corclient 0.1.0__py3-none-any.whl

corclient-0.1.0.dist-info/METADATA

@@ -0,0 +1,393 @@
+Metadata-Version: 2.4
+Name: corclient
+Version: 0.1.0
+Summary: Internal CLI tool for microservices management, infrastructure administration and monitoring with AWS Cognito authentication
+Author: Carlos Ferrer
+Author-email: Carlos Ferrer <cferrer@projectcor.com>
+Maintainer-email: Carlos Ferrer <cferrer@projectcor.com>
+License: MIT
+Project-URL: Homepage, https://github.com/ProjectCORTeam/corcli
+Project-URL: Documentation, https://github.com/ProjectCORTeam/corcli#readme
+Project-URL: Repository, https://github.com/ProjectCORTeam/corcli.git
+Project-URL: Bug Tracker, https://github.com/ProjectCORTeam/corcli/issues
+Project-URL: Changelog, https://github.com/ProjectCORTeam/corcli/releases
+Keywords: cli,microservices,infrastructure,devops,monitoring,aws,internal-tools
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: Intended Audience :: Information Technology
+Classifier: Topic :: System :: Monitoring
+Classifier: Topic :: System :: Systems Administration
+Classifier: Topic :: Software Development :: Build Tools
+Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
+Classifier: Topic :: Utilities
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Operating System :: OS Independent
+Classifier: Environment :: Console
+Classifier: Natural Language :: English
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: typer>=0.12
+Requires-Dist: rich>=13
+Requires-Dist: flask>=2.3
+Requires-Dist: requests>=2.31
+Provides-Extra: dev
+Requires-Dist: ruff>=0.1.0; extra == "dev"
+Requires-Dist: black>=23.0.0; extra == "dev"
+Requires-Dist: mypy>=1.0.0; extra == "dev"
+Requires-Dist: pytest>=7.0.0; extra == "dev"
+Requires-Dist: types-requests>=2.31.0; extra == "dev"
+Dynamic: author
+Dynamic: license-file
+Dynamic: requires-python
+
+# CoreCLI
+
+[![PyPI version](https://img.shields.io/pypi/v/corclient.svg)](https://pypi.org/project/corclient/)
+[![Python versions](https://img.shields.io/pypi/pyversions/corclient.svg)](https://pypi.org/project/corclient/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+Internal CLI tool for microservices management, infrastructure administration and monitoring with AWS Cognito authentication.
+
+## Features
+
+- 🔐 **AWS Cognito Authentication** - Secure authentication using PKCE (Proof Key for Code Exchange) flow
+- 🚀 **Microservices Management** - Interact with internal microservices infrastructure
+- 📊 **Basic Monitoring** - Monitor and manage microservices health
+- 🔄 **Token Management** - Automatic token refresh and session handling
+- 💻 **CLI-First Design** - Built with modern CLI best practices using Typer
+
+## Requirements
+
+- Python 3.9 or higher
+- AWS Cognito user pool configured with Hosted UI
+- Valid AWS Cognito credentials
+
+## Installation
+
+### Via pip (Recommended)
+
+```bash
+pip install corclient
+```
+
+### Via Homebrew (macOS/Linux)
+
+```bash
+# Add the tap
+brew tap ProjectCORTeam/corcli https://github.com/ProjectCORTeam/corcli.git
+
+# Install
+brew install corclient
+```
+
+To update:
+```bash
+brew update && brew upgrade corclient
+```
+
+### Development Installation
+
+```bash
+git clone https://github.com/ProjectCORTeam/corcli.git
+cd corcli
+pip install -e .
+```
+
+## Quick Start
+
+### 1. Login
+
+Authenticate with AWS Cognito using the Hosted UI:
+
+```bash
+cor login
+```
+
+This will:
+- Open your browser to the Cognito Hosted UI
+- Start a local callback server
+- Complete the PKCE flow
+- Store tokens securely
+
+#### Custom Redirect URI
+
+If you need to redirect to a custom app scheme:
+
+```bash
+cor login --app-redirect myapp://callback
+```
+
+### 2. Check Authentication Status
+
+View your current authentication details:
+
+```bash
+cor whoami
+```
+
+This displays:
+- User information from the ID token
+- Token expiration time
+- Active session details
+
+### 3. Refresh Tokens
+
+Manually refresh your access tokens:
+
+```bash
+cor refresh
+```
+
+The CLI automatically refreshes tokens when needed, but you can manually trigger a refresh if required.
+
+### 4. Logout
+
+Clear local session and revoke tokens:
+
+```bash
+cor logout
+```
+
+This will:
+- Revoke active tokens with Cognito
+- Clear local token storage
+- End your authentication session
+
+## Configuration
+
+CoreCLI requires the following environment variables or configuration:
+
+```bash
+# AWS Cognito Configuration
+COGNITO_DOMAIN=your-domain.auth.region.amazoncognito.com
+COGNITO_CLIENT_ID=your-client-id
+COGNITO_REDIRECT_URI=http://localhost:8080/callback
+```
+
+Configuration can be set via:
+- Environment variables
+- Configuration file (`.corecli/config`)
+- Command-line arguments
+
+## Usage Examples
+
+### Basic Authentication Flow
+
+```bash
+# Login to Cognito
+cor login
+
+# Check who is logged in
+cor whoami
+
+# When done, logout
+cor logout
+```
+
+### Using with Custom Applications
+
+```bash
+# Login and redirect to custom app
+cor login --app-redirect myapp://authenticated
