//! HashiCorp Vault KV v2 provider — authentication and namespace support.
//!
//! This module provides the `VaultAuth` enum (token or AppRole) and the
//! `approle_login` helper used by `cmd_vault_pull` to acquire a short-lived
//! client token for the duration of a single command invocation.
//!
//! # AppRole authentication
//!
//! AppRole auth follows the standard HCP Vault flow:
//! 1. `POST {vault_url}/v1/auth/approle/login` with `{"role_id":"…","secret_id":"…"}`
//! 2. Parse `auth.client_token` from the response JSON.
//! 3. Use the token for all subsequent Vault API calls; do not persist it.
//!
//! # Namespace support
//!
//! HCP Vault Enterprise namespaces are addressed by passing the
//! `X-Vault-Namespace` header on every request. When a namespace is
//! configured (via `VaultConfig::vault_namespace` or `VAULT_NAMESPACE` env var),
//! `cmd_vault_pull` injects this header on the AppRole login call and on all
//! KV v2 LIST/GET calls that follow.