the docs claimed 'you cannot grant yourself authority without already having it', which is false in the shared-DEK model: a DEK-holder with write access can copy a sealed True flag onto its own doc. replaced with the honest boundary (the flag is unforgeable WITHOUT the DEK, but is not a defense against a malicious DEK-holder, which is out of scope by design) and added operational guidance to detect a self-grant by auditing authorization state. no code or storage-format change.
Signed-off-by: disqualifier <dev@disqualifier.me>
- JsonStore._write used a fixed '<path>.tmp' name with no lock, so two concurrent
authorizer invocations could clobber each other's temp and corrupt/lose the key
store. use tempfile.mkstemp in the same dir (unique per write) then os.replace
(atomic), cleaning up the temp on failure.
- list 'created_at' formatting did int(raw) unguarded; one hand-edited/legacy doc
with a bad timestamp aborted the whole table. guard per-row, fall back to '-'.
verified by execution: 20 concurrent writers -> 0 errors, file stays valid JSON,
no leftover .tmp; upsert still dedupes/updates; bad/absent created_at -> '-'.
Signed-off-by: disqualifier <dev@disqualifier.me>
