oauth-cli-kit 0.1.1__tar.gz

oauth_cli_kit-0.1.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 nanobot contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

oauth_cli_kit-0.1.1/PKG-INFO

@@ -0,0 +1,16 @@
+Metadata-Version: 2.4
+Name: oauth-cli-kit
+Version: 0.1.1
+Summary: Reusable OAuth 2.0 + PKCE helpers for CLI applications
+Author: nanobot contributors
+License: MIT
+License-File: LICENSE
+Keywords: auth,cli,oauth,pkce
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.11
+Requires-Dist: httpx>=0.25.0
+Requires-Dist: platformdirs>=4.0.0

oauth_cli_kit-0.1.1/README.md

@@ -0,0 +1,3 @@
+# oauth-cli-kit
+
+A small, reusable OAuth 2.0 + PKCE helper focused on CLI apps. Ships with a default OpenAI Codex configuration but supports custom providers.

oauth_cli_kit-0.1.1/oauth_cli_kit/__init__.py

@@ -0,0 +1,13 @@
+"""oauth-cli-kit public API."""
+
+from oauth_cli_kit.constants import OPENAI_CODEX_PROVIDER
+from oauth_cli_kit.flow import get_token, login_oauth_interactive
+from oauth_cli_kit.models import OAuthProviderConfig, OAuthToken
+
+__all__ = [
+    "OPENAI_CODEX_PROVIDER",
+    "OAuthProviderConfig",
+    "OAuthToken",
+    "get_token",
+    "login_oauth_interactive",
+]

oauth_cli_kit-0.1.1/oauth_cli_kit/constants.py

@@ -0,0 +1,31 @@
+"""Default provider settings and constants."""
+
+from __future__ import annotations
+
+from oauth_cli_kit.models import OAuthProviderConfig
+
+SUCCESS_HTML = (
+    "<!doctype html>"
+    "<html lang=\"en\">"
+    "<head>"
+    "<meta charset=\"utf-8\" />"
+    "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />"
+    "<title>Authentication successful</title>"
+    "</head>"
+    "<body>"
+    "<p>Authentication successful. Return to your terminal to continue.</p>"
+    "</body>"
+    "</html>"
+)
+
+OPENAI_CODEX_PROVIDER = OAuthProviderConfig(
+    client_id="app_EMoamEEZ73f0CkXaXp7hrann",
+    authorize_url="https://auth.openai.com/oauth/authorize",
+    token_url="https://auth.openai.com/oauth/token",
+    redirect_uri="http://localhost:1455/auth/callback",
+    scope="openid profile email offline_access",
+    jwt_claim_path="https://api.openai.com/auth",
+    account_id_claim="chatgpt_account_id",
+    default_originator="nanobot",
+    token_filename="codex.json",
+)

