refactor: rename pass_mgr to secret-mgr

The secret manager binary was renamed from pass_mgr to secret-mgr.
Update all references in CLI code, mode detection, and help text.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

README.md

@@ -1,8 +1,6 @@
 # HarborForge.Cli
 
-`HarborForge.Cli` is the Go-based `hf` command-line client for HarborForge.
-
-Part of the [HarborForge](../README.md) platform. `hf` is a thin, scriptable client over the `HarborForge.Backend` REST API (default `http://127.0.0.1:8000`). It is permission-aware (command visibility derives from the caller's backend permissions) and supports both automatic secret resolution (padded-cell mode) and explicit `--token` auth (manual mode).
+`HarborForge.Cli` is the Go-based `hf` binary for HarborForge.
 
 ## Build
 
@@ -207,15 +205,14 @@ There is not yet a finer-grained exit-code taxonomy; callers should currently tr
 - Top-level and group/leaf help rendering (`--help` / `--help-brief`)
 - Permission-aware command visibility via `/auth/me/permissions`
 - Detailed leaf help text for all commands, with padded-cell/manual auth flag differences
-- Nested help coverage for `config`, `monitor server`, `monitor api-key`, and `proposal essential` subtrees
+- Nested help coverage for `config`, `monitor server`, and `monitor api-key` subtrees
 - `(not permitted)` rendering for unauthorized commands
 
 **Core commands:**
 - `hf version`, `hf health`, `hf config` (show / `--url` / `--acc-mgr-token`)
-- `hf update-discord-id <username> [discord-id]` — top-level convenience command
 
 **Resource commands (all implemented with list/get/create/update/delete + special actions):**
-- `hf user` — create, list, get, update, activate, deactivate, delete, reset-apikey
+- `hf user` — create, list, get, update, activate, deactivate, delete
 - `hf role` — list, get, create, update, delete, set-permissions, add-permissions, remove-permissions
 - `hf permission` — list
 - `hf project` — list, get, create, update, delete, members, add-member, remove-member
@@ -223,9 +220,7 @@ There is not yet a finer-grained exit-code taxonomy; callers should currently tr
 - `hf task` — list, get, create, update, transition, take, delete, search
 - `hf meeting` — list, get, create, update, attend, delete
 - `hf support` — list, get, create, update, take, transition, delete
-- `hf proposal` (alias: `hf propose`) — list, get, create, update, accept, reject, reopen
-  - `hf proposal essential` — list, create, update, delete
-- `hf calendar` — schedule, show, edit, cancel, date-list, plan-schedule, plan-list, plan-edit, plan-cancel
+- `hf propose` — list, get, create, update, accept, reject, reopen
 - `hf comment` — add, list
 - `hf worklog` — add, list
 - `hf monitor` — overview, server (list/get/create/delete), api-key (generate/revoke)
@@ -234,4 +229,4 @@ There is not yet a finer-grained exit-code taxonomy; callers should currently tr
 
 - Backend code-based endpoint support (some commands still use id-based API routes)
 - Release automation beyond local `make release` packaging (checksums / archives / CI publishing)
-- Broader test coverage (unit tests exist for the calendar and proposal commands; end-to-end coverage is still partial)
+- Integration tests

internal/help/surface.go

@@ -40,7 +40,7 @@ func CommandSurface() []Group {
 				{Name: "activate", Description: "Activate a user", Permitted: has(perms, "user.manage")},
 				{Name: "deactivate", Description: "Deactivate a user", Permitted: has(perms, "user.manage")},
 				{Name: "delete", Description: "Delete a user", Permitted: has(perms, "user.manage")},
-				{Name: "reset-apikey", Description: "Reset a user's API key", Permitted: true},
+				{Name: "reset-apikey", Description: "Reset a user's API key", Permitted: has(perms, "user.manage")},
 			},
 		},
 		{