agent-messenger 2.22.0 → 2.23.0

package/src/platforms/webex/commands/auth.test.ts

@@ -1,11 +1,21 @@
-import { afterEach, beforeEach, describe, expect, spyOn, it } from 'bun:test'
+import { afterEach, beforeEach, describe, expect, mock, spyOn, it } from 'bun:test'
 import * as childProcess from 'node:child_process'
+import * as fs from 'node:fs'
 
 import { WebexClient } from '../client'
 import { WebexCredentialManager } from '../credential-manager'
+import * as passwordLogin from '../password-login'
 import { WebexTokenExtractor } from '../token-extractor'
 import { WebexError } from '../types'
-import { extractAction, loginAction, logoutAction, statusAction } from './auth'
+import { extractAction, loginAction, logoutAction, oauthAction, statusAction } from './auth'
+
+let promptQueue: string[] = []
+mock.module('node:readline/promises', () => ({
+  createInterface: () => ({
+    question: async () => promptQueue.shift() ?? '',
+    close: () => {},
+  }),
+}))
 
 class ProcessExit extends Error {
   constructor(readonly code?: string | number | null) {
@@ -18,6 +28,7 @@ describe('auth commands', () => {
   let consoleErrorSpy: ReturnType<typeof spyOn>
   let execSpy: ReturnType<typeof spyOn>
   let stderrWriteSpy: ReturnType<typeof spyOn>
+  let stdoutWriteSpy: ReturnType<typeof spyOn>
   const protoSpies: ReturnType<typeof spyOn>[] = []
   let originalStdinTTY: boolean | undefined
   let originalStdoutTTY: boolean | undefined
@@ -42,10 +53,12 @@ describe('auth commands', () => {
   }
 
