feat: add --user-auth flag, AM error guidance, and Account Manager guide (#120)

Add --user-auth flag as a shorthand for --auth-methods implicit on all
OAuth commands. Normalize AM auth order to match other commands
(client-credentials first). Override catch() in AmCommand to provide
contextual role-specific suggestions when authentication fails.

Add dedicated Account Manager guide covering authentication options,
CI/CD automation, common workflows, and troubleshooting. Remove dead
IDE Support sidebar link.

Author: clavery

.changeset/user-auth-flag-am-error-guidance.md

@@ -0,0 +1,6 @@
+---
+'@salesforce/b2c-tooling-sdk': minor
+'@salesforce/b2c-cli': minor
+---
+
+Add `--user-auth` flag for simplified browser-based authentication. AM commands now use standard auth method order; enhanced error messages provide role-specific guidance for Account Manager operations.

docs/.vitepress/config.mts

@@ -48,8 +48,8 @@ const guideSidebar = [
     text: 'Guides',
     items: [
       { text: 'Authentication Setup', link: '/guide/authentication' },
+      { text: 'Account Manager', link: '/guide/account-manager' },
       { text: 'Scaffolding', link: '/guide/scaffolding' },
-      { text: 'IDE Support', link: '/guide/ide-support' },
       { text: 'Security', link: '/guide/security' },
       { text: 'Storefront Next', link: '/guide/storefront-next' },
     ],

docs/cli/account-manager.md

@@ -13,19 +13,23 @@ These flags are available on all Account Manager commands:
 | Flag | Environment Variable | Description |
 |------|---------------------|-------------|
 | `--account-manager-host` | `SFCC_ACCOUNT_MANAGER_HOST` | Account Manager hostname (e.g., `account.demandware.com`) |
+| `--user-auth` | — | Use browser-based user authentication (implicit OAuth flow) |
 
 ## Authentication
 
 Account Manager commands work out of the box using the CLI's built-in public client, which authenticates via browser login (implicit flow). No API client configuration is required for interactive use.
 
-For automation or CI/CD, you can provide your own API client credentials.
+For automation or CI/CD, you can provide your own API client credentials. Use `--user-auth` to force browser-based authentication when you have client credentials configured but want to use your user account's roles instead.
 
-### Required Roles
+### Required Roles by Subtopic
 
-| Auth Method | Role | Configured On |
-|-------------|------|---------------|
-| Built-in client (default) | Uses your user account's roles | Your user account |
-| Client Credentials | `User Administrator` or higher | The API client |
+Different Account Manager operations require different roles depending on the authentication method:
+
+| Subtopic | Client Credentials (roles on API client) | User Auth / built-in client (roles on user) |
+|----------|------------------------------------------|---------------------------------------------|
+| `users`, `roles` | User Administrator | Account Administrator or User Administrator |
+| `orgs` | Not supported — use `--user-auth` | Account Administrator |
+| `clients` | Not supported — use `--user-auth` | Account Administrator or API Administrator |
 
