direct-cli 0.3.2__tar.gz → 0.3.3__tar.gz

direct_cli-0.3.3/CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+
+## 0.3.3
+
+**BREAKING CHANGE:** OAuth profiles created before 0.3.3 (without `refresh_token` and `expires_at`) are no longer accepted. Any such profile will fail immediately with an "incomplete profile" error. Run `direct auth login --profile <name>` to re-authenticate and create a valid 0.3.3 profile.
+
+- Added refresh token persistence for OAuth profiles.
+- Added automatic OAuth access token refresh before expiry.
+- Added `expires_in` details to `direct auth status`.
+- Added JSON output for `direct auth status`.
+- Kept `direct auth login --oauth-token` as a manual access-token import without auto-refresh.

{direct_cli-0.3.2 → direct_cli-0.3.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: direct-cli
-Version: 0.3.2
+Version: 0.3.3
 Summary: Command-line interface for Yandex Direct API
 Author: axisrow
 License: MIT
@@ -83,7 +83,6 @@ OAuth and profile commands:
 direct auth login
 direct auth login --profile agency1
 direct auth login --code abc123 --profile agency1
-direct auth login --oauth-token y0_example --profile agency1
 direct auth list
 direct auth use --profile agency1
 direct auth status --profile agency1
@@ -95,6 +94,8 @@ Notes:
 - Select credentials with `--profile`.
 - `--login` remains Direct client login.
 - Authorization is performed via `direct auth login`.
+- OAuth profiles store refresh tokens and refresh access tokens automatically.
+- `direct auth login --oauth-token TOKEN` is a manual access-token import and does not auto-refresh.
 - Alias `auth_login` is not supported.
 
 Credential resolution priority:
@@ -156,18 +157,24 @@ direct v4events get-events-log --from 2026-04-14T00:00:00 --to 2026-04-15T00:00:
 
 ### V4 Live Finance
 
-`get-credit-limits` requires a financial token and operation number. Pass them
-with `--finance-token` and `--operation-num`, or set
-`YANDEX_DIRECT_FINANCE_TOKEN` and `YANDEX_DIRECT_OPERATION_NUM`.
-Money mutation commands are dry-run-only in this release and always require
-`--dry-run`; dry-run output masks the financial token.
+Finance methods require an extra financial token for money operations. In the
+Yandex Direct web UI, open Tools -> API -> Financial operations, enable the
+financial operations checkbox, click Save, then issue the master token on the
+same Financial operations page and confirm by SMS. Direct CLI can compute the
+per-request token from `--master-token`, `--operation-num`, and
+`--finance-login`; alternatively pass a precomputed token with `--finance-token`.
+Environment variables are
+`YANDEX_DIRECT_MASTER_TOKEN`, `YANDEX_DIRECT_FINANCE_LOGIN`,
+`YANDEX_DIRECT_FINANCE_TOKEN`, and `YANDEX_DIRECT_OPERATION_NUM`. Money mutation
+commands are dry-run-only in this release and always require `--dry-run`; dry-run
+output masks the financial token.
 
 ```bash
-direct v4finance get-credit-limits --logins client-login --finance-token FINANCE_TOKEN --operation-num 123
+direct v4finance get-credit-limits --logins client-login --master-token MASTER_TOKEN --operation-num 123 --finance-login agency-login
 direct v4finance get-credit-limits --logins client-login,other-client --format table
 direct v4finance check-payment --custom-transaction-id A123456789012345678901234567890B
-direct v4finance transfer-money --from-campaign-id 123 --to-campaign-id 456 --amount 100.50 --finance-token FINANCE_TOKEN --operation-num 123 --dry-run
-direct v4finance pay-campaigns --campaign-id 123 --amount 100.50 --contract-id CONTRACT_ID --pay-method CREDIT --finance-token FINANCE_TOKEN --operation-num 123 --dry-run
+direct v4finance transfer-money --from-campaign-id 123 --to-campaign-id 456 --amount 100.50 --currency RUB --master-token MASTER_TOKEN --operation-num 123 --finance-login agency-login --dry-run
+direct v4finance pay-campaigns --campaign-ids 123,456 --amount 100.50 --currency RUB --contract-id CONTRACT_ID --pay-method Bank --master-token MASTER_TOKEN --operation-num 123 --finance-login agency-login --dry-run
 ```
 
