@indigoai-us/hq-cloud 5.22.0 → 5.23.0

package/dist/vault-client.d.ts

@@ -92,6 +92,122 @@ export interface CreateEntityInput {
 export interface CreateEntityResult {
     entity: EntityInfo;
 }
+/**
+ * Source kind for an explicit per-company file-ACL grant. Mirrors the
+ * server enum in hq-pro `vault-service/handlers/files-grants.ts`.
+ *
+ * `'open'` collapses two server-side shapes that are indistinguishable to
+ * the caller — the legacy `acl.open === true` floor and an explicit
+ * `granteeType: 'company-wide'` row. Both mean "every active member of
+ * this company sees this prefix".
+ */
+export type GrantSource = "person" | "email" | "group" | "open";
+/** Permission level surfaced on a grant row. Matches `AclPermission`. */
+export type GrantPermission = "read" | "write" | "admin";
+/**
+ * One row in the response of `GET /v1/files/grants?company={uid}`.
+ *
+ * Role-bypass (owner/admin) entries are intentionally excluded by the
+ * server — this is the caller's EXPLICIT grant graph, not the full set
+ * of prefixes they can touch by virtue of role.
+ */
+export interface ExplicitGrant {
+    companyUid: string;
+    path: string;
+    permission: GrantPermission;
+    source: GrantSource;
+}
+/**
+ * Effective sync mode for a single membership. Mirrors the server's
+ * resolved view from `GET /v1/memberships/{id}/sync-config`:
+ *
+ *   - `shared` — sync only `shared/` and the caller's `personal/` prefix
+ *   - `all`    — sync every prefix the caller has read access to
+ *   - `custom` — sync the explicit `customPaths` list (server validates)
+ *
+ * `isDefault: true` means no row exists in DDB and the server is
+ * falling back to its built-in default (currently `'all'` for legacy
+ * memberships created pre-US-003). When `true`, `updatedAt`/`updatedBy`
+ * are absent because there's no row to attribute.
+ */
+export type SyncMode = "shared" | "all" | "custom";
+export interface MembershipSyncConfig {
+    membershipId: string;
+    syncMode: SyncMode;
+    customPaths?: string[];
+    /**
+     * `true` when the server returned the built-in default because no
+     * sync-config row exists for this membership. PUT always returns
+     * `false` — writing the row is what makes it non-default.
+     */
+    isDefault: boolean;
+    /** Present only when a sync-config row exists (i.e. `isDefault: false`). */
+    updatedAt?: string;
+    /** Present only when a sync-config row exists. PersonUid of the writer. */
+    updatedBy?: string;
+}
+/**
+ * Input shape for {@link VaultClient.setMembershipSyncConfig}. The server
+ * validates the combination — `customPaths` is required when `syncMode`
+ * is `'custom'` and rejected otherwise.
+ */
+export interface SetMembershipSyncConfigInput {
+    syncMode: SyncMode;
+    customPaths?: string[];
+}
+/**
+ * Why the caller is requesting STS-scoped credentials. Mirrors the
+ * hq-pro vault-service enum (`src/vault-service/policy-builder.ts`).
+ *
+ *   - `'sync'`   — background machine sync. Role-bypass MUST NOT widen
+ *     the path set: credentials are scoped to exactly the requested
+ *     paths (which the sync engine has already narrowed via US-005).
+ *   - `'browse'` — interactive exploration (hq-console Explore,
+ *     `hq files browse`, admin spelunking). Admin/owner role-bypass
+ *     APPLIES — the caller may receive credentials covering paths
+ *     beyond their explicit ACL grants.
+ *
+ * The server defaults missing/empty to `'sync'` (the safer choice).
+ * The client doesn't mirror that default — every caller should be
+ * explicit about its intent so audit rows are accurate.
+ */
+export type VendPurpose = "sync" | "browse";
+export type VaultOperation = "read-only" | "read-write" | "staged-write";
+/**
+ * Input shape for {@link VaultClient.vend}. The server validates
+ * combinations — e.g. `purpose: 'sync'` rejects bucket-wide `'*'` paths
+ * as defense in depth against role-bypass widening on the sync path.
+ */
+export interface VendInput {
+    paths: string[];
+    operations: VaultOperation;
+    /** Why these credentials are being vended. See {@link VendPurpose}. */
+    purpose: VendPurpose;
+    /** STS session lifetime in seconds. Server default is 900 (15m). */
+    duration?: number;
+}
+export interface VendCredentials {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken: string;
+    /** ISO-8601 STS-native expiration string. */
+    expiration: string;
+}
+export interface VendResult {
+    credentials: VendCredentials;
+    /** Echo of the server-resolved paths after ACL intersection. */
+    paths: string[];
+    operations: VaultOperation;
+    /** Echo of the effective purpose (server-defaulted to 'sync' if absent). */
+    purpose: VendPurpose;
+    /**
+     * Size of the rendered IAM session policy in characters. Lets the
+     * caller detect when it's nearing the 2048-char IAM ceiling so it can
+     * fan out across multiple vends or shrink its path set.
+     */
+    policySize: number;
+    requestId?: string;
+}
 export type TaskAction = "read" | "write";
 export interface TaskScope {
     /** S3 key prefixes the child may access (e.g. ["drafts/"]). */
@@ -201,6 +317,46 @@ export declare class VaultClient {
     listMembersOfCompany(companyUid: string): Promise<Membership[]>;
     updateRole(input: UpdateRoleInput): Promise<Membership>;
     listPendingInvites(companyUid: string): Promise<Membership[]>;
+    /**
+     * List the caller's EXPLICIT per-company file-ACL grants. Backed by
+     * `GET /v1/files/grants?company={companyUid}` (hq-pro US-002).
+     *
+     * Role-bypass (owner/admin) entries are excluded server-side — the
+     * response is the caller's actual grant graph, not the full set of
+     * prefixes they can touch by virtue of role. Used by the
+     * browse-vs-sync UI to render an honest grant graph and by the
+     * sync engine to narrow what it pulls.
+     *
+     * Returns `[]` (NOT a 404) when the caller has no explicit grants in
+     * this company, so call sites can treat "empty graph" as a normal
+     * state without catching errors.
+     */
+    listMyExplicitGrants(companyUid: string): Promise<ExplicitGrant[]>;
+    /**
+     * Read the effective sync-mode for a single membership. Backed by
+     * `GET /v1/memberships/{id}/sync-config` (hq-pro US-003).
+     *
+     * The server resolves the effective view — when no row exists for the
+     * membership it returns the built-in default with `isDefault: true`
+     * and omits `updatedAt`/`updatedBy`. Callers should treat `isDefault:
+     * true` as "no explicit config yet" rather than special-casing 404.