+
+# The CLI will handle authentication and redirect to your app
+```
+
+## Command Reference
+
+| Command | Description | Options |
+|---------|-------------|---------|
+| `cor login` | Authenticate with Cognito | `--app-redirect, -r` - Custom redirect URI |
+| `cor whoami` | Show authenticated user info | None |
+| `cor refresh` | Refresh authentication tokens | None |
+| `cor logout` | End session and revoke tokens | None |
+
+## Development
+
+### Setup Development Environment
+
+```bash
+# Clone repository
+git clone https://github.com/ProjectCORTeam/corcli.git
+cd corcli
+
+# Install in development mode with dev dependencies
+pip install -e ".[dev]"
+
+# Install pre-commit hooks (optional but recommended)
+pip install pre-commit
+pre-commit install
+
+# Run the CLI
+cor --help
+```
+
+### Development Tools
+
+The project uses modern Python development tools:
+
+- **Ruff** - Fast Python linter (replaces flake8, isort, and more)
+- **Black** - Code formatter
+- **MyPy** - Static type checker
+- **Pre-commit** - Git hooks for automated checks
+
+### Running Checks Locally
+
+```bash
+# Run linting
+make lint
+
+# Fix linting issues automatically
+make lint-fix
+
+# Format code
+make format
+
+# Check formatting (without modifying)
+make format-check
+
+# Run type checking
+make type-check
+
+# Build and verify package
+make build
+
+# Run all checks
+make all
+
+# Clean build artifacts
+make clean
+```
+
+Or manually:
+
+```bash
+# Linting
+ruff check corecli/
+
+# Formatting
+black corecli/
+
+# Type checking
+mypy corecli/
+
+# Build
+python -m build
+twine check dist/*
+```
+
+### Project Structure
+
+```
+corecli/
+├── corecli/
+│   ├── __init__.py      # Package initialization
+│   ├── cli.py           # CLI commands and interface
+│   ├── auth.py          # Authentication logic
+│   ├── pkce.py          # PKCE flow implementation
+│   └── utils.py         # Utility functions
+├── pyproject.toml       # Project metadata
+├── setup.py             # Package setup
+└── README.md            # This file
+```
+
+## Security Considerations
+
+- **PKCE Flow**: Uses the industry-standard PKCE flow for secure OAuth 2.0 authentication
+- **Token Storage**: Tokens are stored securely in the local user directory
+- **Automatic Refresh**: Access tokens are automatically refreshed before expiration
+- **Session Management**: Proper logout flow revokes tokens server-side
+
+## Troubleshooting
+
+### Authentication Fails
+
+If authentication fails, check:
+1. Cognito domain and client ID are correct
+2. Redirect URI is whitelisted in Cognito
+3. User pool has Hosted UI enabled
+4. Network connectivity to Cognito endpoints
+
+### Token Refresh Issues
+
+If token refresh fails:
+1. Check that refresh token hasn't expired
+2. Verify Cognito client settings allow refresh tokens
+3. Try logging out and logging in again
+
+### Port Already in Use
+
+If the callback server can't start:
+```bash
+# The default port (8080) might be in use
+# Kill the process or configure a different port
+```
+
+## Contributing
+
+This is an internal tool for ProjectCOR Team. If you're a team member:
+
+1. Fork the repository
+2. Create a feature branch (`git checkout -b feature/amazing-feature`)
+3. Make your changes and ensure they pass all checks:
+   ```bash
+   make lint
+   make format
+   make type-check
+   make build
+   ```
+4. Commit your changes using [Conventional Commits](https://www.conventionalcommits.org/):
+   ```bash
+   git commit -m 'feat: add amazing feature'
+   git commit -m 'fix: resolve authentication issue'
+   git commit -m 'docs: update README'
+   ```
+5. Push to the branch (`git push origin feature/amazing-feature`)
+6. Open a Pull Request
+
+### Quality Checks
+
+All pull requests must pass:
+- ✅ **Ruff linting** - Code quality and style checks
+- ✅ **Black formatting** - Consistent code formatting
+- ✅ **MyPy type checking** - Static type validation (warnings allowed)
+- ✅ **Package build** - Successful package creation
+- ✅ **Twine validation** - PyPI metadata verification
+
+These checks run automatically on every release.
+
+## Versioning
+
+We use [Semantic Versioning](https://semver.org/) via semantic-release. Versions are automatically generated based on commit messages following [Conventional Commits](https://www.conventionalcommits.org/).
+
+### Commit Message Format
+
+- `feat:` - New feature (minor version bump)
+- `fix:` - Bug fix (patch version bump)
+- `feat!:` or `BREAKING CHANGE:` - Breaking change (major version bump)
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+
+## Support
+
+For internal support:
+- Report issues: [GitHub Issues](https://github.com/ProjectCORTeam/corcli/issues)
+- Documentation: [GitHub Wiki](https://github.com/ProjectCORTeam/corcli#readme)
+- Releases: [GitHub Releases](https://github.com/ProjectCORTeam/corcli/releases)
+
+## Authors
+
+- **Carlos Ferrer** - *Initial work* - [ProjectCOR Team](https://github.com/ProjectCORTeam)
+
+---
+
+Built with ❤️ by the ProjectCOR Team

