feat(auth): --profile flag + x auth browsers for multi-profile users

User reported `x auth import` auto-detect picked Chrome `Profile 8`
which had stale cookies → 403 from UserByRestId. Their actual logged-in
session was on `Profile 6`. Need a way to (a) see which profiles are
available and (b) pin a specific one.

internal/browsercookies:
  Load(ctx, browser, profile, domain) — new `profile` parameter,
    case-insensitive substring match against the browser profile
    name. Returns the FIRST matching store plus a list of
    Alternatives (other browser/profile pairs that also have cookies
    for the same domain). The chosen Result now carries Profile and
    Alternatives fields.
  List(ctx, domain) — new helper that enumerates every (browser,
    profile) pair with at least one cookie for the domain, sorted in
    kooky's traversal order. Used by the new `x auth browsers`
    subcommand.
  Match struct gained a Count field so the diagnostic listing can
    show "12 cookies" per row.

cmd/auth.go:
  --profile <name>          pin a browser profile (substring match)
  x auth browsers           list every browser/profile with x.com
                            cookies, marked with `*` for the one
                            auto-detect would pick

  acquireCookieString reorganised. The browser-cookie path now runs
  whenever --from-browser OR --profile is set (not just both).

  After a successful browser read, x-cli prints the chosen
  browser/profile and a list of alternatives so the user immediately
  sees "you picked Profile 8 but Profile 6 also has cookies — re-run
  with --profile 'Profile 6' if you want that one". No more silent
  wrong-profile selection.

internal/browsercookies/browsercookies_test.go:
  Updated Load callsites for the new signature, added
  TestListEmptyDomain.

Verified locally:
  ./bin/x auth browsers      # lists profiles
  ./bin/x auth import --profile "Profile 6"
  ./bin/x auth import --from-browser chrome --profile work

Author: lroolle

cmd/auth.go

@@ -17,6 +17,7 @@ import (
 
 var (
 	authFromBrowser string
+	authProfile     string
 	authCookieFlag  string
 	authForcePaste  bool
 )
@@ -73,6 +74,8 @@ var authLogoutCmd = &cobra.Command{
 func init() {
 	authImportCmd.Flags().StringVar(&authFromBrowser, "from-browser", "",
 		"pin to a specific browser: chrome | firefox | brave | edge | chromium")
+	authImportCmd.Flags().StringVar(&authProfile, "profile", "",
+		"pin to a specific browser profile (substring match, e.g. \"Profile 6\", \"Default\", \"work\")")
 	authImportCmd.Flags().StringVar(&authCookieFlag, "cookie", "",
 		"non-interactive: pass the full cookie header (visible in shell history)")
 	authImportCmd.Flags().BoolVar(&authForcePaste, "paste", false,
@@ -81,9 +84,47 @@ func init() {
 	authCmd.AddCommand(authImportCmd)
 	authCmd.AddCommand(authStatusCmd)
 	authCmd.AddCommand(authLogoutCmd)
+	authCmd.AddCommand(authBrowsersCmd)
 	rootCmd.AddCommand(authCmd)
 }
 
+var authBrowsersCmd = &cobra.Command{
+	Use:   "browsers",
+	Short: "List local browser profiles that have an x.com session",
+	Long: `Enumerate every browser cookie store on this machine that contains
+at least one cookie for x.com. Use this to discover what to pass to
+` + "`--from-browser`" + ` and ` + "`--profile`" + ` when ` + "`auth import`" + `'s auto-detect picks
+the wrong profile.`,
+	RunE: runAuthBrowsers,
+}
+
+func runAuthBrowsers(cmd *cobra.Command, _ []string) error {
+	ctx, cancel := context.WithTimeout(cmd.Context(), 30*time.Second)
+	defer cancel()
+	matches, err := browsercookies.List(ctx, "x.com")
+	if err != nil {
+		return err
+	}
+	if len(matches) == 0 {
+		cmdutil.Warn("no browser cookie stores have an x.com session")
+		return nil
+	}
+	tw := cmdutil.NewTabPrinter(os.Stdout)
+	for i, m := range matches {
+		marker := " "
+		if i == 0 {
+			marker = "*" // first match is what auto-detect would pick
+		}
+		tw.Row(marker+" "+m.Browser, fmt.Sprintf("%-20s  %d cookie(s)  %s", m.Profile, m.Count, m.Source))
+	}
+	if err := tw.Flush(); err != nil {
+		return err
+	}
+	fmt.Fprintln(os.Stdout)
+	fmt.Fprintln(os.Stdout, "* = auto-detect default. Override with --from-browser and --profile.")
+	return nil
+}
+
 // cookieNamesWanted is the subset of browser cookies x-cli imports.
 // auth_token and ct0 are required; twid carries the user id so we can
 // skip a UserByScreenName roundtrip on `auth status`; the others are
@@ -152,14 +193,18 @@ func runAuthImport(cmd *cobra.Command, _ []string) error {
 
