feat: user reset-apikey supports acc-mgr-token auth

Allows reset-apikey to use --acc-mgr-token or auto-resolve from
secret-mgr in padded-cell mode, enabling API key provisioning
without an existing user Bearer token.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cmd/hf/main.go

@@ -345,7 +345,7 @@ func handleUserCommand(subCmd string, args []string) {
 		if len(filtered) < 1 {
 			output.Error("usage: hf user reset-apikey <username>")
 		}
-		commands.RunUserResetAPIKey(filtered[0], tokenFlag)
+		commands.RunUserResetAPIKey(filtered[0], tokenFlag, accMgrTokenFlag)
 	default:
 		output.Errorf("hf user %s is not implemented yet", subCmd)
 	}

internal/commands/user.go

@@ -400,13 +400,28 @@ type resetAPIKeyResponse struct {
 }
 
 // RunUserResetAPIKey implements `hf user reset-apikey <username>`.
-func RunUserResetAPIKey(username, tokenFlag string) {
-	token := ResolveToken(tokenFlag)
+func RunUserResetAPIKey(username, tokenFlag, accMgrTokenFlag string) {
 	cfg, err := config.Load()
 	if err != nil {
 		output.Errorf("config error: %v", err)
 	}
-	c := client.New(cfg.BaseURL, token)
+
+	// Try acc-mgr-token first (allows provisioning without existing user token)
+	var c *client.Client
+	if accMgrTokenFlag != "" {
+		c = client.NewWithAPIKey(cfg.BaseURL, accMgrTokenFlag)
+	} else if mode.IsPaddedCell() {
+		if tok, err := passmgr.GetAccountManagerToken(); err == nil && tok != "" {
+			c = client.NewWithAPIKey(cfg.BaseURL, tok)
+		} else {
+			token := ResolveToken(tokenFlag)
+			c = client.New(cfg.BaseURL, token)
+		}
+	} else {
+		token := ResolveToken(tokenFlag)
+		c = client.New(cfg.BaseURL, token)
+	}
+
 	data, err := c.Post("/users/"+username+"/reset-apikey", nil)
 	if err != nil {
 		output.Errorf("failed to reset API key: %v", err)