From 53b5b88fc2e1c44090550559ca34f613c8561f04 Mon Sep 17 00:00:00 2001
From: orion <orion@op.hangman-lab.top>
Date: Thu, 16 Apr 2026 21:08:00 +0000
Subject: [PATCH] feat: user reset-apikey supports acc-mgr-token auth

Allows reset-apikey to use --acc-mgr-token or auto-resolve from
secret-mgr in padded-cell mode, enabling API key provisioning
without an existing user Bearer token.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 cmd/hf/main.go            |  2 +-
 internal/commands/user.go | 21 ++++++++++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/cmd/hf/main.go b/cmd/hf/main.go
index 783be85..2716e1f 100644
--- a/cmd/hf/main.go
+++ b/cmd/hf/main.go
@@ -345,7 +345,7 @@ func handleUserCommand(subCmd string, args []string) {
 		if len(filtered) < 1 {
 			output.Error("usage: hf user reset-apikey <username>")
 		}
-		commands.RunUserResetAPIKey(filtered[0], tokenFlag)
+		commands.RunUserResetAPIKey(filtered[0], tokenFlag, accMgrTokenFlag)
 	default:
 		output.Errorf("hf user %s is not implemented yet", subCmd)
 	}
diff --git a/internal/commands/user.go b/internal/commands/user.go
index c2c36d4..af2555c 100644
--- a/internal/commands/user.go
+++ b/internal/commands/user.go
@@ -400,13 +400,28 @@ type resetAPIKeyResponse struct {
 }
 
 // RunUserResetAPIKey implements `hf user reset-apikey <username>`.
-func RunUserResetAPIKey(username, tokenFlag string) {
-	token := ResolveToken(tokenFlag)
+func RunUserResetAPIKey(username, tokenFlag, accMgrTokenFlag string) {
 	cfg, err := config.Load()
 	if err != nil {
 		output.Errorf("config error: %v", err)
 	}
-	c := client.New(cfg.BaseURL, token)
+
+	// Try acc-mgr-token first (allows provisioning without existing user token)
+	var c *client.Client
+	if accMgrTokenFlag != "" {
+		c = client.NewWithAPIKey(cfg.BaseURL, accMgrTokenFlag)
+	} else if mode.IsPaddedCell() {
+		if tok, err := passmgr.GetAccountManagerToken(); err == nil && tok != "" {
+			c = client.NewWithAPIKey(cfg.BaseURL, tok)
+		} else {
+			token := ResolveToken(tokenFlag)
+			c = client.New(cfg.BaseURL, token)
+		}
+	} else {
+		token := ResolveToken(tokenFlag)
+		c = client.New(cfg.BaseURL, token)
+	}
+
 	data, err := c.Post("/users/"+username+"/reset-apikey", nil)
 	if err != nil {
 		output.Errorf("failed to reset API key: %v", err)