corclient-0.1.0.dist-info/RECORD

@@ -0,0 +1,12 @@
+corclient-0.1.0.dist-info/licenses/LICENSE,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+corecli/__init__.py,sha256=YahZFfcGjK3dKwjCDZ9v5ZZ9R6-G3Nr28_3djZUh2kY,138
+corecli/_version.py,sha256=KOV2vc17OypCoLGU5NvcmuqpYxasPtk2grDJBCoULbY,264
+corecli/auth.py,sha256=F7Hq1TiFhsQ0Ai_e6TzlTEyXutbda-aX9_Q7QA6nzv4,13501
+corecli/cli.py,sha256=mwA7pOqr96MtXL0ROIQh2Wy66_3XB_GvtzadXzGX3V0,955
+corecli/pkce.py,sha256=eZkbryW2A74wFSr9ark-fU-wQeC6Qh1LXhHiBj5Wo7g,435
+corecli/utils.py,sha256=9NDqjMEM5rxyZQR7FK3ivg4NLa581AeUEJN8lTBNG_I,1136
+corclient-0.1.0.dist-info/METADATA,sha256=qBQKJST1Id8I3aTxMxFplKVoPRoeLkrlEz5aG-CxY7c,10187
+corclient-0.1.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+corclient-0.1.0.dist-info/entry_points.txt,sha256=kVyCipMY9yXvgIMJnwONt8v-_ZfMbUPlRO7MzpuwbfQ,40
+corclient-0.1.0.dist-info/top_level.txt,sha256=JoPv54lgmqVztIG_JrKHt7hDhK8KTGidli2_NfpK-4o,8
+corclient-0.1.0.dist-info/RECORD,,