 // acquireCookieString resolves the cookie string in priority order:
 //
-//  1. --cookie '...'                  (explicit one-shot)
-//  2. --from-browser <name>           (explicit browser pin)
-//  3. --paste                         (explicit interactive paste)
-//  4. (default) auto-scan all browsers, fall through to paste if empty
+//  1. --cookie '...'                       (explicit one-shot)
+//  2. --paste                              (explicit interactive paste)
+//  3. --from-browser / --profile           (pinned browser cookie read)
+//  4. (default) auto-scan, fall through to paste if empty
 //
 // The default mode is the only one that can SOFT-FAIL: if no browser
 // has an x.com session, we silently drop to the paste prompt without
 // error. Explicit modes hard-fail on their own terms.
+//
+// In every browser-cookie path, alternatives (other browser/profile
+// pairs that also have x.com cookies) are surfaced so the user can
+// re-run with `--profile` if auto-detect picked the wrong one.
 func acquireCookieString() (string, error) {
 	switch {
 	case authCookieFlag != "":
@@ -168,55 +213,65 @@ func acquireCookieString() (string, error) {
 	case authForcePaste:
 		return promptCookiePaste()
 
-	case authFromBrowser != "":
-		raw, _, err := readBrowserCookies(authFromBrowser, false)
+	case authFromBrowser != "" || authProfile != "":
+		raw, err := readBrowserCookies(authFromBrowser, authProfile, false)
 		return raw, err
 
 	default:
-		// Auto-detect: any browser. Falls through to paste on miss.
-		raw, source, err := readBrowserCookies("", true)
+		raw, err := readBrowserCookies("", "", true)
 		if err == nil && raw != "" {
-			cmdutil.Success("auto-detected x.com session in %s", source)
 			return raw, nil
 		}
 		if err != nil {
 			cmdutil.Warn("auto-detect: %v", err)
 		}
-		cmdutil.Info("falling back to interactive paste (use --from-browser to pin a specific browser)")
+		cmdutil.Info("falling back to interactive paste (use --from-browser / --profile to pin)")
 		return promptCookiePaste()
 	}
 }
 
-// readBrowserCookies runs kooky against the named browser (or all
-// browsers when name == ""). On success returns the formatted cookie
-// header and a friendly source description. On no-cookies-found returns
-// an empty string and a non-nil error if `hardError` is false (caller
-// will treat as soft miss); when `hardError` is true the error is
-// surfaced verbatim.
-func readBrowserCookies(browser string, softMiss bool) (cookieHeader, source string, err error) {
+// readBrowserCookies runs kooky against the named browser/profile (both
+// optional — empty string means "any"). softMiss controls whether the
+// "no cookies found" path returns an error (false → silently miss for
+// auto-detect fallthrough; true → return the error verbatim).
+//
+// On success it prints the chosen (browser, profile, source) and any
+// alternatives so the user knows what auto-detect picked AND what
+// other profiles are available.
+func readBrowserCookies(browser, profile string, softMiss bool) (string, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
-	res, err := browsercookies.Load(ctx, browser, "x.com")
+	res, err := browsercookies.Load(ctx, browser, profile, "x.com")
 	if err != nil {
 		if softMiss {
-			return "", "", err
+			return "", err
 		}
-		if browser != "" {
-			return "", "", fmt.Errorf("--from-browser %s: %w", browser, err)
+		switch {
+		case browser != "" && profile != "":
+			return "", fmt.Errorf("--from-browser %s --profile %q: %w", browser, profile, err)
+		case browser != "":
+			return "", fmt.Errorf("--from-browser %s: %w", browser, err)
+		case profile != "":
+			return "", fmt.Errorf("--profile %q: %w", profile, err)
 		}
-		return "", "", err
+		return "", err
 	}
 
