@marcusrbrown/infra 0.5.0 → 0.7.0

package/src/commands/cliproxy/setup.ts

@@ -3,7 +3,7 @@
 import type {SpinnerResult} from '@clack/prompts'
 import type {goke} from 'goke'
 
-import {cancel, confirm, intro, isCancel, log, note, outro, select, spinner, text} from '@clack/prompts'
+import {cancel, confirm, intro, isCancel, log, multiselect, note, outro, select, spinner, text} from '@clack/prompts'
 import {z} from 'zod'
 
 import {resolveManagementKey} from './config'
@@ -11,8 +11,6 @@ import {toStringArray} from './keys'
 
 const DEFAULT_CLIPROXY_URL = 'https://cliproxy.fro.bot'
 const HTTP_TIMEOUT_MS = 10_000
-const DEFAULT_OMO_PROVIDERS = 'claude-max20'
-const DEFAULT_FRO_BOT_MODEL = 'anthropic/claude-sonnet-4-6'
 
 const harnessSchema = z.enum(['opencode', 'claude-code', 'generic'])
 const ghRepoViewSchema = z.object({
@@ -23,10 +21,146 @@ const ghNameListSchema = z.array(z.object({name: z.string()}))
 
 export type Harness = z.infer<typeof harnessSchema>
 
+const providerIdSchema = z.enum(['anthropic', 'openai'])
+export type ProviderId = z.infer<typeof providerIdSchema>
+
+const MODEL_ID_RE = /^(?:anthropic|openai)\/[a-z\d](?:[a-z\d.\-]*[a-z\d])?$/
+
+/**
+ * Parse a comma-separated provider list string into a validated ProviderId array.
+ * Rejects empty input, unknown providers, and duplicates.
+ */
+export function parseProviders(input: string): ProviderId[] {
+  const parts = input
+    .split(',')
+    .map(p => p.trim())
+    .filter(Boolean)
+
+  if (parts.length === 0) {
+    throw new Error('--providers must not be empty. Supported values: anthropic, openai')
+  }
+
+  const parsed = parts.map(p => {
+    const result = providerIdSchema.safeParse(p)
+    if (!result.success) {
+      throw new Error(`Unknown provider "${p}". Supported values: anthropic, openai`)
+    }
+    return result.data
+  })
+
+  const deduped = new Set(parsed)
+  if (deduped.size < parsed.length) {
+    throw new Error(`--providers contains duplicate values: ${parsed.join(',')}`)
+  }
+
+  return parsed
+}
+
+const PROVIDER_DEFAULTS: Record<ProviderId, string> = {
+  anthropic: 'anthropic/claude-sonnet-4-6',
+  openai: 'openai/gpt-5.4-mini',
+}
+
+const CUSTOM_MODEL_SENTINEL = '__custom__'
+
+/**
+ * Interactively prompt the user to select one or more providers.
+ * Anthropic is pre-checked. Empty selection re-prompts.
+ */
+export async function promptForProviders(): Promise<ProviderId[]> {
+  let providers: ProviderId[] = []
+
+  do {
+    const result = await multiselect<ProviderId>({
+      message: 'Select providers to configure',
+      options: [
+        {value: 'anthropic', label: 'Anthropic'},
+        {value: 'openai', label: 'OpenAI'},
+      ],
+      initialValues: ['anthropic'],
+      required: false,
+    })
+
+    if (isCancel(result)) {
+      cancelAndExit('Setup cancelled before selecting providers.')
+    }
+
+    providers = result as ProviderId[]
+  } while (providers.length === 0)
+
+  return providers
+}
+
+/**
+ * Interactively prompt the user to select a default model.
+ * When only one provider is selected, returns that provider's default immediately.
+ * When multiple providers are selected, shows a select with preset options and a custom entry.
+ */
+export async function promptForModel(providers: ProviderId[]): Promise<string> {
+  if (providers.length === 1) {
+    return PROVIDER_DEFAULTS[providers[0] as ProviderId]
+  }
+
+  const chosen = await select<string>({
+    message: 'Choose a default model',
+    options: [
+      {value: 'openai/gpt-5.4-mini', label: 'openai/gpt-5.4-mini'},
+      {value: 'anthropic/claude-sonnet-4-6', label: 'anthropic/claude-sonnet-4-6'},
+      {value: CUSTOM_MODEL_SENTINEL, label: 'Enter custom model ID...'},
+    ],
+  })
+
+  if (isCancel(chosen)) {
+    cancelAndExit('Setup cancelled before selecting a model.')
+  }
+
+  if (chosen === CUSTOM_MODEL_SENTINEL) {
+    return promptForCustomModel()
+  }
+
+  return chosen as string
+}
+
+async function promptForCustomModel(): Promise<string> {
+  let modelId: string | undefined
+
+  do {
+    const result = await text({
+      message: 'Enter a custom model ID (e.g. openai/gpt-5.4-mini)',
+      placeholder: 'provider/model-name',
+      validate: value => {
+        if (!MODEL_ID_RE.test(value ?? '')) {
+          return 'Model ID must match provider/model-name (lowercase, digits, dots, hyphens only)'
+        }
+        return undefined
+      },
+    })
+
+    if (isCancel(result)) {
+      cancelAndExit('Setup cancelled before entering a custom model ID.')
+    }
+
+    const candidate = result as string
+    if (MODEL_ID_RE.test(candidate)) {
+      modelId = candidate
+    }
+    // If the mock bypasses clack's internal validate and returns a bad value,
+    // loop again to re-prompt.
+  } while (!modelId)
+
+  return modelId
+}
+
 export interface SetupOptions {
   key?: string
   repo?: string
   harness?: Harness
+  /** Raw comma-separated provider list string (e.g. "anthropic,openai"). Use parseProviders() to validate. */
+  providers?: string
+  model?: string
+  force?: boolean
+  dryRun?: boolean
+  verifySmoke?: boolean
 }
 
