@marcusrbrown/infra 0.4.11 → 0.6.0

package/src/commands/cliproxy/keys.ts

@@ -1,7 +1,12 @@
 import type {goke} from 'goke'
 
+import type {ActionCtx} from '../../lib/action-ctx'
+
 import {z} from 'zod'
 
+/** Minimal ctx surface consumed by cliproxy keys actions. Satisfied by both GokeExecutionContext and CapturedCtx. */
+// ActionCtx imported from lib/action-ctx — single source of truth for action ctx shape
+
 const DEFAULT_CLIPROXY_URL = 'https://cliproxy.fro.bot'
 const HTTP_TIMEOUT_MS = 10_000
 
@@ -64,6 +69,114 @@ export function toStringArray(payload: unknown): string[] {
   return []
 }
 
+export interface KeysListOptions {
+  url?: string
+  key?: string
+  json?: boolean
+}
+
+export async function cliproxyKeysListAction(options: KeysListOptions, ctx: ActionCtx): Promise<string[]> {
+  try {
+    const baseUrl = resolveBaseUrl(options.url)
+    const managementKey = resolveManagementKey(options.key)
+    const endpoint = `${baseUrl}/v0/management/api-keys`
+    const payload = await requestJson(endpoint, {
+      method: 'GET',
+      headers: managementHeaders(managementKey),
+    })
+
+    const keys = toStringArray(payload)
+    ctx.console.error('⚠️  Output contains API keys — avoid logging or storing in shared locations')
+
+    if (options.json) {
+      ctx.console.log(JSON.stringify(keys, null, 2))
+    } else if (keys.length === 0) {
+      ctx.console.log('No API keys configured')
+    } else {
+      for (const [index, apiKey] of keys.entries()) {
+        ctx.console.log(`${index + 1}. ${apiKey}`)
+      }
+    }
+
+    return keys
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error)
+    ctx.console.error(message)
+    ctx.process.exit(1)
+    return [] // unreachable; satisfies TS that all paths return
+  }
+}
+
+export interface KeysAddOptions {
+  url?: string
+  key?: string
+}
+
+export async function cliproxyKeysAddAction(
+  apiKeyToAdd: string,
+  options: KeysAddOptions,
+  ctx: ActionCtx,
+): Promise<void> {
+  try {
+    const baseUrl = resolveBaseUrl(options.url)
+    const managementKey = resolveManagementKey(options.key)
+    const endpoint = `${baseUrl}/v0/management/api-keys`
+
+    const currentPayload = await requestJson(endpoint, {
+      method: 'GET',
+      headers: managementHeaders(managementKey),
+    })
+    const currentKeys = toStringArray(currentPayload)
+
+    if (currentKeys.includes(apiKeyToAdd)) {
+      ctx.console.log('Key already present; no update required.')
+      return
+    }
+
+    const nextKeys = [...currentKeys, apiKeyToAdd]
+    await requestJson(endpoint, {
+      method: 'PUT',
+      headers: managementHeaders(managementKey),
+      body: JSON.stringify(nextKeys),
+    })
+
+    ctx.console.log(`Added key "${apiKeyToAdd}". Current key count: ${nextKeys.length}.`)
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error)
+    ctx.console.error(message)
+    ctx.process.exit(1)
+  }
+}
+
+export interface KeysRemoveOptions {
+  url?: string
+  key?: string
+}
+
+export async function cliproxyKeysRemoveAction(
+  apiKeyToRemove: string,
+  options: KeysRemoveOptions,
+  ctx: ActionCtx,
+): Promise<void> {
+  try {
+    const baseUrl = resolveBaseUrl(options.url)
+    const managementKey = resolveManagementKey(options.key)
+    const params = new URLSearchParams({value: apiKeyToRemove})
+    const endpoint = `${baseUrl}/v0/management/api-keys?${params.toString()}`
+
+    const payload = await requestJson(endpoint, {
+      method: 'DELETE',
+      headers: managementHeaders(managementKey),
+    })
+
+    ctx.console.log(JSON.stringify(payload, null, 2))
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error)
+    ctx.console.error(message)
+    ctx.process.exit(1)
+  }
+}
+
 export function registerCliproxyKeys(cli: ReturnType<typeof goke>): void {
   cli
     .command('cliproxy keys list', 'List CLIProxyAPI API keys from the management API.')
@@ -80,28 +193,7 @@ export function registerCliproxyKeys(cli: ReturnType<typeof goke>): void {
       z.string().describe('Management API key. Falls back to CLIPROXY_MANAGEMENT_KEY when omitted.'),
     )
     .option('--json', 'Output raw JSON array instead of a numbered list.')
-    .action(async options => {
-      const baseUrl = resolveBaseUrl(options.url)
-      const managementKey = resolveManagementKey(options.key)
-      const endpoint = `${baseUrl}/v0/management/api-keys`
-      const payload = await requestJson(endpoint, {
-        method: 'GET',
-        headers: managementHeaders(managementKey),
-      })
-
-      const keys = toStringArray(payload)
-      console.error('⚠️  Output contains API keys — avoid logging or storing in shared locations')
-
-      if (options.json) {
-        console.log(JSON.stringify(keys, null, 2))
-      } else if (keys.length === 0) {
-        console.log('No API keys configured')
-      } else {
-        for (const [index, key] of keys.entries()) {
-          console.log(`${index + 1}. ${key}`)
-        }
-      }
-    })
+    .action(cliproxyKeysListAction)
 
