@girardmedia/bootspring 1.2.0 → 2.0.3

package/cli/auth.js

@@ -5,8 +5,75 @@
  */
 
 const readline = require('readline');
+const { exec } = require('child_process');
+const os = require('os');
+const https = require('https');
+const http = require('http');
 const auth = require('../core/auth');
 const api = require('../core/api-client');
+const session = require('../core/session');
+
+const API_BASE = process.env.BOOTSPRING_API_URL || 'https://www.bootspring.com';
+
+/**
+ * Make a direct API request (without v1 prefix)
+ */
+async function directRequest(method, path) {
+  const apiKey = auth.getApiKey();
+  const token = auth.getToken();
+  const deviceId = auth.getDeviceId();
+  const url = new URL(`/api${path}`, API_BASE);
+  const isHttps = url.protocol === 'https:';
+  const httpModule = isHttps ? https : http;
+
+  const headers = {
+    'Content-Type': 'application/json',
+    'User-Agent': `bootspring-cli/${require('../package.json').version}`,
+    'X-Device-Id': deviceId
+  };
+
+  if (apiKey) {
+    headers['X-API-Key'] = apiKey;
+  } else if (token) {
+    headers['Authorization'] = `Bearer ${token}`;
+  }
+
+  return new Promise((resolve, reject) => {
+    const req = httpModule.request(url, {
+      method,
+      headers,
+      timeout: 30000
+    }, (res) => {
+      let body = '';
+      res.on('data', chunk => body += chunk);
+      res.on('end', () => {
+        try {
+          const json = JSON.parse(body);
+          if (res.statusCode >= 400) {
+            const error = new Error(json.error || json.message || 'API Error');
+            error.status = res.statusCode;
+            reject(error);
+          } else {
+            resolve(json);
+          }
+        } catch {
+          if (res.statusCode >= 400) {
+            reject(new Error(`API Error: ${res.statusCode}`));
+          } else {
+            resolve(body);
+          }
+        }
+      });
+    });
+
+    req.on('error', reject);
+    req.on('timeout', () => {
+      req.destroy();
+      reject(new Error('Request timeout'));
+    });
+    req.end();
+  });
+}
 
 // ANSI colors
 const colors = {
@@ -70,52 +137,171 @@ function prompt(question, hidden = false) {
 }
 
 /**
- * Login command
+ * Open URL in default browser
  */
-async function login(args = []) {
-  console.log(`\n${colors.bold}Bootspring Login${colors.reset}\n`);
+function openBrowser(url) {
+  const platform = os.platform();
+  let cmd;
 
-  // Check for --api-key flag
-  const apiKeyIndex = args.findIndex(a => a === '--api-key' || a === '-k');
-  const apiKey = apiKeyIndex !== -1 ? args[apiKeyIndex + 1] : null;
+  switch (platform) {
+    case 'darwin':
+      cmd = `open "${url}"`;
+      break;
+    case 'win32':
+      cmd = `start "" "${url}"`;
+      break;
+    default:
+      cmd = `xdg-open "${url}"`;
+  }
 
-  // Check if already logged in
-  if (auth.isAuthenticated()) {
-    const user = auth.getUser();
-    console.log(`${colors.yellow}You are already logged in as ${user.email}${colors.reset}`);
-    const confirm = await prompt('Do you want to log in with a different account? (y/N): ');
-    if (confirm.toLowerCase() !== 'y') {
-      return;
-    }
+  return new Promise((resolve) => {
+    exec(cmd, (error) => {
+      resolve(!error);
+    });
+  });
+}
+
+/**
+ * Device authorization flow - browser-based login
+ */
+async function loginWithBrowser(noBrowser = false) {
+  console.log(`${colors.dim}Requesting device code...${colors.reset}`);
+
+  let deviceResponse;
+  try {
+    deviceResponse = await api.requestDeviceCode();
+  } catch (error) {
+    console.log(`\n${colors.red}✗ Failed to start device flow: ${error.message}${colors.reset}`);
+    console.log(`\n${colors.dim}Try: bootspring auth login --password${colors.reset}`);
+    return;
   }
 
