Confirmation nonce store for dangerous operations.

Used by the latch system (set -o latch) to gate destructive commands
behind a nonce-based confirmation flow. Nonces are time-limited and
reusable within their TTL for idempotent retries.

Nonces are path-scoped: a nonce issued for rm fileA cannot confirm
rm fileB. Validation checks both the command and that confirmed paths
are a subset of the authorized paths.
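
The scoping and TTL rules above, as an added sketch that is not this crate's code or API: `Scope`, `Store`, `Verdict`, `issue` and `validate` are hypothetical names. It assumes paths are compared as already-normalized strings and uses a counter where a real store would use a CSPRNG.

```rust
use std::collections::{BTreeSet, HashMap};
use std::time::{Duration, Instant};

// Hypothetical types for illustration; not the crate's NonceScope/NonceStore.
struct Scope { command: String, paths: BTreeSet<String> }
struct Entry { scope: Scope, expires: Instant }

#[derive(Debug, PartialEq)]
enum Verdict { Ok, Unknown, Expired, WrongCommand, PathNotAuthorized }

struct Store { ttl: Duration, entries: HashMap<String, Entry>, counter: u64 }

impl Store {
    fn new(ttl: Duration) -> Self {
        Store { ttl, entries: HashMap::new(), counter: 0 }
    }

    // Issue a nonce bound to one command and the exact paths it may touch.
    // Assumption: a counter stands in for a CSPRNG so the example is deterministic.
    fn issue(&mut self, command: &str, paths: &[&str], now: Instant) -> String {
        self.counter += 1;
        let nonce = format!("n{:04}", self.counter);
        let paths = paths.iter().map(|p| p.to_string()).collect();
        let scope = Scope { command: command.to_string(), paths };
        self.entries.insert(nonce.clone(), Entry { scope, expires: now + self.ttl });
        nonce
    }

    // Validate without consuming the nonce, so a retry inside the TTL succeeds.
    // Assumption: paths were normalized by the caller; comparison is literal.
    fn validate(&self, nonce: &str, command: &str, paths: &[&str], now: Instant) -> Verdict {
        let Some(e) = self.entries.get(nonce) else { return Verdict::Unknown };
        if now >= e.expires { return Verdict::Expired; }
        if e.scope.command != command { return Verdict::WrongCommand; }
        // Every confirmed path must be in the authorized set (subset check).
        if !paths.iter().all(|p| e.scope.paths.contains(*p)) {
            return Verdict::PathNotAuthorized;
        }
        Verdict::Ok
    }
}

fn main() {
    let t0 = Instant::now();
    let mut store = Store::new(Duration::from_secs(60));
    let n = store.issue("rm", &["fileA", "fileC"], t0);
    println!("{:?}", store.validate(&n, "rm", &["fileA"], t0));
    println!("{:?}", store.validate(&n, "rm", &["fileA", "fileB"], t0));
}
```
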
Structs
- NonceScope - What a nonce authorizes: a command and a set of paths.
- NonceStore - A store for confirmation nonces with TTL-based expiration.