oauth_cli_kit-0.1.1/oauth_cli_kit/flow.py

@@ -0,0 +1,284 @@
+"""OAuth login and token management."""
+
+from __future__ import annotations
+
+import asyncio
+import sys
+import threading
+import time
+import urllib.parse
+import webbrowser
+from typing import Callable
+
+import httpx
+
+from oauth_cli_kit.constants import OPENAI_CODEX_PROVIDER
+from oauth_cli_kit.models import OAuthProviderConfig, OAuthToken
+from oauth_cli_kit.pkce import (
+    _create_state,
+    _decode_account_id,
+    _generate_pkce,
+    _parse_authorization_input,
+    _parse_token_payload,
+)
+from oauth_cli_kit.server import _start_local_server
+from oauth_cli_kit.storage import FileTokenStorage, TokenStorage, _FileLock
+
+
+def _exchange_code_for_token_async(
+    code: str,
+    verifier: str,
+    provider: OAuthProviderConfig,
+) -> Callable[[], OAuthToken]:
+    async def _run() -> OAuthToken:
+        data = {
+            "grant_type": "authorization_code",
+            "client_id": provider.client_id,
+            "code": code,
+            "code_verifier": verifier,
+            "redirect_uri": provider.redirect_uri,
+        }
+        async with httpx.AsyncClient(timeout=30.0) as client:
+            response = await client.post(
+                provider.token_url,
+                data=data,
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+            )
+        if response.status_code != 200:
+            raise RuntimeError(f"Token exchange failed: {response.status_code} {response.text}")
+
+        payload = response.json()
+        access, refresh, expires_in = _parse_token_payload(payload, "Token response missing fields")
+
+        account_id = _decode_account_id(access, provider.jwt_claim_path, provider.account_id_claim)
+        return OAuthToken(
+            access=access,
+            refresh=refresh,
+            expires=int(time.time() * 1000 + expires_in * 1000),
+            account_id=account_id,
+        )
+
+    return _run
+
+
+def _refresh_token(refresh_token: str, provider: OAuthProviderConfig) -> OAuthToken:
+    data = {
+        "grant_type": "refresh_token",
+        "refresh_token": refresh_token,
+        "client_id": provider.client_id,
+    }
+    with httpx.Client(timeout=30.0) as client:
+        response = client.post(
+            provider.token_url,
+            data=data,
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )
+    if response.status_code != 200:
+        raise RuntimeError(f"Token refresh failed: {response.status_code} {response.text}")
+
+    payload = response.json()
+    access, refresh, expires_in = _parse_token_payload(payload, "Token refresh response missing fields")
+
+    account_id = _decode_account_id(access, provider.jwt_claim_path, provider.account_id_claim)
+    return OAuthToken(
+        access=access,
+        refresh=refresh,
+        expires=int(time.time() * 1000 + expires_in * 1000),
+        account_id=account_id,
+    )
+
+
+def get_token(
+    provider: OAuthProviderConfig = OPENAI_CODEX_PROVIDER,
+    storage: TokenStorage | None = None,
+    min_ttl_seconds: int = 60,
+) -> OAuthToken:
+    """Get an available token (refresh if needed)."""
+    storage = storage or FileTokenStorage(token_filename=provider.token_filename)
+    token = storage.load()
+    if not token:
+        raise RuntimeError("OAuth credentials not found. Please run the login command.")
+
+    # Refresh early.
+    now_ms = int(time.time() * 1000)
+    if token.expires - now_ms > min_ttl_seconds * 1000:
+        return token
+
+    lock_path = storage.get_token_path().with_suffix(".lock")
+    with _FileLock(lock_path):
+        # Re-read to avoid stale token if another process refreshed it.
+        token = storage.load() or token
+        now_ms = int(time.time() * 1000)
+        if token.expires - now_ms > min_ttl_seconds * 1000:
+            return token
+        try:
+            refreshed = _refresh_token(token.refresh, provider)
+            storage.save(refreshed)
+            return refreshed
+        except Exception:
+            # If refresh fails, re-read the file to avoid false negatives.
+            latest = storage.load()
+            if latest and latest.expires - now_ms > 0:
+                return latest
+            raise
+
+
+async def _read_stdin_line() -> str:
+    loop = asyncio.get_running_loop()
+    if hasattr(loop, "add_reader") and sys.stdin:
+        future: asyncio.Future[str] = loop.create_future()
+
+        def _on_readable() -> None:
+            line = sys.stdin.readline()
+            if not future.done():
+                future.set_result(line)
+
+        try:
+            loop.add_reader(sys.stdin, _on_readable)
+        except Exception:
+            return await loop.run_in_executor(None, sys.stdin.readline)
+
+        try:
+            return await future
+        finally:
+            try:
+                loop.remove_reader(sys.stdin)
+            except Exception:
+                pass
+
+    return await loop.run_in_executor(None, sys.stdin.readline)
