- config init catches OSError (read-only dir, ENOSPC, gone cwd) alongside CommandError
and prints a clean [x] line; the main dispatch catches the full OSError family instead
of only FileNotFoundError (L13)
- document read_flag's fail-closed (non-dict -> not allowed) as a deliberate privilege-
gate default (nit).
Signed-off-by: disqualifier <dev@disqualifier.me>

the docs claimed 'you cannot grant yourself authority without already having it', which is false in the shared-DEK model: a DEK-holder with write access can copy a sealed True flag onto its own doc. replaced with the honest boundary (the flag is unforgeable WITHOUT the DEK, but is not a defense against a malicious DEK-holder, which is out of scope by design) and added operational guidance to detect a self-grant by auditing authorization state. no code or storage-format change.
Signed-off-by: disqualifier <dev@disqualifier.me>