Andy 1e72c8d773 feat: Multi-profile account swapping with token refresh and queue routing (#1496)
* refactor: streamline profile management and enhance usage monitoring

- Consolidated profile management logic to improve clarity and maintainability.
- Enhanced usage monitoring to support both OAuth and API profiles, ensuring accurate data retrieval.
- Updated error handling for API requests to provide better feedback and prevent silent failures.
- Improved test coverage for profile detection and usage monitoring functionalities.

These changes aim to optimize the user experience by ensuring that profile-related data is handled consistently and that usage metrics are accurately reported across different authentication methods.

* fix(tests): update tests for new auth badge display behavior

- Update AuthStatusIndicator tests to expect "Claude Code"/"API Key" badge labels
  instead of provider names (Anthropic, z.ai, ZHIPU AI)
- Fix usage-monitor tests that relied on console.warn calls (now uses debugLog)
- Add missing mock Response headers to prevent TypeError in fetch tests
- Convert dynamic require to static import in claude-profile-manager

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Address PR review findings for account swapping

- Add `persistenceFailed` flag to EnsureValidTokenResult for callers
  to detect when token refresh succeeded but keychain write failed
- Add collision detection to profile migration to handle cases where
  two profile names sanitize to the same directory name
- Change hardcoded 'default' to 'unknown' in updateTaskSession when
  no profile assignment exists, and add optional profileInfo parameter

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Resolve CodeQL security alerts

- Fix TOCTOU race condition in profile migration by using 'wx' flag
  for atomic file creation instead of existsSync check
- Remove unused imports: DEFAULT_CLAUDE_CONFIG_DIR, BrowserWindow,
  IPC_CHANNELS, User

The medium severity alerts for "Network data written to file" and
"File data in outbound network request" are expected behavior for
credential management and API authentication respectively.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(linux): Add Secret Service support for credential storage

Linux credentials now use the Secret Service API (gnome-keyring/kwallet)
via the `secret-tool` CLI, matching how macOS uses Keychain and Windows
uses Credential Manager.

Implementation:
- getCredentialsFromLinuxSecretService: Retrieve tokens from Secret Service
- getFullCredentialsFromLinuxSecretService: Retrieve full OAuth credentials
- updateLinuxSecretServiceCredentials: Store refreshed tokens
- Automatic fallback to .credentials.json file if Secret Service unavailable

The `secret-tool` command is part of libsecret-tools package, commonly
available on most Linux desktop distributions. This provides secure
credential storage instead of plaintext file storage.

Credentials are stored with:
- Label: "Claude Code-credentials"
- Attribute: application=claude-code (or claude-code-{hash} for profiles)

Fixes security gap where Linux used file storage while macOS and Windows
used proper secure credential stores.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: Add guidelines against providing time estimates in development

Introduced a critical section in the development guidelines emphasizing the avoidance of time estimates for tasks. This change highlights the misleading nature of traditional time predictions in AI-assisted development and encourages a focus on actionable steps and priority-based ordering instead. Examples of incorrect and correct approaches are provided for clarity.

* fix: address PR review findings for account swapping

MEDIUM severity fixes:
- Implement getBestProfileForTask handler with actual profile selection logic
- Refactor credential-utils.ts to eliminate code duplication with shared helpers
- Fix PowerShell escaping vulnerabilities with proper character escaping
- Use base64 encoding for JSON data passed to PowerShell scripts
- Add warning that returned token may be revoked after server-side refresh failure
- Document side effect in getBestAvailableProfileEnv function

LOW severity fixes:
- Reduce token fingerprint logging from 12+4 to 4+2 chars
- Document >= threshold as intentional (proactive switching before limits)
- Move writeFileSync import to top of file with other fs imports
- Remove unnecessary existsSync checks (mkdirSync recursive is idempotent)
- Add homedir to top-level imports from 'os'
- Add comment noting acceptable TOCTOU race window in profile-storage.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: clear credential cache after platform credential updates