   cli
     .command(
@@ -122,31 +214,7 @@ export function registerCliproxyKeys(cli: ReturnType<typeof goke>): void {
     )
     .example('# Add a new API key to the current key set')
     .example('infra cliproxy keys add sk-live-123')
-    .action(async (apiKeyToAdd, options) => {
-      const baseUrl = resolveBaseUrl(options.url)
-      const managementKey = resolveManagementKey(options.key)
-      const endpoint = `${baseUrl}/v0/management/api-keys`
-
-      const currentPayload = await requestJson(endpoint, {
-        method: 'GET',
-        headers: managementHeaders(managementKey),
-      })
-      const currentKeys = toStringArray(currentPayload)
-
-      if (currentKeys.includes(apiKeyToAdd)) {
-        console.log('Key already present; no update required.')
-        return
-      }
-
-      const nextKeys = [...currentKeys, apiKeyToAdd]
-      await requestJson(endpoint, {
-        method: 'PUT',
-        headers: managementHeaders(managementKey),
-        body: JSON.stringify(nextKeys),
-      })
-
-      console.log(`Added key "${apiKeyToAdd}". Current key count: ${nextKeys.length}.`)
-    })
+    .action(cliproxyKeysAddAction)
 
   cli
     .command('cliproxy keys remove <key>', 'Remove an API key via management API endpoint query parameter.')
@@ -164,17 +232,5 @@ export function registerCliproxyKeys(cli: ReturnType<typeof goke>): void {
     )
     .example('# Remove an API key from CLIProxyAPI')
     .example('infra cliproxy keys remove sk-live-123')
-    .action(async (apiKeyToRemove, options) => {
-      const baseUrl = resolveBaseUrl(options.url)
-      const managementKey = resolveManagementKey(options.key)
-      const params = new URLSearchParams({value: apiKeyToRemove})
-      const endpoint = `${baseUrl}/v0/management/api-keys?${params.toString()}`
-
-      const payload = await requestJson(endpoint, {
-        method: 'DELETE',
-        headers: managementHeaders(managementKey),
-      })
-
-      console.log(JSON.stringify(payload, null, 2))
-    })
+    .action(cliproxyKeysRemoveAction)
 }

package/src/commands/cliproxy/login.test.ts

@@ -1,13 +1,13 @@
-import {resolve} from 'node:path'
-import {afterEach, beforeEach, describe, expect, it} from 'bun:test'
+import type {SpawnFn} from './login'
 
-const cliDir = resolve(import.meta.dir, '../../..')
+import {afterEach, beforeEach, describe, expect, it} from 'bun:test'
 
 const envKeys = ['CLIPROXY_DOMAIN', 'HOME', 'PATH', 'SSH_AUTH_SOCK'] as const
 
 type ManagedEnvKey = (typeof envKeys)[number]
 
 let originalEnv: Partial<Record<ManagedEnvKey, string | undefined>>
+let originalIsTTY: boolean | undefined
 
 function restoreManagedEnv(): void {
   for (const key of envKeys) {
@@ -22,80 +22,84 @@ function restoreManagedEnv(): void {
   }
 }
 