+
+
+async def _await_manual_input(print_fn: Callable[[str], None]) -> str:
+    print_fn("[cyan]Paste the authorization code (or full redirect URL), or wait for the browser callback:[/cyan]")
+    return await _read_stdin_line()
+
+
+def login_oauth_interactive(
+    print_fn: Callable[[str], None],
+    prompt_fn: Callable[[str], str],
+    provider: OAuthProviderConfig = OPENAI_CODEX_PROVIDER,
+    originator: str | None = None,
+    storage: TokenStorage | None = None,
+) -> OAuthToken:
+    """Interactive login flow."""
+
+    async def _login_async() -> OAuthToken:
+        verifier, challenge = _generate_pkce()
+        state = _create_state()
+
+        params = {
+            "response_type": "code",
+            "client_id": provider.client_id,
+            "redirect_uri": provider.redirect_uri,
+            "scope": provider.scope,
+            "code_challenge": challenge,
+            "code_challenge_method": "S256",
+            "state": state,
+            "id_token_add_organizations": "true",
+            "codex_cli_simplified_flow": "true",
+            "originator": originator or provider.default_originator,
+        }
+        url = f"{provider.authorize_url}?{urllib.parse.urlencode(params)}"
+
+        loop = asyncio.get_running_loop()
+        code_future: asyncio.Future[str] = loop.create_future()
+
+        def _notify(code_value: str) -> None:
+            if code_future.done():
+                return
+            loop.call_soon_threadsafe(code_future.set_result, code_value)
+
+        server, server_error = _start_local_server(state, on_code=_notify)
+        print_fn("[cyan]A browser window will open for login. If it doesn't, open this URL manually:[/cyan]")
+        print_fn(url)
+        try:
+            webbrowser.open(url)
+        except Exception:
+            pass
+
+        if not server and server_error:
+            print_fn(
+                "[yellow]"
+                f"Local callback server could not start ({server_error}). "
+                "You will need to paste the callback URL or authorization code."
+                "[/yellow]"
+            )
+
+        code: str | None = None
+        try:
+            if server:
+                print_fn("[dim]Waiting for browser callback...[/dim]")
+
+                tasks: list[asyncio.Task[object]] = []
+                callback_task = asyncio.create_task(asyncio.wait_for(code_future, timeout=120))
+                tasks.append(callback_task)
+                manual_task = asyncio.create_task(_await_manual_input(print_fn))
+                tasks.append(manual_task)
+
+                done, pending = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
+                for task in pending:
+                    task.cancel()
+
+                for task in done:
+                    try:
+                        result = task.result()
+                    except asyncio.TimeoutError:
+                        result = None
+                    if not result:
+                        continue
+                    if task is manual_task:
+                        parsed_code, parsed_state = _parse_authorization_input(result)
+                        if parsed_state and parsed_state != state:
+                            raise RuntimeError("State validation failed.")
+                        code = parsed_code
+                    else:
+                        code = result
+                    if code:
+                        break
+
+            if not code:
+                prompt = "Please paste the callback URL or authorization code:"
+                raw = await loop.run_in_executor(None, prompt_fn, prompt)
+                parsed_code, parsed_state = _parse_authorization_input(raw)
+                if parsed_state and parsed_state != state:
+                    raise RuntimeError("State validation failed.")
+                code = parsed_code
+
+            if not code:
+                raise RuntimeError("Authorization code not found.")
+
+            print_fn("[dim]Exchanging authorization code for tokens...[/dim]")
+            token = await _exchange_code_for_token_async(code, verifier, provider)()
+            (storage or FileTokenStorage(token_filename=provider.token_filename)).save(token)
+            return token
+        finally:
+            if server:
+                server.shutdown()
+                server.server_close()
+
+    try:
+        asyncio.get_running_loop()
+    except RuntimeError:
+        return asyncio.run(_login_async())
+
+    result: list[OAuthToken] = []
+    error: list[Exception] = []
+
+    def _runner() -> None:
+        try:
+            result.append(asyncio.run(_login_async()))
+        except Exception as exc:
+            error.append(exc)
+
+    thread = threading.Thread(target=_runner)
+    thread.start()
+    thread.join()
+    if error:
+        raise error[0]
+    return result[0]
+
+
+# Backward-compatible aliases.
+login_codex_oauth_interactive = login_oauth_interactive
+get_codex_token = get_token