-  // API Key authentication
-  if (apiKey) {
-    // Validate API key format
-    if (!apiKey.match(/^(bs|sk)_(live|test)_[A-Za-z0-9_-]{16,}$/)) {
-      console.log(`${colors.red}Invalid API key format${colors.reset}`);
-      console.log(`${colors.dim}API keys should start with bs_live_ or bs_test_${colors.reset}`);
-      return;
+  const { device_code, user_code, verification_uri_complete, expires_in, interval } = deviceResponse;
+
+  // Show the URL
+  console.log(`\n${colors.bold}Opening browser to complete authentication...${colors.reset}`);
+  console.log(`${colors.cyan}${verification_uri_complete}${colors.reset}\n`);
+
+  // Open browser (unless --no-browser)
+  if (!noBrowser) {
+    const opened = await openBrowser(verification_uri_complete);
+    if (!opened) {
+      console.log(`${colors.yellow}Could not open browser. Please visit the URL above manually.${colors.reset}\n`);
     }
+  } else {
+    console.log(`${colors.dim}Open the URL above in your browser to continue.${colors.reset}\n`);
+  }
 
-    console.log(`${colors.dim}Validating API key...${colors.reset}`);
+  console.log(`${colors.dim}Your code: ${colors.reset}${colors.bold}${user_code}${colors.reset}`);
+  console.log(`\n${colors.dim}Waiting for authorization... (press Ctrl+C to cancel)${colors.reset}`);
+
+  // Start polling
+  const pollInterval = (interval || 5) * 1000; // Convert to ms
+  const timeout = (expires_in || 900) * 1000; // Convert to ms
+  const startTime = Date.now();
+
+  // Spinner animation
+  const spinnerFrames = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏'];
+  let spinnerIndex = 0;
+
+  const pollForToken = () => {
+    return new Promise((resolve, reject) => {
+      const poll = async () => {
+        // Check timeout
+        if (Date.now() - startTime > timeout) {
+          reject(new Error('Authorization timed out. Please try again.'));
+          return;
+        }
 
-    try {
-      const response = await api.loginWithApiKey(apiKey);
+        // Update spinner
+        process.stdout.write(`\r${colors.cyan}${spinnerFrames[spinnerIndex]}${colors.reset} Waiting for browser authorization...`);
+        spinnerIndex = (spinnerIndex + 1) % spinnerFrames.length;
+
+        try {
+          const response = await api.pollDeviceToken(device_code);
+
+          // Success!
+          process.stdout.write('\r' + ' '.repeat(50) + '\r'); // Clear line
+          // Device flow returns API key, not JWT token
+          if (response.api_key) {
+            auth.loginWithApiKey(response.api_key, response.user);
+          } else {
+            auth.login(response);
+          }
+          resolve(response);
+        } catch (error) {
+          if (error.message?.includes('authorization_pending') ||
+              error.code === 'authorization_pending' ||
+              error.status === 400 && error.details?.error === 'authorization_pending') {
+            // Still waiting, continue polling
+            setTimeout(poll, pollInterval);
+          } else if (error.message?.includes('access_denied') || error.code === 'access_denied') {
+            process.stdout.write('\r' + ' '.repeat(50) + '\r');
+            reject(new Error('Authorization was denied'));
+          } else if (error.message?.includes('expired') || error.code === 'expired_token') {
+            process.stdout.write('\r' + ' '.repeat(50) + '\r');
+            reject(new Error('Device code expired. Please try again.'));
+          } else {
+            // Continue polling for other errors (network issues, etc)
+            setTimeout(poll, pollInterval);
+          }
+        }
+      };
 