 ### V4 Live Shared Account
@@ -583,7 +590,7 @@ CI runs a scheduled API coverage workflow that:
 
 `WRITE_SANDBOX` smoke is a live check against the Yandex Direct **sandbox**.
 It does not replay stored HTTP traffic and it does not create new recordings.
-Run it only when you intentionally want to call `api-sandbox.direct.yandex.com`:
+Run it only when you intentionally want to call `api-sandbox.direct.yandex.ru`:
 
 ```bash
 set -a && source .env && set +a
@@ -725,13 +732,16 @@ OAuth и profile-команды:
 direct auth login
 direct auth login --profile agency1
 direct auth login --code abc123 --profile agency1
-direct auth login --oauth-token y0_example --profile agency1
 direct auth list
 direct auth use --profile agency1
 direct auth status --profile agency1
 direct --profile agency1 campaigns get
 ```
 
+Примечания:
+- OAuth profiles сохраняют refresh token и автоматически обновляют access token.
+- `direct auth login --oauth-token TOKEN` импортирует access token вручную и не включает auto-refresh.
+
 Порядок выбора credentials:
 
 | Приоритет | Источник | Пример |
@@ -1176,7 +1186,7 @@ YANDEX_DIRECT_LIVE_WRITE=1 pytest -m integration_live_write -v --record-mode=rew
 `WRITE_SANDBOX` smoke — это live-проверка против **sandbox-окружения**
 Яндекс Директа. Она не воспроизводит сохранённый HTTP-трафик и не создаёт
 новые записи. Запускайте её только когда намеренно хотите обратиться к
-`api-sandbox.direct.yandex.com`:
+`api-sandbox.direct.yandex.ru`:
 
 ```bash
 set -a && source .env && set +a

{direct_cli-0.3.2 → direct_cli-0.3.3}/README.md

@@ -44,7 +44,6 @@ OAuth and profile commands:
 direct auth login
 direct auth login --profile agency1
 direct auth login --code abc123 --profile agency1
-direct auth login --oauth-token y0_example --profile agency1
 direct auth list
 direct auth use --profile agency1
 direct auth status --profile agency1
@@ -56,6 +55,8 @@ Notes:
 - Select credentials with `--profile`.
 - `--login` remains Direct client login.
 - Authorization is performed via `direct auth login`.
+- OAuth profiles store refresh tokens and refresh access tokens automatically.
+- `direct auth login --oauth-token TOKEN` is a manual access-token import and does not auto-refresh.
 - Alias `auth_login` is not supported.
 
 Credential resolution priority:
@@ -117,18 +118,24 @@ direct v4events get-events-log --from 2026-04-14T00:00:00 --to 2026-04-15T00:00:
 
 ### V4 Live Finance
 
-`get-credit-limits` requires a financial token and operation number. Pass them
-with `--finance-token` and `--operation-num`, or set
-`YANDEX_DIRECT_FINANCE_TOKEN` and `YANDEX_DIRECT_OPERATION_NUM`.
-Money mutation commands are dry-run-only in this release and always require
-`--dry-run`; dry-run output masks the financial token.
+Finance methods require an extra financial token for money operations. In the
+Yandex Direct web UI, open Tools -> API -> Financial operations, enable the
+financial operations checkbox, click Save, then issue the master token on the
+same Financial operations page and confirm by SMS. Direct CLI can compute the
+per-request token from `--master-token`, `--operation-num`, and
+`--finance-login`; alternatively pass a precomputed token with `--finance-token`.
+Environment variables are
+`YANDEX_DIRECT_MASTER_TOKEN`, `YANDEX_DIRECT_FINANCE_LOGIN`,
+`YANDEX_DIRECT_FINANCE_TOKEN`, and `YANDEX_DIRECT_OPERATION_NUM`. Money mutation
+commands are dry-run-only in this release and always require `--dry-run`; dry-run
+output masks the financial token.
 