 export interface SecretAssignment {
@@ -77,7 +211,26 @@ export function validateSetupOptions(options: SetupOptions, isInteractive: boole
     return
   }
 
-  if (!options.key) {
+  // Validate providers/model first (independent of key/repo/harness)
+  if (options.providers) {
+    const providers = parseProviders(options.providers)
+
+    if (providers.length > 1 && !options.model) {
+      throw new Error('Pass --model <provider/model-id> when selecting multiple providers.')
+    }
+
+    if (options.model) {
+      const slashIndex = options.model.indexOf('/')
+      const prefix = slashIndex === -1 ? options.model : options.model.slice(0, slashIndex)
+      if (!providers.includes(prefix as ProviderId)) {
+        throw new Error(
+          `Model prefix ${prefix} does not match selected providers (${providers.join(', ')}). Valid prefixes: ${providers.join(', ')}/`,
+        )
+      }
+    }
+  }
+
+  if (!options.dryRun && !options.key) {
     throw new Error('--key is required when stdin is not a TTY. Provide an existing CLIProxyAPI key value.')
   }
 
@@ -100,31 +253,69 @@ export function getHarnessTemplate(
     keyValue?: string
     baseUrl?: string
     genericSecretNames?: GenericSecretNames
+    providers?: ProviderId[]
+    model?: string
   } = {},
 ): HarnessTemplate {
   const keyValue = values.keyValue ?? 'sk-placeholder'
   const baseUrl = stripTrailingSlash(values.baseUrl ?? DEFAULT_CLIPROXY_URL)
 