-      console.log(`\n${colors.green}✓ API key validated!${colors.reset}`);
-      console.log(`\n  ${colors.bold}Welcome, ${response.user.name || response.user.email}!${colors.reset}`);
-      console.log(`  ${colors.dim}Tier: ${colors.reset}${colors.cyan}${response.user.tier}${colors.reset}`);
-      console.log(`  ${colors.dim}Auth: ${colors.reset}${colors.magenta}API Key${colors.reset}`);
-      console.log(`\n  ${colors.dim}Credentials stored in: ${auth.getCredentialsPath()}${colors.reset}`);
-    } catch (error) {
-      console.log(`\n${colors.red}✗ API key validation failed: ${error.message}${colors.reset}`);
-      console.log(`\n${colors.dim}Generate API keys at: https://bootspring.com/dashboard/keys${colors.reset}`);
+      // Handle Ctrl+C
+      const cleanup = () => {
+        process.stdout.write('\r' + ' '.repeat(50) + '\r');
+        reject(new Error('Cancelled'));
+      };
+      process.once('SIGINT', cleanup);
+
+      // Start polling after initial delay
+      setTimeout(poll, pollInterval);
+    });
+  };
+
+  try {
+    const response = await pollForToken();
+
+    console.log(`${colors.green}✓ Login successful!${colors.reset}`);
+    console.log(`\n  ${colors.bold}Welcome, ${response.user.name || response.user.email}!${colors.reset}`);
+    console.log(`  ${colors.dim}Tier: ${colors.reset}${colors.cyan}${response.user.tier}${colors.reset}`);
+
+    console.log(`\n  ${colors.dim}Credentials stored in: ${auth.getCredentialsPath()}${colors.reset}`);
+
+    // Check if this directory already has a local config (already locked to a project)
+    const existingConfig = session.findLocalConfig();
+    if (existingConfig && existingConfig._dir === process.cwd()) {
+      console.log(`\n  ${colors.dim}Project: ${colors.reset}${colors.green}${existingConfig.projectName}${colors.reset} ${colors.dim}(from local config)${colors.reset}`);
+    } else if (response.project) {
+      // Project was selected on web during device flow - use it automatically
+      console.log(`\n  ${colors.dim}Project: ${colors.reset}${colors.green}${response.project.name}${colors.reset} ${colors.dim}(selected on web)${colors.reset}`);
+
+      // Save to session
+      session.setCurrentProject(response.project);
+      session.addRecentProject(response.project);
+
+      // Create local config to lock directory
+      try {
+        const configPath = session.createLocalConfig(process.cwd(), response.project);
+        console.log(`  ${colors.dim}Locked directory to "${response.project.name}"${colors.reset}`);
+        console.log(`  ${colors.dim}Config: ${configPath}${colors.reset}`);
+      } catch (error) {
+        console.log(`  ${colors.yellow}Warning: Could not create local config: ${error.message}${colors.reset}`);
+      }
+    } else {
+      // No project selected on web - prompt for selection
+      await requireProjectSelection({ force: true, lockToDirectory: true });
     }
-    return;
+  } catch (error) {
+    console.log(`\n${colors.red}✗ ${error.message}${colors.reset}`);
   }
+}
 
-  // Email/password authentication
+/**
+ * Email/password login (legacy)
+ */
+async function loginWithPassword() {
   const email = await prompt(`${colors.cyan}Email:${colors.reset} `);
   if (!email) {
     console.log(`${colors.red}Email is required${colors.reset}`);
@@ -137,6 +323,15 @@ async function login(args = []) {
     console.log(`\n  ${colors.bold}Welcome, ${response.user.name || response.user.email}!${colors.reset}`);
     console.log(`  ${colors.dim}Tier: ${colors.reset}${colors.cyan}${response.user.tier}${colors.reset}`);
     console.log(`\n  ${colors.dim}Credentials stored in: ${auth.getCredentialsPath()}${colors.reset}`);
+
+    // Check if this directory already has a local config
+    const existingConfig = session.findLocalConfig();
+    if (existingConfig && existingConfig._dir === process.cwd()) {
+      console.log(`\n  ${colors.dim}Project: ${colors.reset}${colors.green}${existingConfig.projectName}${colors.reset} ${colors.dim}(from local config)${colors.reset}`);
+    } else {
+      // Force project selection for new directories
+      await requireProjectSelection({ force: true, lockToDirectory: true });
+    }
   } catch (error) {
     console.log(`\n${colors.red}✗ Login failed: ${error.message}${colors.reset}`);
 
