agent-relay 2.1.28-beta.0 → 2.2.0

package/dist/src/cli/index.js

@@ -24,6 +24,7 @@ import { RelayPtyOrchestrator, getTmuxPath } from '@agent-relay/wrapper';
 import { AgentSpawner, readWorkersMetadata, getWorkerLogsDir, selectShadowCli, ensureMcpPermissions } from '@agent-relay/bridge';
 import { generateAgentName, checkForUpdatesInBackground, checkForUpdates } from '@agent-relay/utils';
 import { getShadowForAgent, getProjectPaths, loadRuntimeConfig } from '@agent-relay/config';
+import { CLI_AUTH_CONFIG, stripAnsiCodes, findMatchingError } from '@agent-relay/config/cli-auth-config';
 import { createStorageAdapter } from '@agent-relay/storage/adapter';
 import { initTelemetry, track, enableTelemetry, disableTelemetry, getStatus, isDisabledByEnv, } from '@agent-relay/telemetry';
 import { installMcpConfig } from '@agent-relay/mcp';
@@ -3592,17 +3593,518 @@ program
     console.log(`Profiling ${agentName}... Press Ctrl+C to stop.`);
 });
 // ============================================================================
-// codex-auth - SSH tunnel helper for Codex/OpenAI authentication
+// auth - SSH-based interactive provider authentication (cloud workspaces)
 // ============================================================================
 program
-    .command('codex-auth')
-    .description('Connect Codex via SSH tunnel to workspace (run this when connecting Codex in Agent Relay)')
-    .option('--workspace <id>', 'Workspace ID to connect to')
-    .option('--cloud-url <url>', 'Cloud API URL', process.env.AGENT_RELAY_CLOUD_URL || 'https://agent-relay.com')
-    .option('--token <token>', 'CLI authentication token (from dashboard)')
-    .option('--session-cookie <cookie>', 'Session cookie for authentication (deprecated, use --token)')
+    .command('auth <provider>')
+    .description('Authenticate a provider CLI in a cloud workspace over SSH (interactive)')
+    .option('--workspace <id>', 'Workspace ID to authenticate in')
+    .option('--token <token>', 'One-time CLI token from dashboard (skips cloud config requirement)')
+    .option('--cloud-url <url>', 'Cloud API URL (overrides linked config and AGENT_RELAY_CLOUD_URL)')
     .option('--timeout <seconds>', 'Timeout in seconds (default: 300)', '300')
-    .action(async (options) => {
+    .action(async (providerArg, options) => {
+    const cyan = (s) => `\x1b[36m${s}\x1b[0m`;
+    const green = (s) => `\x1b[32m${s}\x1b[0m`;
+    const yellow = (s) => `\x1b[33m${s}\x1b[0m`;
+    const red = (s) => `\x1b[31m${s}\x1b[0m`;
+    const dim = (s) => `\x1b[2m${s}\x1b[0m`;
+    const timeoutSeconds = parseInt(options.timeout, 10);
+    if (!Number.isFinite(timeoutSeconds) || timeoutSeconds <= 0) {
+        console.log(red(`Invalid --timeout value: ${options.timeout}`));
+        process.exit(1);
+    }
+    const TIMEOUT_MS = timeoutSeconds * 1000;
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+        console.log(red('This command requires an interactive terminal (TTY).'));
+        console.log(dim('Run it directly in your terminal (not piped/redirected).'));
+        process.exit(1);
+    }
+    const providerInput = providerArg.toLowerCase().trim();
+    const providerMap = {
+        claude: 'anthropic',
+        codex: 'openai',
+        gemini: 'google',
+    };
+    const provider = providerMap[providerInput] || providerInput;
+    const providerConfig = CLI_AUTH_CONFIG[provider];
+    if (!providerConfig) {
+        const known = Object.keys(CLI_AUTH_CONFIG).sort();
+        console.log(red(`Unknown provider: ${providerArg}`));
+        console.log('');
+        console.log('Examples:');
+        console.log(`  ${cyan('npx agent-relay auth claude --workspace=<ID>')}`);
+        console.log(`  ${cyan('npx agent-relay auth codex --workspace=<ID>')}`);
+        console.log(`  ${cyan('npx agent-relay auth gemini --workspace=<ID>')}`);
+        console.log('');
+        console.log('Supported provider ids:');
+        console.log(`  ${known.join(', ')}`);
+        process.exit(1);
+    }
+    const shellEscape = (s) => {
+        // Basic POSIX shell escaping for args (remote exec uses a shell).
