[Feature] Support OAuth (Browser Login) for Alibaba Cloud credentials #57

@Prodesire

Description

Problem or Motivation

Currently iac-code only supports three credential modes for Alibaba Cloud: AK, STS Token, and RAM Role. All three require users to manually obtain and paste sensitive credentials (AccessKey ID/Secret), which introduces security risks (key leakage) and is cumbersome for individual developers.

Modern CLI tools increasingly support browser-based OAuth login to eliminate manual key management. aliyun-cli already supports this via aliyun configure --mode OAuth, which implements a full OAuth 2.0 Authorization Code + PKCE flow — the user simply logs in through the browser, and the CLI automatically obtains and refreshes temporary credentials.

Proposed Solution

Add OAuth (Browser Login) as a new credential mode in iac-code auth, alongside the existing AK / STS Token / RAM Role options.

User-facing flow

$ iac-code auth
> Configure IaC Cloud Service
  > Alibaba Cloud
    > Credential
      > AccessKey
      > STS Token
      > RAM Role
      > OAuth Login (Browser)    ← new

Select "OAuth Login (Browser)":
  1. Choose site type: China / International
  2. Browser opens automatically to Alibaba Cloud sign-in page
  3. User logs in via browser
  4. CLI receives callback and exchanges for temporary AK/SK/STS credentials
  5. Done — "Configured: Alibaba Cloud OAuth credentials saved"

Key behaviors

  • Authorization Code + PKCE: start a local HTTP server, open the browser to signin.aliyun.com (or signin.alibabacloud.com for INTL), receive the callback with the authorization code, and exchange it for OAuth tokens.
  • Token → Temporary AK/SK/STS: exchange the OAuth access token for temporary credentials via the /v1/exchange endpoint, which are then used for actual API calls.
  • Auto-refresh: when STS credentials expire, automatically use the OAuth access token to re-exchange; when the access token expires, use the refresh token to renew it; only prompt for re-login when the refresh token expires.
  • Credential storage: persist OAuth tokens (access_token, refresh_token, expiration) and temporary AK/SK/STS in ~/.iac-code/.cloud-credentials.yml.
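The PKCE check, callback validation and refresh ladder described under Key behaviors, as an added Python example that is not code from iac-code or aliyun-cli; the HTTP calls to the sign-in and exchange endpoints are omitted, and the function and field names (b64url, make_pkce_pair, verify_pkce, check_callback, OAuthCreds, next_action) are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge.
    32 random bytes give a 43-char verifier, the RFC 7636 minimum."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_pkce(verifier: str, challenge: str) -> bool:
    """Server side: the token endpoint recomputes the challenge before it
    accepts the authorization code, so an intercepted code alone is useless."""
    return secrets.compare_digest(
        b64url(hashlib.sha256(verifier.encode("ascii")).digest()), challenge)

def check_callback(params: dict, expected_state: str) -> str:
    """Validate the redirect that reaches the 127.0.0.1 listener and return the
    authorization code; a callback whose state we did not issue is rejected."""
    if "error" in params:
        raise RuntimeError(f"authorization failed: {params['error']}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise RuntimeError("state mismatch, ignoring unsolicited callback")
    return params["code"]

@dataclass
class OAuthCreds:
    """Expiry times (Unix seconds) of the items the credentials file would hold."""
    sts_expires: int
    access_token_expires: int
    refresh_token_expires: int

def next_action(creds: OAuthCreds, now: int) -> str:
    """Refresh ladder from the proposal: cached STS, else re-exchange the
    access token, else renew it with the refresh token, else re-login."""
    if now < creds.sts_expires:
        return "use_cached_sts"
    if now < creds.access_token_expires:
        return "exchange_access_token"
    if now < creds.refresh_token_expires:
        return "refresh_then_exchange"
    return "relogin"
```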

Reference: aliyun-cli OAuth support

aliyun-cli already has a mature OAuth implementation:

  • Mode: aliyun configure --mode OAuth [--oauth-site-type CN|INTL]
  • Flow: Authorization Code + PKCE, local callback server on 127.0.0.1:12345-12349
  • Endpoints: oauth.aliyun.com (CN) / oauth.alibabacloud.com (INTL) for token exchange; signin.aliyun.com / signin.alibabacloud.com for browser sign-in
  • Token lifecycle: automatic refresh via refresh_token → access_token → STS, with re-login prompt only when refresh_token expires
  • Client IDs: pre-registered OAuth applications (CN: 4038181954557748008, INTL: 4103531455503354461)

Alternatives Considered

  1. Delegate to aliyun-cli: read the OAuth profile from ~/.aliyun/config.json and call aliyun to refresh expired tokens. Simpler but adds a hard dependency on aliyun-cli installation.
  2. Stay with AK-only: users continue managing AccessKeys manually. This is the current state and doesn't address the security/usability gap.

Additional Context

  • OAuth login is the recommended authentication method in aliyun-cli (shown as (Recommended) in its help text).
  • This would align iac-code's auth experience with aliyun-cli, reducing friction for users who already use OAuth there.