+     *
+     * Authorization: caller must own the membership OR hold admin/owner
+     * on the company that the membership belongs to. The server 404s
+     * tombstoned/revoked memberships.
+     */
+    getMembershipSyncConfig(membershipId: string): Promise<MembershipSyncConfig>;
+    /**
+     * Write the sync-mode for a single membership. Backed by
+     * `PUT /v1/memberships/{id}/sync-config` (hq-pro US-003).
+     *
+     * Server validates: `customPaths` is required when `syncMode` is
+     * `'custom'` and rejected otherwise. The returned row reflects the
+     * persisted state with `isDefault: false` (writing the row is what
+     * makes it non-default) and the server-assigned `updatedAt` +
+     * `updatedBy`.
+     */
+    setMembershipSyncConfig(membershipId: string, partial: SetMembershipSyncConfigInput): Promise<MembershipSyncConfig>;
     readonly entity: {
         get: (uid: string) => Promise<EntityInfo>;
         /**
@@ -251,6 +407,28 @@ export declare class VaultClient {
         bucketName: string;
         kmsKeyId: string;
     }>;
+    /**
+     * POST `/vend` — vend STS-scoped credentials for an explicit path list.
+     *
+     * This is the legacy raw-vend endpoint (distinct from `/sts/vend`,
+     * `/sts/vend-self`, and `/sts/vend-child`). Per US-009 it accepts a
+     * `purpose` discriminator that controls whether admin/owner
+     * role-bypass widens the resulting session policy beyond the
+     * caller's explicit ACL grants:
+     *
+     *   - `purpose: 'browse'` — role-bypass APPLIES (interactive
+     *     `hq files browse`, admin spelunking).
+     *   - `purpose: 'sync'`   — role-bypass SUPPRESSED (background sync;
+     *     credentials are scoped to exactly what the caller has explicitly
+     *     been granted, regardless of role).
+     *
+     * The server defaults missing/empty to `'sync'` but every first-party
+     * caller should be explicit so audit attribution is correct.
+     *
+     * Used by `hq files browse`/`hq files cat` (US-008) to peek at vault
+     * objects without ever materialising them under `companies/{co}/`.
+     */
+    vend(input: VendInput): Promise<VendResult>;
     readonly sts: {
         /**
          * Vend task-scoped child credentials strictly narrower than the caller's

package/dist/vault-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"vault-client.d.ts","sourceRoot":"","sources":["../src/vault-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAc,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAOjE,qBAAa,gBAAiB,SAAQ,KAAK;aAGvB,UAAU,EAAE,MAAM;aAClB,IAAI,CAAC,EAAE,MAAM;gBAF7B,OAAO,EAAE,MAAM,EACC,UAAU,EAAE,MAAM,EAClB,IAAI,CAAC,EAAE,MAAM,YAAA;CAKhC;AAED,qBAAa,cAAe,SAAQ,gBAAgB;gBACtC,OAAO,SAAuD;CAI3E;AAED,qBAAa,0BAA2B,SAAQ,gBAAgB;gBAClD,OAAO,SAA4C;CAIhE;AAED,qBAAa,kBAAmB,SAAQ,gBAAgB;gBAC1C,OAAO,SAAuB;CAI3C;AAED,qBAAa,kBAAmB,SAAQ,gBAAgB;gBAC1C,OAAO,SAA+D;CAInF;AAMD,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC;AACpE,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;AAEhE,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,cAAc,CAAC;IACrB,MAAM,EAAE,gBAAgB,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,cAAc,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,UAAU,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,UAAU,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,cAAc,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,yEAAyE;IACzE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,UAAU,EAAE,GACjB,UAAU,GAAG,IAAI,CAanB;AAED,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,cAAc,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,UAAU,CAAC;CACpB;AAID,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,OAAO,CAAC;AAE1C,MAAM,WAAW,SAAS;IACxB,+DAA+D;IAC/D,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,0EAA0E;IAC1E,cAAc,CAAC,EAAE,UAAU,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,gFAAgF;IAChF,MAAM,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,SAAS,CAAC;IACrB;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,mBAAmB,CAAC;IACjC;+EAC2E;IAC3E,WAAW,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;CACnB;AAMD,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;;;;;OAOG;IACH,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChE;AAqBD,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAwB;IACrD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAyB;gBAExC,MAAM,EAAE,kBAAkB;IAkBhC,YAAY,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAQnE,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAQjF;;;;;OAKG;IACG,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhF;;;;;;;;;;;;;;OAcG;IACG,iBAAiB,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAKhD;;;;;;;;OAQG;IACG,2BAA2B,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAOpE;;;;OAIG;IACG,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5D,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAO/D,UAAU,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;IAQvD,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IASnE,QAAQ,CAAC,MAAM;mBACI,MAAM,KAAG,OAAO,CAAC,UAAU,CAAC;QAK7C;;;;;;;;;;WAUG;2BACsB,MAAM,QAAQ,MAAM,KAAG,OAAO,CAAC,UAAU,CAAC;QAOnE;;;;;;;;;;;WAWG;kCAEK,MAAM,QACN,MAAM,KACX,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;wBAWP,iBAAiB,KAAG,OAAO,CAAC,UAAU,CAAC;QAK7D,yEAAyE;2BAChD,MAAM,KAAG,OAAO,CAAC,UAAU,EAAE,CAAC;MAMvD;IAIF;;;;;;;;;;OAUG;IACG,oBAAoB,CAAC,KAAK,EAAE;QAChC,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;KACrB,GAAG,OAAO,CAAC,UAAU,CAAC;IAqBjB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAU5F,QAAQ,CAAC,GAAG;QACV;;;;;;;;;;;;WAYG;2BACsB,cAAc,KAAG,OAAO,CAAC,eAAe,CAAC;0BAI1C;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,eAAe,CAAC,EAAE,MAAM,CAAA;SAAE,KAAG,OAAO,CAAC;YAChF,WAAW,EAAE;gBAAE,WAAW,EAAE,MAAM,CAAC;gBAAC,eAAe,EAAE,MAAM,CAAC;gBAAC,YAAY,EAAE,MAAM,CAAA;aAAE,CAAC;YACpF,SAAS,EAAE,MAAM,CAAC;SACnB,CAAC;MAGF;IAUF;;;;;;OAMG;IACG,iBAAiB,IAAI,OAAO,CAAC,sBAAsB,CAAC;IAI1D;;;;;;;OAOG;IACG,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,iBAAiB,CAAC;YAMhD,GAAG;YAIH,IAAI;YAIJ,OAAO;IAkDrB,OAAO,CAAC,QAAQ;IAiBhB,OAAO,CAAC,cAAc;CAQvB"}