-async function runLoginCommand(
-  args: string[],
-  envOverrides: Partial<Record<ManagedEnvKey, string | undefined>> = {},
-): Promise<{stdout: string; stderr: string; exitCode: number}> {
-  const env = {...process.env}
-
-  for (const [key, value] of Object.entries(envOverrides)) {
-    if (value === undefined) {
-      delete env[key]
-      continue
-    }
-
-    env[key] = value
+/** Minimal SpawnFn mock for inherit-stdio calls — records invocations and resolves with exitCode. */
+function makeSpawnOk(exitCode = 0): {spawnFn: SpawnFn; calls: {cmd: string[]; opts: unknown}[]} {
+  const calls: {cmd: string[]; opts: unknown}[] = []
+  const spawnFn: SpawnFn = (cmd, opts) => {
+    calls.push({cmd, opts})
+    return {exited: Promise.resolve(exitCode)}
   }
 
-  const proc = Bun.spawn(['bun', 'src/cli.ts', 'cliproxy', 'login', ...args], {
-    cwd: cliDir,
-    env: {
-      ...env,
-      HOME: env.HOME ?? '/tmp/test-home',
-      NO_COLOR: '1',
-      PATH: env.PATH ?? '/usr/bin:/bin',
-      SSH_AUTH_SOCK: env.SSH_AUTH_SOCK ?? '/tmp/test-sock',
-    },
-    stdout: 'pipe',
-    stderr: 'pipe',
-  })
+  return {spawnFn, calls}
+}
 
-  const [stdout, stderr, exitCode] = await Promise.all([
-    new Response(proc.stdout).text(),
-    new Response(proc.stderr).text(),
-    proc.exited,
-  ])
+// Helper: a SpawnFn that must never be called (proves provider check fires before spawn)
+const neverSpawn: SpawnFn = () => {
+  throw new Error('spawn must not be called for invalid provider')
+}
 
-  return {stdout, stderr, exitCode}
+// Helper: set up a valid TTY + env so spawn-path tests can reach the spawn call
+function setValidEnv(): void {
+  Object.defineProperty(process.stdin, 'isTTY', {value: true, configurable: true})
+  process.env.SSH_AUTH_SOCK = '/tmp/test-agent.sock'
+  process.env.PATH = process.env.PATH ?? '/usr/bin'
+  process.env.HOME = process.env.HOME ?? '/root'
 }
 
 describe('cliproxy login', () => {
   beforeEach(() => {
     originalEnv = Object.fromEntries(envKeys.map(key => [key, process.env[key]]))
+    originalIsTTY = process.stdin.isTTY
   })
 
   afterEach(() => {
     restoreManagedEnv()
+    Object.defineProperty(process.stdin, 'isTTY', {value: originalIsTTY, configurable: true})
   })
 
   describe('validation', () => {
     it('rejects unsupported providers', async () => {
-      const {stderr, exitCode} = await runLoginCommand(['openai'])
-      expect(exitCode).not.toBe(0)
-      expect(stderr).toContain('Unsupported provider')
-      expect(stderr).toContain('only "claude" is supported')
+      const {cliproxyLoginAction} = await import('./login')
+      const {spawnFn} = makeSpawnOk()
+
+      // Provider check happens before TTY check — no need to set isTTY
+      await expect(cliproxyLoginAction('openai', {}, spawnFn)).rejects.toThrow('Unsupported provider')
+      await expect(cliproxyLoginAction('openai', {}, spawnFn)).rejects.toThrow('Supported: claude, codex.')
     })
 
     it('requires interactive terminal (checked before SSH_AUTH_SOCK)', async () => {
-      const {stderr, exitCode} = await runLoginCommand(['claude'], {SSH_AUTH_SOCK: undefined})
-      expect(exitCode).not.toBe(0)
-      expect(stderr).toContain('interactive terminal')
+      const {cliproxyLoginAction} = await import('./login')
+      const {spawnFn} = makeSpawnOk()
+
+      // Simulate non-TTY environment (as subprocess tests did)
+      Object.defineProperty(process.stdin, 'isTTY', {value: false, configurable: true})
+
+      await expect(cliproxyLoginAction('claude', {}, spawnFn)).rejects.toThrow('interactive terminal')
     })
   })
 
