//! tsafe Agent daemon.
//!
//! Spawned by `tsafe agent unlock` after the user approves in the terminal.
//! Listens on a local IPC socket, holds the vault password in memory (zeroed on
//! drop), and hands it out only to callers that know the session token and can
//! prove the PID they claim over the transport.
//!
//! Usage: tsafe-agent <profile> <session_token_hex> <requesting_pid> <ttl_secs>
//!
//! The agent exits when:
//! - The TTL expires.
//! - A `Lock` request is received.
//! - The daemon is explicitly revoked.