From b9008734057671f2ca4f52107f2f6f3f63d741fb Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Sat, 27 Dec 2025 20:35:53 -0600
Subject: [PATCH] Add Technical_Decomp_Cache

---
 Technical_Decomp_Cache.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 Technical_Decomp_Cache.md

diff --git a/Technical_Decomp_Cache.md b/Technical_Decomp_Cache.md
new file mode 100644
index 0000000..3c42bb7
--- /dev/null
+++ b/Technical_Decomp_Cache.md
@@ -0,0 +1,25 @@
+## enroll/cache.py
+
+### HarvestCache (frozen dataclass)
+
+Purpose: a small wrapper around a directory path representing a locally stored harvest bundle.
+
+#### Field:
+
+dir: Path: the bundle directory.
+
+#### Property:
+
+state_json -> Path: returns dir / "state.json".
+
+#### Lifecycle / where it’s used:
+
+Created by `new_harvest_cache_dir(hint=...)` when the CLI wants a safe default output location (especially for SOPS encrypted outputs).
+
+It’s a "typed return value" so callers don’t pass raw strings around.
+
+#### Security behavior around it:
+
+`new_harvest_cache_dir()` builds a directory under `~/.local/cache/enroll/harvest` (or `$XDG_CACHE_HOME/enroll/harvest`).
+
+Uses mkdtemp() to avoid predictable paths and forces 0700 permissions (best-effort).
\ No newline at end of file