fix(encryption): make tikv meta client self-contained

Signed-off-by: tenfyzhong <tenfy@tenfy.cn>

Author: tenfyzhong

pkg/encryption/tikv_http_client.go

@@ -41,6 +41,12 @@ type tikvEncryptionHTTPClient struct {
 	httpTimeout time.Duration
 }
 
+// TiKVEncryptionClient fetches keyspace-level encryption metadata from TiKV.
+// It is consumed by the encryption meta manager in follow-up PRs.
+type TiKVEncryptionClient interface {
+	GetKeyspaceEncryptionMeta(ctx context.Context, keyspaceID uint32) (*EncryptionMeta, error)
+}
+
 func NewTiKVEncryptionHTTPClient(pdClient pd.Client, credential *security.Credential) (TiKVEncryptionClient, error) {
 	httpClient, err := httputil.NewClient(credential)
 	if err != nil {
@@ -420,3 +426,17 @@ func truncateBytesForLog(b []byte, max int) string {
 	}
 	return fmt.Sprintf("%s...(truncated, %d bytes total)", string(b[:max]), len(b))
 }
+
+func safeKMSVendor(masterKey *MasterKey) string {
+	if masterKey == nil {
+		return ""
+	}
+	return masterKey.Vendor
+}
+
+func safeCMEKID(masterKey *MasterKey) string {
+	if masterKey == nil {
+		return ""
+	}
+	return masterKey.CmekId
+}