feat: add user reset-apikey command

Adds `hf user reset-apikey <username>` to regenerate a user API key.
Requires user.manage permission. Returns the new key (shown once only).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cmd/hf/main.go

@@ -341,6 +341,11 @@ func handleUserCommand(subCmd string, args []string) {
 			output.Error("usage: hf user delete <username>")
 		}
 		commands.RunUserDelete(filtered[0], tokenFlag)
+	case "reset-apikey":
+		if len(filtered) < 1 {
+			output.Error("usage: hf user reset-apikey <username>")
+		}
+		commands.RunUserResetAPIKey(filtered[0], tokenFlag)
 	default:
 		output.Errorf("hf user %s is not implemented yet", subCmd)
 	}

internal/commands/user.go

@@ -390,3 +390,45 @@ func RunUserDelete(username, tokenFlag string) {
 	}
 	fmt.Printf("user deleted: %s\n", username)
 }
+
+// resetAPIKeyResponse matches the backend reset-apikey response.
+type resetAPIKeyResponse struct {
+	UserID   int    `json:"user_id"`
+	Username string `json:"username"`
+	APIKey   string `json:"api_key"`
+	Message  string `json:"message"`
+}
+
+// RunUserResetAPIKey implements `hf user reset-apikey <username>`.
+func RunUserResetAPIKey(username, tokenFlag string) {
+	token := ResolveToken(tokenFlag)
+	cfg, err := config.Load()
+	if err != nil {
+		output.Errorf("config error: %v", err)
+	}
+	c := client.New(cfg.BaseURL, token)
+	data, err := c.Post("/users/"+username+"/reset-apikey", nil)
+	if err != nil {
+		output.Errorf("failed to reset API key: %v", err)
+	}
+
+	if output.JSONMode {
+		var raw json.RawMessage
+		if err := json.Unmarshal(data, &raw); err != nil {
+			output.Errorf("invalid JSON response: %v", err)
+		}
+		output.PrintJSON(raw)
+		return
+	}
+
+	var r resetAPIKeyResponse
+	if err := json.Unmarshal(data, &r); err != nil {
+		fmt.Printf("API key reset for: %s\n", username)
+		return
+	}
+	output.PrintKeyValue(
+		"username", r.Username,
+		"api-key", r.APIKey,
+		"message", r.Message,
+	)
+}

internal/help/leaf.go

@@ -114,6 +114,7 @@ func leafHelpSpec(group, cmd string) (leafHelp, bool) {
 		"user/activate":            {Summary: "Activate a user", Usage: []string{"hf user activate <username>"}, Flags: authFlagHelp()},
 		"user/deactivate":          {Summary: "Deactivate a user", Usage: []string{"hf user deactivate <username>"}, Flags: authFlagHelp()},
 		"user/delete":              {Summary: "Delete a user", Usage: []string{"hf user delete <username>"}, Flags: authFlagHelp()},
+		"user/reset-apikey":        {Summary: "Reset a user's API key", Usage: []string{"hf user reset-apikey <username>"}, Flags: authFlagHelp(), Notes: []string{"The new API key is shown once and cannot be retrieved again."}},
 		"role/list":                {Summary: "List roles", Usage: []string{"hf role list"}, Flags: authFlagHelp()},
 		"role/get":                 {Summary: "Show a role by name", Usage: []string{"hf role get <role-name>"}, Flags: authFlagHelp()},
 		"role/create":              {Summary: "Create a role", Usage: []string{"hf role create --name <role-name> [--desc <desc>] [--global <true|false>]"}, Flags: authFlagHelp()},

internal/help/surface.go

@@ -40,6 +40,7 @@ func CommandSurface() []Group {
 				{Name: "activate", Description: "Activate a user", Permitted: has(perms, "user.manage")},
 				{Name: "deactivate", Description: "Deactivate a user", Permitted: has(perms, "user.manage")},
 				{Name: "delete", Description: "Delete a user", Permitted: has(perms, "user.manage")},
+				{Name: "reset-apikey", Description: "Reset a user's API key", Permitted: has(perms, "user.manage")},
 			},
 		},
 		{