+{"version":3,"file":"vault-client.d.ts","sourceRoot":"","sources":["../src/vault-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAc,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAOjE,qBAAa,gBAAiB,SAAQ,KAAK;aAGvB,UAAU,EAAE,MAAM;aAClB,IAAI,CAAC,EAAE,MAAM;gBAF7B,OAAO,EAAE,MAAM,EACC,UAAU,EAAE,MAAM,EAClB,IAAI,CAAC,EAAE,MAAM,YAAA;CAKhC;AAED,qBAAa,cAAe,SAAQ,gBAAgB;gBACtC,OAAO,SAAuD;CAI3E;AAED,qBAAa,0BAA2B,SAAQ,gBAAgB;gBAClD,OAAO,SAA4C;CAIhE;AAED,qBAAa,kBAAmB,SAAQ,gBAAgB;gBAC1C,OAAO,SAAuB;CAI3C;AAED,qBAAa,kBAAmB,SAAQ,gBAAgB;gBAC1C,OAAO,SAA+D;CAInF;AAMD,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC;AACpE,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;AAEhE,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,cAAc,CAAC;IACrB,MAAM,EAAE,gBAAgB,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,cAAc,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,UAAU,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,UAAU,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,cAAc,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,yEAAyE;IACzE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,UAAU,EAAE,GACjB,UAAU,GAAG,IAAI,CAanB;AAED,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,cAAc,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,UAAU,CAAC;CACpB;AAID;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,OAAO,GAAG,OAAO,GAAG,MAAM,CAAC;AAEhE,yEAAyE;AACzE,MAAM,MAAM,eAAe,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC;AAEzD;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,eAAe,CAAC;IAC5B,MAAM,EAAE,WAAW,CAAC;CACrB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,KAAK,GAAG,QAAQ,CAAC;AAEnD,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,EAAE,OAAO,CAAC;IACnB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;GAIG;AACH,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAID;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,QAAQ,CAAC;AAE5C,MAAM,MAAM,cAAc,GAAG,WAAW,GAAG,YAAY,GAAG,cAAc,CAAC;AAEzE;;;;GAIG;AACH,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,UAAU,EAAE,cAAc,CAAC;IAC3B,uEAAuE;IACvE,OAAO,EAAE,WAAW,CAAC;IACrB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;IACrB,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,eAAe,CAAC;IAC7B,gEAAgE;IAChE,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,UAAU,EAAE,cAAc,CAAC;IAC3B,4EAA4E;IAC5E,OAAO,EAAE,WAAW,CAAC;IACrB;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,OAAO,CAAC;AAE1C,MAAM,WAAW,SAAS;IACxB,+DAA+D;IAC/D,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,0EAA0E;IAC1E,cAAc,CAAC,EAAE,UAAU,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,gFAAgF;IAChF,MAAM,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,SAAS,CAAC;IACrB;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,mBAAmB,CAAC;IACjC;+EAC2E;IAC3E,WAAW,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;CACnB;AAMD,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB;;;;;;;OAOG;IACH,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChE;AAqBD,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAwB;IACrD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAyB;gBAExC,MAAM,EAAE,kBAAkB;IAkBhC,YAAY,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAQnE,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAQjF;;;;;OAKG;IACG,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhF;;;;;;;;;;;;;;OAcG;IACG,iBAAiB,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAKhD;;;;;;;;OAQG;IACG,2BAA2B,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAOpE;;;;OAIG;IACG,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5D,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAO/D,UAAU,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;IAQvD,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IASnE;;;;;;;;;;;;;OAaG;IACG,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAOxE;;;;;;;;;;;;OAYG;IACG,uBAAuB,CAC3B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,oBAAoB,CAAC;IAMhC;;;;;;;;;OASG;IACG,uBAAuB,CAC3B,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,4BAA4B,GACpC,OAAO,CAAC,oBAAoB,CAAC;IAUhC,QAAQ,CAAC,MAAM;mBACI,MAAM,KAAG,OAAO,CAAC,UAAU,CAAC;QAK7C;;;;;;;;;;WAUG;2BACsB,MAAM,QAAQ,MAAM,KAAG,OAAO,CAAC,UAAU,CAAC;QAOnE;;;;;;;;;;;WAWG;kCAEK,MAAM,QACN,MAAM,KACX,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;wBAWP,iBAAiB,KAAG,OAAO,CAAC,UAAU,CAAC;QAK7D,yEAAyE;2BAChD,MAAM,KAAG,OAAO,CAAC,UAAU,EAAE,CAAC;MAMvD;IAIF;;;;;;;;;;OAUG;IACG,oBAAoB,CAAC,KAAK,EAAE;QAChC,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;KACrB,GAAG,OAAO,CAAC,UAAU,CAAC;IAqBjB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAU5F;;;;;;;;;;;;;;;;;;;;OAoBG;IACG,IAAI,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC;IAMjD,QAAQ,CAAC,GAAG;QACV;;;;;;;;;;;;WAYG;2BACsB,cAAc,KAAG,OAAO,CAAC,eAAe,CAAC;0BAI1C;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,eAAe,CAAC,EAAE,MAAM,CAAA;SAAE,KAAG,OAAO,CAAC;YAChF,WAAW,EAAE;gBAAE,WAAW,EAAE,MAAM,CAAC;gBAAC,eAAe,EAAE,MAAM,CAAC;gBAAC,YAAY,EAAE,MAAM,CAAA;aAAE,CAAC;YACpF,SAAS,EAAE,MAAM,CAAC;SACnB,CAAC;MAGF;IAUF;;;;;;OAMG;IACG,iBAAiB,IAAI,OAAO,CAAC,sBAAsB,CAAC;IAI1D;;;;;;;OAOG;IACG,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,iBAAiB,CAAC;YAMhD,GAAG;YAIH,IAAI;YAIJ,OAAO;IAkDrB,OAAO,CAAC,QAAQ;IAiBhB,OAAO,CAAC,cAAc;CAQvB"}

package/dist/vault-client.js

@@ -162,6 +162,54 @@ export class VaultClient {
         const data = await this.get(`/membership/company/${encodeURIComponent(companyUid)}/pending`);
         return data.invites;
     }
+    // -- Browse-vs-sync (US-002, US-003, US-004) -----------------------------
+    /**
+     * List the caller's EXPLICIT per-company file-ACL grants. Backed by
+     * `GET /v1/files/grants?company={companyUid}` (hq-pro US-002).
+     *
+     * Role-bypass (owner/admin) entries are excluded server-side — the
+     * response is the caller's actual grant graph, not the full set of
+     * prefixes they can touch by virtue of role. Used by the
+     * browse-vs-sync UI to render an honest grant graph and by the
+     * sync engine to narrow what it pulls.
