pub fn render_unpack_script() -> StringExpand description
The destination open helper (unpack.sh), written to the USB by
exchange seal. Run on the destination, it opens package.kovra with the
custodied recipient identity (KOV-39) and imports the secrets, prompting for
the vault passphrase. For high entries the access token (the second
channel) is supplied via KOVRA_EXCHANGE_TOKEN and written to a temp file
outside the USB (deleted on exit) — the token never lands on the stick.
Pure; embeds no secret.