   beforeEach(() => {
+    promptQueue = []
     consoleSpy = spyOn(console, 'log').mockImplementation(() => {})
     consoleErrorSpy = spyOn(console, 'error').mockImplementation(() => {})
     execSpy = spyOn(childProcess, 'exec').mockImplementation((() => {}) as any)
     stderrWriteSpy = spyOn(process.stderr, 'write').mockImplementation(() => true)
+    stdoutWriteSpy = spyOn(process.stdout, 'write').mockImplementation(() => true)
     originalStdinTTY = process.stdin.isTTY
     originalStdoutTTY = process.stdout.isTTY
     // Default to interactive TTY for existing tests; non-interactive tests override.
@@ -62,6 +75,7 @@ describe('auth commands', () => {
     consoleErrorSpy.mockRestore()
     execSpy.mockRestore()
     stderrWriteSpy.mockRestore()
+    stdoutWriteSpy.mockRestore()
     for (const s of protoSpies) s.mockRestore()
     protoSpies.length = 0
     setTTY(originalStdinTTY)
@@ -99,9 +113,170 @@ describe('auth commands', () => {
       expect(savedConfig.expiresAt).toBe(0)
       expect(savedConfig.refreshToken).toBe('')
     })
+
+    it('still allows --token login when non-interactive (bot/PAT path)', async () => {
+      setTTY(false)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+
+      await loginAction({ token: 'bot-token-123', pretty: false })
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.authenticated).toBe(true)
+      expect(output.user.displayName).toBe('Test User')
+    })
+  })
+
+  describe('loginAction with --email/--password', () => {
+    const passwordConfig = {
+      accessToken: 'pw-access-token',
+      refreshToken: 'pw-refresh-token',
+      expiresAt: Date.now() + 3_600_000,
+      deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/test-device',
+      userId: 'user-1',
+    }
+
+    it('logs in with email/password and saves the password token type', async () => {
+      const pwSpy = protoSpy(passwordLogin, 'loginWithPassword').mockResolvedValue(passwordConfig)
+      const saveSpy = protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+
+      await loginAction({ email: 'alice@example.com', password: 'hunter2', pretty: false })
+
+      expect(pwSpy).toHaveBeenCalledWith('alice@example.com', 'hunter2', { idbrokerHost: undefined })
+      const savedConfig = saveSpy.mock.calls[0][0] as { tokenType: string; clientId: string }
+      expect(savedConfig.tokenType).toBe('password')
+      expect(savedConfig.clientId).toBe(passwordLogin.WEB_CLIENT_ID)
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.authenticated).toBe(true)
+      expect(output.user.displayName).toBe('Test User')
+    })
+
+    it('forwards --idbroker-host to the password login flow', async () => {
+      const pwSpy = protoSpy(passwordLogin, 'loginWithPassword').mockResolvedValue(passwordConfig)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+
+      await loginAction({
+        email: 'alice@example.com',
+        password: 'hunter2',
+        idbrokerHost: 'https://idbroker.example.com',
+        pretty: false,
+      })
+
+      expect(pwSpy).toHaveBeenCalledWith('alice@example.com', 'hunter2', {
+        idbrokerHost: 'https://idbroker.example.com',
+      })
+    })
+
+    it('reads the password from stdin with --password-stdin', async () => {
+      const pwSpy = protoSpy(passwordLogin, 'loginWithPassword').mockResolvedValue(passwordConfig)
+      protoSpy(fs, 'readFileSync').mockReturnValue('stdin-secret\n')
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+
+      await loginAction({ email: 'alice@example.com', passwordStdin: true, pretty: false })
+
+      expect(pwSpy).toHaveBeenCalledWith('alice@example.com', 'stdin-secret', { idbrokerHost: undefined })
+    })
+
+    it('rejects passing both --password and --password-stdin', async () => {
+      const exitSpy = protoSpy(process, 'exit').mockImplementation((code?: string | number | null) => {
+        throw new ProcessExit(code)
+      })
+
+      await expect(
+        loginAction({ email: 'alice@example.com', password: 'p', passwordStdin: true, pretty: false }),
+      ).rejects.toThrow(ProcessExit)
+
+      const lastCall = stderrWriteSpy.mock.calls[stderrWriteSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.error).toContain('Use only one of --password or --password-stdin')
+      expect(exitSpy).toHaveBeenCalledWith(1)
+    })
+  })
+
+  describe('loginAction interactive prompts', () => {
+    const passwordConfig = {
+      accessToken: 'pw-access-token',
+      refreshToken: 'pw-refresh-token',
+      expiresAt: Date.now() + 3_600_000,
+      deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/test-device',
+      userId: 'user-1',
+    }
+
+    it('prompts for email and password when none are provided', async () => {
+      promptQueue = ['alice@example.com', 'prompted-secret']
+      const pwSpy = protoSpy(passwordLogin, 'loginWithPassword').mockResolvedValue(passwordConfig)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+
+      await loginAction({ pretty: false })
+
+      expect(pwSpy).toHaveBeenCalledWith('alice@example.com', 'prompted-secret', { idbrokerHost: undefined })
+    })
+
+    it('prompts only for the password when --email is provided without a password', async () => {
+      promptQueue = ['prompted-secret']
+      const pwSpy = protoSpy(passwordLogin, 'loginWithPassword').mockResolvedValue(passwordConfig)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+
+      await loginAction({ email: 'alice@example.com', pretty: false })
+
+      expect(pwSpy).toHaveBeenCalledWith('alice@example.com', 'prompted-secret', { idbrokerHost: undefined })
+    })
+
+    it('preserves whitespace in the prompted password', async () => {
+      promptQueue = ['  spaced secret  ']
+      const pwSpy = protoSpy(passwordLogin, 'loginWithPassword').mockResolvedValue(passwordConfig)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+
+      await loginAction({ email: 'alice@example.com', pretty: false })
+
+      expect(pwSpy).toHaveBeenCalledWith('alice@example.com', '  spaced secret  ', { idbrokerHost: undefined })
+    })
+  })
+
+  describe('loginAction non-interactive without credentials', () => {
+    it('errors when no email is provided and points to auth oauth', async () => {
+      setTTY(false)
+      const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await loginAction({ pretty: false })
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.error).toContain('Email required')
+      expect(output.error).toContain('auth oauth')
+      expect(exitSpy).toHaveBeenCalledWith(1)
+    })
+
+    it('errors when --email is provided but no password is available', async () => {
+      setTTY(false)
+      const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await loginAction({ email: 'alice@example.com', pretty: false })
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.error).toContain('Password required')
+      expect(exitSpy).toHaveBeenCalledWith(1)
+    })
   })
 
-  describe('loginAction with --client-id and --client-secret', () => {
+  describe('oauthAction with --client-id and --client-secret', () => {
     it('uses provided credentials for Device Grant flow', async () => {
       protoSpy(WebexCredentialManager.prototype, 'requestDeviceCode').mockResolvedValue({
         deviceCode: 'd',
@@ -120,7 +295,7 @@ describe('auth commands', () => {
       protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
       protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
 