oauth_cli_kit-0.1.1/oauth_cli_kit/models.py

@@ -0,0 +1,34 @@
+"""OAuth data models."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class OAuthProviderConfig:
+    """Configuration for an OAuth 2.0 provider."""
+
+    client_id: str
+    authorize_url: str
+    token_url: str
+    redirect_uri: str
+    scope: str
+    jwt_claim_path: str | None = None
+    account_id_claim: str | None = None
+    default_originator: str = "oauth-cli-kit"
+    token_filename: str = "oauth.json"
+
+
+@dataclass
+class OAuthToken:
+    """OAuth token data structure."""
+
+    access: str
+    refresh: str
+    expires: int
+    account_id: str | None = None
+
+
+# Backward-compatible alias for earlier Codex naming.
+CodexToken = OAuthToken

oauth_cli_kit-0.1.1/oauth_cli_kit/pkce.py

@@ -0,0 +1,81 @@
+"""PKCE and authorization helpers."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+import os
+import urllib.parse
+from typing import Any
+
+
+def _base64url(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("utf-8")
+
+
+def _decode_base64url(data: str) -> bytes:
+    padding = "=" * (-len(data) % 4)
+    return base64.urlsafe_b64decode(data + padding)
+
+
+def _generate_pkce() -> tuple[str, str]:
+    verifier = _base64url(os.urandom(32))
+    challenge = _base64url(hashlib.sha256(verifier.encode("utf-8")).digest())
+    return verifier, challenge
+
+
+def _create_state() -> str:
+    return _base64url(os.urandom(16))
+
+
+def _parse_authorization_input(raw: str) -> tuple[str | None, str | None]:
+    value = raw.strip()
+    if not value:
+        return None, None
+    try:
+        url = urllib.parse.urlparse(value)
+        qs = urllib.parse.parse_qs(url.query)
+        code = qs.get("code", [None])[0]
+        state = qs.get("state", [None])[0]
+        if code:
+            return code, state
+    except Exception:
+        pass
+
+    if "#" in value:
+        parts = value.split("#", 1)
+        return parts[0] or None, parts[1] or None
+
+    if "code=" in value:
+        qs = urllib.parse.parse_qs(value)
+        return qs.get("code", [None])[0], qs.get("state", [None])[0]
+
+    return value, None
+
+
+def _decode_account_id(
+    access_token: str,
+    jwt_claim_path: str | None,
+    account_id_claim: str | None,
+) -> str | None:
+    if not jwt_claim_path or not account_id_claim:
+        return None
+    parts = access_token.split(".")
+    if len(parts) != 3:
+        raise ValueError("Invalid JWT token")
+    payload = json.loads(_decode_base64url(parts[1]).decode("utf-8"))
+    auth = payload.get(jwt_claim_path) or {}
+    account_id = auth.get(account_id_claim)
+    if not account_id:
+        return None
+    return str(account_id)
+
+
+def _parse_token_payload(payload: dict[str, Any], missing_message: str) -> tuple[str, str, int]:
+    access = payload.get("access_token")
+    refresh = payload.get("refresh_token")
+    expires_in = payload.get("expires_in")
+    if not access or not refresh or not isinstance(expires_in, int):
+        raise RuntimeError(missing_message)
+    return access, refresh, expires_in