+        if (s.length === 0)
+            return "''";
+        if (/^[a-zA-Z0-9_/\\.=:-]+$/.test(s))
+            return s;
+        return `'${s.replace(/'/g, `'\"'\"'`)}'`;
+    };
+    // Build the fallback command to run on the remote workspace.
+    // For Cursor, the installer creates both "agent" (primary) and "cursor-agent" (legacy)
+    // symlinks. Try the primary first, fall back to legacy if not found.
+    const primaryCmd = [providerConfig.command, ...providerConfig.args].map(shellEscape).join(' ');
+    const fallbackCmd = provider === 'cursor'
+        ? `command -v agent >/dev/null 2>&1 && ${primaryCmd} || cursor-agent ${providerConfig.args.map(shellEscape).join(' ')}`
+        : primaryCmd;
+    const remoteCommandFallback = fallbackCmd;
+    // When --token is provided (from dashboard CLI command), skip cloud config requirement.
+    // The token authenticates directly with the /start endpoint.
+    const cliToken = options.token;
+    let cloudConfig = {};
+    if (!cliToken) {
+        const dataDir = process.env.AGENT_RELAY_DATA_DIR || path.join(homedir(), '.local', 'share', 'agent-relay');
+        const configPath = path.join(dataDir, 'cloud-config.json');
+        if (!fs.existsSync(configPath)) {
+            console.log(red('Cloud config not found.'));
+            console.log(dim(`Expected: ${configPath}`));
+            console.log('');
+            console.log(`Run ${cyan('agent-relay cloud link')} first to link this machine to Agent Relay Cloud.`);
+            process.exit(1);
+        }
+        try {
+            cloudConfig = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+        }
+        catch (err) {
+            console.log(red(`Failed to read cloud config: ${err instanceof Error ? err.message : String(err)}`));
+            process.exit(1);
+        }
+        if (!cloudConfig.apiKey) {
+            console.log(red('Cloud config is missing apiKey.'));
+            console.log(dim(`Config path: ${configPath}`));
+            console.log(`Re-link with ${cyan('agent-relay cloud link')}.`);
+            process.exit(1);
+        }
+    }
+    const CLOUD_URL = (options.cloudUrl || process.env.AGENT_RELAY_CLOUD_URL || cloudConfig.cloudUrl || 'https://agent-relay.com')
+        .replace(/\/$/, '');
+    const requestedWorkspaceId = options.workspace || process.env.WORKSPACE_ID;
+    console.log('');
+    console.log(cyan('═══════════════════════════════════════════════════'));
+    console.log(cyan('        Provider Authentication (SSH)'));
+    console.log(cyan('═══════════════════════════════════════════════════'));
+    console.log('');
+    console.log(`Provider: ${providerConfig.displayName} (${provider})`);
+    console.log(`Workspace: ${requestedWorkspaceId ? `${requestedWorkspaceId.slice(0, 8)}...` : '(default)'}`);
+    console.log(dim(`Cloud: ${CLOUD_URL}`));
+    console.log('');
+    // Step 1: Request SSH session info from cloud.