 ```bash
-direct v4finance get-credit-limits --logins client-login --finance-token FINANCE_TOKEN --operation-num 123
+direct v4finance get-credit-limits --logins client-login --master-token MASTER_TOKEN --operation-num 123 --finance-login agency-login
 direct v4finance get-credit-limits --logins client-login,other-client --format table
 direct v4finance check-payment --custom-transaction-id A123456789012345678901234567890B
-direct v4finance transfer-money --from-campaign-id 123 --to-campaign-id 456 --amount 100.50 --finance-token FINANCE_TOKEN --operation-num 123 --dry-run
-direct v4finance pay-campaigns --campaign-id 123 --amount 100.50 --contract-id CONTRACT_ID --pay-method CREDIT --finance-token FINANCE_TOKEN --operation-num 123 --dry-run
+direct v4finance transfer-money --from-campaign-id 123 --to-campaign-id 456 --amount 100.50 --currency RUB --master-token MASTER_TOKEN --operation-num 123 --finance-login agency-login --dry-run
+direct v4finance pay-campaigns --campaign-ids 123,456 --amount 100.50 --currency RUB --contract-id CONTRACT_ID --pay-method Bank --master-token MASTER_TOKEN --operation-num 123 --finance-login agency-login --dry-run
 ```
 
 ### V4 Live Shared Account
@@ -544,7 +551,7 @@ CI runs a scheduled API coverage workflow that:
 
 `WRITE_SANDBOX` smoke is a live check against the Yandex Direct **sandbox**.
 It does not replay stored HTTP traffic and it does not create new recordings.
-Run it only when you intentionally want to call `api-sandbox.direct.yandex.com`:
+Run it only when you intentionally want to call `api-sandbox.direct.yandex.ru`:
 
 ```bash
 set -a && source .env && set +a
@@ -686,13 +693,16 @@ OAuth и profile-команды:
 direct auth login
 direct auth login --profile agency1
 direct auth login --code abc123 --profile agency1
-direct auth login --oauth-token y0_example --profile agency1
 direct auth list
 direct auth use --profile agency1
 direct auth status --profile agency1
 direct --profile agency1 campaigns get
 ```
 
+Примечания:
+- OAuth profiles сохраняют refresh token и автоматически обновляют access token.
+- `direct auth login --oauth-token TOKEN` импортирует access token вручную и не включает auto-refresh.
+
 Порядок выбора credentials:
 
 | Приоритет | Источник | Пример |
@@ -1137,7 +1147,7 @@ YANDEX_DIRECT_LIVE_WRITE=1 pytest -m integration_live_write -v --record-mode=rew
 `WRITE_SANDBOX` smoke — это live-проверка против **sandbox-окружения**
 Яндекс Директа. Она не воспроизводит сохранённый HTTP-трафик и не создаёт
 новые записи. Запускайте её только когда намеренно хотите обратиться к
-`api-sandbox.direct.yandex.com`:
+`api-sandbox.direct.yandex.ru`:
 
 ```bash
 set -a && source .env && set +a

direct_cli-0.3.3/direct_cli/_vendor/tapi_yandex_direct/endpoints.py

@@ -0,0 +1,14 @@
+"""Runtime endpoints for Yandex Direct API transports."""
+
+from typing import Any, Dict
+
+DIRECT_API_PRODUCTION_ROOT = "https://api.direct.yandex.ru/"
+DIRECT_API_SANDBOX_ROOT = "https://api-sandbox.direct.yandex.ru/"
+DIRECT_DEBUG_ROOT = "https://"
+
+
+def get_direct_api_root(api_params: Dict[str, Any]) -> str:
+    """Return the Direct API root for production or sandbox requests."""
+    if api_params.get("is_sandbox"):
+        return DIRECT_API_SANDBOX_ROOT
+    return DIRECT_API_PRODUCTION_ROOT

{direct_cli-0.3.2 → direct_cli-0.3.3}/direct_cli/_vendor/tapi_yandex_direct/tapi_yandex_direct.py