-      await loginAction({ clientId: 'my-id', clientSecret: 'my-secret', pretty: false })
+      await oauthAction({ clientId: 'my-id', clientSecret: 'my-secret', pretty: false })
 
       expect(WebexCredentialManager.prototype.requestDeviceCode).toHaveBeenCalledWith('my-id')
       expect(WebexCredentialManager.prototype.pollDeviceToken).toHaveBeenCalledWith(
@@ -150,7 +325,7 @@ describe('auth commands', () => {
       protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
       protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
 
-      await loginAction({ clientId: 'my-id', clientSecret: 'my-secret', pretty: false })
+      await oauthAction({ clientId: 'my-id', clientSecret: 'my-secret', pretty: false })
 
       const savedConfig = saveSpy.mock.calls[0][0] as { tokenType: string }
       expect(savedConfig.tokenType).toBe('oauth')
@@ -174,7 +349,7 @@ describe('auth commands', () => {
       protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
       protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
 
-      await loginAction({ clientId: 'my-id', clientSecret: 'my-secret', pretty: false })
+      await oauthAction({ clientId: 'my-id', clientSecret: 'my-secret', pretty: false })
 
       const savedConfig = saveSpy.mock.calls[0][0] as { clientId: string; clientSecret: string }
       expect(savedConfig.clientId).toBe('my-id')
@@ -182,7 +357,7 @@ describe('auth commands', () => {
     })
   })
 
-  describe('loginAction non-interactive (no TTY)', () => {
+  describe('oauthAction non-interactive (no TTY)', () => {
     const device = {
       deviceCode: 'webex-device-code-abc123',
       userCode: 'USER-CODE',
@@ -199,7 +374,7 @@ describe('auth commands', () => {
       const pollSpy = protoSpy(WebexCredentialManager.prototype, 'pollDeviceToken')
       const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
 
-      await loginAction({ pretty: false })
+      await oauthAction({ pretty: false })
 
       expect(requestSpy).toHaveBeenCalled()
       expect(exchangeSpy).not.toHaveBeenCalled()
@@ -212,7 +387,7 @@ describe('auth commands', () => {
       expect(output.verification_uri_complete).toBe(device.verificationUriComplete)
       expect(output.user_code).toBe(device.userCode)
       expect(output.device_code).toBe(device.deviceCode)
-      expect(output.message).toContain('--device-code')
+      expect(output.message).toContain('auth oauth --device-code')
       expect(exitSpy).toHaveBeenCalledWith(0)
     })
 
@@ -221,7 +396,7 @@ describe('auth commands', () => {
       protoSpy(WebexCredentialManager.prototype, 'requestDeviceCode').mockResolvedValue(device)
       protoSpy(process, 'exit').mockImplementation(() => undefined as never)
 
-      await loginAction({ pretty: false })
+      await oauthAction({ pretty: false })
 
       expect(execSpy).not.toHaveBeenCalled()
     })
@@ -232,7 +407,7 @@ describe('auth commands', () => {
       const requestSpy = protoSpy(WebexCredentialManager.prototype, 'requestDeviceCode')
       const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
 
-      await loginAction({ deviceCode: 'webex-device-code-abc123', pretty: false })
+      await oauthAction({ deviceCode: 'webex-device-code-abc123', pretty: false })
 
       expect(requestSpy).not.toHaveBeenCalled()
 
@@ -253,7 +428,7 @@ describe('auth commands', () => {
       protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
       protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
 
-      await loginAction({
+      await oauthAction({
         deviceCode: 'webex-device-code-abc123',
         clientId: 'my-id',
         clientSecret: 'my-secret',
@@ -276,7 +451,7 @@ describe('auth commands', () => {
       protoSpy(WebexCredentialManager.prototype, 'exchangeDeviceCode').mockResolvedValue({ status: 'expired' })
       const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
 
-      await loginAction({ deviceCode: 'webex-device-code-abc123', pretty: false })
+      await oauthAction({ deviceCode: 'webex-device-code-abc123', pretty: false })
 
       const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
       const output = JSON.parse(lastCall)
@@ -297,26 +472,12 @@ describe('auth commands', () => {
       protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
       protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
 