+    console.log('Requesting SSH session from cloud...');
+    let start;
+    try {
+        const headers = { 'Content-Type': 'application/json' };
+        if (!cliToken && cloudConfig.apiKey) {
+            headers['Authorization'] = `Bearer ${cloudConfig.apiKey}`;
+        }
+        const response = await fetch(`${CLOUD_URL}/api/auth/ssh/start`, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify({
+                provider,
+                workspaceId: requestedWorkspaceId,
+                ...(cliToken && { token: cliToken }),
+            }),
+        });
+        if (!response.ok) {
+            let details = response.statusText;
+            try {
+                const json = await response.json();
+                details = json.error || json.message || details;
+            }
+            catch {
+                try {
+                    details = await response.text();
+                }
+                catch {
+                    // ignore
+                }
+            }
+            console.log(red(`Failed to start SSH auth session: ${details || response.statusText}`));
+            process.exit(1);
+        }
+        start = await response.json();
+    }
+    catch (err) {
+        console.log(red(`Failed to connect to cloud API: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+    const sshPort = typeof start.ssh?.port === 'string' ? parseInt(start.ssh.port, 10) : start.ssh?.port;
+    if (!start.sessionId || !start.workspaceId || !start.ssh?.host || !sshPort || !start.ssh.user || !start.ssh.password) {
+        console.log(red('Cloud returned invalid SSH session details.'));
+        process.exit(1);
+    }
+    const baseCommand = (typeof start.command === 'string' && start.command.trim().length > 0)
+        ? start.command.trim()
+        : remoteCommandFallback;
+    // Set per-user HOME so credentials persist to the authenticated user's directory.
+    // Multi-user workspaces use /data/users/{userId} as per-user HOME (see entrypoint.sh).
+    // Include /home/workspace/.local/bin in PATH since SSH direct commands don't source
+    // /etc/profile.d/ scripts where the workspace PATH is normally configured.
+    const remoteCommand = start.userId
+        ? `mkdir -p /data/users/${shellEscape(start.userId)} && HOME=/data/users/${shellEscape(start.userId)} PATH=/home/workspace/.local/bin:$PATH ${baseCommand}`
+        : `PATH=/home/workspace/.local/bin:$PATH ${baseCommand}`;
+    console.log(green('✓ SSH session created'));
+    if (start.workspaceName) {
+        console.log(`Workspace: ${cyan(start.workspaceName)} (${start.workspaceId.slice(0, 8)}...)`);
+    }
+    else {
+        console.log(`Workspace: ${start.workspaceId.slice(0, 8)}...`);
+    }
+    console.log(dim(`  SSH: ${start.ssh.user}@${start.ssh.host}:${sshPort}`));
+    console.log(dim(`  Command: ${remoteCommand}`));
+    console.log('');
+    const { Client } = await import('ssh2');
+    const net = await import('node:net');
+    const TUNNEL_PORT = 1455;
+    const sshClient = new Client();
+    let sshReady = false;
+    const tunnel = { server: null };
+    const sshReadyPromise = new Promise((resolve, reject) => {
+        sshClient.on('ready', () => {
+            sshReady = true;
+            // Set up port forwarding for OAuth callbacks: localhost:1455 -> workspace:1455
+            tunnel.server = net.createServer((localSocket) => {
+                sshClient.forwardOut('127.0.0.1', TUNNEL_PORT, 'localhost', TUNNEL_PORT, (err, stream) => {
+                    if (err) {
+                        localSocket.end();
+                        return;
+                    }
+                    localSocket.pipe(stream).pipe(localSocket);
+                });
+            });
+            tunnel.server.on('error', (err) => {
+                if (err.code === 'EADDRINUSE') {
+                    console.log(dim(`Note: Port ${TUNNEL_PORT} in use, OAuth callbacks may not work.`));
+                }
+                // Non-fatal: resolve anyway so the auth command still runs.
+                // Device-flow providers don't need port forwarding.
