # Otherwise just check expiry timestamp (5 minute buffer)
-    if now < creds["expires_at"] - 300:
+    if now < account["expires_at"] - 300:
         return True  # Token assumed valid based on expiry
 
-    return await _do_token_refresh(creds, project_id)
+    # Use lock to prevent concurrent refresh operations.
+    # Re-read account inside lock in case another process already refreshed.
+    async with _token_refresh_lock():
+        # Re-fetch account to get latest token state
+        fresh_account = db.get_effective_account(project_id)
+        if not fresh_account:
+            return False
+        # Check if another process already refreshed while we waited for lock
+        if int(time.time()) < fresh_account["expires_at"] - 300:
+            return True
+        return await _do_token_refresh(fresh_account, project_id)
 
 
 async def force_refresh_token(project_id: Optional[str] = None) -> dict:
     """Force refresh a token regardless of expiry time.
 
     Args:
-        project_id: Optional project ID to check for project-scoped creds
+        project_id: Optional project ID to get effective account for
 
     Returns:
         dict with success status and message
     """
     db = Database()
-    creds = db.get_credentials(project_id)
+    account = db.get_effective_account(project_id)
 
-    if not creds:
-        return {"success": False, "error": "No credentials found"}
+    if not account:
+        return {"success": False, "error": "No account found"}
 
-    if not creds.get("refresh_token"):
+    if not account.get("refresh_token"):
         return {"success": False, "error": "No refresh token available"}
 
     try:
-        success = await _do_token_refresh(creds, project_id)
+        # Use lock to prevent concurrent refresh operations.
+        # Re-read account inside lock in case another process already refreshed.
+        async with _token_refresh_lock():
+            fresh_account = db.get_effective_account(project_id)
+            if not fresh_account or not fresh_account.get("refresh_token"):
+                return {"success": False, "error": "No account or refresh token available"}
+            success = await _do_token_refresh(fresh_account, project_id)
         if success:
             return {"success": True, "message": "Token refreshed successfully"}
         else:
@@ -561,7 +760,7 @@ async def force_refresh_token(project_id: Optional[str] = None) -> dict:
 
 
 async def refresh_all_expiring_tokens(buffer_seconds: int = 7200) -> dict:
-    """Refresh all tokens expiring within buffer_seconds.
+    """Refresh all account tokens expiring within buffer_seconds.
 
     Called by background task to proactively keep tokens fresh.
 
@@ -575,35 +774,39 @@ async def refresh_all_expiring_tokens(buffer_seconds: int = 7200) -> dict:
     now = int(time.time())
     result = {"checked": 0, "refreshed": 0, "failed": 0}
 
-    # Get all credentials (global + all projects)
-    all_creds = db.get_all_credentials()
+    # Get all active accounts
+    all_accounts = db.list_accounts(include_inactive=False, include_deleted=False)
 
-    for creds in all_creds:
+    for account in all_accounts:
         result["checked"] += 1
 
         # Skip if not expiring soon
-        if now < creds["expires_at"] - buffer_seconds:
+        if now < account["expires_at"] - buffer_seconds:
             continue
 
         # Skip if no refresh token
-        if not creds.get("refresh_token"):
+        if not account.get("refresh_token"):
             continue
 
         # Attempt refresh with lock to prevent race conditions
         try:
             async with _token_refresh_lock():
-                # Re-fetch credentials to check if another process already refreshed
-                fresh_creds = db.get_credentials_by_id(creds["id"])
-                if fresh_creds and now < fresh_creds["expires_at"] - buffer_seconds:
+                # Re-fetch account to check if another process already refreshed
+                fresh_account = db.get_account(account["id"])
+                if fresh_account and now < fresh_account["expires_at"] - buffer_seconds:
                     # Token was refreshed by another process, skip
                     continue
 
