PyPI - ssof - Versions diffs - 0.1.0__py3-none-any.whl - Mend

ssof 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

ssof-0.1.0.dist-info/METADATA +232 -0
ssof-0.1.0.dist-info/RECORD +7 -0
ssof-0.1.0.dist-info/WHEEL +5 -0
ssof-0.1.0.dist-info/entry_points.txt +2 -0
ssof-0.1.0.dist-info/top_level.txt +1 -0
tori/cli.py +215 -0
tori/sso_manager.py +869 -0

ssof-0.1.0.dist-info/METADATA ADDED Viewed

@@ -0,0 +1,232 @@
+Metadata-Version: 2.4
+Name: ssof
+Version: 0.1.0
+Summary: A simple CLI tool to manage AWS SSO sessions
+Author-email: Your Name <your.email@example.com>
+License: MIT
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: click>=8.3.0
+Requires-Dist: boto3>=1.43.0
+Requires-Dist: questionary>=2.1.0
+Provides-Extra: dev
+Requires-Dist: pytest>=9.0.0; extra == "dev"
+Requires-Dist: black>=26.0.0; extra == "dev"
+# Tori - AWS SSO Session Manager
+Ultra-simple CLI tool to manage AWS SSO sessions across multiple organizations. Configure once per org, then just `tori assume <account>` and you're in!
+## Installation
+Tori uses [uv](https://docs.astral.sh/uv/) for dependency management.
+```bash
+# Install uv if you don't have it
+brew install uv  # or: curl -LsSf https://astral.sh/uv/install.sh | sh
+# Sync dependencies and install tori in editable mode
+uv sync
+# Run tori via uv (no activation needed)
+uv run tori --help
+# Or activate the venv to use `tori` directly
+source .venv/bin/activate
+tori --help
+```
+## Quick Start
+1. **Configure Tori with your SSO details**:
+```bash
+tori configure my-org
+```
+Enter your SSO start URL and region when prompted. Tori will authenticate and cache all available accounts.
+2. **List available accounts**:
+```bash
+tori list
+```
+This shows all AWS accounts you have access to via SSO across all configured orgs.
+3. **Assume a role**:
+```bash
+tori assume my-account-name
+```
+This will:
+- Authenticate with AWS SSO (if needed)
+- Get temporary credentials
+- Back up your current default profile (if exists) to a named profile
+- Configure your default AWS CLI profile automatically
+- You're ready to use AWS CLI immediately!
+## Commands
+### `tori configure <org-name>`
+Configure AWS SSO settings for an organization. You can configure multiple orgs.
+**Example:**
+```bash
+tori configure my-company
+# Enter SSO start URL: https://my-company.awsapps.com/start
+# Enter SSO region: us-east-1
+```
+The first org you configure becomes the default. All accounts will be cached automatically.
+### `tori assume <account> [org-name]`
+Assume an AWS SSO role and configure the default AWS profile with credentials.
+**Examples:**
+```bash
+# Assume by account name (uses default org)
+tori assume production
+# Assume by account ID
+tori assume 123456789012
+# Assume from specific org
+tori assume production my-company
+# Assume with specific role (skips interactive selection)
+tori assume production my-company --role AdminRole
+```
+**Profile Backup:** When you assume a new role, Tori automatically backs up your current default profile to `profile_<account_id>_<role_name>` so you can switch back later.
+### `tori refresh [org-name]`
+Refresh cached accounts for an organization. Use this when new accounts or roles are added.
+**Examples:**
+```bash
+# Refresh default org
+tori refresh
+# Refresh specific org
+tori refresh my-company
+```
+### `tori list [org-name]`
+List all configured orgs and their AWS SSO accounts.
+**Examples:**
+```bash
+# List all orgs and accounts
+tori list
+# List accounts for specific org
+tori list my-company
+```
+### `tori status`
+Check your current AWS credentials status and see all backed up profiles.
+### `tori default <org-name>`
+Set the default organization to use when org name is not specified.
+**Example:**
+```bash
+tori default my-company
+```
+## Configuration
+Tori stores its configuration in `~/.tori/config.yaml`:
+```yaml
+default_org: my-company
+orgs:
+  my-company:
+    sso_start_url: https://my-company.awsapps.com/start
+    sso_region: us-east-1
+    cached_accounts:
+      production:
+        accountId: '123456789012'
+        accountName: production
+        email: aws-prod@company.com
+        roles:
+          - AdminRole
+          - ReadOnlyRole
+  another-org:
+    sso_start_url: https://another-org.awsapps.com/start
+    sso_region: us-west-2
+    cached_accounts: {}
+active_profiles:
+  profile_123456789012_AdminRole:
+    account_id: '123456789012'
+    role_name: AdminRole
+    timestamp: '2025-11-21T10:30:00'
+```
+Credentials are automatically written to `~/.aws/credentials` (default profile).
+## Multi-Org Workflow
+Tori supports multiple SSO organizations:
+1. **Configure multiple orgs**:
+```bash
+tori configure company-prod
+tori configure company-dev
+tori configure client-org
+```
+2. **Set a default org** (optional):
+```bash
+tori default company-prod
+```
+3. **Assume roles**:
+```bash
+# Uses default org
+tori assume my-account
+# Uses specific org
+tori assume my-account company-dev
+```
+4. **List all orgs**:
+```bash
+tori list
+```
+## Profile Management
+When you assume a new role, Tori:
+1. Backs up your current default profile to a named profile
+2. Sets the new credentials as the default profile
+3. Tracks all backed up profiles in the config
+**Backed up profile naming:** `profile_<account_id>_<role_name>`
+**View backed up profiles:**
+```bash
+tori status
+```
+**Switch back to a previous profile:**
+Simply use `tori assume` with the account and role you want to switch to.