   describe('host resolution', () => {
     it('uses CLIPROXY_DOMAIN env var', async () => {
-      const {stderr, exitCode} = await runLoginCommand(['claude'], {
-        CLIPROXY_DOMAIN: 'custom.host.example',
-      })
-      expect(exitCode).not.toBe(0)
-      expect(stderr).toContain('interactive terminal')
+      const {cliproxyLoginAction} = await import('./login')
+      const {spawnFn} = makeSpawnOk()
+
+      Object.defineProperty(process.stdin, 'isTTY', {value: false, configurable: true})
+      process.env.CLIPROXY_DOMAIN = 'custom.host.example'
+
+      // TTY check fires before host resolution — error is about TTY
+      await expect(cliproxyLoginAction('claude', {}, spawnFn)).rejects.toThrow('interactive terminal')
     })
 
     it('uses --host flag', async () => {
-      const {stderr, exitCode} = await runLoginCommand(['claude', '--host', 'custom.host.example'])
-      expect(exitCode).not.toBe(0)
-      expect(stderr).toContain('interactive terminal')
+      const {cliproxyLoginAction} = await import('./login')
+      const {spawnFn} = makeSpawnOk()
+
+      Object.defineProperty(process.stdin, 'isTTY', {value: false, configurable: true})
+
+      // TTY check fires before host resolution — error is about TTY
+      await expect(cliproxyLoginAction('claude', {host: 'custom.host.example'}, spawnFn)).rejects.toThrow(
+        'interactive terminal',
+      )
     })
   })
 
@@ -131,4 +135,154 @@ describe('cliproxy login', () => {
       expect(() => requireSshAuthSock()).toThrow('SSH_AUTH_SOCK is required')
     })
   })
+
+  describe('provider flags', () => {
+    it('happy path — codex: spawn args contain --codex-device-login and --no-browser', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+      const {spawnFn, calls} = makeSpawnOk(0)
+      setValidEnv()
+
+      await cliproxyLoginAction('codex', {}, spawnFn)
+
+      const cmd = calls[0]!.cmd
+      expect(cmd.join(' ')).toContain('--codex-device-login')
+      expect(cmd.join(' ')).toContain('--no-browser')
+      expect(cmd.join(' ')).not.toContain('--codex-login ')
+    })
+
+    it('happy path — claude regression: spawn args contain --claude-login and --no-browser', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+      const {spawnFn, calls} = makeSpawnOk(0)
+      setValidEnv()
+
+      await cliproxyLoginAction('claude', {}, spawnFn)
+
+      const cmd = calls[0]!.cmd
+      expect(cmd.join(' ')).toContain('--claude-login')
+      expect(cmd.join(' ')).toContain('--no-browser')
+    })
+
+    it('error path — unknown provider "chatgpt": rejects with correct message, no spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+
+      await expect(cliproxyLoginAction('chatgpt', {}, neverSpawn)).rejects.toThrow(
+        'Unsupported provider "chatgpt". Supported: claude, codex.',
+      )
+    })
+
+    it('error path — empty provider: rejects with correct message, no spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+
+      await expect(cliproxyLoginAction('', {}, neverSpawn)).rejects.toThrow(
+        'Unsupported provider "". Supported: claude, codex.',
+      )
+    })
+
+    it('error path — malformed provider path traversal: rejects with correct message, no spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+
+      await expect(cliproxyLoginAction('../../../etc/passwd', {}, neverSpawn)).rejects.toThrow(
+        'Unsupported provider "../../../etc/passwd". Supported: claude, codex.',