+     *
+     * Returns `[]` (NOT a 404) when the caller has no explicit grants in
+     * this company, so call sites can treat "empty graph" as a normal
+     * state without catching errors.
+     */
+    async listMyExplicitGrants(companyUid) {
+        const data = await this.get(`/v1/files/grants?company=${encodeURIComponent(companyUid)}`);
+        return data.grants ?? [];
+    }
+    /**
+     * Read the effective sync-mode for a single membership. Backed by
+     * `GET /v1/memberships/{id}/sync-config` (hq-pro US-003).
+     *
+     * The server resolves the effective view — when no row exists for the
+     * membership it returns the built-in default with `isDefault: true`
+     * and omits `updatedAt`/`updatedBy`. Callers should treat `isDefault:
+     * true` as "no explicit config yet" rather than special-casing 404.
+     *
+     * Authorization: caller must own the membership OR hold admin/owner
+     * on the company that the membership belongs to. The server 404s
+     * tombstoned/revoked memberships.
+     */
+    async getMembershipSyncConfig(membershipId) {
+        return this.get(`/v1/memberships/${encodeURIComponent(membershipId)}/sync-config`);
+    }
+    /**
+     * Write the sync-mode for a single membership. Backed by
+     * `PUT /v1/memberships/{id}/sync-config` (hq-pro US-003).
+     *
+     * Server validates: `customPaths` is required when `syncMode` is
+     * `'custom'` and rejected otherwise. The returned row reflects the
+     * persisted state with `isDefault: false` (writing the row is what
+     * makes it non-default) and the server-assigned `updatedAt` +
+     * `updatedBy`.
+     */
+    async setMembershipSyncConfig(membershipId, partial) {
+        return this.request("PUT", `/v1/memberships/${encodeURIComponent(membershipId)}/sync-config`, partial);
+    }
     // -- Entity operations ----------------------------------------------------
     entity = {
         get: async (uid) => {
@@ -244,6 +292,31 @@ export class VaultClient {
         const data = await this.post("/provision/bucket", { companyUid });
         return data;
     }
+    // -- Raw vend (POST /vend) ------------------------------------------------
+    /**
+     * POST `/vend` — vend STS-scoped credentials for an explicit path list.
+     *
+     * This is the legacy raw-vend endpoint (distinct from `/sts/vend`,
+     * `/sts/vend-self`, and `/sts/vend-child`). Per US-009 it accepts a
+     * `purpose` discriminator that controls whether admin/owner
+     * role-bypass widens the resulting session policy beyond the
+     * caller's explicit ACL grants:
+     *
+     *   - `purpose: 'browse'` — role-bypass APPLIES (interactive
+     *     `hq files browse`, admin spelunking).
+     *   - `purpose: 'sync'`   — role-bypass SUPPRESSED (background sync;
+     *     credentials are scoped to exactly what the caller has explicitly
+     *     been granted, regardless of role).
+     *
+     * The server defaults missing/empty to `'sync'` but every first-party
+     * caller should be explicit so audit attribution is correct.
+     *
+     * Used by `hq files browse`/`hq files cat` (US-008) to peek at vault
+     * objects without ever materialising them under `companies/{co}/`.
+     */
+    async vend(input) {
+        return this.post("/vend", input);
+    }
     // -- STS operations (VLT-8) -----------------------------------------------
     sts = {
         /**

package/dist/vault-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"vault-client.js","sourceRoot":"","sources":["../src/vault-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAEtD,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAGvB;IACA;IAHlB,YACE,OAAe,EACC,UAAkB,EAClB,IAAa;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,eAAU,GAAV,UAAU,CAAQ;QAClB,SAAI,GAAJ,IAAI,CAAS;QAG7B,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,gBAAgB;IAClD,YAAY,OAAO,GAAG,oDAAoD;QACxE,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED,MAAM,OAAO,0BAA2B,SAAQ,gBAAgB;IAC9D,YAAY,OAAO,GAAG,yCAAyC;QAC7D,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;IAC3C,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,gBAAgB;IACtD,YAAY,OAAO,GAAG,oBAAoB;QACxC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,gBAAgB;IACtD,YAAY,OAAO,GAAG,4DAA4D;QAChF,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AA+DD,MAAM,UAAU,yBAAyB,CACvC,IAAkB;IAElB,iFAAiF;IACjF,iFAAiF;IACjF,4BAA4B;IAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,MAAM,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACxC,MAAM,EAAE,GAAI,CAAC,CAAC,SAAgC,IAAI,EAAE,CAAC;QACrD,MAAM,EAAE,GAAI,CAAC,CAAC,SAAgC,IAAI,EAAE,CAAC;QACrD,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvC,OAAO,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC;AA6FD,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,aAAa,GAAG,GAAG,CAAC;AAE1B,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,MAAM,KAAK,GAAG,IAAI,MAAM,IAAI,GAAG,CAAC;AACzC,CAAC;AAED,KAAK,UAAU,KAAK,CAAC,EAAU;IAC7B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,MAAM,OAAO,WAAW;IACL,MAAM,CAAS;IACf,YAAY,CAAwB;IACpC,UAAU,CAAyB;IAEpD,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAChD,yEAAyE;QACzE,0EAA0E;QAC1E,uEAAuE;QACvE,qEAAqE;QACrE,uEAAuE;QACvE,4DAA4D;QAC5D,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC;QAC7B,IAAI,CAAC,YAAY;YACf,OAAO,GAAG,KAAK,UAAU;gBACvB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,GAAG,EAAE;gBACnB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,GAAG,CAAC;QACtB,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;IACtC,CAAC;IAED,4EAA4E;IAE5E,KAAK,CAAC,YAAY,CAAC,KAAwB;QACzC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAC1B,oBAAoB,EACpB,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa,EAAE,SAAiB;QACjD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAC1B,oBAAoB,EACpB,EAAE,KAAK,EAAE,SAAS,EAAE,CACrB,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CAAC,aAAqB,EAAE,UAAkB;QAC9D,MAAM,IAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,aAAa,EAAE,UAAU,EAAE,CAAC,CAAC;IACvE,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,iBAAiB;QACrB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CAAgC,gBAAgB,CAAC,CAAC;QAC7E,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,2BAA2B;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,8BAA8B,CAC/B,CAAC;QACF,OAAO,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;IAC5B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,0BAA0B,CAAC,SAAiB;QAChD,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,UAAkB;QAC3C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,uBAAuB,kBAAkB,CAAC,UAAU,CAAC,EAAE,CACxD,CAAC;QACF,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,KAAsB;QACrC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAC1B,kBAAkB,EAClB,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,UAAkB;QACzC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,uBAAuB,kBAAkB,CAAC,UAAU,CAAC,UAAU,CAChE,CAAC;QACF,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,4EAA4E;IAEnE,MAAM,GAAG;QAChB,GAAG,EAAE,KAAK,EAAE,GAAW,EAAuB,EAAE;YAC9C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CAAyB,WAAW,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC1F,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;QAED;;;;;;;;;;WAUG;QACH,UAAU,EAAE,KAAK,EAAE,IAAY,EAAE,IAAY,EAAuB,EAAE;YACpE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,mBAAmB,kBAAkB,CAAC,IAAI,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAC1E,CAAC;YACF,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;QAED;;;;;;;;;;;WAWG;QACH,iBAAiB,EAAE,KAAK,EACtB,IAAY,EACZ,IAAY,EACgB,EAAE;YAC9B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAI1B,8BAA8B,kBAAkB,CAAC,IAAI,CAAC,SAAS,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAC1F,CAAC;YACF,IAAI,KAAK,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,qBAAqB;gBAAE,OAAO,IAAI,CAAC;YACjE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,KAAwB,EAAuB,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAqB,SAAS,EAAE,KAAK,CAAC,CAAC;YACnE,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;QAED,yEAAyE;QACzE,UAAU,EAAE,KAAK,EAAE,IAAY,EAAyB,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,mBAAmB,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAC9C,CAAC;YACF,OAAO,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QAC7B,CAAC;KACF,CAAC;IAEF,4EAA4E;IAE5E;;;;;;;;;;OAUG;IACH,KAAK,CAAC,oBAAoB,CAAC,KAG1B;QACC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QACxD,MAAM,IAAI,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAE/B,MAAM,IAAI,GACR,KAAK,CAAC,WAAW;aACd,WAAW,EAAE;aACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;aAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;aACvB,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,QAAQ,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAEtE,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;YACxB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,KAAK,CAAC,WAAW;YACvB,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,+EAA+E;IAE/E,KAAK,CAAC,eAAe,CAAC,UAAkB;QACtC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAC1B,mBAAmB,EACnB,EAAE,UAAU,EAAE,CACf,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4EAA4E;IAEnE,GAAG,GAAG;QACb;;;;;;;;;;;;WAYG;QACH,SAAS,EAAE,KAAK,EAAE,KAAqB,EAA4B,EAAE;YACnE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAkB,iBAAiB,EAAE,KAAK,CAAC,CAAC;YACxE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,QAAQ,EAAE,KAAK,EAAE,KAAsD,EAGpE,EAAE;YACH,OAAO,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;QAC5C,CAAC;KACF,CAAC;IAEF,4EAA4E;IAC5E,EAAE;IACF,qEAAqE;IACrE,8EAA8E;IAC9E,mEAAmE;IACnE,8EAA8E;IAC9E,wEAAwE;IAExE;;;;;;OAMG;IACH,KAAK,CAAC,iBAAiB;QACrB,OAAO,IAAI,CAAC,GAAG,CAAyB,kBAAkB,CAAC,CAAC;IAC9D,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,SAAS,CAAC,KAAiB;QAC/B,OAAO,IAAI,CAAC,IAAI,CAAoB,WAAW,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,GAAG,CAAI,IAAY;QAC/B,OAAO,IAAI,CAAC,OAAO,CAAI,KAAK,EAAE,IAAI,CAAC,CAAC;IACtC,CAAC;IAEO,KAAK,CAAC,IAAI,CAAI,IAAY,EAAE,IAAc;QAChD,OAAO,IAAI,CAAC,OAAO,CAAI,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC7C,CAAC;IAEO,KAAK,CAAC,OAAO,CAAI,MAAc,EAAE,IAAY,EAAE,IAAc;QACnE,IAAI,SAA4B,CAAC;QAEjC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;YACxD,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;gBAChB,MAAM,KAAK,GAAG,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;gBACvD,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;YAED,MAAM,OAAO,GAA2B;gBACtC,aAAa,EAAE,UAAU,MAAM,IAAI,CAAC,YAAY,EAAE,EAAE;gBACpD,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC;aACvC,CAAC;YAEF,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;YAE9C,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;gBAC7C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YACnC,CAAC;YAED,IAAI,GAAa,CAAC;YAClB,IAAI,CAAC;gBACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;YACnD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,SAAS,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;gBAChE,IAAI,OAAO,GAAG,WAAW;oBAAE,SAAS;gBACpC,MAAM,SAAS,CAAC;YAClB,CAAC;YAED,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;oBAAE,OAAO,SAAc,CAAC;gBAC9C,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;YACjC,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAEtC,2CAA2C;YAC3C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7B,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;YAChD,CAAC;YAED,6BAA6B;YAC7B,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,SAAS,IAAI,IAAI,gBAAgB,CAAC,8BAA8B,EAAE,GAAG,CAAC,CAAC;IAC/E,CAAC;IAEO,QAAQ,CAAC,MAAc,EAAE,IAAY;QAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE1C,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,GAAG;gBACN,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;YACrC,KAAK,GAAG;gBACN,OAAO,IAAI,0BAA0B,CAAC,OAAO,CAAC,CAAC;YACjD,KAAK,GAAG;gBACN,OAAO,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACzC,KAAK,GAAG;gBACN,OAAO,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACzC;gBACE,OAAO,IAAI,gBAAgB,CAAC,OAAO,IAAI,8BAA8B,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QACjG,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,IAAY;QACjC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAyC,CAAC;YACxE,OAAO,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"vault-client.js","sourceRoot":"","sources":["../src/vault-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAEtD,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAGvB;IACA;IAHlB,YACE,OAAe,EACC,UAAkB,EAClB,IAAa;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,eAAU,GAAV,UAAU,CAAQ;QAClB,SAAI,GAAJ,IAAI,CAAS;QAG7B,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,gBAAgB;IAClD,YAAY,OAAO,GAAG,oDAAoD;QACxE,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED,MAAM,OAAO,0BAA2B,SAAQ,gBAAgB;IAC9D,YAAY,OAAO,GAAG,yCAAyC;QAC7D,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;IAC3C,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,gBAAgB;IACtD,YAAY,OAAO,GAAG,oBAAoB;QACxC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,gBAAgB;IACtD,YAAY,OAAO,GAAG,4DAA4D;QAChF,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AA+DD,MAAM,UAAU,yBAAyB,CACvC,IAAkB;IAElB,iFAAiF;IACjF,iFAAiF;IACjF,4BAA4B;IAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,MAAM,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACxC,MAAM,EAAE,GAAI,CAAC,CAAC,SAAgC,IAAI,EAAE,CAAC;QACrD,MAAM,EAAE,GAAI,CAAC,CAAC,SAAgC,IAAI,EAAE,CAAC;QACrD,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvC,OAAO,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC;AAgOD,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,aAAa,GAAG,GAAG,CAAC;AAE1B,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,MAAM,KAAK,GAAG,IAAI,MAAM,IAAI,GAAG,CAAC;AACzC,CAAC;AAED,KAAK,UAAU,KAAK,CAAC,EAAU;IAC7B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,MAAM,OAAO,WAAW;IACL,MAAM,CAAS;IACf,YAAY,CAAwB;IACpC,UAAU,CAAyB;IAEpD,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAChD,yEAAyE;QACzE,0EAA0E;QAC1E,uEAAuE;QACvE,qEAAqE;QACrE,uEAAuE;QACvE,4DAA4D;QAC5D,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC;QAC7B,IAAI,CAAC,YAAY;YACf,OAAO,GAAG,KAAK,UAAU;gBACvB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,GAAG,EAAE;gBACnB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,GAAG,CAAC;QACtB,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;IACtC,CAAC;IAED,4EAA4E;IAE5E,KAAK,CAAC,YAAY,CAAC,KAAwB;QACzC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAC1B,oBAAoB,EACpB,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa,EAAE,SAAiB;QACjD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAC1B,oBAAoB,EACpB,EAAE,KAAK,EAAE,SAAS,EAAE,CACrB,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CAAC,aAAqB,EAAE,UAAkB;QAC9D,MAAM,IAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,aAAa,EAAE,UAAU,EAAE,CAAC,CAAC;IACvE,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,iBAAiB;QACrB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CAAgC,gBAAgB,CAAC,CAAC;QAC7E,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,2BAA2B;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,8BAA8B,CAC/B,CAAC;QACF,OAAO,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;IAC5B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,0BAA0B,CAAC,SAAiB;QAChD,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,UAAkB;QAC3C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,uBAAuB,kBAAkB,CAAC,UAAU,CAAC,EAAE,CACxD,CAAC;QACF,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,KAAsB;QACrC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAC1B,kBAAkB,EAClB,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,UAAkB;QACzC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,uBAAuB,kBAAkB,CAAC,UAAU,CAAC,UAAU,CAChE,CAAC;QACF,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,2EAA2E;IAE3E;;;;;;;;;;;;;OAaG;IACH,KAAK,CAAC,oBAAoB,CAAC,UAAkB;QAC3C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,4BAA4B,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAC7D,CAAC;QACF,OAAO,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,uBAAuB,CAC3B,YAAoB;QAEpB,OAAO,IAAI,CAAC,GAAG,CACb,mBAAmB,kBAAkB,CAAC,YAAY,CAAC,cAAc,CAClE,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,uBAAuB,CAC3B,YAAoB,EACpB,OAAqC;QAErC,OAAO,IAAI,CAAC,OAAO,CACjB,KAAK,EACL,mBAAmB,kBAAkB,CAAC,YAAY,CAAC,cAAc,EACjE,OAAO,CACR,CAAC;IACJ,CAAC;IAED,4EAA4E;IAEnE,MAAM,GAAG;QAChB,GAAG,EAAE,KAAK,EAAE,GAAW,EAAuB,EAAE;YAC9C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CAAyB,WAAW,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC1F,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;QAED;;;;;;;;;;WAUG;QACH,UAAU,EAAE,KAAK,EAAE,IAAY,EAAE,IAAY,EAAuB,EAAE;YACpE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,mBAAmB,kBAAkB,CAAC,IAAI,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAC1E,CAAC;YACF,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;QAED;;;;;;;;;;;WAWG;QACH,iBAAiB,EAAE,KAAK,EACtB,IAAY,EACZ,IAAY,EACgB,EAAE;YAC9B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAI1B,8BAA8B,kBAAkB,CAAC,IAAI,CAAC,SAAS,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAC1F,CAAC;YACF,IAAI,KAAK,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,qBAAqB;gBAAE,OAAO,IAAI,CAAC;YACjE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,KAAwB,EAAuB,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAqB,SAAS,EAAE,KAAK,CAAC,CAAC;YACnE,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;QAED,yEAAyE;QACzE,UAAU,EAAE,KAAK,EAAE,IAAY,EAAyB,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CACzB,mBAAmB,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAC9C,CAAC;YACF,OAAO,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QAC7B,CAAC;KACF,CAAC;IAEF,4EAA4E;IAE5E;;;;;;;;;;OAUG;IACH,KAAK,CAAC,oBAAoB,CAAC,KAG1B;QACC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QACxD,MAAM,IAAI,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAE/B,MAAM,IAAI,GACR,KAAK,CAAC,WAAW;aACd,WAAW,EAAE;aACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;aAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;aACvB,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,QAAQ,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAEtE,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;YACxB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,KAAK,CAAC,WAAW;YACvB,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,+EAA+E;IAE/E,KAAK,CAAC,eAAe,CAAC,UAAkB;QACtC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAC1B,mBAAmB,EACnB,EAAE,UAAU,EAAE,CACf,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4EAA4E;IAE5E;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,KAAK,CAAC,IAAI,CAAC,KAAgB;QACzB,OAAO,IAAI,CAAC,IAAI,CAAa,OAAO,EAAE,KAAK,CAAC,CAAC;IAC/C,CAAC;IAED,4EAA4E;IAEnE,GAAG,GAAG;QACb;;;;;;;;;;;;WAYG;QACH,SAAS,EAAE,KAAK,EAAE,KAAqB,EAA4B,EAAE;YACnE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAkB,iBAAiB,EAAE,KAAK,CAAC,CAAC;YACxE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,QAAQ,EAAE,KAAK,EAAE,KAAsD,EAGpE,EAAE;YACH,OAAO,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;QAC5C,CAAC;KACF,CAAC;IAEF,4EAA4E;IAC5E,EAAE;IACF,qEAAqE;IACrE,8EAA8E;IAC9E,mEAAmE;IACnE,8EAA8E;IAC9E,wEAAwE;IAExE;;;;;;OAMG;IACH,KAAK,CAAC,iBAAiB;QACrB,OAAO,IAAI,CAAC,GAAG,CAAyB,kBAAkB,CAAC,CAAC;IAC9D,