   if (harness === 'opencode') {
+    // Normalize provider list: default to anthropic-only, always sort anthropic first
+    const rawProviders = values.providers ?? ['anthropic']
+    // Stable ordering: anthropic always before openai regardless of input order
+    const PROVIDER_ORDER: ProviderId[] = ['anthropic', 'openai']
+    const providers = PROVIDER_ORDER.filter(p => rawProviders.includes(p))
+
+    // Resolve model
+    let model: string
+    if (values.model) {
+      model = values.model
+    } else if (providers.length === 1) {
+      model = PROVIDER_DEFAULTS[providers[0] as ProviderId]
+    } else {
+      throw new Error('model required when multiple providers selected')
+    }
+
+    // OMO_PROVIDERS token map
+    const OMO_TOKEN: Record<ProviderId, string> = {
+      anthropic: 'claude-max20',
+      openai: 'openai',
+    }
+
+    // Build auth JSON object (anthropic-first insertion order)
+    const authObj: Record<string, {type: string; key: string}> = {}
+    for (const p of providers) {
+      authObj[p] = {type: 'api', key: keyValue}
+    }
+
+    // Build config JSON object (anthropic-first insertion order)
+    const providerConfig: Record<string, {options: {baseURL: string}}> = {}
+    for (const p of providers) {
+      providerConfig[p] = {options: {baseURL: `${baseUrl}/v1`}}
+    }
+
+    const omoProviders = providers.map(p => OMO_TOKEN[p]).join(',')
+
     return {
       secrets: [
         {
           name: 'OPENCODE_AUTH_JSON',
-          value: JSON.stringify({anthropic: {type: 'api', key: keyValue}}),
+          value: JSON.stringify(authObj),
         },
         {
           name: 'OPENCODE_CONFIG',
-          value: JSON.stringify({provider: {anthropic: {options: {baseURL: `${baseUrl}/v1`}}}}),
+          value: JSON.stringify({provider: providerConfig}),
         },
         {
           name: 'OMO_PROVIDERS',
-          value: DEFAULT_OMO_PROVIDERS,
+          value: omoProviders,
         },
       ],
       variables: [
         {
           name: 'FRO_BOT_MODEL',
-          value: DEFAULT_FRO_BOT_MODEL,
+          value: model,
         },
       ],
     }
@@ -344,6 +535,11 @@ export type FroBotWorkflowCheck =
 // github-token and prompt are intentionally excluded from this check:
 // github-token is harness-agnostic (PAT wiring, not secret-routing) and prompt is
 // workflow-defined (the user's prompt body, not a harness default).
+//
+// NOTE: `enable-omo: true` is NOT a required input.
+// For proxy-routed providers configured via OPENCODE_CONFIG.provider.<name>.options.baseURL,
+// the fro-bot/agent action honors auth.json directly (regardless of oMo state).
+// Source: fro-bot/agent@v0.44.3+ action.yaml lines 99-104; verified by librarian 2026-05-25.
 const REQUIRED_OPENCODE_INPUTS = ['auth-json', 'opencode-config', 'omo-providers', 'model'] as const
 
 /**
@@ -452,6 +648,82 @@ export function formatWorkflowSnippet(missingInputs: readonly string[]): string
   return missingInputs.map(input => `          ${inputMap[input]}`).join('\n')
 }
 
