From a7eb436959ee85b1b32d5df293d6f6c508cc155b Mon Sep 17 00:00:00 2001
From: Bagas Purwa Sentika <bapung@protonmail.com>
Date: Sun, 21 Jun 2026 20:31:13 +0800
Subject: [PATCH] feat(setup): add SSO refresh script and cron job

---
 ngn-agent/setup-ngn-agent.sh | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/ngn-agent/setup-ngn-agent.sh b/ngn-agent/setup-ngn-agent.sh
index bf7a390..b16f118 100755
--- a/ngn-agent/setup-ngn-agent.sh
+++ b/ngn-agent/setup-ngn-agent.sh
@@ -495,6 +495,29 @@ SCRIPT
     echo "  ✓ archive-stale-sessions.sh written and executable"
 }
 
+# ---- Write refresh-sso.sh (AWS SSO token auto-refresh) ----
+write_refresh_sso_script() {
+    echo "  → Writing refresh-sso.sh..."
+    cat > "$HOME/.hermes/scripts/refresh-sso.sh" << 'SCRIPT'
+#!/bin/bash
+set -uo pipefail
+AWS_CONFIG="${AWS_CONFIG:-$HOME/Razer/ngn-agent/.aws/config}"
+REFRESH_BEFORE_SEC="${REFRESH_BEFORE_SEC:-3600}"
+sso_sessions=$(grep '^\[sso-session' "$AWS_CONFIG" | sed 's/\[sso-session //;s/\]//')
+for session in $sso_sessions; do
+    echo "Checking SSO session: $session"
+    if aws sso login --sso-session "$session" --no-browser 2>/dev/null; then
+        echo "  ✓ Refreshed"
+    else
+        echo "  ✗ Browser login required for session: $session"
+        echo "  Run: aws sso login --sso-session $session"
+    fi
+done
+SCRIPT
+    chmod +x "$HOME/.hermes/scripts/refresh-sso.sh"
+    echo "  ✓ refresh-sso.sh written and executable"
+}
+
 # ---- Write skill files (D-10) ----
 write_jira_skill() {
     mkdir -p "$HOME/.hermes/skills/ngn-agent/jira"
@@ -1234,6 +1257,13 @@ register_cron_jobs() {
         2>/dev/null && echo "  ✓ ngn-weekly-stale-summary registered" \
         || echo "  ⚠ ngn-weekly-stale-summary may already exist"
 
+    # 4. ngn-sso-refresh (every 4 hours — AWS SSO token refresh)
+    echo "  → Creating ngn-sso-refresh..."
+    hermes cron create --no-agent --script refresh-sso.sh \
+        '0 */4 * * *' \
+        2>/dev/null && echo "  ✓ ngn-sso-refresh registered" \
+        || echo "  ⚠ ngn-sso-refresh may already exist"
+
     # 3. ngn-weekly-archive (Sunday 20:05 SGT — 5 min after summary, per D-10)
     echo "  → Creating ngn-weekly-archive..."
     hermes cron create --no-agent --script archive-stale-sessions.sh \
@@ -1320,6 +1350,10 @@ main() {
     echo "[10/14] Writing archive script..."
     write_archive_script
 
+    # Step 12b: Write SSO refresh script
+    echo "[10b/14] Writing SSO refresh script..."
+    write_refresh_sso_script
+
     # Step 13: Write skill files
     echo "[11/14] Writing skill files..."
     write_jira_skill