Function encode_session_env 

pub fn encode_session_env(sid_hex: &str, ephemeral_private: &[u8; 32]) -> String

Encode a JOY_SESSION env var value. Backward-compatible with sessions that carry only the ephemeral session key; pass delegation_private = None for that case.

Layout (base64-encoded):

  • Auth-only: [sid 12][session_priv 32] (44 bytes)
  • Auth + Crypt: [sid 12][session_priv 32][delegation_priv 32] (76 bytes)

Per ADR-041 §5, the delegation private key is included exactly when the originating token had crypt scope. The AI’s joy commands read the delegation key from this env var to unwrap zone keys; it never lives on disk.
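
The layout above, read in the decoding direction, as an added example that is not the crate's own code. The names decode_session_env, SessionEnv and b64_decode are hypothetical, and the standard base64 alphabet with optional '=' padding is an assumption, since the page does not name the variant. The decoder accepts only the two documented lengths, and the struct omits a Debug derive so key bytes cannot reach logs through a stray `{:?}`.

```rust
use std::convert::TryInto;
const SID_LEN: usize = 12; // session id bytes
const KEY_LEN: usize = 32; // each private key

/// Hypothetical holder for the decoded fields. No Debug derive on purpose:
/// it carries private keys and should not be printable by accident.
pub struct SessionEnv {
    pub sid: [u8; SID_LEN],
    pub session_priv: [u8; KEY_LEN],
    pub delegation_priv: Option<[u8; KEY_LEN]>, // Some only for Auth + Crypt
}

/// Minimal std-only base64 decoder (assumed variant: standard alphabet).
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in s.trim_end_matches('=').bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            _ => return None, // reject anything outside the alphabet
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1; // keep only the not-yet-emitted bits
        }
    }
    Some(out)
}

/// Parse a JOY_SESSION value: 44 bytes (auth-only) or 76 bytes (auth + crypt).
pub fn decode_session_env(value: &str) -> Option<SessionEnv> {
    let raw = b64_decode(value)?;
    if raw.len() != SID_LEN + KEY_LEN && raw.len() != SID_LEN + 2 * KEY_LEN {
        return None; // any other length is malformed: reject, do not guess
    }
    let sid: [u8; SID_LEN] = raw[..SID_LEN].try_into().ok()?;
    let session_priv: [u8; KEY_LEN] = raw[SID_LEN..SID_LEN + KEY_LEN].try_into().ok()?;
    let delegation_priv: Option<[u8; KEY_LEN]> = match raw.get(SID_LEN + KEY_LEN..) {
        Some(rest) if rest.len() == KEY_LEN => Some(rest.try_into().ok()?),
        _ => None, // 44-byte form: no delegation key present
    };
    Some(SessionEnv { sid, session_priv, delegation_priv })
}
```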