@@ -9,6 +9,7 @@ from tapi2 import TapiAdapter, generate_wrapper_from_adapter, JSONAdapterMixin
 from tapi2.exceptions import ResponseProcessException, ClientError, TapiException
 
 from . import exceptions
+from .endpoints import DIRECT_DEBUG_ROOT, get_direct_api_root
 from .resource_mapping import RESOURCE_MAPPING_V5
 
 logger = logging.getLogger(__name__)
@@ -72,11 +73,8 @@ class YandexDirectClientAdapter(JSONAdapterMixin, TapiAdapter):
 
     def get_api_root(self, api_params: dict, resource_name: str) -> str:
         if resource_name == "debugtoken":
-            return "https://"
-        elif api_params.get("is_sandbox"):
-            return "https://api-sandbox.direct.yandex.com/"
-        else:
-            return "https://api.direct.yandex.com/"
+            return DIRECT_DEBUG_ROOT
+        return get_direct_api_root(api_params)
 
     def get_request_kwargs(self, api_params: dict, *args, **kwargs) -> dict:
         """Обогащение запроса, параметрами"""
@@ -154,7 +152,7 @@ class YandexDirectClientAdapter(JSONAdapterMixin, TapiAdapter):
                 "The report generation time has exceeded the server limit. "
                 "Please try to change the request parameters, "
                 "reduce the period or the amount of requested data.",
-                **kwargs
+                **kwargs,
             )
         elif response.status_code == 405:
             raise exceptions.YandexDirectApiError(
@@ -162,7 +160,7 @@ class YandexDirectClientAdapter(JSONAdapterMixin, TapiAdapter):
                 "This resource does not support the HTTP method {}\n".format(
                     response.request.method
                 ),
-                **kwargs
+                **kwargs,
             )
 
         data = self.response_to_native(response)
@@ -190,7 +188,7 @@ class YandexDirectClientAdapter(JSONAdapterMixin, TapiAdapter):
         response: Response,
         request_kwargs: dict,
         api_params: dict,
-        **kwargs
+        **kwargs,
     ) -> None:
         if response.status_code in (201, 202):
             pass
@@ -230,7 +228,7 @@ class YandexDirectClientAdapter(JSONAdapterMixin, TapiAdapter):
         response: Response,
         request_kwargs: dict,
         api_params: dict,
-        **kwargs
+        **kwargs,
     ) -> bool:
         status_code = response.status_code
         error_data = error_message.get("error", {})
@@ -283,7 +281,7 @@ class YandexDirectClientAdapter(JSONAdapterMixin, TapiAdapter):
         response: Response,
         request_kwargs: dict,
         api_params: dict,
-        **kwargs
+        **kwargs,
     ) -> Optional[dict]:
         limit = response_data["result"].get("LimitedBy")
         if limit:

{direct_cli-0.3.2 → direct_cli-0.3.3}/direct_cli/_vendor/tapi_yandex_direct/v4/adapter.py

@@ -18,6 +18,7 @@ from tapi2 import JSONAdapterMixin, TapiAdapter, generate_wrapper_from_adapter
 from tapi2.exceptions import ClientError, ResponseProcessException, TapiException
 
 from .. import exceptions
+from ..endpoints import get_direct_api_root
 from .resource_mapping import (
     RESOURCE_MAPPING_V4_LIVE,
     SUPPORTED_V4_METHODS,
@@ -33,9 +34,7 @@ class V4LiveClientAdapter(JSONAdapterMixin, TapiAdapter):
         super().__init__(*args, **kwargs)
 
     def get_api_root(self, api_params: dict, resource_name: str) -> str:
-        if api_params.get("is_sandbox"):
-            return "https://api-sandbox.direct.yandex.ru/"
-        return "https://api.direct.yandex.ru/"
+        return get_direct_api_root(api_params)
 
     def get_request_kwargs(self, api_params: dict, *args, **kwargs) -> dict:
         params = super().get_request_kwargs(api_params, *args, **kwargs)
@@ -107,7 +106,9 @@ class V4LiveClientAdapter(JSONAdapterMixin, TapiAdapter):
                 data = None
         return data
 