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,SAAS,CAAC,KAAiB;QAC/B,OAAO,IAAI,CAAC,IAAI,CAAoB,WAAW,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,GAAG,CAAI,IAAY;QAC/B,OAAO,IAAI,CAAC,OAAO,CAAI,KAAK,EAAE,IAAI,CAAC,CAAC;IACtC,CAAC;IAEO,KAAK,CAAC,IAAI,CAAI,IAAY,EAAE,IAAc;QAChD,OAAO,IAAI,CAAC,OAAO,CAAI,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC7C,CAAC;IAEO,KAAK,CAAC,OAAO,CAAI,MAAc,EAAE,IAAY,EAAE,IAAc;QACnE,IAAI,SAA4B,CAAC;QAEjC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;YACxD,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;gBAChB,MAAM,KAAK,GAAG,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;gBACvD,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;YAED,MAAM,OAAO,GAA2B;gBACtC,aAAa,EAAE,UAAU,MAAM,IAAI,CAAC,YAAY,EAAE,EAAE;gBACpD,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC;aACvC,CAAC;YAEF,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;YAE9C,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;gBAC7C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YACnC,CAAC;YAED,IAAI,GAAa,CAAC;YAClB,IAAI,CAAC;gBACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;YACnD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,SAAS,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;gBAChE,IAAI,OAAO,GAAG,WAAW;oBAAE,SAAS;gBACpC,MAAM,SAAS,CAAC;YAClB,CAAC;YAED,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;oBAAE,OAAO,SAAc,CAAC;gBAC9C,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;YACjC,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAEtC,2CAA2C;YAC3C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7B,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;YAChD,CAAC;YAED,6BAA6B;YAC7B,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,SAAS,IAAI,IAAI,gBAAgB,CAAC,8BAA8B,EAAE,GAAG,CAAC,CAAC;IAC/E,CAAC;IAEO,QAAQ,CAAC,MAAc,EAAE,IAAY;QAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE1C,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,GAAG;gBACN,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;YACrC,KAAK,GAAG;gBACN,OAAO,IAAI,0BAA0B,CAAC,OAAO,CAAC,CAAC;YACjD,KAAK,GAAG;gBACN,OAAO,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACzC,KAAK,GAAG;gBACN,OAAO,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACzC;gBACE,OAAO,IAAI,gBAAgB,CAAC,OAAO,IAAI,8BAA8B,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QACjG,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,IAAY;QACjC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAyC,CAAC;YACxE,OAAO,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF"}

package/dist/vault-client.test.js

@@ -520,6 +520,168 @@ describe("VaultClient identity bootstrap", () => {
     });
 });
 // ---------------------------------------------------------------------------
+// Browse-vs-sync SDK methods (US-004)
+//
+// listMyExplicitGrants, getMembershipSyncConfig, setMembershipSyncConfig
+// wrap the US-002/US-003 hq-pro endpoints. Tests assert URL shape, payload
+// shape, error mapping (401/404/network), and the empty-grants fallback
+// that lets call sites treat "no grants" as a normal state.
+// ---------------------------------------------------------------------------
+describe("listMyExplicitGrants (US-004)", () => {
+    it("GETs /v1/files/grants with the company query param and returns grants[]", async () => {
+        const grant = {
+            companyUid: "cmp_abc",
+            path: "shared/docs",
+            permission: "read",
+            source: "person",
+        };
+        fetchSpy.mockResolvedValueOnce(jsonResponse(200, {
+            grants: [grant],
+            computedAt: "2026-05-20T12:00:00.000Z",
+        }));
+        const grants = await client.listMyExplicitGrants("cmp_abc");
+        expect(grants).toEqual([grant]);
+        const [url, init] = fetchSpy.mock.calls[0];
+        expect(url).toBe("https://vault.test.example.com/v1/files/grants?company=cmp_abc");
+        expect(init.method).toBe("GET");
+        expect(init.body).toBeUndefined();
+    });
+    it("URL-encodes the companyUid query parameter", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(200, { grants: [], computedAt: "2026-05-20T12:00:00.000Z" }));
+        await client.listMyExplicitGrants("cmp/with spaces&weird=chars");
+        const [url] = fetchSpy.mock.calls[0];
+        expect(url).toBe("https://vault.test.example.com/v1/files/grants?company=cmp%2Fwith%20spaces%26weird%3Dchars");
+    });
+    it("returns [] when the server omits the grants key (empty graph)", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(200, { computedAt: "2026-05-20T12:00:00.000Z" }));
+        const grants = await client.listMyExplicitGrants("cmp_abc");
+        expect(grants).toEqual([]);
+    });
+    it("maps 401 to VaultAuthError", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(401, { error: "Missing or invalid authorization token" }));
+        await expect(client.listMyExplicitGrants("cmp_abc")).rejects.toThrow(VaultAuthError);
+    });
+    it("maps 404 to VaultNotFoundError", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(404, { error: "Unknown route" }));
+        await expect(client.listMyExplicitGrants("cmp_abc")).rejects.toThrow(VaultNotFoundError);
+    });
+    it("surfaces transport errors after exhausting retries", async () => {
+        fetchSpy.mockRejectedValue(new Error("ECONNREFUSED"));
+        await expect(client.listMyExplicitGrants("cmp_abc")).rejects.toThrow(/ECONNREFUSED/);
+        // 1 initial + 3 retries = 4 attempts on a persistent network error.
+        expect(fetchSpy).toHaveBeenCalledTimes(4);
+    });
+});
+describe("getMembershipSyncConfig (US-004)", () => {
+    it("GETs /v1/memberships/{id}/sync-config and returns the row verbatim", async () => {
+        const row = {
+            membershipId: "psn_1#cmp_abc",
+            syncMode: "custom",
+            customPaths: ["shared/docs", "personal/psn_1"],
+            isDefault: false,
+            updatedAt: "2026-05-20T12:00:00.000Z",
+            updatedBy: "psn_admin",
+        };
+        fetchSpy.mockResolvedValueOnce(jsonResponse(200, row));
+        const result = await client.getMembershipSyncConfig("psn_1#cmp_abc");
+        expect(result).toEqual(row);
+        const [url, init] = fetchSpy.mock.calls[0];
+        expect(url).toBe(
+        // `#` in the membershipKey MUST be URL-encoded — otherwise the
+        // server sees a fragment, not a path segment.