-      await loginAction({ deviceCode: 'webex-device-code-abc123', pretty: false })
+      await oauthAction({ deviceCode: 'webex-device-code-abc123', pretty: false })
 
       expect(exchangeSpy).toHaveBeenCalled()
       expect(requestSpy).not.toHaveBeenCalled()
       expect(pollSpy).not.toHaveBeenCalled()
     })
-
-    it('still allows --token login when non-interactive (bot/PAT path)', async () => {
-      setTTY(false)
-      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
-      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
-      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
-
-      await loginAction({ token: 'bot-token-123', pretty: false })
-
-      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
-      const output = JSON.parse(lastCall)
-      expect(output.authenticated).toBe(true)
-      expect(output.user.displayName).toBe('Test User')
-    })
   })
 
   describe('statusAction', () => {

package/src/platforms/webex/commands/auth.ts

@@ -1,14 +1,18 @@
+import { readFileSync } from 'node:fs'
+import { Writable } from 'node:stream'
+
 import { Command } from 'commander'
 
 import { collectBrowserProfileOption } from '@/shared/chromium'
 import { handleError } from '@/shared/utils/error-handler'
 import { isInteractive } from '@/shared/utils/interactive'
 import { formatOutput } from '@/shared/utils/output'
-import { info, debug } from '@/shared/utils/stderr'
+import { info, debug, error as stderrError } from '@/shared/utils/stderr'
 
 import { getWebexAppCredentials } from '../app-config'
 import { WebexClient } from '../client'
 import { WebexCredentialManager } from '../credential-manager'
+import { loginWithPassword, WEB_CLIENT_ID, WEB_CLIENT_SECRET } from '../password-login'
 import { WebexTokenExtractor } from '../token-extractor'
 import { WebexError } from '../types'
 
@@ -28,6 +32,39 @@ async function openBrowser(url: string): Promise<void> {
   exec(command)
 }
 
+async function promptText(message: string): Promise<string | undefined> {
+  const { createInterface } = await import('node:readline/promises')
+  const rl = createInterface({ input: process.stdin, output: process.stdout, terminal: true })
+  try {
+    const answer = await rl.question(`${message}: `)
+    return answer.trim() || undefined
+  } finally {
+    rl.close()
+  }
+}
+
+async function promptHidden(message: string): Promise<string | undefined> {
+  const { createInterface } = await import('node:readline/promises')
+  const hiddenOutput = new (class extends Writable {
+    muted = false
+    _write(chunk: Buffer | string, encoding: BufferEncoding, cb: (error?: Error | null) => void): void {
+      if (!this.muted) process.stdout.write(chunk, encoding)
+      cb()
+    }
+  })()
+  const rl = createInterface({ input: process.stdin, output: hiddenOutput, terminal: true })
+  try {
+    hiddenOutput.muted = true
+    process.stdout.write(`${message}: `)
+    const answer = await rl.question('')
+    process.stdout.write('\n')
+    return answer === '' ? undefined : answer
+  } finally {
+    hiddenOutput.muted = false
+    rl.close()
+  }
+}
+
 async function resolveClientCredentials(options: {
   clientId?: string
   clientSecret?: string
@@ -46,9 +83,10 @@ async function resolveClientCredentials(options: {
 
 interface LoginOptions {
   token?: string
-  deviceCode?: string
-  clientId?: string
-  clientSecret?: string
+  email?: string
+  password?: string
+  passwordStdin?: boolean
+  idbrokerHost?: string
   pretty?: boolean
 }
 
@@ -57,26 +95,134 @@ export async function loginAction(options: LoginOptions): Promise<void> {
     const credManager = new WebexCredentialManager()
 
     if (options.token) {
-      const client = await new WebexClient().login({ token: options.token })
-      const person = await client.testAuth()
-      await credManager.saveConfig({
-        accessToken: options.token,
-        refreshToken: '',
-        expiresAt: 0,
-        tokenType: 'manual',
-      })
-      console.log(
-        formatOutput(
-          {
-            user: { id: person.id, displayName: person.displayName, emails: person.emails },
-            authenticated: true,
-          },
-          options.pretty,
-        ),
-      )
+      await loginWithToken(credManager, options.token, options.pretty)
       return
     }
 
