two regressions in the [mongo] storage backend: (1) the four finally blocks did 'await db.close()' but the mongo lib's close() became synchronous this session, so await None raised TypeError on every op — dropped the await. (2) the backend consumed mongo's swallow-and-return-default wrapped methods raw, conflating a driver error with 'no document / not initialized' in the lib that gates authority; it now goes through the raw db.collection(name) escape hatch (the motor collection, which raises) and raises on a no-op upsert, matching the CLI's fail-loud stance.
Signed-off-by: disqualifier <dev@disqualifier.me>
the docs claimed 'you cannot grant yourself authority without already having it', which is false in the shared-DEK model: a DEK-holder with write access can copy a sealed True flag onto its own doc. replaced with the honest boundary (the flag is unforgeable WITHOUT the DEK, but is not a defense against a malicious DEK-holder, which is out of scope by design) and added operational guidance to detect a self-grant by auditing authorization state. no code or storage-format change.
Signed-off-by: disqualifier <dev@disqualifier.me>
- JsonStore._write used a fixed '<path>.tmp' name with no lock, so two concurrent
authorizer invocations could clobber each other's temp and corrupt/lose the key
store. use tempfile.mkstemp in the same dir (unique per write) then os.replace
(atomic), cleaning up the temp on failure.
- list 'created_at' formatting did int(raw) unguarded; one hand-edited/legacy doc
with a bad timestamp aborted the whole table. guard per-row, fall back to '-'.
verified by execution: 20 concurrent writers -> 0 errors, file stays valid JSON,
no leftover .tmp; upsert still dedupes/updates; bad/absent created_at -> '-'.
Signed-off-by: disqualifier <dev@disqualifier.me>
