Expand description
I16 prompt rendering — the authoritative dialog text, built only from the
core-authored ConfirmRequest (spec §8.3).
The renderer is platform-independent and pure (no IO, no hardware), so it is
fully unit-tested off-macOS. The macOS dialog passes prompt_text verbatim
as the localizedReason of LAContext evaluatePolicy:.
Contract (§8.3, I16):
- The resolved command (the thing that varies between a legitimate and a suspicious request) is the visually prominent first line.
- The coordinate (address, never the value), sensitivity, environment, origin,
and the observed requesting process follow as authoritative metadata, one
label: valueline each. - Any requester-supplied free text is rendered last, clearly fenced and labeled untrusted — it is never the authoritative line.
- No secret value appears:
ConfirmRequestcarries none (only the address), and this renderer adds none (I7/I12).
Constants§
- UNTRUSTED_
LABEL - Label used to fence requester-supplied (untrusted) text in the dialog.
Functions§
- prompt_
text - Build the authoritative confirmation dialog text from a core
ConfirmRequest.