+/**
+ * Pre-mutation validator: probes /v1/models to assert the resolved model is
+ * available and (when providers includes openai) that at least one OpenAI model
+ * is present on the proxy.
+ *
+ * Short-circuits immediately for anthropic-only setups — no fetch is made.
+ * Never echoes the Authorization header in any error message.
+ */
+export async function verifyModelsAvailable(
+  baseUrl: string,
+  key: string,
+  providers: ProviderId[],
+  model: string,
+): Promise<void> {
+  // Anthropic-only: no fetch needed
+  if (providers.length === 1 && providers[0] === 'anthropic') {
+    return
+  }
+
+  const endpoint = `${baseUrl}/v1/models`
+  const response = await fetch(endpoint, {
+    headers: {Authorization: `Bearer ${key}`},
+    signal: AbortSignal.timeout(10_000),
+  })
+
+  if (response.status === 401 || response.status === 403) {
+    throw new Error('Proxy key rejected. Verify with `cliproxy keys list` or rerun setup to create a new one.')
+  }
+
+  if (!response.ok) {
+    const rawBody = await response.text()
+    // Redact any Authorization headers or sk-* token-shaped strings that the server might echo
+    const redacted = rawBody
+      .replaceAll(/Bearer\s+[^\s"]+/g, 'Bearer <redacted>')
+      .replaceAll(/sk-[\w.-]{8,}/g, 'sk-<redacted>')
+    const excerpt = redacted.slice(0, 200)
+    throw new Error(`/v1/models returned HTTP ${response.status}: ${excerpt}`)
+  }
+
+  const json = (await response.json()) as unknown
+  const data = (json as Record<string, unknown>)?.data
+
+  if (!Array.isArray(data)) {
+    throw new TypeError('Unexpected response from /v1/models: data is not an array.')
+  }
+
+  interface ModelEntry {
+    id: string
+    owned_by: string
+  }
+  const entries = data as ModelEntry[]
+
+  // OpenAI presence check
+  if (providers.includes('openai')) {
+    const hasOpenAi = entries.some(e => e.owned_by === 'openai')
+    if (!hasOpenAi) {
+      throw new Error('No OpenAI models on proxy — is the Codex token loaded? Try `cliproxy login codex`.')
+    }
+  }
+
+  // Model presence check: strip provider prefix to get bare id
+  const slashIndex = model.indexOf('/')
+  const bareId = slashIndex === -1 ? model : model.slice(slashIndex + 1)
+  const providerPrefix = slashIndex >= 0 ? model.slice(0, slashIndex) : undefined
+
+  const modelPresent = entries.some(e => e.id === bareId)
+  if (!modelPresent) {
+    // List available ids for the matching provider only
+    const matchingIds = providerPrefix
+      ? entries.filter(e => e.owned_by === providerPrefix).map(e => e.id)
+      : entries.map(e => e.id)
+    const available = matchingIds.length > 0 ? matchingIds.join(', ') : '(none)'
+    throw new Error(`Model "${bareId}" not found on proxy. Available ${providerPrefix ?? 'models'}: ${available}`)
+  }
+}
+
 async function assertProxyReachable(baseUrl: string): Promise<void> {
   try {
     const response = await fetch(baseUrl, {
@@ -706,6 +978,14 @@ async function buildInteractivePlan(options: SetupOptions, baseUrl: string): Pro
         ),
       )
 
+  let providers: ProviderId[] | undefined
+  let model: string | undefined
+
+  if (harness === 'opencode') {
+    providers = await promptForProviders()
+    model = await promptForModel(providers)
+  }
+
   const keyValue = options.key ?? buildApiKeyValue(keyName ?? 'cliproxy')
   const genericSecretNames = harness === 'generic' ? await promptGenericSecretNames() : undefined
 
@@ -715,21 +995,303 @@ async function buildInteractivePlan(options: SetupOptions, baseUrl: string): Pro
     keyValue,
     keyName,
     createKey,
-    template: getHarnessTemplate(harness, {keyValue, baseUrl, genericSecretNames}),
+    template: getHarnessTemplate(harness, {keyValue, baseUrl, genericSecretNames, providers, model}),
+  }
+}
+
+/**
+ * Returns true when the provider list includes anything beyond anthropic-only.
+ * Anthropic-only repos see no behavior change (G7 invariant).
+ */
+export function mustConfirmDestructive(providers: ProviderId[]): boolean {
+  return !(providers.length === 1 && providers[0] === 'anthropic')
+}
+
+export interface DryRunPreviewOptions {
+  repo: string
+  harness: Harness
+  providers: ProviderId[]
+  model: string
+  template: HarnessTemplate
+}
+
+/**
+ * Format a dry-run preview string. The proxy key value is NEVER included —
+ * it is rendered as `<proxy-key>` in all positions.
+ */
+export function formatDryRunPreview(opts: DryRunPreviewOptions): string {
+  const {repo, harness, providers, model, template} = opts
+
+  const lines: string[] = [
+    `Dry run: cliproxy setup --harness ${harness}`,
+    `Repository: ${repo}`,
+    `Providers: ${providers.join(', ')}`,
+    `Model: ${model}`,
+    'Planned secrets:',
+  ]
+
+  for (const secret of template.secrets) {
+    const size = new TextEncoder().encode(secret.value).byteLength
+    lines.push(`  - ${secret.name} (${size} bytes)`)
+  }
+
+  lines.push('Planned variables:')
+  for (const variable of template.variables) {
+    lines.push(`  - ${variable.name} = ${variable.value}`)
   }
+
+  lines.push('Proxy key (redacted): <proxy-key>')
+  lines.push('No mutations will be performed.')
+
+  return lines.join('\n')
 }
 