+      )
+    })
+
+    it('error path — prototype-chain bypass "__proto__": rejects with correct message, no spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+
+      await expect(cliproxyLoginAction('__proto__', {}, neverSpawn)).rejects.toThrow(
+        'Unsupported provider "__proto__". Supported: claude, codex.',
+      )
+    })
+
+    it('error path — prototype-chain bypass "constructor": rejects with correct message, no spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+
+      await expect(cliproxyLoginAction('constructor', {}, neverSpawn)).rejects.toThrow(
+        'Unsupported provider "constructor". Supported: claude, codex.',
+      )
+    })
+
+    it('error path — prototype-chain bypass "hasOwnProperty": rejects with correct message, no spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+
+      await expect(cliproxyLoginAction('hasOwnProperty', {}, neverSpawn)).rejects.toThrow(
+        'Unsupported provider "hasOwnProperty". Supported: claude, codex.',
+      )
+    })
+  })
+
+  describe('host validation', () => {
+    it('rejects --host with a leading dash (ProxyCommand injection vector), no spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+      setValidEnv()
+
+      await expect(cliproxyLoginAction('codex', {host: '-oProxyCommand=evil'}, neverSpawn)).rejects.toThrow(
+        'Invalid CLIPROXY_DOMAIN',
+      )
+    })
+
+    it('rejects CLIPROXY_DOMAIN env with a leading dash, no spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+      setValidEnv()
+      process.env.CLIPROXY_DOMAIN = '-oProxyCommand=evil'
+
+      await expect(cliproxyLoginAction('codex', {}, neverSpawn)).rejects.toThrow('Invalid CLIPROXY_DOMAIN')
+    })
+
+    it('rejects --host with shell metacharacters (semicolon), no spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+      setValidEnv()
+
+      await expect(cliproxyLoginAction('codex', {host: 'gateway.example.com;rm -rf'}, neverSpawn)).rejects.toThrow(
+        'Invalid CLIPROXY_DOMAIN',
+      )
+    })
+  })
+
+  describe('anti-phishing notice', () => {
+    let logLines: string[]
+    let originalLog: typeof console.log
+
+    beforeEach(() => {
+      logLines = []
+      originalLog = console.log
+      console.log = (...args: unknown[]) => {
+        logLines.push(args.map(String).join(' '))
+      }
+    })
+
+    afterEach(() => {
+      console.log = originalLog
+    })
+
+    it('codex: anti-phishing notice appears before spawn', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+      const linesBeforeSpawn: string[] = []
+      let spawnCalled = false
+
+      const trackingSpawn: SpawnFn = (_cmd, _opts) => {
+        linesBeforeSpawn.push(...logLines)
+        spawnCalled = true
+        return {exited: Promise.resolve(0)}
+      }
+
+      setValidEnv()
+      await cliproxyLoginAction('codex', {}, trackingSpawn)
+
+      expect(spawnCalled).toBe(true)
+      const allOutput = linesBeforeSpawn.join('\n')
+      expect(allOutput).toMatch(/openai\.com/i)
+    })
+
+    it('claude: anti-phishing notice does NOT appear', async () => {
+      const {cliproxyLoginAction} = await import('./login')
+      const {spawnFn} = makeSpawnOk(0)
+      setValidEnv()
+
+      await cliproxyLoginAction('claude', {}, spawnFn)
+
+      const allOutput = logLines.join('\n')
+      expect(allOutput).not.toMatch(/openai\.com/)
+    })
+  })
 })