+## How it Works
+1. **One-time setup per org**: Store your SSO start URL and region
+2. **Automatic caching**: Accounts and roles are cached during configuration
+3. **Explicit refresh**: Only re-fetch accounts when you run `tori refresh`
+4. **Assume roles**:
+   - Authenticate via AWS SSO (browser-based, only when needed)
+   - Get temporary credentials for the selected account and role
+   - Backup current default profile
+   - Write new credentials to default AWS profile
+   - Use AWS CLI normally!
+No need to manage multiple profiles manually or remember account details - just use the account name!
+## Requirements
+- Python 3.8+
+- boto3 (AWS SDK)
+- click (CLI framework)
+- questionary (interactive prompts)
+- pyyaml (config management)
+- Internet connection for SSO authentication

ssof-0.1.0.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,7 @@
+tori/cli.py,sha256=5ftBo0YtFlomQbqgePBH6s5e-W9zm1MCyBKSnbZ1bYs,7269
+tori/sso_manager.py,sha256=2lvktGkikY4C7r5_STjR1mmNXjNexQnoBFzy4XUBjUc,35212
+ssof-0.1.0.dist-info/METADATA,sha256=RC3PvQmP9PNf9_7GA-pWAGkszGpNCrI6wog31VP8vSE,5780
+ssof-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+ssof-0.1.0.dist-info/entry_points.txt,sha256=QUl1uF_fp2nQLJIWwG2qqHX5sOtoZY7ABkI2OlrcAa0,38
+ssof-0.1.0.dist-info/top_level.txt,sha256=6r-1m2MoXcq1D2SH_y3WuK_bsBZKAs1lceoQH5kve14,5
+ssof-0.1.0.dist-info/RECORD,,

ssof-0.1.0.dist-info/WHEEL ADDED Viewed

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any

ssof-0.1.0.dist-info/entry_points.txt ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ [console_scripts]
2	+ ssof = tori.cli:cli

ssof-0.1.0.dist-info/top_level.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ tori

tori/cli.py ADDED Viewed

@@ -0,0 +1,215 @@
+"""CLI interface for Tori"""
+import click
+from tori.sso_manager import SSOManager
+# Lazy: questionary pulls in prompt_toolkit (~100ms). Only construct when needed.
+_STYLE_SPEC = [
+    ('qmark', 'fg:#5fafff bold'),
+    ('question', 'fg:#ffffff bold'),
+    ('answer', 'fg:#5fafff bold'),
+    ('pointer', 'fg:#5fafff bold'),
+    ('highlighted', 'fg:#000000 bg:#5fafff bold'),
+    ('selected', 'fg:#000000 bg:#5fafff'),
+    ('completion-menu', 'bg:#3a3a3a fg:#ffffff'),
+    ('completion-menu.completion', 'bg:#3a3a3a fg:#ffffff'),
+    ('completion-menu.completion.current', 'bg:#5fafff fg:#000000 bold'),
+    ('completion-menu.meta.completion', 'bg:#3a3a3a fg:#aaaaaa'),
+    ('completion-menu.meta.completion.current', 'bg:#5fafff fg:#000000'),
+    ('scrollbar.background', 'bg:#3a3a3a'),
+    ('scrollbar.button', 'bg:#5fafff'),
+]
+def tori_style():
+    """Construct the questionary Style on first use (defers prompt_toolkit import)."""
+    from questionary import Style
+    return Style(_STYLE_SPEC)
+@click.group()
+@click.version_option()
+@click.option('-v', '--verbose', is_flag=True, help='Print full tracebacks on errors')
+@click.pass_context
+def cli(ctx, verbose):
+    """Tori - Simple AWS SSO session management"""
+    ctx.ensure_object(dict)
+    ctx.obj['verbose'] = verbose
+def _manager(ctx) -> SSOManager:
+    return SSOManager(verbose=ctx.obj.get('verbose', False) if ctx.obj else False)
+@cli.group()
+def config():
+    """Manage Tori SSO configuration (orgs)"""
+    pass
+@config.command('add')
+@click.argument('org_name')
+@click.pass_context
+def config_add(ctx, org_name):
+    """Add an SSO org configuration"""
+    _manager(ctx).add_org(org_name)
+@config.command('remove')
+@click.argument('org_name')
+@click.option('--yes', '-y', is_flag=True, help='Skip confirmation prompt')
+@click.pass_context
+def config_remove(ctx, org_name, yes):
+    """Remove an SSO org configuration"""
+    _manager(ctx).remove_org(org_name, confirm=not yes)
+@cli.command()
+@click.argument('account', required=False)
+@click.option('--role', default=None, help='Role name to assume (skips interactive selection)')
+@click.option('--profile', default='default', show_default=True,
+              help='AWS profile name to write credentials into (~/.aws/credentials)')
+@click.pass_context
+def assume(ctx, account, role, profile):
+    """Assume an AWS SSO role and write credentials to an AWS profile
+    By default writes to the [default] profile. Use --profile to write to a
+    named profile (e.g., --profile dev keeps your default untouched).
+    ACCOUNT is an account ID or name. AWS account IDs are globally unique,
+    so no org needs to be specified. If omitted, an interactive picker
+    shows accounts across all configured orgs.
+    Examples:
+      tori assume                                      # picker, writes [default]
+      tori assume 123456789012
+      tori assume my-account --role AdminRole
+      tori assume my-account --profile dev             # writes [dev]
+    """
+    manager = _manager(ctx)
+    if not account:
+        scope = manager.config.get('orgs', {})
+        if not scope:
+            click.echo("No orgs configured. Run 'tori config add <org-name>' first.")