+                # Use fresh_account's refresh_token (not the pre-lock stale one)
+                # Another process may have refreshed and changed the token while we waited
+                refresh_token = fresh_account["refresh_token"] if fresh_account else account["refresh_token"]
+
                 async with httpx.AsyncClient() as client:
                     resp = await client.post(
                         TOKEN_URL,
                         json={
                             "grant_type": "refresh_token",
-                            "refresh_token": creds["refresh_token"],
+                            "refresh_token": refresh_token,
                             "client_id": CLIENT_ID,
                         },
                         headers={
@@ -615,72 +818,66 @@ async def refresh_all_expiring_tokens(buffer_seconds: int = 7200) -> dict:
                     if resp.status_code == 200:
                         tokens = resp.json()
                         new_expires_at = int(time.time()) + tokens.get("expires_in", 28800)
-                        account = tokens.get("account", {})
-                        email = account.get("email_address")
+
+                        # Build update dict - capture subscription/plan info if present
+                        # Use refresh_token (the fresh value used for this request) as fallback,
+                        # not account["refresh_token"] which is the pre-lock stale copy
+                        update_data = {
+                            "access_token": tokens["access_token"],
+                            "refresh_token": tokens.get("refresh_token", refresh_token),
+                            "expires_at": new_expires_at,
+                            "consecutive_failures": 0,
+                        }
+                        if tokens.get("subscription_type"):
+                            update_data["subscription_type"] = tokens["subscription_type"]
+                        if tokens.get("rate_limit_tier"):
+                            update_data["rate_limit_tier"] = tokens["rate_limit_tier"]
 
                         try:
-                            db.update_credentials(
-                                creds["id"],
-                                access_token=tokens["access_token"],
-                                refresh_token=tokens.get("refresh_token", creds["refresh_token"]),
-                                expires_at=new_expires_at,
-                                email=email if email else creds.get("email"),
-                            )
+                            db.update_account(account["id"], **update_data)
                             result["refreshed"] += 1
                             auth_log.info(
                                 "token_refresh",
-                                f"Token refreshed ({creds['scope']})",
-                                scope=creds["scope"],
-                                project_id=creds.get("project_id"),
+                                f"Token refreshed for {account.get('email')}",
+                                email=account.get("email"),
+                                account_id=account.get("id"),
                                 expires_in=tokens.get("expires_in", 28800),
                             )
                         except Exception as db_error:
                             result["failed"] += 1
                             auth_log.error(
                                 "token_db_update_failed",
-                                f"Failed to save refreshed token ({creds['scope']}): {db_error}",
-                                scope=creds["scope"],
-                                project_id=creds.get("project_id"),
+                                f"Failed to save refreshed token for {account.get('email')}: {db_error}",
+                                email=account.get("email"),
+                                account_id=account.get("id"),
                             )
                     else:
                         result["failed"] += 1
+                        # Track consecutive failures (use fresh_account for accurate count)
+                        failure_count = (fresh_account or account).get("consecutive_failures", 0)
+                        db.update_account(
+                            account["id"],
+                            consecutive_failures=failure_count + 1,
+                        )
                         auth_log.warning(
                             "token_refresh_failed",
-                            f"Token refresh failed ({creds['scope']}): HTTP {resp.status_code}",
-                            scope=creds["scope"],
-                            project_id=creds.get("project_id"),
+                            f"Token refresh failed for {account.get('email')}: HTTP {resp.status_code}",
+                            email=account.get("email"),
+                            account_id=account.get("id"),
                         )
         except Exception as e:
             result["failed"] += 1
             auth_log.error(
                 "token_refresh_error",
-                f"Token refresh error ({creds['scope']}): {e}",
-                scope=creds["scope"],
-                project_id=creds.get("project_id"),
+                f"Token refresh error for {account.get('email')}: {e}",
+                email=account.get("email"),
+                account_id=account.get("id"),
                 error=str(e),
             )
 
     return result
 
 
-def clear_credentials(
-    scope: Literal["project", "global"],
-    project_id: Optional[str] = None,
-) -> bool:
-    """Remove credentials for the specified scope from database."""
-    db = Database()
-    result = db.delete_credentials(scope, project_id if scope == "project" else None)
-
-    if result:
-        auth_log.info(
-            "logout",
-            f"Logged out ({scope})",
-            scope=scope,
-            project_id=project_id,
-        )
-    return result
-
-
 @contextmanager
 def swap_credentials_for_loop(
     project_id: Optional[str] = None,
@@ -711,7 +908,8 @@ def swap_credentials_for_loop(
     global _credential_swap_active
 
     db = Database()
-    creds = db.get_credentials(project_id)
+    # Get the effective account for this project (assigned or default)
+    account = db.get_effective_account(project_id)
 