+                resolve();
+            });
+            tunnel.server.listen(TUNNEL_PORT, '127.0.0.1', () => {
+                resolve();
+            });
+        });
+        sshClient.on('error', (err) => {
+            let msg;
+            if (err.message.includes('Authentication')) {
+                msg = 'SSH authentication failed.';
+            }
+            else if (err.message.includes('ECONNREFUSED')) {
+                msg = `Cannot connect to SSH server at ${start.ssh.host}:${sshPort}. Is the workspace running and SSH enabled?`;
+            }
+            else if (err.message.includes('ENOTFOUND') || err.message.includes('getaddrinfo')) {
+                msg = `Cannot resolve hostname: ${start.ssh.host}. Check network connectivity.`;
+            }
+            else if (err.message.includes('ETIMEDOUT')) {
+                msg = `Connection timed out to ${start.ssh.host}:${sshPort}. Is the workspace running?`;
+            }
+            else {
+                msg = `SSH error: ${err.message}`;
+            }
+            reject(new Error(msg));
+        });
+        sshClient.on('close', () => {
+            if (!sshReady) {
+                reject(new Error(`SSH connection to ${start.ssh.host}:${sshPort} closed unexpectedly.`));
+            }
+        });
+    });
+    console.log(yellow('Connecting via SSH...'));
+    console.log(dim(`  Tunnel: localhost:${TUNNEL_PORT} → workspace:${TUNNEL_PORT}`));
+    console.log(dim(`  Running: ${remoteCommand}`));
+    console.log('');
+    try {
+        sshClient.connect({
+            host: start.ssh.host,
+            port: sshPort,
+            username: start.ssh.user,
+            password: start.ssh.password,
+            readyTimeout: 10000,
+            // Workspace containers use ephemeral SSH hosts; skip host key checking.
+            hostVerifier: () => true,
+        });
+        await Promise.race([
+            sshReadyPromise,
+            new Promise((_, reject) => setTimeout(() => reject(new Error('SSH connection timeout')), 15000)),
+        ]);
+    }
+    catch (err) {
+        console.log(red(`Failed to connect via SSH: ${err instanceof Error ? err.message : String(err)}`));
+        if (tunnel.server)
+            tunnel.server.close();
+        sshClient.end();
+        process.exit(1);
+    }
+    // Get success/error patterns from CLI_AUTH_CONFIG for auto-detection
+    const successPatterns = providerConfig.successPatterns || [];
+    const errorPatterns = providerConfig.errorPatterns || [];
+    const execInteractive = async (cmd, timeoutMs) => {
+        return await new Promise((resolve, reject) => {
+            const cols = process.stdout.columns || 80;
+            const rows = process.stdout.rows || 24;
+            const term = process.env.TERM || 'xterm-256color';
+            sshClient.exec(cmd, { pty: { term, cols, rows } }, (err, stream) => {
+                if (err)
+                    return reject(err);
+                let exitCode = null;
+                let exitSignal = null;
+                let authDetected = false;
+                let outputBuffer = ''; // Rolling buffer for pattern matching
+                const stdin = process.stdin;
+                const stdout = process.stdout;
+                const stderr = process.stderr;
+                const wasRaw = stdin.isRaw ?? false;
+                try {
+                    stdin.setRawMode?.(true);
+                }
+                catch {
+                    // ignore
+                }
+                stdin.resume();
+                const onStdinData = (data) => {
+                    // Escape (0x1b) or Ctrl+C (0x03) after auth success → close session
+                    if (authDetected && (data[0] === 0x1b || data[0] === 0x03)) {
+                        cleanup();
+                        clearTimeout(timer);
+                        try {
+                            stream.close();
+                        }
+                        catch {
+                            // ignore
+                        }
+                        return;
+                    }
+                    stream.write(data);
+                };
+                stdin.on('data', onStdinData);
+                const cleanup = () => {
+                    stdin.off('data', onStdinData);
+                    stdout.off('resize', onResize);
+                    try {
+                        stdin.setRawMode?.(wasRaw);
+                    }
+                    catch {
+                        // ignore
+                    }
+                    stdin.pause();
+                };
+                // Notify user when auth success is detected
+                const closeOnAuthSuccess = () => {
+                    authDetected = true;
+                    // Don't try to auto-navigate post-login prompts (trust directory,
+                    // bypass permissions, etc.) — they vary by CLI version and are fragile
+                    // to automate. Just tell the user they're done.