corclient-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.9.0)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

corclient-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+cor = corecli.cli:app

corclient-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+corecli

corecli/__init__.py

@@ -0,0 +1,5 @@
+"""CoreCLI - CLI para autenticación con AWS Cognito usando PKCE."""
+
+from corecli._version import __version__
+
+__all__ = ["__version__"]

corecli/_version.py

@@ -0,0 +1,9 @@
+# File generated by setuptools-scm
+# DO NOT EDIT - version is managed by Git tags
+
+try:
+    from setuptools_scm import get_version
+
+    __version__ = get_version(root="..", relative_to=__file__)
+except (ImportError, LookupError):
+    __version__ = "0.0.0+unknown"

corecli/auth.py

@@ -0,0 +1,440 @@
+import json
+import sys
+import webbrowser
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from typing import Optional
+from urllib.parse import parse_qs, urlparse
+
+import requests
+from rich import box
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+
+from corecli.pkce import generate_pkce_pair
+from corecli.utils import clear_tokens, decode_jwt, load_tokens, save_tokens
+
+console = Console()
+
+
+# =====================
+# CONFIG FIJA (NO SE MODIFICA)
+# =====================
+CLIENT_ID = "1gd8tf85qs07ra4b38vcm4mih5"  # <-- tu Client ID
+COGNITO_DOMAIN = "https://corcli.projectcor.com"
+REDIRECT_URI = "http://localhost:8000/callback"
+SCOPES = ["openid", "email", "profile"]
+LOGOUT_REDIRECT_URI = "http://localhost:8000/logout"
+
+
+# =====================
+# HTTP HANDLER PARA CALLBACK
+# =====================
+class CallbackHandler(BaseHTTPRequestHandler):
+    def log_message(self, format, *args):
+        # Silencia logs de acceso/informativos
+        return
+
+    def log_error(self, format, *args):
+        # Muestra únicamente errores a stderr
+        try:
+            sys.stderr.write(
+                f"{self.address_string()} - - [{self.log_date_time_string()}] ERROR: {format % args}\n"
+            )
+        except Exception:
+            pass
+
+    def do_GET(self):
+        if self.path.startswith("/callback"):
+            query = parse_qs(urlparse(self.path).query)
+            self.server.auth_code = query.get("code", [None])[0]
+            app_redirect = getattr(self.server, "app_redirect", None)
+            js_app_redirect = json.dumps(app_redirect) if app_redirect else "null"
+
+            self.send_response(200)
+            self.send_header("Content-Type", "text/html; charset=utf-8")
+            self.end_headers()
+
+            html = f"""
+<!doctype html>
+<html lang=\"es\">
+<head>
+  <meta charset=\"utf-8\" />
+  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />
+  <title>CoreCLI · Login exitoso</title>
+  <style>
+    :root {{
+      --bg: #0b1020;
+      --card: #121a33;
+      --accent: #8ab4f8;
+      --ok: #34d399;
+      --text: #e5e7eb;
+      --muted: #94a3b8;
+    }}
+    * {{ box-sizing: border-box; }}
+    body {{
+      margin: 0;
+      min-height: 100vh;
+      display: grid;
+      place-items: center;
+      background: radial-gradient(1200px 600px at 20% -10%, #1f2a52 0%, #0b1020 70%);
+      color: var(--text);
+      font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Inter, Arial, sans-serif;
+    }}
+    .card {{
+      width: min(680px, 92vw);
+      background: linear-gradient(180deg, rgba(255,255,255,0.04), rgba(255,255,255,0.02));
+      border: 1px solid rgba(255,255,255,0.08);
+      border-radius: 16px;
+      padding: 28px 24px;