Add clearCredentialCache() calls to all platform-specific update functions
to prevent stale cached tokens from being returned after successful updates:
- updateMacOSKeychainCredentials
- updateLinuxSecretServiceCredentials
- updateLinuxFileCredentials
- updateWindowsCredentialManagerCredentials

This ensures callers always get fresh credential values after token refresh,
rather than waiting for the 5-minute cache TTL to expire.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: handle persistenceFailed flag in token refresh calls

When token refresh succeeds but fails to persist to keychain, the user
needs to be notified to re-authenticate. Previously, the persistenceFailed
flag was ignored, which could lead to authentication errors on app restart.

Now all three call sites for ensureValidToken/reactiveTokenRefresh properly:
- Check the persistenceFailed flag
- Add the profile to needsReauthProfiles set when persistence fails
- Log a warning about the persistence failure
- Clear from needsReauthProfiles only when both refresh AND persistence succeed

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: enhance credential management and re-authentication flow

- Updated macOS keychain handling to ensure existing credentials are deleted before adding new ones, preventing stale tokens.
- Integrated credential checks in profile authentication to verify token presence in the keychain, improving user experience by flagging profiles needing re-authentication.
- Enhanced the UsageIndicator component to provide clearer messaging for re-authentication requirements, improving user feedback.
- Added new localization strings for re-authentication prompts in both English and French.

This update addresses critical issues with credential persistence and user notifications, ensuring a smoother authentication experience across platforms.

* fix(auth): prevent false auth failures from file names in logs

Change auth failure pattern from \s* to \s+ to require at least one
whitespace character between "auth" and "failure/error/failed".

This fixes false positives where log lines like "[ParallelOrchestrator]
Reading AuthFailureModal.tsx" were incorrectly triggering auth failure
modals. The pattern matched "AuthFailure" (zero whitespace) even though
the OAuth token was valid.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(auth): use imported homedir instead of inline require

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-25 15:02:25 +01:00
2025-12-22 14:17:08 +01:00
2026-01-12 15:27:47 +01:00
2026-01-02 11:56:36 +01:00
2025-12-10 09:10:55 +01:00
2026-01-02 11:56:36 +01:00
2026-01-21 11:35:44 +01:00
2026-01-02 11:56:36 +01:00
2025-12-22 14:17:08 +01:00
2026-01-02 11:56:36 +01:00
2026-01-02 11:56:36 +01:00
2025-12-15 21:10:27 +01:00

Auto Claude

Autonomous multi-agent coding framework that plans, builds, and validates software for you.

Auto Claude Kanban Board

License Discord YouTube CI


Download

Stable Release

Stable

Platform Download
Windows Auto-Claude-2.7.5-win32-x64.exe
macOS (Apple Silicon) Auto-Claude-2.7.5-darwin-arm64.dmg
macOS (Intel) Auto-Claude-2.7.5-darwin-x64.dmg
Linux Auto-Claude-2.7.5-linux-x86_64.AppImage
Linux (Debian) Auto-Claude-2.7.5-linux-amd64.deb
Linux (Flatpak) Auto-Claude-2.7.5-linux-x86_64.flatpak

Beta Release

⚠️ Beta releases may contain bugs and breaking changes. View all releases

Beta

Platform Download
Windows Auto-Claude-2.7.2-beta.10-win32-x64.exe
macOS (Apple Silicon) Auto-Claude-2.7.2-beta.10-darwin-arm64.dmg
macOS (Intel) Auto-Claude-2.7.2-beta.10-darwin-x64.dmg
Linux Auto-Claude-2.7.2-beta.10-linux-x86_64.AppImage
Linux (Debian) Auto-Claude-2.7.2-beta.10-linux-amd64.deb
Linux (Flatpak) Auto-Claude-2.7.2-beta.10-linux-x86_64.flatpak

All releases include SHA256 checksums and VirusTotal scan results for security verification.