+            return
+        choices = []
+        choice_map = {}  # label -> account_id
+        for o_name, o_config in scope.items():
+            cached = o_config.get('cached_accounts', {})
+            for acc_id, a_data in sorted(cached.items(), key=lambda kv: kv[1].get('accountName', '')):
+                label = f"{a_data.get('accountName', '')}  [{acc_id}]  ({o_name})"
+                choices.append(label)
+                choice_map[label] = acc_id
+        if not choices:
+            click.echo("No cached accounts. Run 'tori refresh' first.")
+            return
+        try:
+            import questionary
+            selection = questionary.autocomplete(
+                'Account (name, ID, or org):',
+                choices=choices,
+                match_middle=True,
+                ignore_case=True,
+                style=tori_style()
+            ).ask()
+            if not selection:
+                return
+            account = choice_map.get(selection, selection)
+        except (KeyboardInterrupt, EOFError):
+            click.echo("\nCancelled")
+            return
+    manager.assume_role(account, role, profile)
+@cli.command()
+@click.argument('org_name', required=False)
+@click.pass_context
+def refresh(ctx, org_name):
+    """Refresh cached accounts for an org (or all orgs if omitted)"""
+    manager = _manager(ctx)
+    if org_name:
+        manager.refresh_accounts(org_name)
+    else:
+        for name in manager.config.get('orgs', {}).keys():
+            print(f"\n=== Refreshing '{name}' ===")
+            manager.refresh_accounts(name)
+@cli.command()
+@click.argument('org_name', required=False)
+@click.pass_context
+def list(ctx, org_name):
+    """List all configured orgs"""
+    _manager(ctx).list_accounts(org_name)
+@cli.command()
+@click.option('--profile', default='default', show_default=True,
+              help='AWS profile whose credentials to sign in with')
+@click.option('--destination', default=None,
+              help='Console URL to land on (defaults to region console homepage)')
+@click.pass_context
+def console(ctx, profile, destination):
+    """Open the AWS web console signed in with the current session"""
+    _manager(ctx).open_console(profile=profile, destination=destination)
+@cli.command()
+@click.option('--all', 'clear_sso', is_flag=True, help='Also clear cached SSO tokens (forces re-auth next time)')
+@click.pass_context
+def logout(ctx, clear_sso):
+    """Clear the default AWS profile (and optionally SSO tokens)"""
+    _manager(ctx).logout(clear_sso=clear_sso)
+@cli.command()
+@click.argument('profile_name', required=False)
+@click.option('--profile', 'target', default='default', show_default=True,
+              help='AWS profile to write the restored credentials into')
+@click.pass_context
+def switch(ctx, profile_name, target):
+    """Switch a backed-up tori session into an AWS profile (default: [default])"""
+    _manager(ctx).switch_profile(profile_name, target=target)
+@cli.command()
+@click.option('--verify', is_flag=True, help='Verify credentials with AWS STS (slower)')
+@click.pass_context
+def status(ctx, verify):
+    """Check AWS credentials status and backed up profiles"""
+    _manager(ctx).show_status(verify=verify)
+@cli.command('_complete_accounts', hidden=True)
+def _complete_accounts():
+    """Print cached account names and IDs (for shell tab-completion)."""
+    import json as _json
+    from pathlib import Path as _Path
+    config_file = _Path.home() / '.tori' / 'config.json'
+    if not config_file.exists():
+        return
+    try:
+        with open(config_file, 'r') as f:
+            config = _json.load(f)
+    except (ValueError, OSError):
+        return
+    seen = set()
+    for org_config in config.get('orgs', {}).values():
+        for acc_id, acc_data in org_config.get('cached_accounts', {}).items():
+            name = acc_data.get('accountName', '')
+            for candidate in (name, acc_id):
+                if candidate and candidate not in seen:
+                    seen.add(candidate)
+                    click.echo(candidate)
+if __name__ == '__main__':
+    cli()

tori/sso_manager.py ADDED Viewed

@@ -0,0 +1,869 @@
+"""AWS SSO session management logic"""
+import os
+import json
+import configparser
+import hashlib
+import time
+import webbrowser
+from pathlib import Path
+from typing import Optional, List
+from datetime import datetime, timezone
+# boto3 and questionary are imported lazily inside methods that need them
+# to keep cold-start fast for commands like list/status/whoami/logout/switch.
+class SSOManager:
+    def __init__(self, verbose: bool = False):
+        self.verbose = verbose
+        self.config_dir = Path.home() / '.tori'
+        self.config_file = self.config_dir / 'config.json'
+        self.config_dir.mkdir(exist_ok=True)
+        self.config = self._load_config()
+        self.aws_config_path = Path.home() / '.aws' / 'config'
+        self.aws_credentials_path = Path.home() / '.aws' / 'credentials'
+        self.tori_credentials_path = self.config_dir / 'credentials'
+        self._prune_expired_profiles()
+    def _prune_expired_profiles(self):
+        """Remove expired backed-up sessions from config and ~/.aws/credentials."""
+        active = self.config.get('active_profiles', {})
+        if not active:
+            return
+        now = time.time()
+        expired = [
+            name for name, info in active.items()
+            if info.get('expires_at') and info['expires_at'] < now
+        ]
+        if not expired:
+            return
+        for name in expired:
+            del active[name]
+        # Strip the matching sections from ~/.tori/credentials
+        if self.tori_credentials_path.exists():
+            cp = configparser.ConfigParser()
+            cp.read(self.tori_credentials_path)
+            removed = False
+            for name in expired:
+                if name in cp:
+                    cp.remove_section(name)
+                    removed = True
+            if removed:
+                with open(self.tori_credentials_path, 'w') as f:
+                    cp.write(f)
+        self._save_config()
+    def _load_config(self) -> dict:
+        """Load tori configuration"""
+        if self.config_file.exists():
+            with open(self.config_file, 'r') as f:
+                return json.load(f) or self._empty_config()
+        return self._empty_config()
+    @staticmethod
+    def _empty_config() -> dict:
+        return {'orgs': {}, 'active_profiles': {}, 'last_assumed_role': None}
+    def _save_config(self):
+        with open(self.config_file, 'w') as f:
+            json.dump(self.config, f, indent=2)
+    def _get_org(self, org_name: Optional[str] = None) -> tuple:
+        """Get org config by name. If omitted and only one org exists, use it."""