package/src/commands/cliproxy/login.ts

@@ -2,9 +2,27 @@ import type {goke} from 'goke'
 
 import {z} from 'zod'
 
+import {validateCliproxyHost} from './host'
+
 const DEFAULT_HOST = 'cliproxy.fro.bot'
 const DEFAULT_REMOTE_USER = 'root'
 
+const PROVIDER_FLAGS = {
+  claude: '--claude-login',
+  codex: '--codex-device-login',
+} as const satisfies Record<string, string>
+
+const SUPPORTED_PROVIDERS_DISPLAY = Object.keys(PROVIDER_FLAGS).join(', ')
+
+export type SpawnFn = (
+  cmd: string[],
+  opts: {env: Record<string, string>; stdin: 'inherit'; stdout: 'inherit'; stderr: 'inherit'},
+) => {exited: Promise<number>}
+
+export interface LoginOptions {
+  host?: string
+}
+
 export function resolveHost(input?: string): string {
   const host = input ?? process.env.CLIPROXY_DOMAIN ?? DEFAULT_HOST
 
@@ -24,11 +42,72 @@ export function requireSshAuthSock(): string {
   return sshAuthSock
 }
 
+export async function cliproxyLoginAction(
+  provider: string,
+  options: LoginOptions,
+  spawnFn: SpawnFn = Bun.spawn,
+): Promise<void> {
+  if (!Object.prototype.hasOwnProperty.call(PROVIDER_FLAGS, provider)) {
+    throw new Error(`Unsupported provider "${provider}". Supported: ${SUPPORTED_PROVIDERS_DISPLAY}.`)
+  }
+  const providerFlag = PROVIDER_FLAGS[provider as keyof typeof PROVIDER_FLAGS]
+
+  if (!process.stdin.isTTY) {
+    throw new Error('cliproxy login requires an interactive terminal. Run from a shell with TTY attached.')
+  }
+
+  const host = validateCliproxyHost(resolveHost(options.host))
+  const sshAuthSock = requireSshAuthSock()
+  const path = process.env.PATH
+  const home = process.env.HOME
+
+  if (!path) {
+    throw new Error('PATH is required to invoke ssh')
+  }
+
+  if (!home) {
+    throw new Error('HOME is required to invoke ssh')
+  }
+
+  if (provider === 'codex') {
+    console.log()
+    console.log('  Verify the URL')
+    console.log('  ─────────────')
+    console.log("  Codex login uses OpenAI's device-code flow. The droplet will print a code")
+    console.log('  and a URL. Before entering the code, verify the URL points to openai.com —')
+    console.log('  only complete the flow on the official OpenAI domain.')
+    console.log()
+  }
+
+  const remoteCommand = `cd /opt/cliproxy && docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI --no-browser ${providerFlag}`
+
+  const child = spawnFn(
+    ['ssh', '-tt', '-o', 'BatchMode=yes', '-o', 'ConnectTimeout=10', `${DEFAULT_REMOTE_USER}@${host}`, remoteCommand],
+    {
+      env: {
+        PATH: path,
+        HOME: home,
+        SSH_AUTH_SOCK: sshAuthSock,
+      },
+      stdin: 'inherit',
+      stdout: 'inherit',
+      stderr: 'inherit',
+    },
+  )
+
+  const exitCode = await child.exited
+  if (exitCode !== 0) {
+    throw new Error(`Remote login command failed with exit code ${exitCode}`)
+  }
+
+  console.log('If an OAuth URL was printed above, open it in your browser to complete login.')
+}
+
 export function registerCliproxyLogin(cli: ReturnType<typeof goke>): void {
   cli
     .command(
       'cliproxy login <provider>',
-      'Run provider login on the remote CLIProxyAPI host and print OAuth URL output.',
+      `Run provider login on the remote CLIProxyAPI host. Supported providers: ${SUPPORTED_PROVIDERS_DISPLAY}.`,
     )
     .option(
       '--host [host]',
@@ -38,59 +117,7 @@ export function registerCliproxyLogin(cli: ReturnType<typeof goke>): void {
     )
     .example('# Start Claude login flow on remote CLIProxyAPI instance')
     .example('infra cliproxy login claude')
-    .action(async (provider, options) => {
-      if (provider !== 'claude') {
-        throw new Error(`Unsupported provider "${provider}". Currently only "claude" is supported.`)
-      }
-
-      if (!process.stdin.isTTY) {
-        throw new Error('cliproxy login requires an interactive terminal. Run from a shell with TTY attached.')
-      }
-
-      const host = resolveHost(options.host)
-      const sshAuthSock = requireSshAuthSock()
-      const path = process.env.PATH
-      const home = process.env.HOME
-
-      if (!path) {
-        throw new Error('PATH is required to invoke ssh')
-      }
-
-      if (!home) {
-        throw new Error('HOME is required to invoke ssh')
-      }
-
-      const remoteCommand =
-        'cd /opt/cliproxy && docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI --no-browser --claude-login'
-
-      const child = Bun.spawn(
-        [
-          'ssh',
-          '-tt',
-          '-o',
-          'BatchMode=yes',
-          '-o',
-          'ConnectTimeout=10',
-          `${DEFAULT_REMOTE_USER}@${host}`,
-          remoteCommand,
-        ],
-        {
-          env: {
-            PATH: path,
-            HOME: home,
-            SSH_AUTH_SOCK: sshAuthSock,
-          },
-          stdin: 'inherit',
-          stdout: 'inherit',
-          stderr: 'inherit',
-        },
-      )
-
-      const exitCode = await child.exited
-      if (exitCode !== 0) {
-        throw new Error(`Remote login command failed with exit code ${exitCode}`)
-      }
-
-      console.log('If an OAuth URL was printed above, open it in your browser to complete login.')
-    })
+    .example('# Start ChatGPT Pro login flow via device-code')
+    .example('infra cliproxy login codex')
+    .action((provider, options) => cliproxyLoginAction(provider, options))
 }