@@ -146,6 +341,98 @@ async function login(args = []) {
   }
 }
 
+/**
+ * Login with API key
+ */
+async function loginWithApiKey(apiKey) {
+  // Validate API key format
+  if (!apiKey.match(/^(bs|sk)_(live|test)_[A-Za-z0-9_-]{16,}$/)) {
+    console.log(`${colors.red}Invalid API key format${colors.reset}`);
+    console.log(`${colors.dim}API keys should start with bs_live_ or bs_test_${colors.reset}`);
+    return;
+  }
+
+  console.log(`${colors.dim}Validating API key...${colors.reset}`);
+
+  try {
+    const response = await api.loginWithApiKey(apiKey);
+
+    console.log(`\n${colors.green}✓ API key validated!${colors.reset}`);
+    console.log(`\n  ${colors.dim}Tier: ${colors.reset}${colors.cyan}${response.user.tier}${colors.reset}`);
+    console.log(`  ${colors.dim}Auth: ${colors.reset}${colors.magenta}API Key${colors.reset}`);
+
+    // Show project info if key is project-scoped
+    if (response.project) {
+      console.log(`  ${colors.dim}Project: ${colors.reset}${colors.green}${response.project.name}${colors.reset} ${colors.dim}(auto-set from key)${colors.reset}`);
+    }
+
+    console.log(`\n  ${colors.dim}Credentials stored in: ${auth.getCredentialsPath()}${colors.reset}`);
+
+    // Always prompt for project selection in new directories
+    // API key scope determines permissions, but user chooses which project to link
+    const existingConfig = session.findLocalConfig();
+    if (existingConfig && existingConfig._dir === process.cwd()) {
+      console.log(`\n  ${colors.dim}Project: ${colors.reset}${colors.green}${existingConfig.projectName}${colors.reset} ${colors.dim}(from local config)${colors.reset}`);
+    } else {
+      await requireProjectSelection({ force: true, lockToDirectory: true });
+    }
+  } catch (error) {
+    console.log(`\n${colors.red}✗ API key validation failed: ${error.message}${colors.reset}`);
+    console.log(`\n${colors.dim}Generate API keys at: https://bootspring.com/dashboard/keys${colors.reset}`);
+  }
+}
+
+/**
+ * Login command
+ */
+async function login(args = []) {
+  console.log(`\n${colors.bold}Bootspring Login${colors.reset}\n`);
+
+  // Parse flags
+  const hasApiKey = args.includes('--api-key') || args.includes('-k');
+  const hasPassword = args.includes('--password') || args.includes('-p');
+  const noBrowser = args.includes('--no-browser');
+
+  // Get API key value if provided
+  const apiKeyIndex = args.findIndex(a => a === '--api-key' || a === '-k');
+  const apiKey = apiKeyIndex !== -1 ? args[apiKeyIndex + 1] : null;
+
+  // Check if already logged in
+  if (auth.isAuthenticated()) {
+    const user = auth.getUser();
+
+    // Check if this directory already has a local config
+    const existingConfig = session.findLocalConfig();
+    if (existingConfig && existingConfig._dir === process.cwd()) {
+      // Directory already linked to a project
+      console.log(`${colors.green}Already authenticated as ${user.email}${colors.reset}`);
+      console.log(`${colors.dim}Project: ${colors.reset}${colors.green}${existingConfig.projectName}${colors.reset} ${colors.dim}(from .bootspring.json)${colors.reset}`);
+      console.log(`\n${colors.dim}To switch projects, run: bootspring switch <project>${colors.reset}`);
+      console.log(`${colors.dim}To use a different account, run: bootspring auth logout${colors.reset}`);
+      return;
+    }
+
+    // Directory not linked - go through browser flow to select/create project
+    console.log(`${colors.green}Authenticated as ${user.email}${colors.reset}`);
+    console.log(`${colors.dim}This directory is not linked to a project yet.${colors.reset}\n`);
+    console.log(`${colors.dim}Opening browser to select or create a project...${colors.reset}\n`);
+
+    // Use device flow to select project via dashboard (allows creating new projects)
+    await loginWithBrowser(noBrowser);
+    return;
+  }
+
+  // Route to appropriate login method
+  if (hasApiKey && apiKey) {
+    await loginWithApiKey(apiKey);
+  } else if (hasPassword) {
+    await loginWithPassword();
+  } else {
+    // Default: browser-based device flow
+    await loginWithBrowser(noBrowser);
+  }
+}
+
 /**
  * Register command
  */
@@ -271,11 +558,56 @@ async function status() {
   const isApiKey = auth.isApiKeyAuth();
   console.log(`  ${colors.cyan}Authenticated:${colors.reset} ${isAuth ? colors.green + 'Yes' : colors.yellow + 'No'}${colors.reset}`);
 
