feat(connector): include team access in package collaborators

- Add listTeamPackages function to fetch packages a team can access
- Modify /package/:pkg/collaborators endpoint to also return teams
- For scoped packages, fetch all org teams and check their access
- Merge team access into collaborators response

This fixes an issue where team access wasn't visible in the UI because
npm access list collaborators only returns users, not teams.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: neutrino2211

cli/src/npm-client.ts

@@ -548,6 +548,16 @@ export async function listUserPackages(user: string): Promise<NpmExecResult> {
   return execNpm(['access', 'list', 'packages', `@${user}`, '--json'], { silent: true })
 }
 
+/**
+ * Lists all packages that a team has access to.
+ * Uses `npm access list packages {scopeTeam} --json`
+ * Returns a map of package name to permission level
+ */
+export async function listTeamPackages(scopeTeam: string): Promise<NpmExecResult> {
+  validateScopeTeam(scopeTeam)
+  return execNpm(['access', 'list', 'packages', scopeTeam, '--json'], { silent: true })
+}
+
 /**
  * Initialize and publish a new package to claim the name.
  * Creates a minimal package.json in a temp directory and publishes it.

cli/src/server.ts

@@ -48,6 +48,7 @@ import {
   accessGrant,
   accessRevoke,
   accessListCollaborators,
+  listTeamPackages,
   ownerAdd,
   ownerRemove,
   packageInit,
@@ -674,7 +675,10 @@ export function createConnectorApp(expectedToken: string) {
       throw new HTTPError({ statusCode: 400, message: pkgValidation.error })
     }
 
-    const result = await accessListCollaborators(pkgValidation.data)
+    const pkg = pkgValidation.data
+
+    // Get user collaborators
+    const result = await accessListCollaborators(pkg)
     if (result.exitCode !== 0) {
       return {
         success: false,
@@ -684,6 +688,48 @@ export function createConnectorApp(expectedToken: string) {
 
     try {
       const collaborators = JSON.parse(result.stdout) as Record<string, 'read-only' | 'read-write'>
+
+      // For scoped packages, also fetch team access
+      if (pkg.startsWith('@')) {
+        const orgMatch = pkg.match(/^@([^/]+)\//)
+        if (orgMatch) {
+          const org = orgMatch[1]
+
+          // Get all teams in the org
+          const teamsResult = await teamListTeams(org)
+          if (teamsResult.exitCode === 0) {
+            try {
+              const teams = JSON.parse(teamsResult.stdout) as string[]
+
+              // Check each team's package access
+              await Promise.all(
+                teams.map(async team => {
+                  // Add @ prefix to team name since we expect scoped packages
+                  team = '@' + team
+                  const teamPkgsResult = await listTeamPackages(team)
+                  if (teamPkgsResult.exitCode === 0) {
+                    try {
+                      const teamPkgs = JSON.parse(teamPkgsResult.stdout) as Record<
+                        string,
+                        'read-only' | 'read-write'
+                      >
+                      // If this team has access to the package, add it to collaborators
+                      if (teamPkgs[pkg]) {
+                        collaborators[team] = teamPkgs[pkg]
+                      }
+                    } catch {
+                      // Ignore parse errors for individual teams
+                    }
+                  }
+                }),
+              )
+            } catch {
+              // Ignore team list parse errors, return user collaborators only
+            }
+          }
+        }
+      }
+
       return {
         success: true,
         data: collaborators,