     # Acquire exclusive lock to prevent concurrent credential access
     CREDENTIAL_LOCK_PATH.parent.mkdir(parents=True, exist_ok=True)
@@ -732,13 +930,13 @@ def swap_credentials_for_loop(
         # Mark swap as active AFTER backup is complete
         _credential_swap_active = True
 
-        # Write credentials from DB to Claude's location
+        # Write account credentials to Claude's location
         has_creds = False
-        if creds:
-            # Default scopes if not stored (for backwards compatibility)
+        if account:
+            # Default scopes if not stored
             # These are the minimum scopes Claude Code CLI needs for execution
             default_scopes = ["user:inference", "user:profile", "user:sessions:claude_code"]
-            stored_scopes = creds.get("scopes")
+            stored_scopes = account.get("scopes")
             if stored_scopes:
                 try:
                     scopes = json.loads(stored_scopes)
@@ -749,20 +947,21 @@ def swap_credentials_for_loop(
 
             creds_data = {
                 "claudeAiOauth": {
-                    "accessToken": creds["access_token"],
-                    "refreshToken": creds["refresh_token"],
-                    "expiresAt": creds["expires_at"] * 1000,  # Convert to milliseconds
+                    "accessToken": account["access_token"],
+                    "refreshToken": account["refresh_token"],
+                    "expiresAt": account["expires_at"] * 1000,  # Convert to milliseconds
                     "scopes": scopes,
                     # subscriptionType: Claude subscription tier. Values include "free", "pro", "max".
                     # Default to "max" as RalphX is designed for Max subscription users.
-                    "subscriptionType": creds.get("subscription_type") or "max",
+                    "subscriptionType": account.get("subscription_type") or "max",
                     # rateLimitTier: API rate limit tier. "default_claude_max_20x" indicates
                     # the 20x rate limit multiplier for Max subscribers.
-                    "rateLimitTier": creds.get("rate_limit_tier") or "default_claude_max_20x",
+                    "rateLimitTier": account.get("rate_limit_tier") or "default_claude_max_20x",
                 }
             }
             CLAUDE_CREDENTIALS_PATH.parent.mkdir(parents=True, exist_ok=True)
             CLAUDE_CREDENTIALS_PATH.write_text(json.dumps(creds_data, indent=2))
+            os.chmod(CLAUDE_CREDENTIALS_PATH, 0o600)  # Restrict to owner-only read/write
             has_creds = True
 
         try:
@@ -778,17 +977,18 @@ def swap_credentials_for_loop(
                     new_refresh = oauth.get("refreshToken")
 
                     # If refresh token changed, Claude CLI refreshed during execution
-                    if new_refresh and new_refresh != creds["refresh_token"]:
-                        db.update_credentials(
-                            creds["id"],
+                    if new_refresh and new_refresh != account["refresh_token"]:
+                        db.update_account(
+                            account["id"],
                             access_token=oauth.get("accessToken"),
                             refresh_token=new_refresh,
                             expires_at=int(oauth.get("expiresAt", 0) / 1000),
                         )
                         auth_log.info(
                             "token_captured",
-                            f"Captured refreshed token from Claude CLI ({creds['scope']})",
-                            scope=creds["scope"],
+                            f"Captured refreshed token from Claude CLI ({account['email']})",
+                            email=account["email"],
+                            account_id=account["id"],
                             project_id=project_id,
                         )
                 except Exception as e:
@@ -796,7 +996,7 @@ def swap_credentials_for_loop(
                     auth_log.warning(
                         "token_capture_failed",
                         f"Failed to capture refreshed token: {e}",
-                        scope=creds.get("scope") if creds else None,
+                        email=account.get("email") if account else None,
                         project_id=project_id,
                     )