docs(auth): document paste-token token flag

liaoandi · liaoandi · commit 3b8f5adadbd7 · 2026-05-27T16:02:56.000+08:00
diff --git a/docs/cli/models.md b/docs/cli/models.md
@@ -219,9 +219,11 @@ Notes:
   method (defaulting to that provider's `setup-token` method when it exposes
   one).
 - `paste-token` accepts a token string generated elsewhere or from automation.
-- `paste-token` requires `--provider`, prompts for the token value, and writes
-  it to the default profile id `<provider>:manual` unless you pass
+- `paste-token` requires `--provider`, prompts for the token value by default,
+  and writes it to the default profile id `<provider>:manual` unless you pass
   `--profile-id`.
+- In automation, pipe the token on stdin instead of passing it as an argument so
+  provider credentials do not appear in shell history or process lists.
 - `paste-token --expires-in <duration>` stores an absolute token expiry from a
   relative duration such as `365d` or `12h`.
 - For `openai-codex`, OpenAI API keys and ChatGPT/OAuth token material are
diff --git a/src/agents/auth-profiles.ensureauthprofilestore.test.ts b/src/agents/auth-profiles.ensureauthprofilestore.test.ts
@@ -1046,6 +1046,7 @@ describe("ensureAuthProfileStore", () => {
               missing_provider: 1,
               non_object: 1,
             },
+            validTypes: ["api_key", "oauth", "token"],
             keys: ["anthropic:missing-type", "openai:missing-provider", "qwen:not-object"],
           },
         );
diff --git a/src/cli/models-cli.ts b/src/cli/models-cli.ts
@@ -333,10 +333,7 @@ export function registerModelsCli(program: Command) {
     .option("--provider <id>", "Provider id registered by a plugin")
     .option("--method <id>", "Provider auth method id")
     .option("--device-code", "Use the provider device-code auth method", false)
-    .option(
-      "--profile-id <id>",
-      "Auth profile id override for single-profile login methods",
-    )
+    .option("--profile-id <id>", "Auth profile id override for single-profile login methods")
     .option("--set-default", "Apply the provider's default model recommendation", false)
     .action(async (opts, command) => {
       if (opts.deviceCode && typeof opts.method === "string" && opts.method !== "device-code") {
@@ -389,7 +386,6 @@ export function registerModelsCli(program: Command) {
       "--expires-in <duration>",
       "Optional expiry duration (e.g. 365d, 12h). Stored as absolute expiresAt.",
     )
-    .option("--token <value>", "Token value (skip interactive prompt)")
     .action(async (opts, command) => {
       await withModelsRuntime(async ({ defaultRuntime, resolveModelAgentOption }) => {
         const agent = resolveModelAgentOption(command);
@@ -400,7 +396,6 @@ export function registerModelsCli(program: Command) {
             profileId: opts.profileId as string | undefined,
             expiresIn: opts.expiresIn as string | undefined,
             agent,
-            token: opts.token as string | undefined,
           },
           defaultRuntime,
         );
diff --git a/src/commands/models/auth.test.ts b/src/commands/models/auth.test.ts
@@ -55,6 +55,7 @@ const mocks = vi.hoisted(() => ({
   logConfigUpdated: vi.fn(),
   openUrl: vi.fn(),
   isRemoteEnvironment: vi.fn(() => false),
+  validateAnthropicSetupToken: vi.fn<() => string | undefined>(() => undefined),
   loadAuthProfileStoreForRuntime: vi.fn(),
   listProfilesForProvider: vi.fn(),
   promoteAuthProfileInOrder: vi.fn(),
@@ -170,7 +171,7 @@ vi.mock("../../plugins/provider-oauth-flow.js", () => ({
 }));
 
 vi.mock("../auth-token.js", () => ({
-  validateAnthropicSetupToken: vi.fn(() => undefined),
+  validateAnthropicSetupToken: mocks.validateAnthropicSetupToken,
 }));
 
 vi.mock("../../plugins/provider-auth-choice-helpers.js", async (importOriginal) => {
@@ -356,6 +357,8 @@ describe("modelsAuthLoginCommand", () => {
     mocks.clackPassword.mockReset();
     mocks.clackSelect.mockReset();
     mocks.clackText.mockReset();
+    mocks.validateAnthropicSetupToken.mockReset();
+    mocks.validateAnthropicSetupToken.mockReturnValue(undefined);
     mocks.upsertAuthProfileWithLock.mockReset();
     mocks.upsertAuthProfileWithLock.mockResolvedValue({ version: 1, profiles: {} });
     mocks.promoteAuthProfileInOrder.mockReset();
diff --git a/src/commands/models/auth.ts b/src/commands/models/auth.ts
@@ -573,7 +573,6 @@ export async function modelsAuthPasteTokenCommand(
     profileId?: string;
     expiresIn?: string;
     agent?: string;
-    token?: string;
   },
   runtime: RuntimeEnv,
 ) {
@@ -601,23 +600,11 @@ export async function modelsAuthPasteTokenCommand(
     }
     return undefined;
   };
-  const rawToken = normalizeOptionalString(opts.token);
-  if (opts.token !== undefined && !rawToken) {
-    throw new Error("--token value must not be empty");
-  }
-  if (rawToken !== undefined) {
-    const rawTokenValidation = validateTokenInput(rawToken);
-    if (rawTokenValidation) {
-      throw new Error(rawTokenValidation);
-    }
-  }
-  const tokenInput =
-    rawToken ??
-    (await readPastedSecret({
-      message: `Paste token for ${provider}`,
-      masked: false,
-      validate: validateTokenInput,
-    }));
+  const tokenInput = await readPastedSecret({
+    message: `Paste token for ${provider}`,
+    masked: false,
+    validate: validateTokenInput,
+  });
   const token =
     provider === "anthropic"
       ? tokenInput.replaceAll(/\s+/g, "").trim()