-function buildNonInteractivePlan(options: SetupOptions, baseUrl: string): SetupPlan {
+export async function buildNonInteractivePlan(options: SetupOptions, baseUrl: string): Promise<SetupPlan> {
   const harness = harnessSchema.parse(options.harness)
   const repo = ensureRepoFormat(options.repo ?? '')
   const keyValue = options.key ?? ''
 
+  const providers: ProviderId[] = options.providers ? parseProviders(options.providers) : ['anthropic']
+
+  let model: string
+  if (options.model) {
+    model = options.model
+  } else if (providers.length === 1) {
+    model = PROVIDER_DEFAULTS[providers[0] as ProviderId]
+  } else {
+    // Unreachable: validateSetupOptions enforces model when providers.length > 1
+    throw new Error('Pass --model <provider/model-id> when selecting multiple providers.')
+  }
+
+  // --dry-run: skip verifyModelsAvailable and force check; return plan for preview
+  if (options.dryRun) {
+    return {
+      repo,
+      harness,
+      keyValue,
+      createKey: false,
+      template: getHarnessTemplate(harness, {keyValue: keyValue || 'sk-placeholder', baseUrl, providers, model}),
+    }
+  }
+
+  await verifyModelsAvailable(baseUrl, keyValue, providers, model)
+
+  // Destructive overwrite gate: non-anthropic-only requires --force in non-interactive mode
+  if (mustConfirmDestructive(providers) && !options.force) {
+    throw new Error(
+      'Pass `--force` to confirm overwriting existing OPENCODE_AUTH_JSON/OPENCODE_CONFIG/OMO_PROVIDERS/FRO_BOT_MODEL. Run with `--dry-run` first to preview.',
+    )
+  }
+
   return {
     repo,
     harness,
     keyValue,
     createKey: false,
-    template: getHarnessTemplate(harness, {keyValue, baseUrl}),
+    template: getHarnessTemplate(harness, {keyValue, baseUrl, providers, model}),
+  }
+}
+
+// ─── Smoke test runner ────────────────────────────────────────────────────────
+
+export type SmokeResult =
+  | {kind: 'pass'; message: string; runUrl: string}
+  | {kind: 'fail'; message: string; runUrl: string}
+  | {kind: 'unverified'; message: string; runUrl?: string}
+
+interface GhRunEntry {
+  databaseId: number
+  status: string
+  conclusion: string | null
+  url: string
+  createdAt: string
+}
+
+/** Options for testability: override poll delays and trigger time. */
+interface SmokeTestInternals {
+  /** Override per-poll delay in ms (default: real backoff schedule). */
+  _testDelayMs?: number
+  /** Override the trigger timestamp used for createdAt heuristic. */
+  _testTriggerTime?: Date
+}
+
+/**
+ * Run an optional post-mutation smoke test by triggering `fro-bot.yaml` and
+ * polling for completion. Returns a non-blocking SmokeResult — never throws.
+ *
+ * Race-safe: captures the highest existing run ID before triggering, then
+ * filters poll results to runs with databaseId > baselineId. When no prior
+ * runs exist (baselineId=null), falls back to createdAt > triggerTime.
+ *
+ * Known edge case: if a concurrent contributor's run appears before ours,
+ * we pick the highest databaseId above baseline — this may misattribute
+ * the concurrent run as ours. This is the best heuristic available without
+ * a run-specific correlation ID from `gh workflow run`.
+ */
+export async function runSmokeTest(
+  repo: string,
+  _model: string,
+  internals: SmokeTestInternals = {},
+): Promise<SmokeResult> {
+  const BACKOFF_MS = [5_000, 15_000, 30_000, 60_000, 60_000]
+  const delayFn = async (ms: number): Promise<void> => {
+    if (internals._testDelayMs !== undefined) {
+      if (internals._testDelayMs > 0) {
+        await new Promise(resolve => setTimeout(resolve, internals._testDelayMs))
+      }
+      return
+    }
+    await new Promise(resolve => setTimeout(resolve, ms))
+  }
+
+  const repoUrl = `https://github.com/${repo}`
+
+  // ── Step 1: Capture baseline run ID ──────────────────────────────────────
+  let baselineId: number | null = null
+  try {
+    const baselineChild = Bun.spawn(
+      ['gh', 'run', 'list', '--workflow=fro-bot.yaml', '--repo', repo, '--limit', '1', '--json', 'databaseId'],
+      {stdout: 'pipe', stderr: 'pipe', env: process.env},
+    )
+    const [baselineStdout, , baselineExit] = await Promise.all([
+      new Response(baselineChild.stdout).text(),
+      new Response(baselineChild.stderr).text(),
+      baselineChild.exited,
+    ])
+    if (baselineExit === 0) {
+      const parsed = JSON.parse(baselineStdout) as {databaseId: number}[]
+      if (parsed.length > 0 && parsed[0]) {