 ### Configuration
 
@@ -37,6 +41,9 @@ b2c am users list
 export SFCC_CLIENT_ID=my-client-id
 export SFCC_CLIENT_SECRET=my-client-secret
 b2c am users list
+
+# Force browser-based login even with client credentials configured
+b2c am users list --user-auth
 ```
 
 ---

docs/guide/account-manager.md

@@ -0,0 +1,259 @@
+---
+description: Managing Account Manager users, roles, organizations, and API clients with the B2C CLI — including authentication options, CI/CD automation, and common workflows.
+---
+
+# Account Manager Guide
+
+The B2C CLI provides commands for managing Account Manager resources — users, roles, organizations, and API clients — directly from the terminal. This guide covers authentication setup, common workflows, and CI/CD automation.
+
+::: tip
+For the full command reference with all flags and options, see [Account Manager Commands](/cli/account-manager).
+:::
+
+## Authentication
+
+Account Manager commands work out of the box — no configuration required. The CLI uses a built-in public client that authenticates via browser login. For automation, you can provide your own API client credentials.
+
+### Zero-Config (Default)
+
+Just run commands. The CLI opens a browser for login using the built-in client:
+
+```bash
+# Works immediately — opens browser for login
+b2c am users list
+b2c am orgs list
+```
+
+Your user account's roles determine what operations you can perform (see [Role Requirements](#role-requirements)).
+
+### User Authentication (`--user-auth`)
+
+When you have client credentials configured but want browser-based login instead, use `--user-auth`:
+
+```bash
+# Force browser login even with SFCC_CLIENT_SECRET set
+b2c am users list --user-auth
+
+# Manage organizations (requires user auth)
+b2c am orgs list --user-auth
+```
+
+### Client Credentials
+
+Uses the API client's secret for non-interactive authentication. Best for CI/CD pipelines, scripts, and automation.
+
+```bash
+# List users with client credentials
+b2c am users list --client-id $SFCC_CLIENT_ID --client-secret $SFCC_CLIENT_SECRET
+```
+
+Requirements:
+- A `--client-id` and `--client-secret`
+- The API client must have the appropriate roles assigned (see [Role Requirements](#role-requirements))
+
+### Authentication Order
+
+By default, the CLI tries client credentials first (if `--client-secret` is provided), then falls back to browser-based user authentication (using either your configured `--client-id` or the built-in public client). To force browser-based login, pass `--user-auth`.
+
+### Role Requirements
+
+Different operations require different roles, and the required roles depend on how you authenticate:
+
+| Operations | Client Credentials (roles on API client) | User Auth (roles on user account) |
+|---|---|---|
+| Users & Roles | User Administrator | Account Administrator or User Administrator |
+| Organizations | Not supported — use `--user-auth` | Account Administrator |
+| API Clients | Not supported — use `--user-auth` | Account Administrator or API Administrator |
+
+::: warning
+Organization and API client management are **only available with user authentication**. Client credentials do not support these operations regardless of the roles assigned.
+:::
+
+If authentication fails, the CLI provides contextual error messages recommending the specific roles or `--user-auth` flag needed for the operation you attempted.
+
+## Setting Up Credentials
+
+### For Interactive Use
+
+No setup required. Account Manager commands use the CLI's built-in public client by default:
+
+```bash
+b2c am users list
+```
+
+If you need to use your own API client (for specific scopes or organization restrictions):
+
+1. In [Account Manager](https://account.demandware.com), find or create an API client
+2. Under **Redirect URLs**, add `http://localhost:8080`
+3. Under **Allowed Scopes**, add: `mail roles tenantFilter openid`
+4. Set **Default Scopes** to: `mail roles tenantFilter openid`
+
+```bash
+export SFCC_CLIENT_ID=your-client-id
+b2c am users list --user-auth
+```
+
+### For CI/CD and Automation
+
+1. In [Account Manager](https://account.demandware.com), create a dedicated API client
+2. Set a strong password (client secret) and save it securely
+3. Set **Token Endpoint Auth Method** to `client_secret_post`
+4. Under **Roles**, add **User Administrator** (for user/role management)
+5. Under **Allowed Scopes**, add: `mail roles tenantFilter openid`
+6. Set **Default Scopes** to: `mail roles tenantFilter openid`
+
+Then configure your CI/CD environment:
+
+```bash
+export SFCC_CLIENT_ID=your-client-id
+export SFCC_CLIENT_SECRET=your-client-secret
+```
+
+::: tip
+Store the client secret in your CI/CD system's secrets manager — never commit it to source control.
+:::
+
+## Common Workflows
+
+### User Onboarding
+
+Create a user, then grant them the necessary roles:
+
+```bash
+# Create the user
+b2c am users create --org $ORG_ID --mail developer@example.com \
+  --first-name Alex --last-name Developer
+
+# Grant Business Manager Admin role scoped to a specific tenant
+b2c am roles grant developer@example.com \
