Add bm users/whoami/access-key commands + CLI table flag consistency (#408)

* Add bm users/whoami/access-key commands + table flag consistency

Adds full Business Manager Data API user administration to the CLI:

- bm users list/get/search/update/delete (OCAPI /users, /user_search)
- bm whoami (OCAPI /users/this — defaults to user-auth)
- bm access-key get/create/set/delete (OCAPI /users/{login}/access_key/{scope};
  optional [LOGIN] defaults to whoami; --scope is an enum with
  WEBDAV_AND_STUDIO as the default)

A new SDK module @salesforce/b2c-tooling-sdk/operations/bm-users wraps
the underlying endpoints. Endpoints whose OCAPI documentation states
"a valid user is required" (whoami + access-key) extend a shared
BmUserAuthCommand base which defaults the auth-method priority to
['implicit'] so a fresh shell triggers browser login rather than
failing the API call with UserNotAvailableException.

Also reworks tabular output across the CLI for consistency:

- New SDK helpers columnFlagsFor() / selectColumns() replace 22 copies
  of an identical getSelectedColumns() helper. printFieldsBlock() does
  the same for *Get-style label/value detail blocks (5 commands).
- Adds --columns / --extended to ~30 list and search commands that
  previously had no column-customization (bm roles list, webdav ls,
  cap list, code list, content list, docs search, job search, logs list,
  sites list, slas client list, every mrt/* list command, plus several
  setup and scaffold commands). webdav ls --extended now exposes the
  previously-hidden modified and contentType columns.
- Renames --confirm to --force on the new bm/users delete commands to
  match the dominant codebase convention.

Skills + docs: new b2c-cli:b2c-bm-users-roles skill and a rewritten
docs/cli/bm.md page cover the four bm command groups and the user-auth
defaulting. The b2c-am skill now defers to the new BM skill.

* Migrate bm delete commands to canonical ux/confirm helper

Switches bm/users/delete and bm/access-key/delete from @inquirer/prompts
to the SDK's @salesforce/b2c-tooling-sdk/ux confirm() introduced in main.
Drops the @inquirer/prompts dependency from these two files.

* Audit pass: hoist scope enum, extend helpers to MRT, migrate confirms

Acts on findings from a post-merge audit covering both this branch and
recently-merged main work:

SDK:
- Export ACCESS_KEY_SCOPES + AccessKeyScope from operations/bm-users so
  the 4 access-key CLI commands no longer redeclare the same tuple.
- Refresh stale doc comment on getBmUserAccessKey (referenced removed
  example values 'WEBDAV', 'OCAPI', 'SCAPI').
- printFieldsBlock now accepts null in addition to undefined and
  skips both, matching the common shape of optional OpenAPI fields.
  New DetailValue type alias exported.

CLI — apply our helpers to MRT commands main introduced in PR #407:
- mrt/org/cert/list and mrt/org/member/list now use TableRenderer +
  columnFlagsFor + selectColumns instead of inline createTable.
- mrt/org/cert/get and mrt/org/member/get now use printFieldsBlock
  instead of inline cliui label/value rendering.

CLI — finish the @inquirer/prompts -> SDK ux migration begun in main:
- setup, setup/instance/remove, sandbox/reset, sandbox/alias/delete,
  and mrt/env/var/push now use confirm() from
  @salesforce/b2c-tooling-sdk/ux. The two remaining @inquirer/prompts
  importers (setup/skills, setup/instance/create) need more than just
  confirm so they stay as-is for now.

* Add tests for bm whoami, bm users, and bm access-key commands

10 new test files following the bm/roles test patterns. Each covers:
JSON-mode return shape, non-JSON output (where applicable),
flag/arg behavior, and OCAPI error paths via the expectError helper.

- whoami.test.ts (3 cases)
- users/{list,get,delete}.test.ts (3 cases each)
- users/search.test.ts (5 cases — covers convenience flags, raw --query
  passthrough, and invalid JSON rejection)
- users/update.test.ts (4 cases — covers the field→snake_case mapping
  and "no fields" guard)
- access-key/{get,delete}.test.ts cover both the explicit-login and
  whoami-fallback branches via two-call OCAPI stubs
- access-key/{create,set}.test.ts cover scope flag and PATCH body shape

CLI tests now: 1218 passing (was 1184). SDK tests unchanged at 1722.