+        baselineId = parsed[0].databaseId
+      }
+    }
+    // If baseline call fails, baselineId stays null — we'll use createdAt heuristic
+  } catch {
+    // Network/parse error — continue with null baseline
+  }
+
+  // ── Step 2: Trigger the workflow ──────────────────────────────────────────
+  const triggerTime = internals._testTriggerTime ?? new Date()
+
+  const triggerChild = Bun.spawn(
+    ['gh', 'workflow', 'run', 'fro-bot.yaml', '--repo', repo, '-f', 'prompt=reply with exactly: ack'],
+    {stdout: 'pipe', stderr: 'pipe', env: process.env},
+  )
+  const [, triggerStderr, triggerExit] = await Promise.all([
+    new Response(triggerChild.stdout).text(),
+    new Response(triggerChild.stderr).text(),
+    triggerChild.exited,
+  ])
+
+  if (triggerExit !== 0) {
+    const redacted = triggerStderr.slice(0, 200)
+    return {kind: 'unverified', message: `gh workflow run failed: ${redacted}`}
+  }
+
+  // ── Step 3: Poll for the new run ──────────────────────────────────────────
+  let latestMatchedRun: GhRunEntry | undefined
+
+  for (const BACKOFF_M of BACKOFF_MS) {
+    await delayFn(BACKOFF_M ?? 60_000)
+
+    let pollRuns: GhRunEntry[] = []
+    try {
+      const pollChild = Bun.spawn(
+        [
+          'gh',
+          'run',
+          'list',
+          '--workflow=fro-bot.yaml',
+          '--repo',
+          repo,
+          '--limit',
+          '5',
+          '--json',
+          'databaseId,status,conclusion,url,createdAt',
+        ],
+        {stdout: 'pipe', stderr: 'pipe', env: process.env},
+      )
+      const [pollStdout, , pollExit] = await Promise.all([
+        new Response(pollChild.stdout).text(),
+        new Response(pollChild.stderr).text(),
+        pollChild.exited,
+      ])
+      if (pollExit === 0) {
+        pollRuns = JSON.parse(pollStdout) as GhRunEntry[]
+      }
+    } catch {
+      // Parse/network error — retry on next poll
+      continue
+    }
+
+    // Filter to runs triggered after our baseline
+    const candidates = pollRuns.filter(run => {
+      if (baselineId !== null) {
+        return run.databaseId > baselineId
+      }
+      // No baseline: use createdAt heuristic
+      return new Date(run.createdAt) > triggerTime
+    })
+
+    if (candidates.length === 0) {
+      // Our run not visible yet — keep polling
+      continue
+    }
+
+    // Pick the highest databaseId from candidates (most likely ours)
+    const matched = candidates.reduce((best, run) => (run.databaseId > best.databaseId ? run : best))
+    latestMatchedRun = matched
+
+    const {status, conclusion, url: runUrl} = matched
+
+    // Environment approval gate
+    if (status === 'waiting' || (status === 'pending' && /approval/i.test(conclusion ?? ''))) {
+      return {kind: 'unverified', message: `Workflow requires environment approval at ${runUrl}`, runUrl}
+    }
+
+    if (status === 'completed') {
+      if (conclusion === 'success') {
+        // Best-effort log grep for "ack"
+        let logNote = ''
+        try {
+          const logChild = Bun.spawn(['gh', 'run', 'view', String(matched.databaseId), '--log', '--repo', repo], {
+            stdout: 'pipe',
+            stderr: 'pipe',
+            env: process.env,
+          })
+          const [logStdout, , logExit] = await Promise.all([
+            new Response(logChild.stdout).text(),
+            new Response(logChild.stderr).text(),
+            logChild.exited,
+          ])
+          if (logExit !== 0) {
+            logNote = ' (log fetch failed, but run conclusion is success)'
+          } else if (!/\back\b/i.test(logStdout)) {
+            logNote = ' (log fetch succeeded but "ack" not found in output)'
+          }
+        } catch {
+          logNote = ' (log fetch failed, but run conclusion is success)'
+        }
+        return {kind: 'pass', message: `Smoke test passed${logNote}`, runUrl}
+      }
+
+      return {kind: 'fail', message: `Run completed with conclusion=${conclusion ?? 'unknown'}`, runUrl}
+    }
+
+    // Still in progress (queued, in_progress) — continue polling
+  }
+
+  // All polls exhausted
+  if (latestMatchedRun) {
+    return {
+      kind: 'unverified',
+      message: `Smoke test did not complete in 5 minutes; check ${latestMatchedRun.url}`,
+      runUrl: latestMatchedRun.url,
+    }
+  }
+
+  return {
+    kind: 'unverified',
+    message: `Smoke test trigger not yet visible; check ${repoUrl}/actions`,
   }
 }
 