+      box-shadow: 0 20px 60px rgba(0,0,0,0.35), inset 0 1px 0 rgba(255,255,255,0.06);
+      backdrop-filter: blur(6px);
+    }}
+    h1 {{
+      margin: 0 0 8px;
+      font-size: 24px;
+      letter-spacing: 0.2px;
+    }}
+    p {{
+      margin: 6px 0;
+      color: var(--muted);
+      line-height: 1.6;
+    }}
+    .ok {{ color: var(--ok); font-weight: 600; }}
+    .meta {{
+      margin-top: 16px;
+      display: grid;
+      grid-template-columns: 1fr 1fr;
+      gap: 8px 16px;
+      font-size: 14px;
+      color: #c7d2fe;
+    }}
+    .countdown {{
+      margin-top: 14px;
+      padding: 10px 12px;
+      border: 1px dashed rgba(138,180,248,0.4);
+      border-radius: 10px;
+      background: rgba(26, 35, 75, 0.35);
+      color: var(--accent);
+      font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+    }}
+    .small {{ font-size: 13px; color: var(--muted); }}
+    a.btn {{
+      display: inline-block;
+      margin-top: 16px;
+      padding: 10px 14px;
+      border-radius: 10px;
+      background: #22315f;
+      color: #e8eeff;
+      text-decoration: none;
+      border: 1px solid rgba(138,180,248,0.25);
+    }}
+    a.btn:hover {{ background: #2b3c70; }}
+  </style>
+  <script>
+    const appRedirect = {js_app_redirect};
+    if (appRedirect) {{
+      // Intenta volver a la app que abrió el login
+      setTimeout(() => {{ window.location.href = appRedirect; }}, 0);
+    }}
+    let secs = 10;
+    function tick() {{
+      const el = document.getElementById('secs');
+      if (el) el.textContent = secs.toString();
+      secs -= 1;
+      if (secs < 0) {{
+        try {{
+          window.open('', '_self');
+          window.close();
+        }} catch (e) {{}}
+      }} else {{
+        setTimeout(tick, 1000);
+      }}
+    }}
+    window.addEventListener('DOMContentLoaded', tick);
+  </script>
+  <meta http-equiv=\"refresh\" content=\"35;url=about:blank\">
+  <!-- meta de respaldo: si window.close falla, al menos salimos de la página -->
+  <link rel=\"icon\" href=\"data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'><circle cx='32' cy='32' r='30' fill='%238ab4f8'/><path d='M20 34l7 7 17-17' stroke='white' stroke-width='6' fill='none' stroke-linecap='round' stroke-linejoin='round'/></svg>\" />
+
+</head>
+<body>
+  <div class=\"card\">
+    <h1>✅ Login exitoso</h1>
+    <p>Ya puedes volver a la terminal. Esta pestaña se cerrará automáticamente.</p>
+    <div class=\"countdown\">Cerrando en <span id=\"secs\">10</span> segundos…</div>
+    <p class=\"small\">Si no se cierra por políticas del navegador, puedes cerrarla manualmente.</p>
+    <a class=\"btn\" href=\"about:blank\">Cerrar ahora</a>
+  </div>
+</body>
+</html>
+"""
+            self.wfile.write(html.encode("utf-8"))
+        elif self.path.startswith("/logout"):
+            self.send_response(200)
+            self.send_header("Content-Type", "text/html; charset=utf-8")
+            self.end_headers()
+
+            html = """
+<!doctype html>
+<html lang=\"es\">
+<head>
+  <meta charset=\"utf-8\" />
+  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />
+  <title>CoreCLI · Logout</title>
+  <style>
+    :root {
+      --bg: #0b1020;
+      --card: #121a33;
+      --accent: #fca5a5;
+      --ok: #34d399;
+      --text: #e5e7eb;
+      --muted: #94a3b8;
+    }
+    * { box-sizing: border-box; }
+    body {
+      margin: 0;
+      min-height: 100vh;
+      display: grid;
+      place-items: center;
+      background: radial-gradient(1200px 600px at 20% -10%, #1f2a52 0%, #0b1020 70%);
+      color: var(--text);
+      font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Inter, Arial, sans-serif;