+  --role bm-admin --scope zzxy_prd
+```
+
+### User Offboarding
+
+Revoke roles and disable the user:
+
+```bash
+# Revoke all roles
+b2c am roles revoke developer@example.com --role bm-admin
+
+# Soft delete (disable) the user
+b2c am users delete developer@example.com
+
+# Permanent deletion (user must be in DELETED state first)
+b2c am users delete developer@example.com --purge
+```
+
+### Auditing
+
+Review users, roles, and organization activity:
+
+```bash
+# List all users
+b2c am users list --extended
+
+# Get user details with expanded roles and organizations
+b2c am users get developer@example.com --expand-all
+
+# View organization audit logs
+b2c am orgs audit $ORG_ID
+```
+
+### API Client Provisioning
+
+Create and configure API clients for your team or automation:
+
+```bash
+# Create an API client
+b2c am clients create \
+  --name "CI/CD Pipeline" \
+  --organizations $ORG_ID \
+  --password "SecureP@ssword123" \
+  --roles SALESFORCE_COMMERCE_API \
+  --role-tenant-filter "SALESFORCE_COMMERCE_API:zzxy_prd"
+
+# Activate the client
+b2c am clients update $CLIENT_ID --active
+```
+
+### Bulk Operations with JSON Output
+
+Use `--json` output for scripting and integration with other tools:
+
+```bash
+# Export all users as JSON
+b2c am users list --size 4000 --json
+
+# Export all organizations
+b2c am orgs list --all --json
+
+# Pipe to jq for filtering
+b2c am users list --json | jq '.[] | select(.userState == "ACTIVE")'
+```
+
+## CI/CD Examples
+
+### GitHub Actions
+
+```yaml
+jobs:
+  manage-users:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - run: npm install -g @salesforce/b2c-cli
+      - run: b2c am users list --json
+        env:
+          SFCC_CLIENT_ID: ${{ secrets.SFCC_CLIENT_ID }}
+          SFCC_CLIENT_SECRET: ${{ secrets.SFCC_CLIENT_SECRET }}
+```
+
+### Shell Script Automation
+
+```bash
+#!/bin/bash
+# Ensure a user has the required roles
+
+USER_EMAIL="developer@example.com"
+REQUIRED_ROLES=("bm-admin" "SALESFORCE_COMMERCE_API")
+TENANT="zzxy_prd"
+
+for role in "${REQUIRED_ROLES[@]}"; do
+  echo "Granting $role to $USER_EMAIL..."
+  b2c am roles grant "$USER_EMAIL" --role "$role" --scope "$TENANT" --json
+done
+```
+
+## Troubleshooting
+
+### "operation forbidden" or "authentication invalid"
+
+The CLI will suggest the specific role or auth method needed. Common fixes:
+
+- **For user/role operations with client credentials**: Add the **User Administrator** role to your API client, or switch to `--user-auth`
+- **For organization operations**: Use `--user-auth` — org management requires user authentication
+- **For API client operations**: Use `--user-auth` with a user that has the **Account Administrator** or **API Administrator** role
+
+### "No valid auth method available"
+
+The CLI could not find credentials for any allowed auth method:
+
+- Verify `--client-id` is set (or `SFCC_CLIENT_ID` environment variable)
+- For client credentials, verify `--client-secret` is set
+- For `--user-auth`, only `--client-id` is required
+
+### Redirect URL errors with `--user-auth`
+
+If the browser login fails with a redirect error:
+
+- In Account Manager, verify `http://localhost:8080` is in the API client's **Redirect URLs**
+- Ensure port 8080 is not in use by another application
+
+## Next Steps
+
+- [Account Manager Commands](/cli/account-manager) — Full command reference
+- [Authentication Setup](/guide/authentication) — General authentication configuration
+- [Configuration](/guide/configuration) — Environment variables and config files

docs/guide/authentication.md

@@ -39,13 +39,17 @@ The CLI supports two authentication methods:
 
 | Method | When Used | Role Configuration |
 |--------|-----------|-------------------|
-| **User Authentication** | When only `--client-id` is provided (no secret) | Roles configured on your **user account** |
+| **User Authentication** | When `--user-auth` is passed, or when only `--client-id` is provided (no secret) | Roles configured on your **user account** |
 | **Client Credentials** | When both `--client-id` and `--client-secret` are provided | Roles configured on the **API client** |
 
-**User Authentication** opens a browser for interactive login and uses roles assigned to your user account. This is ideal for development and manual operations.
+**User Authentication** opens a browser for interactive login and uses roles assigned to your user account. This is ideal for development and manual operations. Use `--user-auth` as a shorthand for `--auth-methods implicit` on any OAuth command.
 
 **Client Credentials** uses the API client's secret for non-interactive authentication. This is ideal for CI/CD pipelines and automation.
 
+::: tip
+For Account Manager operations that require user-level roles (organization and API client management), use `--user-auth` to authenticate with your user account. See [Account Manager Authentication](/cli/account-manager#authentication) for per-subtopic role requirements.
+:::
+
 ### Creating an API Client
 
 1. Log in to [Account Manager](https://account.demandware.com)