+                    stdout.write('\n');
+                    stdout.write(green('  ✓ Authentication successful!') + '\n');
+                    stdout.write(dim('  Press Escape or Ctrl+C to exit.') + '\n');
+                    stdout.write('\n');
+                };
+                stream.on('data', (data) => {
+                    stdout.write(data);
+                    // Accumulate output for pattern matching (keep last 8KB to avoid memory growth)
+                    // Ink-based CLIs use heavy ANSI escape codes, so raw output is much
+                    // larger than visible text. 8KB ensures success patterns aren't truncated.
+                    const text = data.toString();
+                    outputBuffer += text;
+                    if (outputBuffer.length > 8192) {
+                        outputBuffer = outputBuffer.slice(-8192);
+                    }
+                    // Check for auth success patterns
+                    if (!authDetected && successPatterns.length > 0) {
+                        const clean = stripAnsiCodes(outputBuffer);
+                        for (const pattern of successPatterns) {
+                            if (pattern.test(clean)) {
+                                closeOnAuthSuccess();
+                                break;
+                            }
+                        }
+                    }
+                    // Check for auth error patterns (early exit instead of waiting for timeout)
+                    if (!authDetected && errorPatterns.length > 0) {
+                        const matched = findMatchingError(outputBuffer, errorPatterns);
+                        if (matched) {
+                            clearTimeout(timer);
+                            cleanup();
+                            try {
+                                stream.close();
+                            }
+                            catch { /* ignore */ }
+                            reject(new Error(matched.message + (matched.hint ? ` ${matched.hint}` : '')));
+                        }
+                    }
+                });
+                stream.stderr.on('data', (data) => {
+                    stderr.write(data);
+                });
+                const onResize = () => {
+                    try {
+                        stream.setWindow(stdout.rows || 24, stdout.columns || 80, 0, 0);
+                    }
+                    catch {
+                        // ignore
+                    }
+                };
+                stdout.on('resize', onResize);
+                const timer = setTimeout(() => {
+                    cleanup();
+                    try {
+                        stream.close();
+                    }
+                    catch {
+                        // ignore
+                    }
+                    reject(new Error(`Authentication timed out after ${Math.floor(timeoutMs / 1000)}s`));
+                }, timeoutMs);
+                stream.on('exit', (code, signal) => {
+                    if (typeof code === 'number')
+                        exitCode = code;
+                    if (typeof signal === 'string')
+                        exitSignal = signal;
+                });
+                stream.on('close', () => {
+                    clearTimeout(timer);
+                    cleanup();
+                    resolve({ exitCode, exitSignal, authDetected });
+                });
+                stream.on('error', (e) => {
+                    clearTimeout(timer);
+                    cleanup();
+                    reject(e instanceof Error ? e : new Error(String(e)));
+                });
+            });
+        });
+    };
+    let execResult = null;
+    let execError = null;
+    try {
+        console.log(yellow('Starting interactive authentication...'));
+        console.log(dim('Follow the prompts below. The session will close automatically when auth completes.'));
+        console.log('');
+        execResult = await execInteractive(remoteCommand, TIMEOUT_MS);
+    }
+    catch (err) {
+        execError = err instanceof Error ? err : new Error(String(err));
+        console.log('');
+        console.log(red(`Remote auth command failed: ${execError.message}`));
+    }
+    finally {
+        if (tunnel.server)
+            tunnel.server.close();
+        sshClient.end();
+    }
+    // Step 2: Notify cloud completion (cloud will verify and persist credentials).