@@ -757,10 +1319,38 @@ export function registerCliproxySetup(cli: ReturnType<typeof goke>): void {
         'Harness template to configure. Choose opencode, claude-code, or generic. Generic remains interactive-only.',
       ),
     )
+    .option(
+      '--providers [providers]',
+      z
+        .string()
+        .describe(
+          'Comma-separated list of providers to enable. Supported values: anthropic, openai. Example: --providers anthropic,openai',
+        ),
+    )
+    .option(
+      '--model [model]',
+      z
+        .string()
+        .regex(MODEL_ID_RE)
+        .describe(
+          'Override the default model. Must be provider-prefixed and lowercase. Examples: anthropic/claude-sonnet-4-6, openai/gpt-4o',
+        ),
+    )
+    .option(
+      '--force',
+      z.boolean().optional().describe('Overwrite existing GitHub secrets and variables without prompting.'),
+    )
+    .option('--dry-run', z.boolean().optional().describe('Print the plan without applying any changes.'))
+    .option(
+      '--verify-smoke',
+      z.boolean().optional().describe('Run a smoke test against the proxy after setup completes.'),
+    )
     .example('# Run the interactive onboarding wizard')
     .example('infra cliproxy setup')
     .example('# Run non-interactively with an existing key')
     .example('infra cliproxy setup --key sk-test --repo owner/repo --harness opencode')
+    .example('# Enable both providers non-interactively')
+    .example('infra cliproxy setup --key sk-test --repo owner/repo --harness opencode --providers anthropic,openai')
     .action(async options => {
       const interactive = Boolean(process.stdin.isTTY)
       const baseUrl = resolveBaseUrl()
@@ -772,18 +1362,35 @@ export function registerCliproxySetup(cli: ReturnType<typeof goke>): void {
       }
 
       try {
-        await withSpinner('Checking GitHub CLI availability', async () => {
-          await assertGhInstalled()
-          await assertGhAuthenticated()
-        })
+        if (!options.dryRun) {
+          await withSpinner('Checking GitHub CLI availability', async () => {
+            await assertGhInstalled()
+            await assertGhAuthenticated()
+          })
 