+    }
+    .card {
+      width: min(680px, 92vw);
+      background: linear-gradient(180deg, rgba(255,255,255,0.04), rgba(255,255,255,0.02));
+      border: 1px solid rgba(255,255,255,0.08);
+      border-radius: 16px;
+      padding: 28px 24px;
+      box-shadow: 0 20px 60px rgba(0,0,0,0.35), inset 0 1px 0 rgba(255,255,255,0.06);
+      backdrop-filter: blur(6px);
+    }
+    h1 {
+      margin: 0 0 8px;
+      font-size: 24px;
+      letter-spacing: 0.2px;
+    }
+    p {
+      margin: 6px 0;
+      color: var(--muted);
+      line-height: 1.6;
+    }
+    .countdown {
+      margin-top: 14px;
+      padding: 10px 12px;
+      border: 1px dashed rgba(252,165,165,0.35);
+      border-radius: 10px;
+      background: rgba(75, 26, 35, 0.25);
+      color: var(--accent);
+      font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+    }
+    .small { font-size: 13px; color: var(--muted); }
+    a.btn {
+      display: inline-block;
+      margin-top: 16px;
+      padding: 10px 14px;
+      border-radius: 10px;
+      background: #5f2222;
+      color: #ffe8e8;
+      text-decoration: none;
+      border: 1px solid rgba(252,165,165,0.35);
+    }
+    a.btn:hover { background: #703030; }
+  </style>
+  <script>
+    let secs = 5;
+    function tick() {
+      const el = document.getElementById('secs');
+      if (el) el.textContent = secs.toString();
+      secs -= 1;
+      if (secs < 0) {
+        try {
+          window.open('', '_self');
+          window.close();
+        } catch (e) {}
+      } else {
+        setTimeout(tick, 1000);
+      }
+    }
+    window.addEventListener('DOMContentLoaded', tick);
+  </script>
+  <meta http-equiv=\"refresh\" content=\"10;url=about:blank\">
+</head>
+<body>
+  <div class=\"card\">
+    <h1>👋 Sesión cerrada</h1>
+    <p>Ya puedes volver a la terminal. Esta pestaña se cerrará automáticamente.</p>
+    <div class=\"countdown\">Cerrando en <span id=\"secs\">5</span> segundos…</div>
+    <a class=\"btn\" href=\"about:blank\">Cerrar ahora</a>
+  </div>
+</body>
+</html>
+"""
+            self.wfile.write(html.encode("utf-8"))
+
+
+def start_local_server(app_redirect: Optional[str] = None):
+    server = HTTPServer(("localhost", 8000), CallbackHandler)
+    # adjunta destino para que la página callback pueda redirigir
+    server.app_redirect = app_redirect  # type: ignore[attr-defined]
+    server.handle_request()
+    return server.auth_code  # type: ignore[attr-defined]
+
+
+# =====================
+# AUTH FLOW
+# =====================
+def login(app_redirect: Optional[str] = None):
+    code_verifier, code_challenge = generate_pkce_pair()
+
+    auth_url = (
+        f"{COGNITO_DOMAIN}/oauth2/authorize?"
+        f"response_type=code&client_id={CLIENT_ID}"
+        f"&redirect_uri={REDIRECT_URI}"
+        f"&scope={' '.join(SCOPES)}"
+        f"&code_challenge={code_challenge}&code_challenge_method=S256"
+    )
+
+    console.print(
+        Panel.fit(
+            "Abriendo navegador para autenticación…\n\n"
+            "Si no se abre automáticamente, copia y pega esta URL:\n"
+            f"[cyan]{auth_url}[/cyan]",
+            title="[bold cyan]CoreCLI · Login",
+            border_style="cyan",
+        )
+    )
+    webbrowser.open(auth_url)
+
+    auth_code = start_local_server(app_redirect=app_redirect)
+    if not auth_code:
+        console.print(
+            Panel(
+                "No se recibió el código de autorización.", title="[red]Error", border_style="red"
+            )
+        )
+        raise Exception("No se recibió el código de autorización.")
+