Requirements

  • Claude Pro/Max subscription - Get one here
  • Claude Code CLI - npm install -g @anthropic-ai/claude-code
  • Git repository - Your project must be initialized as a git repo

Quick Start

  1. Download and install the app for your platform
  2. Open your project - Select a git repository folder
  3. Connect Claude - The app will guide you through OAuth setup
  4. Create a task - Describe what you want to build
  5. Watch it work - Agents plan, code, and validate autonomously

Features

Feature Description
Autonomous Tasks Describe your goal; agents handle planning, implementation, and validation
Parallel Execution Run multiple builds simultaneously with up to 12 agent terminals
Isolated Workspaces All changes happen in git worktrees - your main branch stays safe
Self-Validating QA Built-in quality assurance loop catches issues before you review
AI-Powered Merge Automatic conflict resolution when integrating back to main
Memory Layer Agents retain insights across sessions for smarter builds
GitHub/GitLab Integration Import issues, investigate with AI, create merge requests
Linear Integration Sync tasks with Linear for team progress tracking
Cross-Platform Native desktop apps for Windows, macOS, and Linux
Auto-Updates App updates automatically when new versions are released

Interface

Kanban Board

Visual task management from planning through completion. Create tasks and monitor agent progress in real-time.

Agent Terminals

AI-powered terminals with one-click task context injection. Spawn multiple agents for parallel work.

Agent Terminals

Roadmap

AI-assisted feature planning with competitor analysis and audience targeting.

Roadmap

Additional Features

  • Insights - Chat interface for exploring your codebase
  • Ideation - Discover improvements, performance issues, and vulnerabilities
  • Changelog - Generate release notes from completed tasks

Project Structure

Auto-Claude/
├── apps/
│   ├── backend/     # Python agents, specs, QA pipeline
│   └── frontend/    # Electron desktop application
├── guides/          # Additional documentation
├── tests/           # Test suite
└── scripts/         # Build utilities

CLI Usage

For headless operation, CI/CD integration, or terminal-only workflows:

cd apps/backend

# Create a spec interactively
python spec_runner.py --interactive

# Run autonomous build
python run.py --spec 001

# Review and merge
python run.py --spec 001 --review
python run.py --spec 001 --merge

See guides/CLI-USAGE.md for complete CLI documentation.


Development

Want to build from source or contribute? See CONTRIBUTING.md for complete development setup instructions.

For Linux-specific builds (Flatpak, AppImage), see guides/linux.md.


Security

Auto Claude uses a three-layer security model:

  1. OS Sandbox - Bash commands run in isolation
  2. Filesystem Restrictions - Operations limited to project directory
  3. Dynamic Command Allowlist - Only approved commands based on detected project stack

All releases are:

  • Scanned with VirusTotal before publishing
  • Include SHA256 checksums for verification
  • Code-signed where applicable (macOS)

Available Scripts

Command Description
npm run install:all Install backend and frontend dependencies
npm start Build and run the desktop app
npm run dev Run in development mode with hot reload
npm run package Package for current platform
npm run package:mac Package for macOS
npm run package:win Package for Windows
npm run package:linux Package for Linux
npm run package:flatpak Package as Flatpak (see guides/linux.md)
npm run lint Run linter
npm test Run frontend tests
npm run test:backend Run backend tests

Contributing

We welcome contributions! Please read CONTRIBUTING.md for:

  • Development setup instructions
  • Code style guidelines
  • Testing requirements
  • Pull request process

Community


License

AGPL-3.0 - GNU Affero General Public License v3.0

Auto Claude is free to use. If you modify and distribute it, or run it as a service, your code must also be open source under AGPL-3.0.

Commercial licensing available for closed-source use cases.


Star History

GitHub Repo stars

Star History Chart

S
Description
Autonomous multi-session AI coding
Readme AGPL-3.0 59 MiB
Languages
TypeScript 98.7%
JavaScript 0.6%
CSS 0.5%
Shell 0.2%