Expand description
I16 prompt rendering — the authoritative dialog text, built only from the
core-authored ConfirmRequest (spec §8.3).
The renderer is platform-independent and pure (no IO, no hardware), so it is
fully unit-tested here in core and shared by every native [Biometric]
(macOS LocalAuthentication, Windows Hello). The native dialog passes
prompt_text verbatim as its prompt string (localizedReason on macOS, the
verification message on Windows).
Contract (§8.3, I16):
- The resolved command (the thing that varies between a legitimate and a suspicious request) is the visually prominent first line.
- The coordinate (address, never the value), sensitivity, environment, origin,
and the observed requesting process follow as authoritative metadata, one
label: valueline each. - Any requester-supplied free text is rendered last, clearly fenced and labeled untrusted — it is never the authoritative line.
- No secret value appears:
ConfirmRequestcarries none (only the address), and this renderer adds none (I7/I12).
Constants§
- UNTRUSTED_
LABEL - Label used to fence requester-supplied (untrusted) text in the dialog.
Functions§
- prompt_
text - Build the authoritative confirmation dialog text from a core
ConfirmRequest.