pub async fn reconcile(
    client: &Client,
    executor: &DeploymentExecutor<'_>,
    obj_id: &ObjectId,
    grants: &[GrantPrivilegesStatement<Raw>],
    kind: &GrantObjectKind,
) -> Result<(), CliError>
Reconcile grants for a single object: apply desired grants, revoke stale ones.
Three-step algorithm:
- Apply all desired GRANTs idempotently (GRANT is a no-op if already present).
- Query the live grant state and default-privilege grants from the catalog.
- Compute the set difference (current - desired - protected) and REVOKE stale grants.
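The set difference in the last step can be sketched as follows. This is an added example, not the project's own code: `Grant`, `grant_set`, `stale_grants`, `revoke_statements` and the object name are hypothetical, plain strings stand in for `ObjectId` and `GrantObjectKind`, and the protected set is assumed to hold the default-privilege grants read from the catalog.

```rust
use std::collections::BTreeSet;

/// One (grantee, privilege) pair on a single object (hypothetical model type).
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Grant {
    pub grantee: String,
    pub privilege: String,
}

impl Grant {
    /// Privilege keywords are case-insensitive in SQL, so normalise them
    /// before comparing; role names are kept exactly as given.
    pub fn new(grantee: &str, privilege: &str) -> Self {
        Grant { grantee: grantee.into(), privilege: privilege.trim().to_ascii_uppercase() }
    }
}

/// Build a set from (grantee, privilege) pairs.
pub fn grant_set(pairs: &[(&str, &str)]) -> BTreeSet<Grant> {
    pairs.iter().map(|(r, p)| Grant::new(r, p)).collect()
}

/// Step 3: stale = current - desired - protected, in sorted order.
pub fn stale_grants(
    current: &BTreeSet<Grant>,
    desired: &BTreeSet<Grant>,
    protected: &BTreeSet<Grant>,
) -> Vec<Grant> {
    current.difference(desired).filter(|g| !protected.contains(*g)).cloned().collect()
}

/// Render one REVOKE per stale grant. Identifiers are assumed to be already
/// validated and quoted; this sketch does no escaping.
pub fn revoke_statements(kind: &str, object: &str, stale: &[Grant]) -> Vec<String> {
    let stmt = |g: &Grant| format!("REVOKE {} ON {} {} FROM {}", g.privilege, kind, object, g.grantee);
    stale.iter().map(stmt).collect()
}

/// Constructed sample state for one table.
pub fn demo() -> Vec<String> {
    let desired = grant_set(&[("analyst", "select")]);
    let current = grant_set(&[("analyst", "SELECT"), ("etl", "SELECT"), ("contractor", "INSERT")]);
    let protected = grant_set(&[("etl", "SELECT")]); // assumed: from default privileges
    revoke_statements("TABLE", "db.public.orders", &stale_grants(&current, &desired, &protected))
}

fn main() {
    demo().iter().for_each(|s| println!("{s};"));
}
```

Only the `contractor` grant is revoked: the `analyst` grant matches the desired state after case normalisation, and the `etl` grant is left alone because it is in the protected set.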