From f1ebc52cca2ece82e12e08820a2b63f8bfa219e6 Mon Sep 17 00:00:00 2001
From: hzhang <hzhang@hangman-lab.top>
Date: Thu, 16 Apr 2026 22:32:30 +0100
Subject: [PATCH] fix: allow reset-apikey command without user.manage
 permission

The reset-apikey command has its own auth mechanism via --acc-mgr-token,
so it should not be gated by permission introspection. This matches the
behavior of "user create" which is also Permitted: true.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/help/surface.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/help/surface.go b/internal/help/surface.go
index 4954209..d589b57 100644
--- a/internal/help/surface.go
+++ b/internal/help/surface.go
@@ -40,7 +40,7 @@ func CommandSurface() []Group {
 				{Name: "activate", Description: "Activate a user", Permitted: has(perms, "user.manage")},
 				{Name: "deactivate", Description: "Deactivate a user", Permitted: has(perms, "user.manage")},
 				{Name: "delete", Description: "Delete a user", Permitted: has(perms, "user.manage")},
-				{Name: "reset-apikey", Description: "Reset a user's API key", Permitted: has(perms, "user.manage")},
+				{Name: "reset-apikey", Description: "Reset a user's API key", Permitted: true},
 			},
 		},
 		{