fix(ext/setup): wizard writes settings.enc to match CLI init

Add default_vault_settings_json() to the hand-written wasm.d.ts
declarations, then use it in attachStep3New to encrypt and push
settings.enc after manifest.enc during new-vault creation. Wizard-
created vaults now have all four files the SW expects (salt,
params.json, manifest.enc, settings.enc), preventing the
get_vault_settings 404 on first unlock.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

extension/src/setup/setup.ts

@@ -769,6 +769,12 @@ function attachStep3New(): void {
       const encryptedManifest = w.manifest_encrypt(handle, manifestJson);
       log('manifest encrypted', { bytes: encryptedManifest.length });
 
+      stage = 'encrypt default settings';
+      log(stage);
+      const settingsJson = w.default_vault_settings_json();
+      const encryptedSettings = w.settings_encrypt(handle, settingsJson);
+      log('settings encrypted', { bytes: encryptedSettings.length });
+
       stage = 'push vault files';
       log(stage);
       const hostUrl = state.hostType === 'github' ? 'https://api.github.com' : state.hostUrl;
@@ -788,6 +794,13 @@ function attachStep3New(): void {
         'init: encrypted manifest',
       );
 
+      log('write settings.enc');
+      await host.writeFileCreateOnly(
+        'settings.enc',
+        new Uint8Array(encryptedSettings),
+        'init: encrypted settings',
+      );
+
       stage = 'release handle';
       w.lock(handle);
 

extension/src/wasm.d.ts

@@ -40,6 +40,7 @@ declare module 'relicario-wasm' {
   export function item_encrypt(handle: SessionHandle, item_json: string): Uint8Array;
   export function settings_decrypt(handle: SessionHandle, encrypted: Uint8Array): unknown;
   export function settings_encrypt(handle: SessionHandle, settings_json: string): Uint8Array;
+  export function default_vault_settings_json(): string;
 
   export function attachment_encrypt(
     handle: SessionHandle,