For sign requests above the policy's confirm threshold, push to a user-configured channel and wait for explicit ack.
Scope
- Pluggable transport: ntfy (zero-setup), Pushover, Telegram bot. Start with ntfy.
- Push payload: portal, action, summary (e.g. "transfer 0.5 ETH to 0xabc..."), one-time approval URL + matching denial URL.
- Local HTTP endpoint on a random localhost port (bound to 127.0.0.1) that handles the approval/denial click and forwards the decision back to the daemon.
- Timeout: configurable, default 60s. Timeout = deny.
- One-time tokens, expire on first use or timeout. Token-binding to a specific sign request ID so a leaked token can't approve a different sign.
Acceptance criteria
- ntfy notification arrives within 5s of sign request.
- Approval click allows the sign; denial click rejects it; timeout rejects it.
- Tokens cannot be replayed.
- Tokens cannot approve a different sign request than the one they were issued for.
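
A sketch of the token rules above (one-time, request-bound, timeout = deny), added here as an illustration and not taken from the project's code. The `ApprovalTokens` class, its method names, the `invalid` result and the assumption that the approval/denial URL carries both the sign request ID and the token are all hypothetical.

```python
import hmac
import secrets
import time


class ApprovalTokens:
    """One-time approve/deny tokens, each bound to a single sign request ID."""

    def __init__(self, timeout_s=60.0, clock=time.monotonic):
        self.timeout_s = timeout_s      # default 60s, as in the scope above
        self.clock = clock              # injectable so expiry can be tested
        self._pending = {}              # request_id -> (approve, deny, deadline)

    def issue(self, request_id):
        """Mint the token pair embedded in the approval and denial URLs."""
        approve = secrets.token_urlsafe(32)
        deny = secrets.token_urlsafe(32)
        self._pending[request_id] = (approve, deny, self.clock() + self.timeout_s)
        return approve, deny

    def redeem(self, request_id, token):
        """Return 'approve', 'deny', or 'invalid' (no decision recorded)."""
        entry = self._pending.get(request_id)
        if entry is None:
            return "invalid"            # unknown request, or tokens already used
        approve, deny, deadline = entry
        if self.clock() >= deadline:
            del self._pending[request_id]
            return "deny"               # timeout = deny
        presented = token.encode()
        # Compare against both tokens in constant time before branching.
        is_approve = hmac.compare_digest(presented, approve.encode())
        is_deny = hmac.compare_digest(presented, deny.encode())
        if not (is_approve or is_deny):
            return "invalid"            # e.g. a token issued for another request
        del self._pending[request_id]   # first use consumes both tokens
        return "approve" if is_approve else "deny"


if __name__ == "__main__":
    now = [0.0]                         # constructed fake clock for the demo
    store = ApprovalTokens(clock=lambda: now[0])
    a1, _ = store.issue("req-1")        # constructed request IDs
    a2, _ = store.issue("req-2")
    print(store.redeem("req-2", a1))    # token from req-1 against req-2
    print(store.redeem("req-1", a1))    # legitimate click
    print(store.redeem("req-1", a1))    # replay
    now[0] = 61.0
    print(store.redeem("req-2", a2))    # late click
```

An `invalid` result leaves the sign request pending, so a stray or mismatched click cannot decide it; the daemon's own timer still has to reject the sign when no click arrives at all.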
Deps