pub fn save_vault(path: &Path, vault: &SealedVault) -> Result<()>Expand description
Persist the vault to path atomically (temp file + rename), 0600 on Unix so
a non-privileged user can’t read or replace it. The caller chooses a path the
audited user can’t write (e.g. root-owned /etc/kintsugi/ in the locked
system posture).