feat: add release wf and doc (#3)

Author: MatteoManzoni

.github/workflows/release.yml

@@ -0,0 +1,33 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate tag matches version
+        run: |
+          TAG="${GITHUB_REF#refs/tags/v}"
+          PKG_VERSION=$(python3 -c "
+          import tomllib, pathlib
+          d = tomllib.loads(pathlib.Path('pyproject.toml').read_text())
+          print(d['project']['version'])
+          ")
+          if [ "$TAG" != "$PKG_VERSION" ]; then
+            echo "::error::Tag v$TAG does not match pyproject.toml version $PKG_VERSION"
+            exit 1
+          fi
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true

.gitignore

@@ -4,3 +4,5 @@ __pycache__/
 dist/
 build/
 *.pyc
+.claude/settings.local.json
+.DS_Store

AGENTS.md

@@ -0,0 +1,69 @@
+# AGENTS.md — team-cli
+
+## Project
+
+CLI for AWS TEAM (Temporary Elevated Access Management). Python 3.11+, distributed via Homebrew.
+
+## Open-source readiness
+
+This repo will be open-sourced. All contributions must follow these rules:
+
+### Never include in code, comments, commits, or docs
+
+- AWS account IDs, ARNs, or resource identifiers
+- Cognito domain URLs, client IDs, user pool IDs
+- AppSync endpoint URLs
+- Internal domain names (*.docplanner.*, *.awsapps.com, etc.)
+- Employee names, emails, or usernames
+- Internal ticket IDs, Slack channels, or Jira project keys
+- IP addresses, VPN endpoints, or internal URLs
+- SSO start URLs or session names
+- Any value from `config.example.toml` that contains real deployment data
+
+### Safe to include
+
+- Generic examples using placeholder values (`example.com`, `123456789012`, `my-org`)
+- Architecture descriptions that don't reference specific infrastructure
+
+## Contributing
+
+### Structure
+
+```
+team_cli/
+  cli.py          — argparse entry point, command handlers
+  api.py          — GraphQL AppSync client
+  auth.py         — OAuth2 + PKCE authentication
+  config.py       — config and token management
+  audit.py        — audit query and CloudTrail correlation
+  interactive.py  — InquirerPy prompts (fuzzy search)
+  queries.py      — GraphQL query definitions
+  sync.py         — AWS config profile sync
+Formula/
+  team-cli.rb     — Homebrew formula
+completions/
+  team.bash       — bash completions
+```
+
+### Commands
+
+All commands follow the pattern `cmd_<name>(args)` in `cli.py`, dispatched via a `COMMANDS` dict.
+
+Interactive prompts use `inquirer.fuzzy` for searchable selection. All pickers fall back to numbered menus when InquirerPy is unavailable.
+
+### Releasing
+
+1. Bump version in `pyproject.toml`, `team_cli/__init__.py`, and `Formula/team-cli.rb` (tag + version lines)
+2. Update `charset-normalizer` or other resources in the Formula if dependencies changed
+3. Commit to main
+4. Tag: `git tag v0.3.0 && git push --tags`
+5. The GitHub Actions workflow creates a release automatically
+6. Users update via `brew update && brew upgrade team-cli`
+
+### Formula resources
+
+When updating Python dependencies in the Formula, use sdist tarballs from PyPI. Pin `charset-normalizer` to 3.3.2 (3.4.x requires `mypy` as a build dependency which fails in Homebrew's `--no-binary :all:` environment).
+
+### Testing
+
+Run `team --help` after changes to verify the CLI loads. All commands should work both interactively (prompts) and non-interactively (flags).

Formula/team-cli.rb

@@ -3,7 +3,7 @@ class TeamCli < Formula
 
   desc "CLI for AWS TEAM (Temporary Elevated Access Management)"
   homepage "https://github.com/DocPlanner/team-cli"
-  url "https://github.com/DocPlanner/team-cli.git", branch: "main"
+  url "https://github.com/DocPlanner/team-cli.git", tag: "v0.2.0"
   version "0.2.0"
 
 
@@ -15,8 +15,8 @@ class TeamCli < Formula
   end
 
   resource "charset-normalizer" do
-    url "https://files.pythonhosted.org/packages/e4/33/89c2ced2b67d1c2a61c19c6751aa8902d46ce3dacb23600a283619f5a12d/charset_normalizer-3.4.2.tar.gz"
-    sha256 "5baececa9ecba31eff645232d59845c07aa030f0c81ee70184a90d35099a0e63"
+    url "https://files.pythonhosted.org/packages/63/09/c1bc53dab74b1816a00d8d030de5bf98f724c52c1635e07681d312f20be8/charset-normalizer-3.3.2.tar.gz"
+    sha256 "f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5"
   end
 
   resource "idna" do
@@ -56,6 +56,7 @@ class TeamCli < Formula
 
   def install
     virtualenv_install_with_resources
+    bash_completion.install "completions/team.bash" => "team"
   end
 
   test do

README.md

@@ -192,6 +192,14 @@ Accounts already present in `~/.aws/config` (matched by `sso_account_id`) are sk
 
 3. **Sync** — `team sync` reads your TEAM-eligible accounts and permissions, then writes matching SSO profiles into `~/.aws/config`. It creates an `sso-session` block if missing and only adds profiles for permission sets listed in your `profile_map`.
 
+## Bash completions
+
+Installed automatically via Homebrew. For non-Homebrew installs:
+
+```bash
+source /path/to/completions/team.bash
+```
+
 ## License
 
 MIT

completions/team.bash

@@ -0,0 +1,26 @@
+_team() {
+    local cur="${COMP_WORDS[COMP_CWORD]}"
+    local commands="login logout accounts roles request requests status approve reject revoke cancel pending sync audit configure"
+
+    case "${COMP_WORDS[1]}" in
+        request)
+            [[ "$cur" == -* ]] && COMPREPLY=($(compgen -W "--account -a --role -r --duration -d --justification -j --ticket -t --start -s --wait -w --wait-timeout" -- "$cur"))
+            return ;;
+        accounts)
+            [[ "$cur" == -* ]] && COMPREPLY=($(compgen -W "--json" -- "$cur"))
+            return ;;
+        status|approve|reject|revoke|cancel)
+            [[ "$cur" == -* ]] && COMPREPLY=($(compgen -W "--comment -c" -- "$cur"))
+            return ;;
+        audit)
+            [[ "$cur" == -* ]] && COMPREPLY=($(compgen -W "--actor --account --role --from --to --status --json --no-logs --limit" -- "$cur"))
+            return ;;
+        configure)
+            [[ "$cur" == -* ]] && COMPREPLY=($(compgen -W "--show --edit" -- "$cur"))
+            return ;;
+    esac
+
+    [[ $COMP_CWORD -eq 1 ]] && COMPREPLY=($(compgen -W "$commands" -- "$cur"))
+}
+
+complete -F _team team