-    def process_response(self, response: Response, request_kwargs: dict, **kwargs) -> dict:
+    def process_response(
+        self, response: Response, request_kwargs: dict, **kwargs
+    ) -> dict:
         # Mirror the v5 behaviour: turn the serialised body back into a dict so
         # downstream hooks (extract, retry) can read it.
         if isinstance(request_kwargs.get("data"), (bytes, bytearray, str)):
@@ -187,8 +188,13 @@ class V4LiveClientAdapter(JSONAdapterMixin, TapiAdapter):
 
         return False
 
-    def extract(self, data, response: Optional[Response] = None,
-                request_kwargs: Optional[dict] = None, **kwargs):
+    def extract(
+        self,
+        data,
+        response: Optional[Response] = None,
+        request_kwargs: Optional[dict] = None,
+        **kwargs,
+    ):
         # v4 Live always nests payload under "data". For methods returning a
         # bare scalar (TransferMoney → 1), the scalar comes through unchanged.
         # response / request_kwargs are accepted but unused — they are kept

{direct_cli-0.3.2 → direct_cli-0.3.3}/direct_cli/auth.py

@@ -5,12 +5,13 @@ Authentication module for Direct CLI
 import base64
 import hashlib
 import json
+import logging
 import os
 import secrets
 import shutil
 import subprocess
 import tempfile
-import logging
+import time
 import urllib.error
 import urllib.parse
 import urllib.request
@@ -29,6 +30,7 @@ YANDEX_OAUTH_AUTHORIZE_URL = "https://oauth.yandex.ru/authorize"
 YANDEX_OAUTH_TOKEN_URL = "https://oauth.yandex.ru/token"
 DEFAULT_OAUTH_CLIENT_ID = "dcf15d9625f6471d94d6d054d52017ba"
 AUTH_STORE_PATH = Path.home() / ".direct-cli" / "auth.json"
+OAUTH_REFRESH_SKEW_SECONDS = 60
 
 
 def op_read(ref: str) -> str:
@@ -175,17 +177,33 @@ def save_oauth_profile(
     profile: str,
     token: str,
     login: Optional[str] = None,
+    refresh_token: Optional[str] = None,
+    expires_at: Optional[float] = None,
+    client_id: str = DEFAULT_OAUTH_CLIENT_ID,
+    client_secret: Optional[str] = None,
+    source: str = "oauth",
     make_active: bool = True,
     path: Optional[Path] = None,
 ) -> None:
     """Save/update one OAuth profile without exposing secret values."""
     store = load_auth_store(path=path)
     profiles = store["profiles"]
-    profiles[profile] = {
+    item: Dict[str, Any] = {
         "token": token,
         "login": login,
-        "source": "oauth",
+        "source": source,
     }
+    if source == "oauth":
+        if not refresh_token:
+            raise ValueError("OAuth profile requires refresh_token")
+        if expires_at is None:
+            raise ValueError("OAuth profile requires expires_at")
+        item["refresh_token"] = refresh_token
+        item["expires_at"] = float(expires_at)
+        item["client_id"] = client_id
+        if client_secret:
+            item["client_secret"] = client_secret
+    profiles[profile] = item
     if make_active:
         store["active_profile"] = profile
     save_auth_store(store, path=path)
@@ -205,7 +223,7 @@ def get_active_profile(path: Optional[Path] = None) -> Optional[str]:
 
 def get_oauth_profile(
     profile: str, path: Optional[Path] = None
-) -> Optional[Dict[str, Optional[str]]]:
+) -> Optional[Dict[str, Any]]:
     """Get OAuth profile by name."""
     store = load_auth_store(path=path)
     item = store["profiles"].get(profile)
@@ -217,7 +235,13 @@ def get_oauth_profile(
         return None
     if login is not None and not isinstance(login, str):
         login = None
-    return {"token": token, "login": login}
+    result = dict(item)
+    result["token"] = token
+    result["login"] = login
+    source = result.get("source")
+    if not isinstance(source, str):
+        result["source"] = "oauth"
+    return result
 