-        await withSpinner('Checking CLIProxyAPI reachability', async () => {
-          await assertProxyReachable(baseUrl)
-        })
+          await withSpinner('Checking CLIProxyAPI reachability', async () => {
+            await assertProxyReachable(baseUrl)
+          })
+        }
 
         const plan = interactive
           ? await buildInteractivePlan(options, baseUrl)
-          : buildNonInteractivePlan(options, baseUrl)
+          : await buildNonInteractivePlan(options, baseUrl)
+
+        if (options.dryRun) {
+          const providers: ProviderId[] = options.providers ? parseProviders(options.providers) : ['anthropic']
+          const model = options.model ?? PROVIDER_DEFAULTS[providers[0] as ProviderId]
+          console.log(
+            formatDryRunPreview({
+              repo: plan.repo,
+              harness: plan.harness,
+              providers,
+              model,
+              template: plan.template,
+            }),
+          )
+          return
+        }
 
         if (plan.createKey) {
           resolveManagementKey()
@@ -838,25 +1445,32 @@ export function registerCliproxySetup(cli: ReturnType<typeof goke>): void {
         const collisions = collectCollisions(plan.template, existingSecrets, existingVariables)
 
         if (collisions.length > 0) {
-          if (!interactive) {
+          if (!interactive && !options.force) {
             throw new Error(
-              `Refusing to overwrite existing GitHub values in non-interactive mode: ${collisions.join(', ')}`,
+              `Refusing to overwrite existing GitHub values in non-interactive mode: ${collisions.join(', ')}. Pass --force to confirm.`,
             )
           }
 
-          log.warn(`Existing GitHub values will be overwritten: ${collisions.join(', ')}`)
-          const overwrite = await promptValue(
-            confirm({
-              message: 'Overwrite the existing GitHub values?',
-              active: 'overwrite',
-              inactive: 'cancel',
-              initialValue: false,
-            }),
-            'Setup cancelled instead of overwriting existing values.',
-          )
+          if (!interactive && options.force) {
+            log.warn(`Overwriting existing GitHub values: ${collisions.join(', ')}`)
+            // proceed
+          }
+
+          if (interactive) {
+            log.warn(`Existing GitHub values will be overwritten: ${collisions.join(', ')}`)
+            const overwrite = await promptValue(
+              confirm({
+                message: 'Overwrite the existing GitHub values?',
+                active: 'overwrite',
+                inactive: 'cancel',
+                initialValue: false,
+              }),
+              'Setup cancelled instead of overwriting existing values.',
+            )
 
-          if (!overwrite) {
-            cancelAndExit('Existing GitHub values left unchanged.')
+            if (!overwrite) {
+              cancelAndExit('Existing GitHub values left unchanged.')
+            }
           }
         }
 
@@ -961,6 +1575,39 @@ export function registerCliproxySetup(cli: ReturnType<typeof goke>): void {
         } else {
           log.success(`Setup complete for ${plan.repo}.`)
         }
+
+        // ── Smoke test (opt-in, non-blocking) ──────────────────────────────
+        if (options.verifySmoke) {
+          const smokeResult = await withSpinner('Running smoke test', async () =>
+            runSmokeTest(plan.repo, plan.template.variables.find(v => v.name === 'FRO_BOT_MODEL')?.value ?? ''),
+          ).catch(async error => {
+            // withSpinner re-throws; catch here so smoke test never gates setup
+            return {
+              kind: 'unverified' as const,
+              message: `Smoke test error: ${extractErrorMessage(error)}`,
+              runUrl: undefined,
+            }
+          })
+
+          switch (smokeResult.kind) {
+            case 'pass': {
+              log.success(`✓ ${smokeResult.message}${smokeResult.runUrl ? ` — ${smokeResult.runUrl}` : ''}`)
+              break
+            }
+            case 'fail': {
+              log.warn(`✗ ${smokeResult.message}${smokeResult.runUrl ? ` — ${smokeResult.runUrl}` : ''}`)
+              break
+            }
+            case 'unverified': {
+              log.warn(`⚠ ${smokeResult.message}${smokeResult.runUrl ? ` — ${smokeResult.runUrl}` : ''}`)
+              break
+            }
+            default: {
+              const _exhaustive: never = smokeResult
+              throw new Error(`Unhandled SmokeResult kind: ${JSON.stringify(_exhaustive)}`)
+            }
+          }
+        }
       } catch (error) {
         const message = extractErrorMessage(error)
         if (interactive) {