oauth_cli_kit-0.1.1/oauth_cli_kit/server.py

@@ -0,0 +1,115 @@
+"""Local OAuth callback server."""
+
+from __future__ import annotations
+
+import socket
+import threading
+import urllib.parse
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from typing import Any, Callable
+
+from oauth_cli_kit.constants import SUCCESS_HTML
+
+
+class _OAuthHandler(BaseHTTPRequestHandler):
+    """Local callback HTTP handler."""
+
+    server_version = "OAuthCliKit/1.0"
+    protocol_version = "HTTP/1.1"
+
+    def do_GET(self) -> None:  # noqa: N802
+        try:
+            url = urllib.parse.urlparse(self.path)
+            if url.path != "/auth/callback":
+                self.send_response(404)
+                self.end_headers()
+                self.wfile.write(b"Not found")
+                return
+
+            qs = urllib.parse.parse_qs(url.query)
+            code = qs.get("code", [None])[0]
+            state = qs.get("state", [None])[0]
+
+            if state != self.server.expected_state:
+                self.send_response(400)
+                self.end_headers()
+                self.wfile.write(b"State mismatch")
+                return
+
+            if not code:
+                self.send_response(400)
+                self.end_headers()
+                self.wfile.write(b"Missing code")
+                return
+
+            self.server.code = code
+            try:
+                if getattr(self.server, "on_code", None):
+                    self.server.on_code(code)
+            except Exception:
+                pass
+            body = SUCCESS_HTML.encode("utf-8")
+            self.send_response(200)
+            self.send_header("Content-Type", "text/html; charset=utf-8")
+            self.send_header("Content-Length", str(len(body)))
+            self.send_header("Connection", "close")
+            self.end_headers()
+            self.wfile.write(body)
+            try:
+                self.wfile.flush()
+            except Exception:
+                pass
+            self.close_connection = True
+        except Exception:
+            self.send_response(500)
+            self.end_headers()
+            self.wfile.write(b"Internal error")
+
+    def log_message(self, format: str, *args: Any) -> None:  # noqa: A003
+        # Suppress default logs to avoid noisy output.
+        return
+
+
+class _OAuthServer(HTTPServer):
+    """OAuth callback server with state."""
+
+    def __init__(
+        self,
+        server_address: tuple[str, int],
+        expected_state: str,
+        on_code: Callable[[str], None] | None = None,
+    ):
+        super().__init__(server_address, _OAuthHandler)
+        self.expected_state = expected_state
+        self.code: str | None = None
+        self.on_code = on_code
+
+
+def _start_local_server(
+    state: str,
+    on_code: Callable[[str], None] | None = None,
+) -> tuple[_OAuthServer | None, str | None]:
+    """Start a local OAuth callback server on the first available localhost address."""
+    try:
+        addrinfos = socket.getaddrinfo("localhost", 1455, type=socket.SOCK_STREAM)
+    except OSError as exc:
+        return None, f"Failed to resolve localhost: {exc}"
+
+    last_error: OSError | None = None
+    for family, _socktype, _proto, _canonname, sockaddr in addrinfos:
+        try:
+            # Support IPv4/IPv6 to avoid missing callbacks when localhost resolves to ::1.
+            class _AddrOAuthServer(_OAuthServer):
+                address_family = family
+
+            server = _AddrOAuthServer(sockaddr, state, on_code=on_code)
+            thread = threading.Thread(target=server.serve_forever, daemon=True)
+            thread.start()
+            return server, None
+        except OSError as exc:
+            last_error = exc
+            continue
+
+    if last_error:
+        return None, f"Local callback server failed to start: {last_error}"
+    return None, "Local callback server failed to start: unknown error"