+  let keyProject = null;
+
   if (isAuth) {
     const user = auth.getUser();
-    console.log(`  ${colors.cyan}User:${colors.reset}          ${user.email}`);
+    console.log(`  ${colors.cyan}User:${colors.reset}          ${user.email || user.tier}`);
     console.log(`  ${colors.cyan}Tier:${colors.reset}          ${user.tier}`);
     console.log(`  ${colors.cyan}Auth Method:${colors.reset}   ${isApiKey ? colors.magenta + 'API Key' : colors.green + 'Session'}${colors.reset}`);
+
+    // If using API key, validate it and get the associated project
+    if (isApiKey) {
+      try {
+        const apiKey = auth.getApiKey();
+        const validation = await api.validateApiKey(apiKey);
+        if (validation && validation.project) {
+          keyProject = validation.project;
+        }
+      } catch {
+        // Ignore validation errors in status
+      }
+    }
+  }
+
+  // Check project context
+  const sessionState = session.getSessionState();
+  const currentProject = sessionState.project;
+
+  // Sync project from API key if there's a mismatch or no local project
+  if (keyProject && (!currentProject || currentProject.id !== keyProject.id)) {
+    session.setCurrentProject(keyProject);
+    session.addRecentProject(keyProject);
+    console.log(`\n${colors.bold}Project Context${colors.reset} ${colors.dim}(synced from API key)${colors.reset}`);
+    console.log(`  ${colors.cyan}Project:${colors.reset}       ${keyProject.name}`);
+    if (keyProject.slug) {
+      console.log(`  ${colors.cyan}Slug:${colors.reset}          ${keyProject.slug}`);
+    }
+    console.log(`  ${colors.cyan}Source:${colors.reset}        ${colors.dim}api-key${colors.reset}`);
+  } else if (currentProject) {
+    console.log(`\n${colors.bold}Project Context${colors.reset}`);
+    console.log(`  ${colors.cyan}Project:${colors.reset}       ${currentProject.name}`);
+    if (currentProject.slug) {
+      console.log(`  ${colors.cyan}Slug:${colors.reset}          ${currentProject.slug}`);
+    }
+    const sourceLabel = sessionState.source === 'local' ? 'local config' : 'session';
+    console.log(`  ${colors.cyan}Source:${colors.reset}        ${colors.dim}${sourceLabel}${colors.reset}`);
+    if (sessionState.hasLocalConfig) {
+      console.log(`  ${colors.cyan}Config:${colors.reset}        ${colors.dim}${sessionState.localConfigPath}${colors.reset}`);
+    }
+  } else {
+    console.log(`\n  ${colors.yellow}No project context${colors.reset}`);
+    console.log(`  ${colors.dim}Run 'bootspring switch <project>' to set a project${colors.reset}`);
   }
 
   // Check API connectivity
@@ -285,7 +617,6 @@ async function status() {
     const health = await api.healthCheck();
     if (health.connected) {
       console.log(`  ${colors.cyan}API Status:${colors.reset}    ${colors.green}Connected${colors.reset}`);
-      console.log(`  ${colors.cyan}API Version:${colors.reset}   ${health.version || 'unknown'}`);
     } else {
       console.log(`  ${colors.cyan}API Status:${colors.reset}    ${colors.red}Disconnected${colors.reset}`);
       console.log(`  ${colors.dim}Error: ${health.error}${colors.reset}`);
@@ -298,6 +629,121 @@ async function status() {
   console.log(`\n  ${colors.cyan}API URL:${colors.reset}       ${api.API_BASE}`);
 }
 