 	raw := browsercookies.FormatCookieHeader(res.Cookies, cookieNamesWanted)
 	if raw == "" {
-		miss := fmt.Errorf("required cookies (auth_token, ct0) not in %s store — are you logged in?", res.Browser)
-		if softMiss {
-			return "", "", miss
+		return "", fmt.Errorf("required cookies (auth_token, ct0) not in %s/%s — are you logged in to x.com on that profile?", res.Browser, res.Profile)
+	}
+
+	cmdutil.Success("using %s / %s (%s)", res.Browser, res.Profile, res.Source)
+	if len(res.Alternatives) > 0 {
+		cmdutil.Warn("also found x.com sessions in:")
+		for _, a := range res.Alternatives {
+			cmdutil.Warn("    %s / %s  (%d cookies)", a.Browser, a.Profile, a.Count)
 		}
-		return "", "", miss
+		cmdutil.Warn("re-run with --profile <name> if you want a different one")
 	}
-	return raw, fmt.Sprintf("%s (%s)", res.Browser, res.Source), nil
+	return raw, nil
 }
 
 func promptCookiePaste() (string, error) {

internal/browsercookies/browsercookies.go

@@ -46,72 +46,156 @@ var Browsers = []string{"chrome", "firefox", "brave", "edge", "chromium"}
 // Result is what Load returns: a flat map of cookie name → value, plus
 // some diagnostic context for the caller to render or log.
 type Result struct {
-	Cookies map[string]string
-	Source  string // human-readable description of the cookie store path
-	Browser string // matched browser name
+	Cookies      map[string]string
+	Source       string // file path of the chosen cookie store
+	Browser      string // matched browser name (chrome, firefox, ...)
+	Profile      string // matched profile name (Default, Profile 6, ...)
+	Alternatives []Match
+}
+
+// Match identifies one cookie store that contains the requested domain.
+// Returned in Result.Alternatives so the caller can warn the user when
+// auto-detect picked one of several candidates.
+type Match struct {
+	Browser string
+	Profile string
+	Source  string
+	Count   int // number of cookies matched at this store
 }
 
 // Load reads cookies for the given domain from one or more local cookie
-// stores belonging to the named browser. Returns the merged cookie map.
+// stores belonging to the named browser. Returns the merged cookie map
+// for the FIRST matching store, plus a list of the other stores it saw
+// (Result.Alternatives) so the caller can warn the user about ambiguity.
 //
 // browser is matched case-insensitively against the known list. Pass ""
-// to scan ALL detected browsers — useful when you don't care which
-// browser is logged in, just that some browser is.
+// to scan ALL detected browsers.
+//
+// profile is matched case-insensitively as a substring against the
+// browser profile name (e.g. "default", "profile 6", "work"). Pass ""
+// to accept any profile.
 //
 // domain is matched as a host suffix (so "x.com" picks up cookies on
 // ".x.com" too).
-func Load(ctx context.Context, browser, domain string) (*Result, error) {
+func Load(ctx context.Context, browser, profile, domain string) (*Result, error) {
 	if domain == "" {
 		return nil, errors.New("browsercookies: domain required")
 	}
 
-	out := map[string]string{}
-	matchedBrowser := ""
-	matchedSource := ""
+	// Group cookies by (browser, profile, source) so we can build a
+	// stable list of all matching stores in the order kooky yields them.
+	type storeKey struct {
+		browser string
+		profile string
+		source  string
+	}
+	type bucket struct {
+		key     storeKey
+		cookies map[string]string
+	}
+	var order []storeKey
+	stores := map[storeKey]*bucket{}
 
-	// kooky.TraverseCookies returns an iter.Seq2[*Cookie, error] that
-	// walks every registered cookie store finder and yields cookies as
-	// it goes. We filter by browser in our own code so the caller can
-	// pass an empty string to mean "any browser".
 	for c, err := range kooky.TraverseCookies(ctx, kooky.Valid, kooky.DomainHasSuffix(domain)) {
-		if err != nil {
-			// Skip unreadable stores instead of bailing — kooky reports
-			// per-store failures as soft errors. We surface only "found
-			// nothing" at the end.
+		if err != nil || c == nil || c.Browser == nil {
 			continue
 		}
-		if c == nil || c.Browser == nil {
+		actualBrowser := c.Browser.Browser()
+		actualProfile := c.Browser.Profile()
+		if browser != "" && !strings.EqualFold(actualBrowser, browser) {
 			continue
 		}
-		actual := c.Browser.Browser()
-		if browser != "" && !strings.EqualFold(actual, browser) {
+		if profile != "" && !strings.Contains(strings.ToLower(actualProfile), strings.ToLower(profile)) {
 			continue
 		}
-		// First write wins so the most recently traversed store's
-		// values are preserved. kooky lists default profiles first.
-		if _, exists := out[c.Name]; !exists {
-			out[c.Name] = c.Value
+		key := storeKey{browser: actualBrowser, profile: actualProfile, source: c.Browser.FilePath()}
+		b, ok := stores[key]
+		if !ok {
+			b = &bucket{key: key, cookies: map[string]string{}}
+			stores[key] = b
+			order = append(order, key)
 		}
-		if matchedBrowser == "" {
-			matchedBrowser = actual
-			matchedSource = c.Browser.FilePath()
+		// First-write-wins per store so later cookies in the same store
+		// don't overwrite earlier ones.
+		if _, exists := b.cookies[c.Name]; !exists {
+			b.cookies[c.Name] = c.Value
 		}
 	}
 
