Commit Graph

7 Commits

Author SHA1 Message Date
a40a7432ef fix: clean error on OS-level write failures in config init and dispatch (v0.1.2)
- config init catches OSError (read-only dir, ENOSPC, gone cwd) alongside CommandError
  and prints a clean [x] line; the main dispatch catches the full OSError family instead
  of only FileNotFoundError (L13)
- document read_flag's fail-closed (non-dict -> not allowed) as a deliberate privilege-
  gate default (nit).

Signed-off-by: disqualifier <dev@disqualifier.me>
2026-06-29 17:58:09 -04:00
eced5333d6 fix: surface a tampered capability flag as a clean error, not a traceback
a tampered or foreign GCM capability flag raises cryptography's InvalidTag (subclasses Exception, not ValueError/RuntimeError), which escaped the CLI's catch tuple as a raw traceback on the authorize/verify paths. main() now catches InvalidTag and surfaces '[✘] capability flag failed authentication — tampered or wrong DEK'. also corrected the stale CLAUDE.md storage note that still described the swallow-wrapped mongo methods instead of the fail-loud raw-collection path.

Signed-off-by: disqualifier <dev@disqualifier.me>
2026-06-29 01:10:25 -04:00
13bf77f0f4 fix: mongo backend — sync close() + fail-loud via raw collection
two regressions in the [mongo] storage backend: (1) the four finally blocks did 'await db.close()' but the mongo lib's close() became synchronous this session, so await None raised TypeError on every op — dropped the await. (2) the backend consumed mongo's swallow-and-return-default wrapped methods raw, conflating a driver error with 'no document / not initialized' in the lib that gates authority; it now goes through the raw db.collection(name) escape hatch (the motor collection, which raises) and raises on a no-op upsert, matching the CLI's fail-loud stance.

Signed-off-by: disqualifier <dev@disqualifier.me>
2026-06-28 18:45:25 -04:00
2d01805427 docs: correct capability-flag threat-model boundary; add detection guidance
the docs claimed 'you cannot grant yourself authority without already having it', which is false in the shared-DEK model: a DEK-holder with write access can copy a sealed True flag onto its own doc. replaced with the honest boundary (the flag is unforgeable WITHOUT the DEK, but is not a defense against a malicious DEK-holder, which is out of scope by design) and added operational guidance to detect a self-grant by auditing authorization state. no code or storage-format change.

Signed-off-by: disqualifier <dev@disqualifier.me>
2026-06-28 17:18:28 -04:00
a0824c4b1a fix: unique temp on JSON write + tolerant created_at render (v0.1.1)
- JsonStore._write used a fixed '<path>.tmp' name with no lock, so two concurrent
  authorizer invocations could clobber each other's temp and corrupt/lose the key
  store. use tempfile.mkstemp in the same dir (unique per write) then os.replace
  (atomic), cleaning up the temp on failure.
- list 'created_at' formatting did int(raw) unguarded; one hand-edited/legacy doc
  with a bad timestamp aborted the whole table. guard per-row, fall back to '-'.

verified by execution: 20 concurrent writers -> 0 errors, file stays valid JSON,
no leftover .tmp; upsert still dedupes/updates; bad/absent created_at -> '-'.

Signed-off-by: disqualifier <dev@disqualifier.me>
2026-06-28 15:47:58 -04:00
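The two fixes in the commit above (unique temp file plus atomic `os.replace`, and per-row tolerant `created_at` rendering) as an added, self-contained example. This is not the project's `JsonStore` code; the function names `atomic_write_json`, `concurrent_writer_check`, `render_created_at` and `run_demo` and the constructed key-store documents are assumptions for illustration, and the check mirrors the commit's own verification (20 concurrent writers, file stays valid JSON, no leftover `.tmp`).

```python
"""Collision-free atomic JSON writes + tolerant timestamp rendering (added example)."""
import json
import os
import tempfile
import threading
from pathlib import Path


def atomic_write_json(path, data):
    """Write `data` as JSON to `path` via a temp file unique to this call
    (tempfile.mkstemp in the same directory), then os.replace, which is an
    atomic same-filesystem rename.  A fixed '<path>.tmp' name would let two
    concurrent writers clobber each other's temp; mkstemp cannot collide.
    The temp file is unlinked if anything fails before the rename."""
    path = Path(path)
    fd, tmp = tempfile.mkstemp(prefix=path.name + ".", suffix=".tmp", dir=path.parent)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(data, fh, sort_keys=True)
            fh.flush()
            os.fsync(fh.fileno())  # data on disk before the rename makes it visible
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def concurrent_writer_check(path, writers=20):
    """Run `writers` threads that each write a full (constructed) document.
    Returns (error_count, parsed_final_document, leftover_tmp_count)."""
    path = Path(path)
    errors = []

    def work(i):
        try:
            atomic_write_json(path, {"writer": i, "keys": [f"key-{i}-{n}" for n in range(50)]})
        except Exception as exc:  # collected, not swallowed
            errors.append(exc)

    threads = [threading.Thread(target=work, args=(i,)) for i in range(writers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

    final = json.loads(path.read_text(encoding="utf-8"))  # raises if torn or corrupt
    leftovers = [p for p in path.parent.iterdir() if p.suffix == ".tmp"]
    return len(errors), final, len(leftovers)


def render_created_at(raw):
    """Per-row tolerant rendering: one hand-edited or legacy document with a bad
    or absent timestamp yields '-' instead of aborting the whole listing."""
    try:
        return str(int(raw))
    except (TypeError, ValueError):
        return "-"


def run_demo(writers=20):
    """Exercise the writer check in a throwaway directory; returns a result dict."""
    with tempfile.TemporaryDirectory() as d:
        errs, final, leftovers = concurrent_writer_check(Path(d) / "keys.json", writers)
    return {"errors": errs, "final": final, "leftovers": leftovers}


if __name__ == "__main__":
    print(run_demo())
    print([render_created_at(x) for x in (1719600000, "1719600000", None, "garbage")])
```

The final document is whichever writer's rename landed last, but it is always one complete document, never an interleaving of two, which is the property the fix restores.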
fb733e86de add package: pyproject + src (authorizer CLI, json/mongo storage, gated capability flag)

Signed-off-by: disqualifier <dev@disqualifier.me>
2026-06-25 00:04:40 -04:00
f6c43f49c6 init: CLI key-authorization manager for envelope_crypto

Signed-off-by: disqualifier <dev@disqualifier.me>
2026-06-25 00:04:37 -04:00