Fix milestones 422 + acc-mgr user + reset-apikey endpoint

- Fix: /milestones?project_id= now accepts project_code (str) not just int
- Add: built-in acc-mgr user created on wizard init (account-manager role, no login, undeletable)
- Add: POST /users/{id}/reset-apikey with permission-based access control
- Add: GET /auth/me/apikey-permissions for frontend capability check
- Add: user.reset-self-apikey and user.reset-apikey permissions
- Protect admin and acc-mgr accounts from deletion
- Block acc-mgr from login (/auth/token returns 403)

app/api/routers/misc.py

@@ -149,10 +149,21 @@ def create_milestone(ms: schemas.MilestoneCreate, db: Session = Depends(get_db),
 
 
 @router.get("/milestones", response_model=List[schemas.MilestoneResponse], tags=["Milestones"])
-def list_milestones(project_id: int = None, status_filter: str = None, db: Session = Depends(get_db)):
+def list_milestones(project_id: str = None, status_filter: str = None, db: Session = Depends(get_db)):
     query = db.query(MilestoneModel)
     if project_id:
-        query = query.filter(MilestoneModel.project_id == project_id)
+        # Resolve project_id by numeric id or project_code
+        resolved_project = None
+        try:
+            pid = int(project_id)
+            resolved_project = db.query(models.Project).filter(models.Project.id == pid).first()
+        except (ValueError, TypeError):
+            pass
+        if not resolved_project:
+            resolved_project = db.query(models.Project).filter(models.Project.project_code == project_id).first()
+        if not resolved_project:
+            raise HTTPException(status_code=404, detail="Project not found")
+        query = query.filter(MilestoneModel.project_id == resolved_project.id)
     if status_filter:
         query = query.filter(MilestoneModel.status == status_filter)
     return query.order_by(MilestoneModel.due_date.is_(None), MilestoneModel.due_date.asc()).all()