add auth resolve order explain (#22)

update auth doc to explain the validation check order

Author: hi-lei

internal/verda-cli/cmd/auth/README.md

@@ -52,6 +52,49 @@ The `login` command enters interactive wizard mode when `--client-id` or `--clie
 
 `use` and `show` are always non-interactive.
 
+## Credential Resolution Order
+
+Authentication credentials are resolved from multiple sources. The table below
+shows the order of precedence (highest first):
+
+| Priority | Source | Example |
+|----------|--------|---------|
+| 1 | CLI flags | `--auth.client-id=xxx --auth.client-secret=yyy` |
+| 2 | Config file (viper) | `auth.client-id` in `~/.verda/config.yaml` |
+| 3 | Environment variables | `VERDA_CLIENT_ID`, `VERDA_CLIENT_SECRET` |
+| 4 | Credentials file profile | `[default]` section in `~/.verda/credentials` |
+
+### Supported Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `VERDA_CLIENT_ID` | API client ID |
+| `VERDA_CLIENT_SECRET` | API client secret |
+| `VERDA_PROFILE` | Credentials profile name |
+| `VERDA_SHARED_CREDENTIALS_FILE` | Path to credentials file |
+| `VERDA_AGENT` | Enable agent mode (`1` or `true`) |
+| `VERDA_HOME` | Base directory for config (default `~/.verda`) |
+
+### Explicit Profile Override
+
+When `--auth.profile` is passed explicitly, the credentials file values for that
+profile override env vars and config file values — but CLI flags still win.
+
+For example:
+
+```bash
+# Env var is set
+export VERDA_CLIENT_ID=env-id
+
+# Explicit profile overrides the env var
+verda compute list --auth.profile=staging
+# → uses client ID from [staging] in ~/.verda/credentials, not env-id
+
+# But a CLI flag always wins
+verda compute list --auth.profile=staging --auth.client-id=flag-id
+# → uses flag-id
+```
+
 ## Architecture Notes
 
 - **auth.go** -- Parent command registration; adds `login`, `use`, `show` subcommands.