Add sharing grant management flow

[TheSilkky]

Summary

• add incident-detail sharing-grant creation and revocation controls for active contact public keys
• add typed API client create/revoke methods, safe schema fields, and session-scoped grant/wrapped-key query keys
• document the sharing-grant management boundary and update current/planned scope

Validation

• npm run typecheck
• npm run lint
• npm run test
• npm run build
• npm run test:e2e
• git diff --check origin/develop...

Security and scope notes

• Frontend-only change; no backend routes or server behavior added.
• Grants can be created only from active contact public keys already returned for the active session.
• Expired or revoked grants are shown as inactive delivery paths.
• The UI and parser tests avoid retaining or displaying wrapped-key ciphertext, raw media keys, contact private keys, plaintext, request bodies, stored paths, object keys, or private deployment details.
• This does not add decryption, key unwrapping, notification delivery, emergency dispatch, or trusted-contact account access.

Closes #50

[TheSilkky]

@codex review

Please review this PR for correctness, security, scope control, tests, and consistency with README.md, AGENTS.md, SECURITY.md, and relevant docs.

Focus on frontend route behavior, API client assumptions against open-proofline/server, token handling, no secret logging, no browser decryption or key unwrapping, Catalyst licensing boundaries, and validation results.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e7a9df9e36

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Refresh incident metadata after grant changes

When creating a grant changes the server-owned incident sharing state (for example from private to shared access, and similarly when revoking the last active grant), this handler only refreshes the sharing-grants list. The overview on the same route renders detail.incident.sharing_state from the separate incident query, so users can see a successful create/revoke message while the incident still appears to have the old sharing state until a full reload or navigation. Invalidate prooflineQueryKeys.incident(incidentId) after grant create/revoke as well.

Useful? React with 👍 / 👎.