+        if not org_name:
+            orgs = self.config.get('orgs', {})
+            if len(orgs) == 1:
+                org_name = next(iter(orgs))
+            else:
+                raise Exception("Multiple orgs configured. Specify which org to use.")
+        if org_name not in self.config['orgs']:
+            raise Exception(f"Org '{org_name}' not found. Run 'tori config add {org_name}' first.")
+        return org_name, self.config['orgs'][org_name]
+    def _find_account(self, account: str):
+        """Find account across all orgs by ID (exact) or name (substring).
+        Returns (org_name, account_data) or (None, None)."""
+        scope = self.config.get('orgs', {})
+        account_lower = account.lower()
+        exact_id = []
+        name_partial = []
+        for o_name, o_config in scope.items():
+            cached = o_config.get('cached_accounts', {})
+            for acc_id, a_data in cached.items():
+                if acc_id == account:
+                    exact_id.append((o_name, a_data))
+                else:
+                    a_name = a_data.get('accountName', '')
+                    if a_name == account:
+                        exact_id.append((o_name, a_data))
+                    elif account_lower in a_name.lower():
+                        name_partial.append((o_name, a_data))
+        if len(exact_id) == 1:
+            return exact_id[0]
+        if len(exact_id) > 1:
+            # Should be impossible for IDs since they're unique; can happen for duplicate names
+            labels = [f"{a['accountName']} [{a['accountId']}] ({o})" for o, a in exact_id]
+            raise Exception(f"Multiple accounts named '{account}': {', '.join(labels)}. Use the account ID.")
+        if len(name_partial) == 1:
+            return name_partial[0]
+        if len(name_partial) > 1:
+            labels = [f"{a['accountName']} [{a['accountId']}]" for _, a in name_partial]
+            raise Exception(f"Multiple matches: {', '.join(labels)}. Be more specific or use the account ID.")
+        return None, None
+    def _get_sso_token(self, org_name: str, org_config: dict) -> str:
+        """Get SSO access token"""
+        sso_start_url = org_config.get('sso_start_url')
+        sso_region = org_config.get('sso_region')
+        if not sso_start_url or not sso_region:
+            raise Exception(f"SSO not configured for org '{org_name}'. Run 'tori config add {org_name}' first.")
+        # Construct the cache file path using the same logic as _sso_login
+        sso_cache_dir = Path.home() / '.aws' / 'sso' / 'cache'
+        cache_key = hashlib.sha1(sso_start_url.encode()).hexdigest()
+        token_file = sso_cache_dir / f"{cache_key}.json"
+        if not token_file.exists():
+            raise Exception("No SSO token found for this org. Please authenticate.")
+        with open(token_file, 'r') as f:
+            token_data = json.load(f)
+        # Check if token is expired
+        expires_at = token_data.get('expiresAt')
+        if expires_at:
+            # Handle both timestamp and ISO format
+            try:
+                if isinstance(expires_at, (int, float)):
+                    expires_dt = datetime.fromtimestamp(expires_at, tz=timezone.utc)
+                else:
+                    expires_dt = datetime.fromisoformat(expires_at.replace('Z', '+00:00'))
+                if expires_dt < datetime.now(timezone.utc):
+                    raise Exception("SSO token expired. Please authenticate again.")
+            except ValueError as e:
+                print(f"Warning: Could not parse token expiration: {e}")
+        access_token = token_data.get('accessToken')
+        if not access_token:
+            raise Exception("Invalid token cache - no accessToken found")
+        return access_token
+    def _get_or_refresh_sso_token(self, org_name: str, org_config: dict) -> Optional[str]:
+        """Return a valid SSO access token, re-authenticating only if missing or expired."""
+        try:
+            return self._get_sso_token(org_name, org_config)
+        except FileNotFoundError:
+            pass  # token cache missing
+        except Exception as e:
+            msg = str(e).lower()
+            if 'expired' in msg or 'no sso token' in msg or 'no accesstoken' in msg:
+                pass  # expected — fall through to re-auth
+            else:
+                if self.verbose:
+                    print(f"Token check failed: {e}")
+                else:
+                    print(f"Token check failed: {e}")
+                return None
+        print("Re-authenticating...")
+        return self._sso_login(org_name, org_config)
+    def _sso_login(self, org_name: str, org_config: dict):
+        """Perform SSO login"""
+        sso_start_url = org_config.get('sso_start_url')
+        sso_region = org_config.get('sso_region')
+        print(f"Authenticating with AWS SSO (org: {org_name})...")
+        print(f"  Start URL: {sso_start_url}")
+        print(f"  Region: {sso_region}")
+        try:
+            import boto3
+            sso_oidc = boto3.client('sso-oidc', region_name=sso_region)
+            # Register client
+            client_response = sso_oidc.register_client(
+                clientName='tori-cli',
+                clientType='public'
+            )
+            client_id = client_response['clientId']
+            client_secret = client_response['clientSecret']
+            # Start device authorization
+            auth_response = sso_oidc.start_device_authorization(
+                clientId=client_id,
+                clientSecret=client_secret,
+                startUrl=sso_start_url
+            )
+            device_code = auth_response['deviceCode']
+            user_code = auth_response['userCode']
+            verification_uri = auth_response['verificationUriComplete']
+            print(f"Opening browser for authentication...")