-	if len(out) == 0 {
-		if browser != "" {
-			return nil, fmt.Errorf("no cookies for %s in any %s cookie store — make sure %s is installed and you're logged in", domain, browser, browser)
+	if len(order) == 0 {
+		switch {
+		case browser != "" && profile != "":
+			return nil, fmt.Errorf("no cookies for %s in %s/%s — check `x auth browsers`", domain, browser, profile)
+		case browser != "":
+			return nil, fmt.Errorf("no cookies for %s in any %s profile — check `x auth browsers`", domain, browser)
+		case profile != "":
+			return nil, fmt.Errorf("no cookies for %s in any profile matching %q — check `x auth browsers`", domain, profile)
+		default:
+			return nil, fmt.Errorf("no cookies for %s in any local browser cookie store", domain)
 		}
-		return nil, fmt.Errorf("no cookies for %s in any local browser cookie store", domain)
+	}
+
+	// Choose the first match. The rest are "alternatives" the caller
+	// can surface to the user.
+	chosen := stores[order[0]]
+	alts := make([]Match, 0, len(order)-1)
+	for _, k := range order[1:] {
+		b := stores[k]
+		alts = append(alts, Match{
+			Browser: k.browser,
+			Profile: k.profile,
+			Source:  k.source,
+			Count:   len(b.cookies),
+		})
 	}
 
 	return &Result{
-		Cookies: out,
-		Source:  matchedSource,
-		Browser: matchedBrowser,
+		Cookies:      chosen.cookies,
+		Source:       chosen.key.source,
+		Browser:      chosen.key.browser,
+		Profile:      chosen.key.profile,
+		Alternatives: alts,
 	}, nil
 }
 
+// List enumerates every cookie store that has at least one cookie for
+// the given domain. Used by `x auth browsers` to show the user which
+// (browser, profile) pairs are available before they pin one.
+func List(ctx context.Context, domain string) ([]Match, error) {
+	if domain == "" {
+		return nil, errors.New("browsercookies: domain required")
+	}
+	type key struct {
+		browser, profile, source string
+	}
+	seen := map[key]int{}
+	var order []key
+	for c, err := range kooky.TraverseCookies(ctx, kooky.Valid, kooky.DomainHasSuffix(domain)) {
+		if err != nil || c == nil || c.Browser == nil {
+			continue
+		}
+		k := key{
+			browser: c.Browser.Browser(),
+			profile: c.Browser.Profile(),
+			source:  c.Browser.FilePath(),
+		}
+		if _, ok := seen[k]; !ok {
+			order = append(order, k)
+		}
+		seen[k]++
+	}
+	out := make([]Match, 0, len(order))
+	for _, k := range order {
+		out = append(out, Match{
+			Browser: k.browser,
+			Profile: k.profile,
+			Source:  k.source,
+			Count:   seen[k],
+		})
+	}
+	return out, nil
+}
+
 // FormatCookieHeader joins the relevant subset of a cookie map into a
 // `name=value; name=value` string suitable for `Cookie:` headers and
 // for x-cli's auth-import parser. Only names in `wanted` are kept; pass

internal/browsercookies/browsercookies_test.go

@@ -61,7 +61,7 @@ func TestFormatCookieHeaderNilSafe(t *testing.T) {
 func TestLoadNoBrowsersHere(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5_000_000_000)
 	defer cancel()
-	_, err := Load(ctx, "chrome", "x.com")
+	_, err := Load(ctx, "chrome", "", "x.com")
 	if err == nil {
 		// Some CI runners actually have a Chrome installed (Ubuntu image
 		// pulls google-chrome-stable). If so, we still expect zero cookies
@@ -71,7 +71,14 @@ func TestLoadNoBrowsersHere(t *testing.T) {
 }
 
 func TestLoadEmptyDomain(t *testing.T) {
-	_, err := Load(context.Background(), "chrome", "")
+	_, err := Load(context.Background(), "chrome", "", "")
+	if err == nil {
+		t.Error("expected error for empty domain")
+	}
+}
+
+func TestListEmptyDomain(t *testing.T) {
+	_, err := List(context.Background(), "")
 	if err == nil {
 		t.Error("expected error for empty domain")
 	}