+    console.log('');
+    console.log('Finalizing authentication with cloud...');
+    // Auth is successful if: success patterns were detected, OR the process exited cleanly (code 0)
+    const success = execError === null && (execResult?.authDetected === true || execResult?.exitCode === 0);
+    const providerForComplete = (typeof start.provider === 'string' && start.provider.trim().length > 0)
+        ? start.provider.trim()
+        : provider;
+    try {
+        const completeHeaders = { 'Content-Type': 'application/json' };
+        if (!cliToken && cloudConfig.apiKey) {
+            completeHeaders['Authorization'] = `Bearer ${cloudConfig.apiKey}`;
+        }
+        const response = await fetch(`${CLOUD_URL}/api/auth/ssh/complete`, {
+            method: 'POST',
+            headers: completeHeaders,
+            body: JSON.stringify({
+                sessionId: start.sessionId,
+                workspaceId: start.workspaceId,
+                provider: providerForComplete,
+                success,
+                ...(cliToken && { token: cliToken }),
+            }),
+        });
+        if (!response.ok) {
+            let details = response.statusText;
+            try {
+                const json = await response.json();
+                details = json.error || json.message || details;
+            }
+            catch {
+                try {
+                    details = await response.text();
+                }
+                catch {
+                    // ignore
+                }
+            }
+            console.log(red(`Failed to complete auth session: ${details || response.statusText}`));
+            process.exit(1);
+        }
+    }
+    catch (err) {
+        console.log(red(`Failed to complete auth session: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+    if (!success) {
+        const exitCode = execResult?.exitCode;
+        if (typeof exitCode === 'number' && exitCode !== 0) {
+            console.log('');
+            console.log(red(`Remote auth command exited with code ${exitCode}.`));
+        }
+        // Exit code 127 = command not found
+        if (execResult?.exitCode === 127) {
+            console.log('');
+            console.log(yellow(`The ${providerConfig.displayName} CLI ("${providerConfig.command}") is not installed on this workspace.`));
+            console.log(dim('Ask your workspace administrator to install it, or check the workspace Dockerfile.'));
+        }
+        process.exit(1);
+    }
+    console.log('');
+    console.log(green('═══════════════════════════════════════════════════'));
+    console.log(green('          Authentication Complete!'));
+    console.log(green('═══════════════════════════════════════════════════'));
+    console.log('');
+    console.log(`${providerConfig.displayName} is now connected to workspace ${start.workspaceId.slice(0, 8)}...`);
+    console.log('');
+});
+// ============================================================================
+// cli-auth - SSH tunnel helper for provider authentication (Claude, Codex, Cursor, etc.)
+// ============================================================================
+// Provider display names for CLI output
+const CLI_AUTH_DISPLAY_NAMES = {
+    anthropic: 'Claude',
+    openai: 'Codex',
+    google: 'Gemini',
+    cursor: 'Cursor',
+    copilot: 'GitHub Copilot',
+    opencode: 'OpenCode',
+    droid: 'Droid',
+};
+// CLI command names per provider (used in help text)
+const CLI_AUTH_COMMAND_NAMES = {
+    anthropic: 'claude',
+    openai: 'codex',
+    google: 'gemini',
+    cursor: 'cursor',
+    copilot: 'copilot',
+    opencode: 'opencode',
+    droid: 'droid',
+};
+// Provider alias mapping (CLI name → config key)
+const CLI_AUTH_PROVIDER_MAP = {
+    claude: 'anthropic',
+    codex: 'openai',
+    gemini: 'google',
+};
+/**
+ * Shared action handler for cli-auth and its provider-specific aliases.