+            print(f"  Verification URL: {verification_uri}")
+            print(f"  User code: {user_code}")
+            # Open browser
+            webbrowser.open(verification_uri)
+            print(f"Waiting for authentication...")
+            # Poll for token
+            expires_at = time.time() + auth_response['expiresIn']
+            interval = auth_response['interval']
+            while time.time() < expires_at:
+                try:
+                    token_response = sso_oidc.create_token(
+                        clientId=client_id,
+                        clientSecret=client_secret,
+                        grantType='urn:ietf:params:oauth:grant-type:device_code',
+                        deviceCode=device_code
+                    )
+                    access_token = token_response['accessToken']
+                    # Save token to cache
+                    sso_cache_dir = Path.home() / '.aws' / 'sso' / 'cache'
+                    sso_cache_dir.mkdir(parents=True, exist_ok=True)
+                    # Use a stable filename based on start URL
+                    cache_key = hashlib.sha1(sso_start_url.encode()).hexdigest()
+                    cache_file = sso_cache_dir / f"{cache_key}.json"
+                    expires_timestamp = datetime.now(timezone.utc).timestamp() + token_response['expiresIn']
+                    expires_iso = datetime.fromtimestamp(expires_timestamp, tz=timezone.utc).isoformat()
+                    with open(cache_file, 'w') as f:
+                        json.dump({
+                            'accessToken': access_token,
+                            'expiresAt': expires_iso,
+                            'region': sso_region,
+                            'startUrl': sso_start_url
+                        }, f)
+                    print(f"Authentication successful!")
+                    return access_token
+                except sso_oidc.exceptions.AuthorizationPendingException:
+                    time.sleep(interval)
+                except Exception as e:
+                    print(f"Authentication failed: {e}")
+                    raise
+            raise Exception("Authentication timed out")
+        except Exception as e:
+            print(f"SSO login failed: {e}")
+            if self.verbose:
+                import traceback as _tb; _tb.print_exc()
+            return None
+    def _cache_accounts(self, org_name: str, org_config: dict, access_token: str):
+        """Cache all AWS SSO accounts for an org"""
+        import boto3
+        sso_region = org_config.get('sso_region')
+        sso = boto3.client('sso', region_name=sso_region)
+        print("Fetching all accounts (this may take a while for large organizations)...")
+        all_accounts = []
+        next_token = None
+        page_num = 1
+        while True:
+            try:
+                print(f"  - Fetching account page {page_num}...")
+                if next_token:
+                    accounts_response = sso.list_accounts(accessToken=access_token, nextToken=next_token)
+                else:
+                    accounts_response = sso.list_accounts(accessToken=access_token)
+                all_accounts.extend(accounts_response.get('accountList', []))
+                next_token = accounts_response.get('nextToken')
+                if not next_token:
+                    break
+                page_num += 1
+            except Exception as e:
+                print(f"Error fetching accounts: {e}")
+                return
+        # Cache keyed by account ID (globally unique). Roles fetched on demand.
+        account_cache = {}
+        for account in all_accounts:
+            acc_id = account.get('accountId')
+            account_cache[acc_id] = {
+                'accountId': acc_id,
+                'accountName': account.get('accountName', ''),
+            }
+        org_config['cached_accounts'] = account_cache
+        self._save_config()
+        print(f"Cached {len(account_cache)} accounts for org '{org_name}'")
+    def _fetch_roles(self, sso_client, access_token: str, account_id: str) -> List[str]:
+        """Fetch roles for a single account on demand (paginated)."""
+        all_roles = []
+        next_token = None
+        while True:
+            kwargs = {'accessToken': access_token, 'accountId': account_id}
+            if next_token:
+                kwargs['nextToken'] = next_token
+            response = sso_client.list_account_roles(**kwargs)
+            all_roles.extend(response.get('roleList', []))
+            next_token = response.get('nextToken')
+            if not next_token:
+                break
+        return [role['roleName'] for role in all_roles]
+    def _select_role_interactive(self, roles: List[str], account_name: str) -> Optional[str]:
+        """Interactive role selection with arrow keys"""
+        if not roles:
+            return None
+        if len(roles) == 1:
+            return roles[0]
+        try:
+            import questionary
+            from tori.cli import tori_style
+            role = questionary.select(
+                f"Select role for {account_name}:",
+                choices=roles,
+                use_arrow_keys=True,
+                style=tori_style()
+            ).ask()
+            return role
+        except (KeyboardInterrupt, EOFError):
+            print("\nCancelled")
+            return None
+    def _backup_current_profile(self, last_role: dict, source_profile: str = 'default'):
+        """Snapshot the current AWS profile creds into ~/.tori/credentials with metadata."""
+        account_id = last_role.get('account_id')
+        role_name = last_role.get('role_name')
+        if not account_id or not role_name:
+            return None
+        # Read current creds from ~/.aws/credentials
+        aws_cp = configparser.ConfigParser()
+        if self.aws_credentials_path.exists():
+            aws_cp.read(self.aws_credentials_path)
+        else:
+            return None
+        if source_profile not in aws_cp:
+            return None
+        backup_profile_name = f"profile_{account_id}_{role_name}"
+        # Write into ~/.tori/credentials
+        tori_cp = configparser.ConfigParser()
+        if self.tori_credentials_path.exists():
+            tori_cp.read(self.tori_credentials_path)
+        if backup_profile_name not in tori_cp:
+            tori_cp[backup_profile_name] = {}
+        for key in ['aws_access_key_id', 'aws_secret_access_key', 'aws_session_token']:
+            if key in aws_cp[source_profile]:
+                tori_cp[backup_profile_name][key] = aws_cp[source_profile][key]
+        with open(self.tori_credentials_path, 'w') as f:
+            tori_cp.write(f)
+        os.chmod(self.tori_credentials_path, 0o600)
+        self.config['active_profiles'][backup_profile_name] = {
+            'account_id': account_id,
+            'account_name': last_role.get('account_name'),
+            'role_name': role_name,
+            'org_name': last_role.get('org_name'),
+            'region': last_role.get('region'),
+            'expires_at': last_role.get('expires_at'),
+            'timestamp': datetime.now().isoformat(),
+        }
+        self._save_config()
+        return backup_profile_name
+    def assume_role(self, account: str, role: Optional[str] = None, profile: str = 'default'):
+        """Assume an AWS SSO role and write credentials to the named AWS profile (default: [default])."""