 
 def get_env_profile(profile: str) -> Tuple[Optional[str], Optional[str]]:
@@ -245,9 +269,12 @@ def list_profiles(path: Optional[Path] = None) -> List[Dict[str, Any]]:
         login = data.get("login")
         if not isinstance(token, str) or not token:
             continue
+        source = data.get("source")
+        if not isinstance(source, str):
+            source = "oauth"
         profiles[profile_name] = {
             "profile": profile_name,
-            "source": "oauth",
+            "source": source,
             "has_token": True,
             "has_login": bool(login),
             "login": login,
@@ -266,7 +293,7 @@ def list_profiles(path: Optional[Path] = None) -> List[Dict[str, Any]]:
         login = env.get(f"YANDEX_DIRECT_LOGIN_{suffix}")
         existing = profiles.get(profile_name)
         if existing:
-            existing["source"] = "oauth+env"
+            existing["source"] = f"{existing['source']}+env"
             existing["has_login"] = bool(existing["has_login"] or login)
             existing["login"] = existing["login"] or login
             continue
@@ -313,7 +340,7 @@ def exchange_oauth_code(
     client_id: str = DEFAULT_OAUTH_CLIENT_ID,
     client_secret: Optional[str] = None,
     code_verifier: Optional[str] = None,
-) -> str:
+) -> Dict[str, Any]:
     """Exchange OAuth authorization code for access token."""
     payload: Dict[str, str] = {
         "grant_type": "authorization_code",
@@ -336,22 +363,121 @@ def exchange_oauth_code(
         with urllib.request.urlopen(request, timeout=20) as response:
             result = json.loads(response.read().decode("utf-8"))
     except urllib.error.HTTPError as error:
-        details = error.read().decode("utf-8", errors="ignore")
-        if details:
-            raise RuntimeError(f"OAuth token request failed: {details}") from error
         raise RuntimeError(
             f"OAuth token request failed with HTTP {error.code}"
         ) from error
     except urllib.error.URLError as error:
+        if isinstance(error.reason, TimeoutError):
+            raise RuntimeError("OAuth token request timed out") from error
         raise RuntimeError(f"OAuth token request failed: {error.reason}") from error
-    except TimeoutError as error:
-        raise RuntimeError("OAuth token request timed out") from error
 