+ */
+async function runCliAuth(providerArg, options) {
+    // Resolve provider alias
+    const provider = CLI_AUTH_PROVIDER_MAP[providerArg.toLowerCase()] || providerArg.toLowerCase();
+    const displayName = CLI_AUTH_DISPLAY_NAMES[provider] || provider;
+    const cliName = CLI_AUTH_COMMAND_NAMES[provider] || provider;
     const TIMEOUT_MS = parseInt(options.timeout, 10) * 1000;
     const CLOUD_URL = options.cloudUrl.replace(/\/$/, '');
     const TUNNEL_PORT = 1455;
@@ -3614,25 +4116,26 @@ program
     const dim = (s) => `\x1b[2m${s}\x1b[0m`;
     console.log('');
     console.log(cyan('═══════════════════════════════════════════════════'));
-    console.log(cyan('       Codex Authentication Helper'));
+    console.log(cyan(`       ${displayName} Authentication Helper`));
     console.log(cyan('═══════════════════════════════════════════════════'));
     console.log('');
     if (!options.workspace) {
         console.log(red('Missing --workspace parameter.'));
         console.log('');
-        console.log('To connect Codex, follow these steps:');
+        console.log(`To connect ${displayName}, follow these steps:`);
         console.log('');
         console.log('  1. Go to the Agent Relay dashboard');
-        console.log('  2. Click "Connect with Codex" (Settings → AI Providers)');
+        console.log(`  2. Click "Connect with ${displayName}" (Settings → AI Providers)`);
         console.log('  3. Copy the command shown (it includes the workspace ID and token)');
         console.log('  4. Run the command in your terminal');
         console.log('');
         console.log('The command will look like:');
-        console.log(cyan('  npx agent-relay codex-auth --workspace=<ID> --token=<TOKEN>'));
+        console.log(cyan(`  npx agent-relay cli-auth ${cliName} --workspace=<ID> --token=<TOKEN>`));
         console.log('');
         process.exit(1);
     }
     const workspaceId = options.workspace;
+    console.log(`Provider: ${displayName}`);
     console.log(`Workspace: ${workspaceId.slice(0, 8)}...`);
     // Get tunnel info from cloud API
     console.log('Getting workspace connection info...');
@@ -3644,18 +4147,19 @@ program
     if (!options.token && !options.sessionCookie) {
         console.log(red('Missing --token parameter.'));
         console.log('');
-        console.log('The token is provided by the dashboard when you click "Connect with Codex".');
+        console.log(`The token is provided by the dashboard when you click "Connect with ${displayName}".`);
         console.log('Copy the complete command from the dashboard and paste it here.');
         console.log('');
         process.exit(1);
     }
     let tunnelInfo;
     try {
-        // Build URL with token query parameter
+        // Build URL with token and provider query parameters
         const tunnelInfoUrl = new URL(`${CLOUD_URL}/api/auth/codex-helper/tunnel-info/${workspaceId}`);
         if (options.token) {
             tunnelInfoUrl.searchParams.set('token', options.token);
         }
+        tunnelInfoUrl.searchParams.set('provider', provider);
         const response = await fetch(tunnelInfoUrl.toString(), {
             method: 'GET',
             headers,
@@ -3784,8 +4288,8 @@ program
         console.log('');
         console.log(cyan(tunnelInfo.authUrl));
         console.log('');
-        console.log(dim('The browser will redirect to localhost:1455, which tunnels to the workspace.'));
-        console.log(dim('The Codex CLI in the workspace will receive the callback and complete auth.'));
+        console.log(dim(`The browser will redirect to localhost:${TUNNEL_PORT}, which tunnels to the workspace.`));
+        console.log(dim(`The ${displayName} CLI in the workspace will receive the callback and complete auth.`));
         console.log('');
     }
     else {
@@ -3800,11 +4304,12 @@ program
     while (!authenticated && (Date.now() - startTime) < TIMEOUT_MS) {
         await new Promise(resolve => setTimeout(resolve, 3000));
         try {
-            // Build URL with token for authentication
+            // Build URL with token and provider for authentication
             const authStatusUrl = new URL(`${CLOUD_URL}/api/auth/codex-helper/auth-status/${workspaceId}`);
             if (options.token) {
                 authStatusUrl.searchParams.set('token', options.token);
             }
+            authStatusUrl.searchParams.set('provider', provider);
             const statusResponse = await fetch(authStatusUrl.toString(), { method: 'GET', headers, credentials: 'include' });
             if (statusResponse.ok) {
                 const statusData = await statusResponse.json();
@@ -3832,7 +4337,7 @@ program
         console.log(green('          Authentication Complete!'));
         console.log(green('═══════════════════════════════════════════════════'));
         console.log('');
-        console.log('Your Codex account is now connected to the workspace.');
+        console.log(`Your ${displayName} account is now connected to the workspace.`);
         console.log('You can close this terminal and return to the dashboard.');
         console.log('');
     }
@@ -3844,6 +4349,63 @@ program
         console.log('the callback. Check if the SSH tunnel was working correctly.');
         process.exit(1);
     }
+}
+// Shared options for all cli-auth commands
+const cliAuthOptions = {
+    workspace: '--workspace <id>',
+    cloudUrl: '--cloud-url <url>',
+    token: '--token <token>',
+    sessionCookie: '--session-cookie <cookie>',
+    timeout: '--timeout <seconds>',
+};
+const defaultCloudUrl = process.env.AGENT_RELAY_CLOUD_URL || 'https://agent-relay.com';
+// cli-auth <provider> - Generic command
+program
+    .command('cli-auth <provider>')
+    .description('Connect a provider via SSH tunnel to workspace (Claude, Codex, Cursor, etc.)')