+        try:
+            org_name, target_account = self._find_account(account)
+        except Exception as e:
+            print(f"Error: {e}")
+            return
+        if not target_account:
+            print(f"Account '{account}' not found. Run 'tori list' to see configured orgs.")
+            return
+        org_config = self.config['orgs'][org_name]
+        print(f"Assuming AWS SSO session for: {target_account['accountName']} (org: {org_name})")
+        account_id = target_account['accountId']
+        account_name = target_account['accountName']
+        try:
+            access_token = self._get_or_refresh_sso_token(org_name, org_config)
+            if not access_token:
+                print("Failed to get access token")
+                return
+            import boto3
+            sso_region = org_config.get('sso_region')
+            sso = boto3.client('sso', region_name=sso_region)
+            # Fetch roles for this account on demand
+            print(f"Fetching available roles for {account_name}...")
+            available_roles = self._fetch_roles(sso, access_token, account_id)
+            if not available_roles:
+                print(f"No roles available for account {account_name}")
+                return
+            # Determine role
+            if role:
+                if role not in available_roles:
+                    print(f"Role '{role}' not found. Available roles: {', '.join(available_roles)}")
+                    return
+                role_name = role
+            elif len(available_roles) > 1:
+                role_name = self._select_role_interactive(available_roles, account_name)
+                if not role_name:
+                    return
+            else:
+                role_name = available_roles[0]
+            print(f"Using role: {role_name}")
+            # Get role credentials
+            creds_response = sso.get_role_credentials(
+                accessToken=access_token,
+                accountId=account_id,
+                roleName=role_name
+            )
+            credentials = creds_response['roleCredentials']
+            # Back up the existing creds in the target profile (if tori-managed)
+            aws_cp = configparser.ConfigParser()
+            if self.aws_credentials_path.exists():
+                aws_cp.read(self.aws_credentials_path)
+                last_role = self.config.get('last_assumed_role')
+                if (profile in aws_cp
+                        and 'aws_session_token' in aws_cp[profile]
+                        and last_role):
+                    backup_name = self._backup_current_profile(last_role, source_profile=profile)
+                    if backup_name:
+                        print(f"Backed up previous session to: {backup_name}")
+            # Write credentials to ~/.aws/credentials under [<profile>]
+            print(f"Writing credentials to AWS profile: {profile}")
+            aws_dir = Path.home() / '.aws'
+            aws_dir.mkdir(exist_ok=True)
+            cred_cp = configparser.ConfigParser()
+            if self.aws_credentials_path.exists():
+                cred_cp.read(self.aws_credentials_path)
+            if profile not in cred_cp:
+                cred_cp[profile] = {}
+            cred_cp[profile]['aws_access_key_id'] = credentials['accessKeyId']
+            cred_cp[profile]['aws_secret_access_key'] = credentials['secretAccessKey']
+            cred_cp[profile]['aws_session_token'] = credentials['sessionToken']
+            with open(self.aws_credentials_path, 'w') as f:
+                cred_cp.write(f)
+            # Update region in ~/.aws/config — note: section is [default] for default,
+            # and [profile <name>] for named profiles
+            cfg_cp = configparser.ConfigParser()
+            if self.aws_config_path.exists():
+                cfg_cp.read(self.aws_config_path)
+            cfg_section = 'default' if profile == 'default' else f'profile {profile}'
+            if cfg_section not in cfg_cp:
+                cfg_cp[cfg_section] = {}
+            cfg_cp[cfg_section]['region'] = sso_region
+            with open(self.aws_config_path, 'w') as f:
+                cfg_cp.write(f)
+            expires_timestamp = credentials['expiration'] / 1000
+            expires_dt = datetime.fromtimestamp(expires_timestamp)
+            # Update last assumed role in config
+            self.config['last_assumed_role'] = {
+                'account_id': account_id,
+                'account_name': account_name,
+                'role_name': role_name,
+                'org_name': org_name,
+                'region': sso_region,
+                'expires_at': expires_timestamp,
+            }
+            self._save_config()
+            print(f"\nSuccess! AWS profile '{profile}' configured")
+            print(f"  Org: {org_name}")
+            print(f"  Account: {account_name} ({account_id})")
+            print(f"  Role: {role_name}")
+            print(f"  Region: {sso_region}")
+            print(f"  Expires: {expires_dt.strftime('%Y-%m-%d %H:%M:%S')}")
+        except Exception as e:
+            print(f"Failed to assume role: {e}")
+            if self.verbose:
+                import traceback as _tb; _tb.print_exc()
+    def add_org(self, org_name: str):
+        """Interactively add an SSO org to the tori config and cache its accounts."""
+        print(f"Tori AWS SSO Configuration (org: {org_name})")
+        print("=" * 50)
+        print()
+        start_url = input("Enter SSO start URL: ").strip()
+        region = input("Enter SSO region (e.g., us-east-1): ").strip()
+        if start_url and region:
+            if 'orgs' not in self.config:
+                self.config['orgs'] = {}
+            self.config['orgs'][org_name] = {
+                'sso_start_url': start_url,
+                'sso_region': region,
+                'cached_accounts': {}
+            }
+            self._save_config()
+            print()
+            print("Configuration saved")
+            print(f"  Org: {org_name}")
+            print(f"  Start URL: {start_url}")
+            print(f"  Region: {region}")
+            print()
+            # Authenticate and cache accounts immediately
+            print("Authenticating and caching accounts...")
