fix(vault): add userID check to Syncer.CanSync

CanSync now checks that userID is also set, matching the
original behavior in client apps. This ensures sync won't
be attempted without a valid user identifier.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

feat(vault): add QueueAndSync for automatic sync after queue

- Add ApplyFn parameter to NewSyncer for storing apply callback
- Add CanSync() method to check if sync is configured
- Add Sync() method that uses stored ApplyFn
- Add QueueAndSync() that queues then syncs in one call
- Update all tests to pass ApplyFn (nil for queue-only tests)

This allows client apps to eliminate boilerplate code:
- Old: QueueChange + check canSync + call Sync
- New: QueueAndSync (handles it all internally)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

feat(sync): backward compatibility for legacy unprefixed entities

v0.3.2: Auto-refresh auth token before sync operations

refactor(module): change module path to github.com/harperreed/sweet

Enables direct `go get github.com/harperreed/sweet@v0.3.1` without
requiring a replace directive. Updates all internal imports.

BREAKING CHANGE: Integrators must update their imports from
`suitesync/...` to `github.com/harperreed/sweet/...`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

v0.3.0 - Device Validation Security Update

Breaking Changes:
- All authenticated requests require X-Vault-Device-ID header
- Device registration required during login/register
- vault.NewClient panics if DeviceID is empty in SyncConfig

Security Improvements:
- Device validation ensures device belongs to authenticated user
- Revoked devices tracked and permanently blocked
- Per-item device IDs validated on push operations
- Rate limiting no longer trusts proxy headers by default
- Sequence generator returns error instead of silently resetting

See docs/migration-guide-v0.3.md for upgrade instructions.

feat(sync): Add wipe endpoint and improve decrypt errors

- Add /v1/sync/wipe endpoint for self-service data deletion
- Add Wipe() method to vault client
- Create DecryptError type with context (changeID, entity, userID, deviceID)
- Implement batch pagination for wipe/compact operations
- Log delete failures with record IDs
- Document wipe-and-resync pattern in integration guide

fix(sync): Increase ct_b64 field limit for large payloads

The TextField default max of 5000 characters was causing 500 errors
when syncing encrypted payloads larger than ~5KB. Base64 encoding
adds ~33% overhead, so 5KB of raw data = ~6800 chars = error.

Changes:
- Set ct_b64 max to 1MB for sync_changes (supports ~750KB raw payloads)
- Set ct_b64 max to 10MB for sync_snapshots (aggregated data)
- Added migration to update existing databases

Found via scenario testing with real dependencies.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

fix(ci): Revert to golangci-lint v1.64.5

v2 config format is incompatible. Stay on v1 for stability.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

fix(ci): Use golangci-lint-action v7 for golangci-lint v2

Action v6 doesn't support golangci-lint v2.x, need v7.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>