Consumer-side provisioning: fetch the [ProvisionDoc] from the reserved
/.hackamore/provision path on hackamore's proxy listener — the only address a sandboxed
consumer can reach — and render it into native tool config. [write_configs] writes
everything under a caller-supplied home directory — nothing outside it is touched, so a
sandbox (or a
test) can configure stock tools without polluting the host's real ~/.kube, ~/.aws,
or git config.
Every write is recorded in a manifest (<home>/.hackamore/manifest) so [teardown] can
remove exactly what hackamore wrote and nothing else. Line-oriented files (git
credentials) are merged idempotently rather than clobbered, so re-provisioning a second
service doesn't drop the first. When hackamore terminates TLS, the doc carries a CA bundle
([ProvisionDoc::hackamore_ca]); it is written once and referenced by path from every
tool's config (kubeconfig, ~/.aws/config, .gitconfig).
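
The idempotent merge and manifest-driven teardown described above, as an added sketch that is not hackamore's own code. The manifest entry format, the function names (confined, merge_line, teardown) and the sample credential lines are assumptions made for illustration; only the <home>/.hackamore/manifest location comes from the text.

```rust
use std::{fs, io, path::{Component, Path, PathBuf}};

// Assumed manifest format (not hackamore's): one "<relative path>\t<line>" per added line.
const MANIFEST: &str = ".hackamore/manifest";

/// Resolve `rel` under `home`, rejecting absolute paths and `..` (symlinks are not checked).
fn confined(home: &Path, rel: &str) -> io::Result<PathBuf> {
    let ok = !rel.is_empty() && Path::new(rel).components().all(|c| matches!(c, Component::Normal(_)));
    if ok { Ok(home.join(rel)) } else { Err(io::Error::new(io::ErrorKind::InvalidInput, "path escapes home")) }
}

/// Append `line` to `rel` unless already present. Returns true, and records the
/// line in the manifest, only when this call actually added it.
fn merge_line(home: &Path, rel: &str, line: &str) -> io::Result<bool> {
    let path = confined(home, rel)?;
    let mut body = fs::read_to_string(&path).unwrap_or_default();
    if body.lines().any(|l| l == line) { return Ok(false); }
    if !body.is_empty() && !body.ends_with('\n') { body.push('\n'); }
    body.push_str(line);
    body.push('\n');
    fs::create_dir_all(path.parent().unwrap())?;
    fs::write(&path, body)?;
    let mpath = home.join(MANIFEST);
    fs::create_dir_all(mpath.parent().unwrap())?;
    let mut manifest = fs::read_to_string(&mpath).unwrap_or_default();
    manifest.push_str(&format!("{rel}\t{line}\n"));
    fs::write(mpath, manifest)?;
    Ok(true)
}

/// Remove exactly the recorded lines; a file is deleted only if nothing else remains in it.
fn teardown(home: &Path) -> io::Result<()> {
    let mpath = home.join(MANIFEST);
    let manifest = fs::read_to_string(&mpath)?;
    for entry in manifest.lines() {
        let Some((rel, line)) = entry.split_once('\t') else { continue };
        let path = confined(home, rel)?;
        let body = fs::read_to_string(&path).unwrap_or_default();
        let kept: Vec<&str> = body.lines().filter(|l| *l != line).collect();
        if kept.is_empty() { let _ = fs::remove_file(&path); } else { fs::write(&path, kept.join("\n") + "\n")?; }
    }
    fs::remove_file(mpath)
}

fn main() -> io::Result<()> {
    let home = std::env::temp_dir().join("hackamore-sketch-home"); // constructed sandbox home
    merge_line(&home, ".git-credentials", "https://bot:placeholder@svc-a.example")?; // constructed line
    merge_line(&home, ".git-credentials", "https://bot:placeholder@svc-a.example")?; // no-op on re-provision
    teardown(&home)
}
```

Because only lines that were actually appended are recorded, a credential line that already existed in the home directory survives teardown.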