+            try:
+                access_token = self._sso_login(org_name, self.config['orgs'][org_name])
+                if access_token:
+                    self._cache_accounts(org_name, self.config['orgs'][org_name], access_token)
+                    print(f"\nDone! You can now use 'tori assume <account-name-or-id>'")
+                else:
+                    print("Authentication failed")
+            except Exception as e:
+                print(f"Error during authentication: {e}")
+        else:
+            print("Configuration cancelled")
+    def refresh_accounts(self, org_name: Optional[str] = None):
+        """Refresh cached accounts for an org"""
+        try:
+            org_name, org_config = self._get_org(org_name)
+        except Exception as e:
+            print(f"Error: {e}")
+            return
+        print(f"Refreshing accounts for org: {org_name}")
+        access_token = self._get_or_refresh_sso_token(org_name, org_config)
+        if not access_token:
+            print("Failed to get access token")
+            return
+        self._cache_accounts(org_name, org_config, access_token)
+        print("Accounts refreshed successfully")
+    def list_accounts(self, org_name: Optional[str] = None):
+        """List configured orgs with account counts"""
+        if org_name:
+            if org_name not in self.config['orgs']:
+                print(f"Org '{org_name}' not found.")
+                return
+            orgs_to_list = {org_name: self.config['orgs'][org_name]}
+        else:
+            orgs_to_list = self.config['orgs']
+        if not orgs_to_list:
+            print("No orgs configured.")
+            print("Run 'tori config add <org-name>' to set up.")
+            return
+        for name, org_config in orgs_to_list.items():
+            count = len(org_config.get('cached_accounts', {}))
+            print(f"  {name}  —  {count} account{'s' if count != 1 else ''}")
+    def open_console(self, profile: str = 'default', destination: Optional[str] = None):
+        """Open the AWS web console signed in with credentials from the given profile."""
+        import urllib.parse
+        import urllib.request
+        cp = configparser.ConfigParser()
+        if self.aws_credentials_path.exists():
+            cp.read(self.aws_credentials_path)
+        if profile not in cp or 'aws_session_token' not in cp[profile]:
+            print(f"No active session in profile '{profile}'. Run 'tori assume' first.")
+            return
+        # Resolve region: ~/.aws/config first, then last_assumed_role
+        region = None
+        cfg_cp = configparser.ConfigParser()
+        if self.aws_config_path.exists():
+            cfg_cp.read(self.aws_config_path)
+        cfg_section = 'default' if profile == 'default' else f'profile {profile}'
+        if cfg_section in cfg_cp and 'region' in cfg_cp[cfg_section]:
+            region = cfg_cp[cfg_section]['region']
+        elif self.config.get('last_assumed_role'):
+            region = self.config['last_assumed_role'].get('region')
+        if not destination:
+            destination = f"https://{region}.console.aws.amazon.com/" if region else "https://console.aws.amazon.com/"
+        session = {
+            'sessionId': cp[profile]['aws_access_key_id'],
+            'sessionKey': cp[profile]['aws_secret_access_key'],
+            'sessionToken': cp[profile]['aws_session_token'],
+        }
+        federation = 'https://signin.aws.amazon.com/federation'
+        try:
+            req_url = (
+                f"{federation}?Action=getSigninToken"
+                f"&Session={urllib.parse.quote(json.dumps(session))}"
+            )
+            with urllib.request.urlopen(req_url, timeout=10) as resp:
+                signin_token = json.loads(resp.read())['SigninToken']
+        except Exception as e:
+            print(f"Failed to get signin token: {e}")
+            return
+        login_url = (
+            f"{federation}?Action=login"
+            f"&Issuer={urllib.parse.quote('tori')}"
+            f"&Destination={urllib.parse.quote(destination)}"
+            f"&SigninToken={urllib.parse.quote(signin_token)}"
+        )
+        print(f"Opening AWS console for profile '{profile}'...")
+        webbrowser.open(login_url)
+    def logout(self, clear_sso: bool = False):
+        """Clear the default AWS profile. Optionally invalidate cached SSO tokens."""
+        cleared_default = False
+        if self.aws_credentials_path.exists():
+            cp = configparser.ConfigParser()
+            cp.read(self.aws_credentials_path)
+            if 'default' in cp:
+                cp.remove_section('default')
+                with open(self.aws_credentials_path, 'w') as f:
+                    cp.write(f)
+                cleared_default = True
+        self.config['last_assumed_role'] = None
+        self._save_config()
+        if cleared_default:
+            print("Cleared default AWS profile")
+        else:
+            print("No default profile to clear")
+        if clear_sso:
+            sso_cache_dir = Path.home() / '.aws' / 'sso' / 'cache'
+            removed = 0
+            if sso_cache_dir.exists():
+                for f in sso_cache_dir.glob('*.json'):
+                    try:
+                        f.unlink()
+                        removed += 1
+                    except OSError:
+                        pass
+            print(f"Cleared {removed} cached SSO token(s)")
+    def switch_profile(self, profile_name: Optional[str] = None, target: str = 'default'):
+        """Switch a backed-up tori session into the given AWS profile (default: [default])."""
+        active_profiles = self.config.get('active_profiles', {})
+        if not active_profiles:
+            print("No backed-up profiles. Run 'tori assume' to create one.")