     access_token = result.get("access_token")
     if not isinstance(access_token, str) or not access_token:
         raise RuntimeError("OAuth token response does not contain access_token")
-    # TODO: Persist refresh_token/expires_in and refresh automatically.
-    return access_token
+    refresh_token = result.get("refresh_token")
+    if not isinstance(refresh_token, str) or not refresh_token:
+        raise RuntimeError("OAuth token response does not contain refresh_token")
+    expires_in = result.get("expires_in")
+    if not isinstance(expires_in, int) or expires_in <= 0:
+        raise RuntimeError("OAuth token response does not contain expires_in")
+    return {
+        "access_token": access_token,
+        "refresh_token": refresh_token,
+        "expires_in": expires_in,
+    }
+
+
+def _oauth_profile_incomplete_error(profile: str) -> ValueError:
+    return ValueError(
+        f"OAuth profile '{profile}' is incomplete. "
+        f"Run direct auth login --profile {profile} again."
+    )
+
+
+def validate_oauth_profile(profile: str, data: Dict[str, Any]) -> None:
+    refresh_token = data.get("refresh_token")
+    expires_at = data.get("expires_at")
+    if not isinstance(refresh_token, str) or not refresh_token:
+        raise _oauth_profile_incomplete_error(profile)
+    if not isinstance(expires_at, (int, float)):
+        raise _oauth_profile_incomplete_error(profile)
+
+
+def refresh_access_token(profile: str, path: Optional[Path] = None) -> Dict[str, Any]:
+    """Refresh and persist an OAuth profile access token."""
+    store = load_auth_store(path=path)
+    profiles = store["profiles"]
+    item = profiles.get(profile)
+    if not isinstance(item, dict):
+        raise ValueError(f"Profile '{profile}' is not configured.")
+    validate_oauth_profile(profile, item)
+
+    refresh_token = item["refresh_token"]
+    client_id = item.get("client_id")
+    if not isinstance(client_id, str) or not client_id:
+        client_id = DEFAULT_OAUTH_CLIENT_ID
+    client_secret = item.get("client_secret")
+
+    payload: Dict[str, str] = {
+        "grant_type": "refresh_token",
+        "client_id": client_id,
+        "refresh_token": refresh_token,
+    }
+    if isinstance(client_secret, str) and client_secret:
+        payload["client_secret"] = client_secret
+    body = urllib.parse.urlencode(payload).encode("utf-8")
+    request = urllib.request.Request(
+        YANDEX_OAUTH_TOKEN_URL,
+        data=body,
+        method="POST",
+        headers={"Content-Type": "application/x-www-form-urlencoded"},
+    )
+    try:
+        with urllib.request.urlopen(request, timeout=20) as response:
+            result = json.loads(response.read().decode("utf-8"))
+    except urllib.error.HTTPError as error:
+        if error.code in (400, 401):
+            # Concurrent-refresh race: another process may have just rotated
+            # the token. Re-read the store and, if a fresher access token is
+            # already on disk, return it instead of falsely declaring expiry.
+            fresh_store = load_auth_store(path=path)
+            fresh_item = fresh_store["profiles"].get(profile)
+            if isinstance(fresh_item, dict):
+                fresh_expires = fresh_item.get("expires_at")
+                if (
+                    isinstance(fresh_expires, (int, float))
+                    and float(fresh_expires) > time.time() + OAUTH_REFRESH_SKEW_SECONDS
+                ):
+                    return fresh_item
+            raise RuntimeError(
+                f"OAuth refresh token expired. "
+                f"Run direct auth login --profile {profile} again."
+            ) from error
+        raise RuntimeError(
+            f"OAuth refresh request failed with HTTP {error.code}"
+        ) from error
+    except urllib.error.URLError as error:
+        if isinstance(error.reason, TimeoutError):
+            raise RuntimeError("OAuth refresh request timed out") from error
+        raise RuntimeError(f"OAuth refresh request failed: {error.reason}") from error
+
+    access_token = result.get("access_token")
+    if not isinstance(access_token, str) or not access_token:
+        raise RuntimeError("OAuth refresh response does not contain access_token")
+    expires_in = result.get("expires_in")
+    if not isinstance(expires_in, int) or expires_in <= 0:
+        raise RuntimeError("OAuth refresh response does not contain expires_in")
+
+    item["token"] = access_token
+    new_refresh_token = result.get("refresh_token")
+    if isinstance(new_refresh_token, str) and new_refresh_token:
+        item["refresh_token"] = new_refresh_token
+    item["expires_at"] = time.time() + expires_in
+    item["client_id"] = client_id
+    item["source"] = "oauth"
+    profiles[profile] = item
+    save_auth_store(store, path=path)
+    return item
 
 
 def resolve_login(token: str) -> Optional[str]:
@@ -364,7 +490,12 @@ def resolve_login(token: str) -> Optional[str]:
         with urllib.request.urlopen(request, timeout=10) as response:
             data = json.loads(response.read().decode("utf-8"))
             return data.get("login")
-    except (urllib.error.URLError, urllib.error.HTTPError, OSError, json.JSONDecodeError) as exc:
+    except (
+        urllib.error.URLError,
+        urllib.error.HTTPError,
+        OSError,
+        json.JSONDecodeError,
+    ) as exc:
         logging.debug("resolve_login failed: %s", exc)
         return None
 
@@ -415,6 +546,11 @@ def get_credentials(
     if selected_profile and not final_token:
         oauth_profile = get_oauth_profile(selected_profile)
         if oauth_profile:
+            if oauth_profile.get("source") == "oauth":
+                validate_oauth_profile(selected_profile, oauth_profile)
+                expires_at = float(oauth_profile["expires_at"])
+                if expires_at <= time.time() + OAUTH_REFRESH_SKEW_SECONDS:
+                    oauth_profile = refresh_access_token(selected_profile)
             final_token = oauth_profile["token"]
             if not final_login:
                 final_login = oauth_profile["login"]