oauth_cli_kit-0.1.1/oauth_cli_kit/storage.py

@@ -0,0 +1,166 @@
+"""Token storage helpers."""
+
+from __future__ import annotations
+
+import json
+import os
+import time
+from pathlib import Path
+from typing import Protocol
+
+from platformdirs import user_data_dir
+
+from oauth_cli_kit.models import OAuthToken
+
+
+class TokenStorage(Protocol):
+    """Abstract token storage interface."""
+
+    def load(self) -> OAuthToken | None:
+        ...
+
+    def save(self, token: OAuthToken) -> None:
+        ...
+
+    def get_token_path(self) -> Path:
+        ...
+
+
+def _get_token_path(
+    token_filename: str,
+    app_name: str,
+    data_dir: Path | None = None,
+) -> Path:
+    override = os.environ.get("OAUTH_CLI_KIT_TOKEN_PATH")
+    if override:
+        return Path(override)
+    base_dir = data_dir or Path(user_data_dir(app_name, appauthor=False))
+    return base_dir / "auth" / token_filename
+
+
+def _load_token_file(path: Path) -> OAuthToken | None:
+    if not path.exists():
+        return None
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+        return OAuthToken(
+            access=data["access"],
+            refresh=data["refresh"],
+            expires=int(data["expires"]),
+            account_id=data.get("account_id"),
+        )
+    except Exception:
+        return None
+
+
+def _save_token_file(path: Path, token: OAuthToken) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    payload = {
+        "access": token.access,
+        "refresh": token.refresh,
+        "expires": token.expires,
+    }
+    if token.account_id:
+        payload["account_id"] = token.account_id
+    path.write_text(
+        json.dumps(payload, ensure_ascii=True, indent=2),
+        encoding="utf-8",
+    )
+    try:
+        os.chmod(path, 0o600)
+    except Exception:
+        # Ignore permission setting failures.
+        pass
+
+
+def _try_import_codex_cli_token(path: Path) -> OAuthToken | None:
+    codex_path = Path.home() / ".codex" / "auth.json"
+    if not codex_path.exists():
+        return None
+    try:
+        data = json.loads(codex_path.read_text(encoding="utf-8"))
+        tokens = data.get("tokens") or {}
+        access = tokens.get("access_token")
+        refresh = tokens.get("refresh_token")
+        account_id = tokens.get("account_id")
+        if not access or not refresh or not account_id:
+            return None
+        try:
+            mtime = codex_path.stat().st_mtime
+            expires = int(mtime * 1000 + 60 * 60 * 1000)
+        except Exception:
+            expires = int(time.time() * 1000 + 60 * 60 * 1000)
+        token = OAuthToken(
+            access=str(access),
+            refresh=str(refresh),
+            expires=expires,
+            account_id=str(account_id),
+        )
+        _save_token_file(path, token)
+        return token
+    except Exception:
+        return None
+
+
+class FileTokenStorage:
+    """File-based token storage."""
+
+    def __init__(
+        self,
+        token_filename: str = "oauth.json",
+        app_name: str = "oauth-cli-kit",
+        data_dir: Path | None = None,
+        import_codex_cli: bool = True,
+    ) -> None:
+        self._token_filename = token_filename
+        self._app_name = app_name
+        self._data_dir = data_dir
+        self._import_codex_cli = import_codex_cli
+
+    def get_token_path(self) -> Path:
+        return _get_token_path(self._token_filename, self._app_name, self._data_dir)
+
+    def load(self) -> OAuthToken | None:
+        path = self.get_token_path()
+        token = _load_token_file(path)
+        if token:
+            return token
+        if self._import_codex_cli:
+            return _try_import_codex_cli_token(path)
+        return None
+
+    def save(self, token: OAuthToken) -> None:
+        _save_token_file(self.get_token_path(), token)
+
+
+class _FileLock:
+    """Simple file lock to reduce concurrent refreshes."""
+
+    def __init__(self, path: Path):
+        self._path = path
+        self._fp = None
+
+    def __enter__(self) -> "_FileLock":
+        self._path.parent.mkdir(parents=True, exist_ok=True)
+        self._fp = open(self._path, "a+")
+        try:
+            import fcntl
+
+            fcntl.flock(self._fp.fileno(), fcntl.LOCK_EX)
+        except Exception:
+            # Non-POSIX or failed lock: continue without locking.
+            pass
+        return self
+
+    def __exit__(self, exc_type, exc, tb) -> None:
+        try:
+            import fcntl
+
+            fcntl.flock(self._fp.fileno(), fcntl.LOCK_UN)
+        except Exception:
+            pass
+        try:
+            if self._fp:
+                self._fp.close()
+        except Exception:
+            pass

oauth_cli_kit-0.1.1/pyproject.toml

@@ -0,0 +1,37 @@
+[project]
+name = "oauth-cli-kit"
+dynamic = ["version"]
+description = "Reusable OAuth 2.0 + PKCE helpers for CLI applications"
+requires-python = ">=3.11"
+license = {text = "MIT"}
+authors = [{name = "nanobot contributors"}]
+keywords = ["oauth", "pkce", "cli", "auth"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+]
+
+dependencies = [
+    "httpx>=0.25.0",
+    "platformdirs>=4.0.0",
+]
+
+[build-system]
+requires = ["hatchling", "hatch-vcs"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["oauth_cli_kit"]
+
+[tool.hatch.build.targets.sdist]
+include = [
+    "oauth_cli_kit/",
+    "README.md",
+    "LICENSE",
+]
+
+[tool.hatch.version]
+source = "vcs"