+    token_url = f"{COGNITO_DOMAIN}/oauth2/token"
+    data = {
+        "grant_type": "authorization_code",
+        "client_id": CLIENT_ID,
+        "redirect_uri": REDIRECT_URI,
+        "code": auth_code,
+        "code_verifier": code_verifier,
+    }
+
+    resp = requests.post(
+        token_url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"}
+    )
+    resp.raise_for_status()
+    tokens = resp.json()
+
+    save_tokens(tokens)
+    console.print(
+        Panel.fit(
+            "✅ Autenticación exitosa, tokens guardados.", border_style="green", title="[green]OK"
+        )
+    )
+
+
+def refresh_tokens():
+    tokens = load_tokens()
+    if not tokens or "refresh_token" not in tokens:
+        console.print(
+            Panel.fit(
+                "No hay refresh token guardado. Ejecuta `core-login login` para autenticarse de nuevo.",
+                title="[yellow]Aviso",
+                border_style="yellow",
+            )
+        )
+        return
+
+    token_url = f"{COGNITO_DOMAIN}/oauth2/token"
+    data = {
+        "grant_type": "refresh_token",
+        "client_id": CLIENT_ID,
+        "refresh_token": tokens["refresh_token"],
+    }
+
+    resp = requests.post(
+        token_url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"}
+    )
+    resp.raise_for_status()
+    new_tokens = resp.json()
+
+    if "refresh_token" not in new_tokens:
+        new_tokens["refresh_token"] = tokens["refresh_token"]
+
+    save_tokens(new_tokens)
+    console.print(
+        Panel.fit("🔄 Tokens refrescados correctamente.", border_style="green", title="[green]OK")
+    )
+
+
+def whoami():
+    tokens = load_tokens()
+    if not tokens or "id_token" not in tokens:
+        console.print(
+            Panel.fit(
+                "No hay sesión activa. Ejecuta `core-login login` primero.",
+                title="[yellow]Aviso",
+                border_style="yellow",
+            )
+        )
+        return
+
+    id_token = tokens["id_token"]
+    claims = decode_jwt(id_token)
+
+    table = Table(
+        title="👤 Usuario autenticado",
+        show_header=False,
+        box=box.SIMPLE,
+        padding=(0, 1),
+        border_style="cyan",
+    )
+    table.add_row("sub", f"[white]{claims.get('sub')}[/white]")
+    table.add_row("email", f"[white]{claims.get('email')}[/white]")
+    table.add_row("username", f"[white]{claims.get('cognito:username')}[/white]")
+    console.print(table)
+
+
+def logout(local_only: bool = True):
+    """Cierra sesión local: revoca refresh token (best-effort) y borra tokens locales."""
+    tokens = load_tokens()
+
+    # Revocación opcional de refresh_token (si el pool lo permite)
+    try:
+        if tokens and tokens.get("refresh_token"):
+            revoke_url = f"{COGNITO_DOMAIN}/oauth2/revoke"
+            data = {
+                "token": tokens["refresh_token"],
+                "client_id": CLIENT_ID,
+            }
+            # best-effort
+            requests.post(
+                revoke_url,
+                data=data,
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+                timeout=5,
+            )
+    except Exception:
+        pass
+
+    # Borra tokens locales
+    cleared = clear_tokens()
+
+    # Ya no se abre Hosted UI: logout 100% local
+
+    if cleared:
+        console.print(
+            Panel.fit("🧹 Tokens locales eliminados.", border_style="green", title="[green]OK")
+        )
+    else:
+        console.print(
+            Panel.fit(
+                "No se pudieron borrar los tokens locales.", border_style="red", title="[red]Aviso"
+            )
+        )

