fix(cli): recognize account ls alias for agent role; align account show output; document edit password invariant

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/cli/run_test.go

@@ -91,3 +91,33 @@ func TestTopLevelLsAlias(t *testing.T) {
 		t.Fatalf("ls should alias list (usage about --account): code=%d out=%q", code, out)
 	}
 }
+
+// TestAccountLsAliasAgentRole verifies that `account ls` is treated as an agent
+// command (not admin) so a caller with only EMCLI_KEY can use it and gets the
+// same reduced-JSON envelope as `account list`.
+func TestAccountLsAliasAgentRole(t *testing.T) {
+	adminEnv(t) // sets up both keys + initialized temp DB
+	run(t, "account", "add", "work", "--mode", "RW",
+		"--imap-host", "imap.example.com", "--smtp-host", "smtp.example.com",
+		"--username", "login@example.com", "--from", "me@example.com")
+
+	// Drop the admin key — caller is agent-only.
+	t.Setenv("EMCLI_ADMIN_KEY", "")
+
+	// `account ls` must succeed with the reduced JSON view, same as `account list`.
+	code, out, errOut := run(t, "account", "ls")
+	if code != 0 {
+		t.Fatalf("agent account ls should succeed: code=%d out=%q err=%q", code, out, errOut)
+	}
+	var env map[string]any
+	if err := json.Unmarshal([]byte(out), &env); err != nil {
+		t.Fatalf("account ls output is not JSON: %v\n%s", err, out)
+	}
+	if env["error"] == true {
+		t.Fatalf("account ls returned error envelope: %s", out)
+	}
+	// The agent view must not leak IMAP host or login username.
+	if strings.Contains(out, "imap.example.com") || strings.Contains(out, "login@example.com") {
+		t.Fatalf("account ls leaked host/username:\n%s", out)
+	}
+}