+        "https://vault.test.example.com/v1/memberships/psn_1%23cmp_abc/sync-config");
+        expect(init.method).toBe("GET");
+        expect(init.body).toBeUndefined();
+    });
+    it("returns the default row (isDefault: true) without updatedAt/updatedBy", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(200, {
+            membershipId: "psn_1#cmp_abc",
+            syncMode: "all",
+            isDefault: true,
+        }));
+        const result = await client.getMembershipSyncConfig("psn_1#cmp_abc");
+        expect(result.isDefault).toBe(true);
+        expect(result.updatedAt).toBeUndefined();
+        expect(result.updatedBy).toBeUndefined();
+    });
+    it("maps 401 to VaultAuthError", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(401, { error: "Token expired" }));
+        await expect(client.getMembershipSyncConfig("psn_1#cmp_abc")).rejects.toThrow(VaultAuthError);
+    });
+    it("maps 404 to VaultNotFoundError (membership tombstoned or missing)", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(404, {
+            error: "Membership not found or not active: psn_1#cmp_abc",
+        }));
+        await expect(client.getMembershipSyncConfig("psn_1#cmp_abc")).rejects.toThrow(VaultNotFoundError);
+    });
+    it("surfaces network errors after retry exhaustion", async () => {
+        fetchSpy.mockRejectedValue(new Error("socket hang up"));
+        await expect(client.getMembershipSyncConfig("psn_1#cmp_abc")).rejects.toThrow(/socket hang up/);
+        expect(fetchSpy).toHaveBeenCalledTimes(4);
+    });
+});
+describe("setMembershipSyncConfig (US-004)", () => {
+    it("PUTs the partial body to /v1/memberships/{id}/sync-config", async () => {
+        const persisted = {
+            membershipId: "psn_1#cmp_abc",
+            syncMode: "custom",
+            customPaths: ["shared/docs"],
+            isDefault: false,
+            updatedAt: "2026-05-20T12:00:00.000Z",
+            updatedBy: "psn_1",
+        };
+        fetchSpy.mockResolvedValueOnce(jsonResponse(200, persisted));
+        const result = await client.setMembershipSyncConfig("psn_1#cmp_abc", {
+            syncMode: "custom",
+            customPaths: ["shared/docs"],
+        });
+        expect(result).toEqual(persisted);
+        const [url, init] = fetchSpy.mock.calls[0];
+        expect(url).toBe("https://vault.test.example.com/v1/memberships/psn_1%23cmp_abc/sync-config");
+        expect(init.method).toBe("PUT");
+        const headers = init.headers;
+        expect(headers["Content-Type"]).toBe("application/json");
+        expect(headers.Authorization).toBe("Bearer test-jwt-token-123");
+        expect(JSON.parse(init.body)).toEqual({
+            syncMode: "custom",
+            customPaths: ["shared/docs"],
+        });
+    });
+    it("supports the shared mode without customPaths", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(200, {
+            membershipId: "psn_1#cmp_abc",
+            syncMode: "shared",
+            isDefault: false,
+            updatedAt: "2026-05-20T12:00:00.000Z",
+            updatedBy: "psn_1",
+        }));
+        const result = await client.setMembershipSyncConfig("psn_1#cmp_abc", {
+            syncMode: "shared",
+        });
+        expect(result.syncMode).toBe("shared");
+        expect(result.customPaths).toBeUndefined();
+        const [, init] = fetchSpy.mock.calls[0];
+        expect(JSON.parse(init.body)).toEqual({ syncMode: "shared" });
+    });
+    it("maps 401 to VaultAuthError", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(401, { error: "Token expired" }));
+        await expect(client.setMembershipSyncConfig("psn_1#cmp_abc", { syncMode: "all" })).rejects.toThrow(VaultAuthError);
+    });
+    it("maps 404 to VaultNotFoundError when the membership is gone", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(404, { error: "Membership not found" }));
+        await expect(client.setMembershipSyncConfig("psn_1#cmp_abc", { syncMode: "all" })).rejects.toThrow(VaultNotFoundError);
+    });
+    it("maps 409 to VaultConflictError", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(409, { error: "Concurrent write conflict" }));
+        await expect(client.setMembershipSyncConfig("psn_1#cmp_abc", { syncMode: "all" })).rejects.toThrow(VaultConflictError);
+    });
+    it("surfaces network errors after retry exhaustion", async () => {
+        fetchSpy.mockRejectedValue(new Error("ETIMEDOUT"));
+        await expect(client.setMembershipSyncConfig("psn_1#cmp_abc", { syncMode: "all" })).rejects.toThrow(/ETIMEDOUT/);
+        expect(fetchSpy).toHaveBeenCalledTimes(4);
+    });
+});
+// ---------------------------------------------------------------------------
 // Refreshable authToken getter
 //
 // Regression for the personal-sync 401: a captured `authToken` string can
@@ -586,4 +748,68 @@ describe("authToken getter (refreshable token)", () => {
         }
     });
 });
+// ---------------------------------------------------------------------------
+// Raw vend (POST /vend, purpose-aware after US-009)
+// ---------------------------------------------------------------------------
+describe("vend (POST /vend, purpose-aware)", () => {
+    it("POSTs to /vend with paths/operations/purpose and returns credentials + policySize", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(200, {
+            credentials: {
+                accessKeyId: "AKIA-BROWSE",
+                secretAccessKey: "secret",
+                sessionToken: "token",
+                expiration: "2026-05-20T13:00:00.000Z",
+            },
+            paths: ["shared/docs/"],
+            operations: "read-only",
+            purpose: "browse",
+            policySize: 412,
+            requestId: "req_xyz",
+        }));
+        const out = await client.vend({
+            paths: ["shared/docs/"],
+            operations: "read-only",
+            purpose: "browse",
+        });
+        expect(out.purpose).toBe("browse");
+        expect(out.policySize).toBe(412);
+        expect(out.credentials.accessKeyId).toBe("AKIA-BROWSE");
+        expect(out.credentials.sessionToken).toBe("token");
+        const [url, init] = fetchSpy.mock.calls[0];
+        expect(url).toBe("https://vault.test.example.com/vend");
+        expect(init.method.toUpperCase()).toBe("POST");
+        expect(JSON.parse(init.body)).toEqual({
+            paths: ["shared/docs/"],
+            operations: "read-only",
+            purpose: "browse",
+        });
+    });
+    it("forwards purpose='sync' verbatim (no client-side defaulting)", async () => {
+        fetchSpy.mockResolvedValueOnce(jsonResponse(200, {
+            credentials: {
+                accessKeyId: "k",
+                secretAccessKey: "s",
+                sessionToken: "t",
+                expiration: "2026-05-20T13:00:00.000Z",
+            },
+            paths: ["shared/"],
+            operations: "read-only",
+            purpose: "sync",
+            policySize: 200,
+        }));
+        await client.vend({
+            paths: ["shared/"],
+            operations: "read-only",
+            purpose: "sync",
+            duration: 1800,
+        });
+        const [, init] = fetchSpy.mock.calls[0];
+        expect(JSON.parse(init.body)).toEqual({
+            paths: ["shared/"],
+            operations: "read-only",
+            purpose: "sync",
+            duration: 1800,
+        });
+    });
+});
 //# sourceMappingURL=vault-client.test.js.map