+            return
+        # Interactive picker if no name given
+        if not profile_name:
+            try:
+                import questionary
+                from tori.cli import tori_style
+                choices = []
+                label_to_name = {}
+                for name, info in active_profiles.items():
+                    expires_at = info.get('expires_at')
+                    suffix = ""
+                    if expires_at:
+                        mins = int((expires_at - time.time()) / 60)
+                        suffix = f"  ({mins}m left)"
+                    label = f"{info.get('account_name') or info.get('account_id')}  /  {info.get('role_name')}{suffix}"
+                    choices.append(label)
+                    label_to_name[label] = name
+                selection = questionary.select(
+                    'Switch to which profile?',
+                    choices=choices,
+                    style=tori_style()
+                ).ask()
+                if not selection:
+                    return
+                profile_name = label_to_name[selection]
+            except (KeyboardInterrupt, EOFError):
+                print("\nCancelled")
+                return
+        if profile_name not in active_profiles:
+            print(f"Profile '{profile_name}' not found.")
+            return
+        info = active_profiles[profile_name]
+        # Read backup from ~/.tori/credentials
+        tori_cp = configparser.ConfigParser()
+        if self.tori_credentials_path.exists():
+            tori_cp.read(self.tori_credentials_path)
+        if profile_name not in tori_cp:
+            print(f"Backup credentials for '{profile_name}' missing. Run 'tori assume' to fetch fresh credentials.")
+            return
+        # Write into [<target>] of ~/.aws/credentials
+        aws_cp = configparser.ConfigParser()
+        if self.aws_credentials_path.exists():
+            aws_cp.read(self.aws_credentials_path)
+        if target not in aws_cp:
+            aws_cp[target] = {}
+        for key in ['aws_access_key_id', 'aws_secret_access_key', 'aws_session_token']:
+            if key in tori_cp[profile_name]:
+                aws_cp[target][key] = tori_cp[profile_name][key]
+        with open(self.aws_credentials_path, 'w') as f:
+            aws_cp.write(f)
+        # Update region in ~/.aws/config (default → [default], else → [profile <name>])
+        if info.get('region'):
+            cp2 = configparser.ConfigParser()
+            if self.aws_config_path.exists():
+                cp2.read(self.aws_config_path)
+            cfg_section = 'default' if target == 'default' else f'profile {target}'
+            if cfg_section not in cp2:
+                cp2[cfg_section] = {}
+            cp2[cfg_section]['region'] = info['region']
+            with open(self.aws_config_path, 'w') as f:
+                cp2.write(f)
+        # Update last_assumed_role from the stored profile info
+        self.config['last_assumed_role'] = {
+            'account_id': info.get('account_id'),
+            'account_name': info.get('account_name'),
+            'role_name': info.get('role_name'),
+            'org_name': info.get('org_name'),
+            'region': info.get('region'),
+            'expires_at': info.get('expires_at'),
+        }
+        self._save_config()
+        print(f"Switched [{target}] to: {info.get('account_name') or info.get('account_id')} / {info.get('role_name')}")
+    def remove_org(self, org_name: str, confirm: bool = True):
+        """Remove an org from the config"""
+        if org_name not in self.config.get('orgs', {}):
+            print(f"Org '{org_name}' not found.")
+            return
+        if confirm:
+            try:
+                answer = input(f"Remove org '{org_name}'? This deletes the cached config. [y/N]: ").strip().lower()
+            except (KeyboardInterrupt, EOFError):
+                print("\nCancelled")
+                return
+            if answer not in ('y', 'yes'):
+                print("Cancelled")
+                return
+        del self.config['orgs'][org_name]
+        self._save_config()
+        print(f"Removed org '{org_name}'")
+    def show_status(self, verify: bool = False):
+        """Show AWS credentials status. Reads local state by default; pass verify=True to call STS."""
+        print("AWS Credentials Status")
+        print("=" * 50)
+        # Local read — instant
+        config_parser = configparser.ConfigParser()
+        if self.aws_credentials_path.exists():
+            config_parser.read(self.aws_credentials_path)
+        has_default = (
+            'default' in config_parser
+            and 'aws_session_token' in config_parser['default']
+        )
+        last = self.config.get('last_assumed_role')
+        if has_default and last:
+            expires_at = last.get('expires_at')
+            now = time.time()
+            status_label = ""
+            remaining = ""
+            if expires_at:
+                if expires_at < now:
+                    status_label = "  [EXPIRED]"
+                else:
+                    secs = int(expires_at - now)
+                    h, rem = divmod(secs, 3600)
+                    m = rem // 60
+                    remaining = f" ({h}h {m}m left)"
+                    if secs < 600:
+                        status_label = "  [EXPIRING SOON]"
+            account_label = last.get('account_name') or last.get('account_id')
+            print(f"Active session (default profile){status_label}")
+            print(f"  Org: {last.get('org_name', 'n/a')}")
+            print(f"  Account: {account_label} ({last.get('account_id')})")
+            print(f"  Role: {last.get('role_name')}")
+            if last.get('region'):
+                print(f"  Region: {last['region']}")
+            if expires_at:
+                expires_dt = datetime.fromtimestamp(expires_at)
+                print(f"  Expires: {expires_dt.strftime('%Y-%m-%d %H:%M:%S')}{remaining}")
+        elif has_default:
+            print("Active session (default profile) — set outside tori")
+        else:
+            print("No active session")
+            print("Run 'tori assume <account-name-or-id>' to start a session")
+        active_profiles = self.config.get('active_profiles', {})
+        if active_profiles:
+            print(f"\nBacked up profiles:")
+            for profile_name, profile_info in active_profiles.items():
+                print(f"  {profile_name}")
+                print(f"    Account: {profile_info.get('account_id')}")
+                print(f"    Role: {profile_info.get('role_name')}")
+        if verify and has_default:
+            print("\nVerifying with AWS STS...")
+            try:
+                import boto3
+                sts = boto3.client('sts')
+                identity = sts.get_caller_identity()
+                print(f"  Verified ARN: {identity.get('Arn')}")
+            except Exception as e:
+                print(f"  Verification failed: {e}")