+    if (options.password && options.passwordStdin) {
+      throw new Error('Use only one of --password or --password-stdin.')
+    }
+
+    const interactive = isInteractive()
+
+    let email = options.email
+    if (!email) {
+      if (!interactive) {
+        console.log(
+          formatOutput(
+            {
+              error:
+                'Email required. Use --email <email> with --password or --password-stdin, ' +
+                'or run "agent-webex auth oauth" for browser-based login.',
+            },
+            options.pretty,
+          ),
+        )
+        process.exit(1)
+        return
+      }
+      email = await promptText('Webex email')
+      if (!email) {
+        stderrError('Email is required.')
+        process.exit(1)
+        return
+      }
+    }
+
+    let password = options.password
+    if (!password && options.passwordStdin) {
+      password = readFileSync(0, 'utf-8').replace(/\r?\n$/, '')
+    }
+    if (!password) {
+      if (!interactive) {
+        console.log(
+          formatOutput(
+            { error: 'Password required. Use --password or --password-stdin, or run interactively to be prompted.' },
+            options.pretty,
+          ),
+        )
+        process.exit(1)
+        return
+      }
+      password = await promptHidden('Password')
+      if (!password) {
+        stderrError('Password is required.')
+        process.exit(1)
+        return
+      }
+    }
+
+    await loginWithEmailPassword(credManager, email, password, options)
+  } catch (error) {
+    handleError(error as Error)
+  }
+}
+
+async function loginWithToken(credManager: WebexCredentialManager, token: string, pretty?: boolean): Promise<void> {
+  const client = await new WebexClient().login({ token })
+  const person = await client.testAuth()
+  await credManager.saveConfig({
+    accessToken: token,
+    refreshToken: '',
+    expiresAt: 0,
+    tokenType: 'manual',
+  })
+  console.log(
+    formatOutput(
+      {
+        user: { id: person.id, displayName: person.displayName, emails: person.emails },
+        authenticated: true,
+      },
+      pretty,
+    ),
+  )
+}
+
+async function loginWithEmailPassword(
+  credManager: WebexCredentialManager,
+  email: string,
+  password: string,
+  options: LoginOptions,
+): Promise<void> {
+  const config = await loginWithPassword(email, password, { idbrokerHost: options.idbrokerHost })
+
+  await credManager.saveConfig({
+    ...config,
+    tokenType: 'password',
+    clientId: WEB_CLIENT_ID,
+    clientSecret: WEB_CLIENT_SECRET,
+    encryptionKeys: {},
+  })
+
+  const client = await new WebexClient().login({
+    token: config.accessToken,
+    deviceUrl: config.deviceUrl,
+    tokenType: 'password',
+  })
+  const person = await client.testAuth()
+
+  console.log(
+    formatOutput(
+      {
+        authenticated: true,
+        user: { id: person.id, displayName: person.displayName, emails: person.emails },
+      },
+      options.pretty,
+    ),
+  )
+}
+
+interface OAuthOptions {
+  deviceCode?: string
+  clientId?: string
+  clientSecret?: string
+  pretty?: boolean
+}
+
+export async function oauthAction(options: OAuthOptions): Promise<void> {
+  try {
+    const credManager = new WebexCredentialManager()
+
     if (options.deviceCode) {
       await finishDeviceGrant(credManager, options)
       return
@@ -126,7 +272,7 @@ export async function loginAction(options: LoginOptions): Promise<void> {
 
 async function startNonInteractiveDeviceGrant(
   credManager: WebexCredentialManager,
-  options: LoginOptions,
+  options: OAuthOptions,
 ): Promise<void> {
   const { clientId } = await resolveClientCredentials(options)
   const device = await credManager.requestDeviceCode(clientId)
@@ -142,7 +288,7 @@ async function startNonInteractiveDeviceGrant(
         device_code: device.deviceCode,
         expires_at: expiresAt,
         message:
-          'Show the user `verification_uri` and `user_code` (or just `verification_uri_complete`) and ask them to approve access in any browser. After they approve, run `agent-webex auth login --device-code <device_code>` to retrieve the token. The device code expires at `expires_at`. If you passed `--client-id`/`--client-secret`, pass them again on the second call.',
+          'Show the user `verification_uri` and `user_code` (or just `verification_uri_complete`) and ask them to approve access in any browser. After they approve, run `agent-webex auth oauth --device-code <device_code>` to retrieve the token. The device code expires at `expires_at`. If you passed `--client-id`/`--client-secret`, pass them again on the second call.',
       },
       options.pretty,
     ),
@@ -150,7 +296,7 @@ async function startNonInteractiveDeviceGrant(
   process.exit(0)
 }
 