+    .option(cliAuthOptions.workspace, 'Workspace ID to connect to')
+    .option(cliAuthOptions.cloudUrl, 'Cloud API URL', defaultCloudUrl)
+    .option(cliAuthOptions.token, 'CLI authentication token (from dashboard)')
+    .option(cliAuthOptions.sessionCookie, 'Session cookie for authentication (deprecated, use --token)')
+    .option(cliAuthOptions.timeout, 'Timeout in seconds (default: 300)', '300')
+    .action(async (providerArg, options) => {
+    await runCliAuth(providerArg, options);
+});
+// codex-auth - Backward-compatible alias
+program
+    .command('codex-auth')
+    .description('Connect Codex via SSH tunnel to workspace (alias for cli-auth codex)')
+    .option(cliAuthOptions.workspace, 'Workspace ID to connect to')
+    .option(cliAuthOptions.cloudUrl, 'Cloud API URL', defaultCloudUrl)
+    .option(cliAuthOptions.token, 'CLI authentication token (from dashboard)')
+    .option(cliAuthOptions.sessionCookie, 'Session cookie for authentication (deprecated, use --token)')
+    .option(cliAuthOptions.timeout, 'Timeout in seconds (default: 300)', '300')
+    .action(async (options) => {
+    await runCliAuth('codex', options);
+});
+// claude-auth - Alias for Claude/Anthropic
+program
+    .command('claude-auth')
+    .description('Connect Claude via SSH tunnel to workspace (alias for cli-auth claude)')
+    .option(cliAuthOptions.workspace, 'Workspace ID to connect to')
+    .option(cliAuthOptions.cloudUrl, 'Cloud API URL', defaultCloudUrl)
+    .option(cliAuthOptions.token, 'CLI authentication token (from dashboard)')
+    .option(cliAuthOptions.sessionCookie, 'Session cookie for authentication (deprecated, use --token)')
+    .option(cliAuthOptions.timeout, 'Timeout in seconds (default: 300)', '300')
+    .action(async (options) => {
+    await runCliAuth('claude', options);
+});
+// cursor-auth - Alias for Cursor
+program
+    .command('cursor-auth')
+    .description('Connect Cursor via SSH tunnel to workspace (alias for cli-auth cursor)')
+    .option(cliAuthOptions.workspace, 'Workspace ID to connect to')
+    .option(cliAuthOptions.cloudUrl, 'Cloud API URL', defaultCloudUrl)
+    .option(cliAuthOptions.token, 'CLI authentication token (from dashboard)')
+    .option(cliAuthOptions.sessionCookie, 'Session cookie for authentication (deprecated, use --token)')
+    .option(cliAuthOptions.timeout, 'Timeout in seconds (default: 300)', '300')
+    .action(async (options) => {
+    await runCliAuth('cursor', options);
 });
 // init - First-time setup wizard for Agent Relay
 async function runInit(options) {