corecli/cli.py

@@ -0,0 +1,43 @@
+from typing import Optional
+
+import typer
+
+from corecli import auth
+
+app = typer.Typer(help="CoreCLI - CLI de ejemplo con login en Cognito usando PKCE")
+
+
+@app.command()
+def login(
+    app_redirect: Optional[str] = typer.Option(
+        None,
+        "--app-redirect",
+        "-r",
+        help="URL o esquema (p.ej. myapp://callback) al que redirigir tras login",
+    ),
+):
+    """Inicia el flujo de autenticación con Cognito (Hosted UI + PKCE)."""
+    auth.login(app_redirect=app_redirect)
+
+
+@app.command()
+def refresh():
+    """Refresca los tokens usando refresh_token guardado."""
+    auth.refresh_tokens()
+
+
+@app.command()
+def whoami():
+    """Muestra información del usuario autenticado (id_token)."""
+    auth.whoami()
+
+
+@app.command()
+def logout():
+    """Cierra sesión local (revoca/borrado de tokens)."""
+    auth.logout()
+
+
+def main():
+    """Compatibilidad: permite ejecutar como 'python -m corecli.cli' o entrypoint antiguo."""
+    app()

corecli/pkce.py

@@ -0,0 +1,14 @@
+import base64
+import hashlib
+import secrets
+
+
+def generate_pkce_pair():
+    """Genera (code_verifier, code_challenge) para PKCE."""
+    code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("utf-8").rstrip("=")
+    code_challenge = (
+        base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode("utf-8")).digest())
+        .decode("utf-8")
+        .rstrip("=")
+    )
+    return code_verifier, code_challenge

corecli/utils.py

@@ -0,0 +1,42 @@
+import base64
+import json
+import os
+from typing import Any
+
+CONFIG_DIR = os.path.expanduser("~/.corecli")
+TOKENS_FILE = os.path.join(CONFIG_DIR, "tokens.json")
+
+
+def save_tokens(tokens: dict):
+    os.makedirs(CONFIG_DIR, exist_ok=True)
+    with open(TOKENS_FILE, "w") as f:
+        json.dump(tokens, f, indent=2)
+
+
+def load_tokens():
+    if os.path.exists(TOKENS_FILE):
+        with open(TOKENS_FILE) as f:
+            return json.load(f)
+    return None
+
+
+def decode_jwt(token: str) -> dict[str, Any]:
+    """Decodifica un JWT (solo payload, sin validar firma)."""
+    parts = token.split(".")
+    if len(parts) != 3:
+        raise ValueError("Token JWT inválido")
+
+    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # padding
+    payload_json = base64.urlsafe_b64decode(payload_b64.encode()).decode()
+    return json.loads(payload_json)  # type: ignore[no-any-return]
+
+
+def clear_tokens() -> bool:
+    """Elimina el archivo de tokens local si existe."""
+    if os.path.exists(TOKENS_FILE):
+        try:
+            os.remove(TOKENS_FILE)
+            return True
+        except OSError:
+            return False
+    return True