* Strengthen authentication coverage in bm CLI docs

bm.md:
- Lead the Authentication section with the two flows (client-credentials
  vs user-auth) and explicit setup before the "defaults" table.
- Document --user-auth, --auth-methods, and SFCC_AUTH_METHODS overrides
  with concrete examples.
- Annotate the OCAPI permissions table with which command uses each
  resource so readers know what to grant.
- Add a dedicated subsection on the Manage_Users_Access_Keys BM
  functional permission required for access-key writes.
- Add Configuration Examples block.

authentication.md:
- Add "BM administration" entry under "Minimal Configuration by Feature"
  with the importable JSON snippet covering /roles, /users, /users/this,
  /users/*/access_key/*, and /user_search.
- Add a tip box explaining the user-identity requirement on whoami /
  access-key endpoints and cross-link back to /cli/bm#authentication.

Both pages now properly cross-link to each other.

Author: clavery

.changeset/bm-docs-overhaul.md

@@ -0,0 +1,5 @@
+---
+'@salesforce/b2c-dx-docs': minor
+---
+
+Replaced the BM Roles docs page with a comprehensive Business Manager reference covering all `b2c bm` commands — `bm roles` (list/get/create/delete/grant/revoke + permissions), `bm users` (list/get/search/update/delete), `bm whoami`, and `bm access-key` (get/create/set/delete). The new page documents the user-auth requirement on whoami and access-key endpoints, the access-key scope enum, and common workflows like rotating your own WebDAV password.

.changeset/bm-users-commands.md

@@ -0,0 +1,6 @@
+---
+'@salesforce/b2c-cli': minor
+'@salesforce/b2c-tooling-sdk': minor
+---
+
+Added `b2c bm users` command topic for managing instance-level Business Manager users via the OCAPI Data API: `list`, `get`, `search`, `whoami`, `update`, and `delete`. Also added `b2c bm users access-keys` (`get`, `create`, `set`, `delete`) for provisioning and rotating WebDAV/OCAPI/SCAPI access keys for externally-managed (AM/SSO) users. The SDK now exposes a matching `@salesforce/b2c-tooling-sdk/operations/bm-users` module.

.changeset/bm-users-roles-skill.md

@@ -0,0 +1,5 @@
+---
+'@salesforce/b2c-agent-plugins': minor
+---
+
+Added a new `b2c-bm-users-roles` skill covering all `b2c bm` instance commands — `bm roles`, `bm users`, `bm whoami`, and `bm access-key`. The existing `b2c-am` skill now defers to it for Business Manager content and stays focused on Account Manager (cross-instance) administration.

.changeset/cli-table-consistency.md

@@ -0,0 +1,8 @@
+---
+'@salesforce/b2c-cli': minor
+'@salesforce/b2c-tooling-sdk': minor
+---
+
+Added `--columns` and `--extended` flags to all list and search commands for consistent column selection across the CLI. Roughly 30 commands that previously had no column-customization support — including `bm roles list`, `webdav ls`, `cap list`, `code list`, `content list`, `docs search`, `job search`, `logs list`, `sites list`, `slas client list`, all `mrt` list commands, plus several `setup` and `scaffold` commands — now accept `-c id,name,...` to pick columns and `-x` to include extended fields (e.g. `webdav ls --extended` exposes the previously-hidden `modified` and `contentType` columns).
+
+The SDK now exposes shared `columnFlagsFor()` / `selectColumns()` helpers (replacing 22 duplicated implementations) and a `printFieldsBlock()` helper for rendering "label / value" detail blocks.

docs/.vitepress/config.mts

@@ -102,7 +102,7 @@ const referenceSidebar = [
       {text: 'Overview', link: '/cli/'},
       {text: 'Account Manager', link: '/cli/account-manager'},
       {text: 'Auth', link: '/cli/auth'},
-      {text: 'BM Roles', link: '/cli/bm-roles'},
+      {text: 'Business Manager', link: '/cli/bm'},
       {text: 'CIP', link: '/cli/cip'},
       {text: 'CAP (Commerce Apps)', link: '/cli/cap'},
       {text: 'Code', link: '/cli/code'},