+/**
+ * Switch project command - delegates to switch module
+ */
+async function switchProject(args) {
+  const switchModule = require('./switch');
+  await switchModule.run(args);
+}
+
+/**
+ * Require user to select a project interactively
+ * Project context is required for all Bootspring commands
+ * @param {object} options - Options
+ * @param {boolean} options.force - Force project selection even if session has a project
+ * @param {boolean} options.lockToDirectory - Create .bootspring.json after selection
+ */
+async function requireProjectSelection(options = {}) {
+  const { force = false, lockToDirectory = false } = options;
+
+  // If not forcing, check if project context already exists
+  if (!force) {
+    // Check if project context already exists
+    if (session.getEffectiveProject && session.getEffectiveProject()) {
+      return;
+    }
+
+    // Check legacy hasProjectContext
+    if (session.hasProjectContext && session.hasProjectContext()) {
+      return;
+    }
+
+    // Check local .bootspring.json
+    const localConfig = session.findLocalConfig && session.findLocalConfig();
+    if (localConfig?.projectId) {
+      return;
+    }
+  }
+
+  console.log(`\n${colors.yellow}Select a project for this directory${colors.reset}`);
+  console.log(`${colors.dim}This directory will be locked to the selected project.${colors.reset}\n`);
+
+  // Fetch projects
+  console.log(`${colors.dim}Fetching projects...${colors.reset}`);
+
+  let projects = [];
+  try {
+    const response = await directRequest('GET', '/projects');
+    projects = response.projects || [];
+  } catch (error) {
+    console.log(`${colors.red}Failed to fetch projects: ${error.message}${colors.reset}`);
+    console.log(`${colors.dim}Run 'bootspring switch <project>' manually to set project${colors.reset}`);
+    return;
+  }
+
+  if (projects.length === 0) {
+    console.log(`${colors.yellow}No projects found${colors.reset}`);
+    console.log(`${colors.dim}Create a project at https://bootspring.com/dashboard/projects${colors.reset}`);
+    return;
+  }
+
+  // Show numbered list
+  console.log(`\n${colors.bold}Your Projects${colors.reset}\n`);
+  for (let i = 0; i < projects.length; i++) {
+    const project = projects[i];
+    console.log(`  ${colors.cyan}[${i + 1}]${colors.reset} ${colors.bold}${project.name}${colors.reset} ${colors.dim}(${project.slug})${colors.reset}`);
+  }
+
+  // Prompt for selection
+  const selection = await prompt(`\n${colors.cyan}Enter number or name:${colors.reset} `);
+
+  if (!selection) {
+    console.log(`${colors.yellow}No project selected${colors.reset}`);
+    console.log(`${colors.dim}Run 'bootspring switch <project>' to set project later${colors.reset}`);
+    return;
+  }
+
+  // Find project by number or name
+  let selectedProject = null;
+  const num = parseInt(selection, 10);
+
+  if (!isNaN(num) && num >= 1 && num <= projects.length) {
+    selectedProject = projects[num - 1];
+  } else {
+    selectedProject = projects.find(
+      p => p.name.toLowerCase() === selection.toLowerCase() ||
+           p.slug === selection.toLowerCase()
+    );
+  }
+
+  if (!selectedProject) {
+    console.log(`${colors.red}Project not found: ${selection}${colors.reset}`);
+    console.log(`${colors.dim}Run 'bootspring switch <project>' to try again${colors.reset}`);
+    return;
+  }
+
+  // Set project in session
+  session.setCurrentProject(selectedProject);
+  session.addRecentProject(selectedProject);
+
+  console.log(`\n${colors.green}Selected: ${selectedProject.name}${colors.reset}`);
+
+  // Create local config to lock directory
+  if (lockToDirectory) {
+    try {
+      const configPath = session.createLocalConfig(process.cwd(), selectedProject);
+      console.log(`${colors.dim}Locked directory to "${selectedProject.name}"${colors.reset}`);
+      console.log(`${colors.dim}Config: ${configPath}${colors.reset}`);
+    } catch (error) {
+      console.log(`${colors.yellow}Warning: Could not create local config: ${error.message}${colors.reset}`);
+    }
+  }
+}
+
+// Alias for backwards compatibility (exported for potential external use)
+const _promptForProjectIfNeeded = requireProjectSelection;
+
 /**
  * Main command handler
  */
@@ -327,6 +773,11 @@ async function run(args) {
       await status();
       break;
 
+    case 'switch':
+    case 'project':
+      await switchProject(args.slice(1));
+      break;
+
     default:
       console.log(`\n${colors.bold}Bootspring Authentication${colors.reset}\n`);
       console.log(`${colors.cyan}Usage:${colors.reset} bootspring auth <command>\n`);
@@ -336,13 +787,19 @@ async function run(args) {
       console.log(`  ${colors.green}logout${colors.reset}    Log out and clear credentials`);
       console.log(`  ${colors.green}whoami${colors.reset}    Show current user and usage`);
       console.log(`  ${colors.green}status${colors.reset}    Check authentication and API status`);
+      console.log(`  ${colors.green}switch${colors.reset}    Switch current project context`);
       console.log(`\n${colors.bold}Login Options:${colors.reset}`);
+      console.log(`  ${colors.dim}(default)${colors.reset}      Browser-based login (opens browser)`);
+      console.log(`  ${colors.green}--password, -p${colors.reset} Use email/password login`);
       console.log(`  ${colors.green}--api-key, -k${colors.reset}  Login with an API key`);
+      console.log(`  ${colors.green}--no-browser${colors.reset}   Show URL without opening browser`);
       console.log(`\n${colors.dim}Examples:${colors.reset}`);
-      console.log('  bootspring auth login');
+      console.log('  bootspring auth login              # Opens browser for SSO');
+      console.log('  bootspring auth login --password   # Email/password prompt');
       console.log('  bootspring auth login --api-key bs_live_xxxxx');
       console.log('  bootspring auth whoami');
+      console.log('  bootspring switch my-project       # Switch project context');
   }
 }
 
-module.exports = { run };
+module.exports = { run, requireProjectSelection };