-async function finishDeviceGrant(credManager: WebexCredentialManager, options: LoginOptions): Promise<void> {
+async function finishDeviceGrant(credManager: WebexCredentialManager, options: OAuthOptions): Promise<void> {
   const { clientId, clientSecret } = await resolveClientCredentials(options)
   const result = await credManager.exchangeDeviceCode(options.deviceCode!, clientId, clientSecret)
 
@@ -177,7 +323,7 @@ async function finishDeviceGrant(credManager: WebexCredentialManager, options: L
           next_action: 'still_pending',
           device_code: options.deviceCode,
           message:
-            'User has not approved access yet. Confirm with the user that they completed authorization in the browser, then run `agent-webex auth login --device-code <device_code>` again to retry.',
+            'User has not approved access yet. Confirm with the user that they completed authorization in the browser, then run `agent-webex auth oauth --device-code <device_code>` again to retry.',
         },
         options.pretty,
       ),
@@ -191,7 +337,7 @@ async function finishDeviceGrant(credManager: WebexCredentialManager, options: L
       {
         next_action: 'restart',
         error: result.status === 'expired' ? 'Device code expired.' : `Device code exchange failed: ${result.message}`,
-        message: 'This device code is no longer valid. Run `agent-webex auth login` to start a new login.',
+        message: 'This device code is no longer valid. Run `agent-webex auth oauth` to start a new login.',
       },
       options.pretty,
     ),
@@ -252,7 +398,7 @@ export async function extractAction(options: {
           {
             error:
               'No Webex token found in any browser. Make sure you are logged in at https://web.webex.com (not webex.com) in Chrome, Edge, Arc, or Brave.',
-            hint: 'Run "auth login" for OAuth Device Grant flow, or --debug for more info.',
+            hint: 'Run "auth oauth" for OAuth Device Grant flow, or --debug for more info.',
           },
           options.pretty,
         ),
@@ -304,7 +450,7 @@ export async function extractAction(options: {
           formatOutput(
             {
               error: 'Extracted browser token is expired and could not be refreshed.',
-              hint: 'Log in at https://web.webex.com (not webex.com) in your browser, then run "auth extract" again. Or use "auth login" for OAuth Device Grant flow.',
+              hint: 'Log in at https://web.webex.com (not webex.com) in your browser, then run "auth extract" again. Or use "auth oauth" for OAuth Device Grant flow.',
             },
             options.pretty,
           ),
@@ -366,21 +512,34 @@ export const authCommand = new Command('auth')
   .addCommand(
     new Command('login')
       .description(
-        'Log in to Webex. In a TTY this opens a browser and waits for approval. ' +
-          'When non-interactive (AI agents, CI/CD): first call starts the OAuth Device Grant flow ' +
-          'and returns a verification URL, user code, and device code. After the user approves in a ' +
-          'browser, call again with --device-code to exchange it for a token. Pass --token for ' +
-          'fully unattended auth.',
+        'Log in to Webex with your email and password (first-party token, messages appear as you). ' +
+          'Run with no flags in a terminal to be prompted for email and password. ' +
+          'Pass --token for a bot or personal access token. For browser-based OAuth, use `auth oauth`.',
       )
+      .option('--email <email>', 'Webex email address (prompted if omitted in a terminal)')
+      .option('--password <password>', 'Password for --email login (prompted securely if omitted in a terminal)')
+      .option('--password-stdin', 'Read the password for --email login from stdin')
+      .option('--idbroker-host <host>', 'Override IdBroker host for email/password login')
       .option('--token <token>', 'Use a bot token or personal access token directly')
+      .option('--pretty', 'Pretty print JSON output')
+      .action(loginAction),
+  )
+  .addCommand(
+    new Command('oauth')
+      .description(
+        'Log in to Webex via OAuth Device Grant. In a TTY this opens a browser and waits for approval. ' +
+          'When non-interactive (AI agents, CI/CD): the first call starts the flow and returns a verification ' +
+          'URL, user code, and device code. After the user approves in a browser, call again with --device-code ' +
+          'to exchange it for a token.',
+      )
       .option(
         '--device-code <code>',
-        'OAuth Device Grant code returned from a previous non-interactive `auth login` call',
+        'OAuth Device Grant code returned from a previous non-interactive `auth oauth` call',
       )
       .option('--client-id <id>', 'Webex Integration client ID')
       .option('--client-secret <secret>', 'Webex Integration client secret')
       .option('--pretty', 'Pretty print JSON output')
-      .action(loginAction),
+      .action(oauthAction),
   )
   .addCommand(
     new Command('extract')