🐛 Fix 21 incorrect GCP IAM permissions in auto-generated manifest

The permission extraction heuristics produced several invalid GCP IAM
permission strings. This fixes the generator and regenerates the manifest.

**Service name prefix fixes (gcpServiceNameMap):**
- cloudresourcemanager.* → resourcemanager.* (9 permissions)
- sqladmin.* → cloudsql.* (2 permissions)
- security.* → privateca.* (3 permissions)

**Method-to-permission override table (new):**
- accessapproval.accessApprovalSettings.get → accessapproval.settings.get
- binaryauthorization.systemPolicy.get → binaryauthorization.policy.get
- cloudkms.cryptoKey.get → cloudkms.cryptoKeys.get
- cloudkms.iamPolicy.get → cloudkms.cryptoKeys.getIamPolicy
- secretmanager.iamPolicy.get → secretmanager.secrets.getIamPolicy
- secretmanager.secretVersions.list → secretmanager.versions.list
- artifactregistry.iamPolicy.get → artifactregistry.repositories.getIamPolicy
- serviceusage.service.get → serviceusage.services.get

**Non-API method filtering (new skip list):**
- monitoring.conditionAbsent.get, monitoring.conditionThreshold.get,
  monitoring.conditionMatchedLog.get, monitoring.conditionMonitoringQueryLanguage.get
  (protobuf getters, not real API calls)

**Other generator fixes:**
- Strip "Iter" suffix from gRPC iterator methods (iam.rolesIter.list → iam.roles.list)
- Map REST "Aggregated" verb to "list" (dataflow.jobs.aggregated → dataflow.jobs.list)
- Skip bare gRPC Get() calls with no resource qualifier (compute.compute.get)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: vjeffrey

providers-sdk/v1/util/permissions/permissions.go

@@ -635,15 +635,15 @@ func classifyGCPImport(path string) *gcpImportInfo {
 // gcpServiceName normalizes GCP service names.
 var gcpServiceNameMap = map[string]string{
 	"compute":              "compute",
-	"cloudresourcemanager": "cloudresourcemanager",
+	"cloudresourcemanager": "resourcemanager",
 	"iam":                  "iam",
 	"dns":                  "dns",
 	"bigquery":             "bigquery",
 	"logging":              "logging",
 	"monitoring":           "monitoring",
 	"container":            "container",
 	"storage":              "storage",
-	"sqladmin":             "sqladmin",
+	"sqladmin":             "cloudsql",
 	"serviceusage":         "serviceusage",
 	"apikeys":              "apikeys",
 	"kms":                  "cloudkms",
@@ -653,6 +653,7 @@ var gcpServiceNameMap = map[string]string{
 	"alloydb":              "alloydb",
 	"aiplatform":           "aiplatform",
 	"privateca":            "privateca",
+	"security":             "privateca",
 	"binaryauthorization":  "binaryauthorization",
 	"spanner":              "spanner",
 	"redis":                "redis",
@@ -892,8 +893,57 @@ func isGCPAPIMethod(name string) bool {
 	return false
 }
 
+// gcpPermissionOverrides maps (service, method) to the correct IAM permission
+// for cases where the automatic derivation produces incorrect results.
+var gcpPermissionOverrides = map[string]map[string]string{
+	"accessapproval": {
+		"GetAccessApprovalSettings": "accessapproval.settings.get",
+	},
+	"binaryauthorization": {
+		"GetSystemPolicy": "binaryauthorization.policy.get",
+	},
+	"cloudkms": {
+		"GetCryptoKey": "cloudkms.cryptoKeys.get",
+		"GetIamPolicy": "cloudkms.cryptoKeys.getIamPolicy",
+	},
+	"secretmanager": {
+		"ListSecretVersions": "secretmanager.versions.list",
+		"GetIamPolicy":       "secretmanager.secrets.getIamPolicy",
+	},
+	"artifactregistry": {
+		"GetIamPolicy": "artifactregistry.repositories.getIamPolicy",
+	},
+	"serviceusage": {
+		"GetService": "serviceusage.services.get",
+	},
+}
+
+// gcpSkipMethods lists method names that match isGCPAPIMethod patterns but are
+// actually protobuf getter methods or internal helpers, not real API calls.
+var gcpSkipMethods = map[string]bool{
+	"GetConditionAbsent":                  true,
+	"GetConditionThreshold":               true,
+	"GetConditionMatchedLog":              true,
+	"GetConditionMonitoringQueryLanguage": true,
+}
+
 // gcpMethodToPermission maps a gRPC method to a GCP IAM permission.
 func gcpMethodToPermission(service, method string) string {
+	// Skip known non-API methods
+	if gcpSkipMethods[method] {
+		return ""
+	}
+
+	// Strip "Iter" suffix from iterator helper methods (e.g., ListRolesIter -> ListRoles)
+	method = strings.TrimSuffix(method, "Iter")
+
+	// Check for explicit overrides
+	if overrides, ok := gcpPermissionOverrides[service]; ok {
+		if perm, ok := overrides[method]; ok {
+			return perm
+		}
+	}
+
 	// gRPC methods: ListKeyRings -> cloudkms.keyRings.list
 	// ListServiceAccounts -> iam.serviceAccounts.list
 	// GetKeyRotationStatus -> cloudkms.cryptoKeys.get
@@ -911,7 +961,7 @@ func gcpMethodToPermission(service, method string) string {
 		verb = "get"
 		resource = strings.TrimPrefix(method, "Get")
 		if resource == "" {
-			resource = service
+			return "" // bare Get without resource name is ambiguous
 		}
 	} else if strings.HasPrefix(method, "Create") {
 		verb = "create"
@@ -952,7 +1002,7 @@ func gcpRESTToPermission(service, resource, method string) string {
 	}
 	verb := ""
 	switch method {
-	case "List", "AggregatedList", "Pages":
+	case "List", "AggregatedList", "Aggregated", "Pages":
 		verb = "list"
 	case "Get", "Do":
 		verb = "get"