Dan Milne 7f0d3d3900 Tighten TOTP enrollment comments to explain the threat, not the change ...

Replace the changelog-flavored "view no longer round-trips" line with a
one-liner naming the actual threat (session-holder substituting a secret
they control). Drop the narration comment above session.delete +
deliver_later -- the identifiers already say what the two lines do.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

2026-04-20 18:58:39 +10:00

5.8 KiB

Raw Blame History

View Raw