diff --git a/src/backend/clients/database/migrations/mysql/mysql_mig_10.sql b/src/backend/clients/database/migrations/mysql/mysql_mig_10.sql
index 8ecd88df6..93d96bbbe 100644
--- a/src/backend/clients/database/migrations/mysql/mysql_mig_10.sql
+++ b/src/backend/clients/database/migrations/mysql/mysql_mig_10.sql
@@ -15,7 +15,7 @@
-- You should have received a copy of the GNU Affero General Public License
-- along with this program. If not, see .
--- AUTH-5 (PUT-1019) — mirrors SQLite migration 0053. Adds the
+-- Mirrors SQLite migration 0053. Adds the
-- `access_token_uid` reverse-lookup column on `sessions` so raw-uuid
-- revoke can find the matching session row when only the v2 token_uid
-- (no JWT) is presented.
diff --git a/src/backend/clients/database/migrations/mysql/mysql_mig_9.sql b/src/backend/clients/database/migrations/mysql/mysql_mig_9.sql
index af20695d1..55169f735 100644
--- a/src/backend/clients/database/migrations/mysql/mysql_mig_9.sql
+++ b/src/backend/clients/database/migrations/mysql/mysql_mig_9.sql
@@ -15,7 +15,7 @@
-- You should have received a copy of the GNU Affero General Public License
-- along with this program. If not, see .
--- AUTH-2 (PUT-1014) — composite-key lookups + audit columns. Mirrors
+-- Composite-key lookups + audit columns. Mirrors
-- SQLite migration 0052. MySQL has no partial unique indexes, so the
-- "at most one active row per (user_id, app_uid)" / "one active row
-- per legacy_token_uid" semantics are encoded via VIRTUAL generated
diff --git a/src/backend/clients/database/migrations/sqlite/0052_sessions_v2_lookups.sql b/src/backend/clients/database/migrations/sqlite/0052_sessions_v2_lookups.sql
index 8cb86ac0d..8d11ee2eb 100644
--- a/src/backend/clients/database/migrations/sqlite/0052_sessions_v2_lookups.sql
+++ b/src/backend/clients/database/migrations/sqlite/0052_sessions_v2_lookups.sql
@@ -15,14 +15,14 @@
-- You should have received a copy of the GNU Affero General Public License
-- along with this program. If not, see .
--- AUTH-2 (PUT-1014) — composite-key lookups + audit columns.
+-- Composite-key lookups + audit columns.
-- - `app_uid` : binds `kind='app'` rows to their app authorization
-- target. (user_id, app_uid) is the idempotency key.
-- - `legacy_token_uid` : keys lazy-backfilled rows to the v1 token_uid that
-- originally minted them.
-- - `created_via` : audit sentinel (e.g. 'legacy_backfill').
--- - `auth_id` : stable per-user identity that survives re-login
--- (PUT-1010); lets manage-sessions group by identity.
+-- - `auth_id` : stable per-user identity that survives re-login;
+-- lets manage-sessions group by identity.
ALTER TABLE `sessions` ADD COLUMN `app_uid` TEXT;
ALTER TABLE `sessions` ADD COLUMN `legacy_token_uid` TEXT;
diff --git a/src/backend/clients/database/migrations/sqlite/0053_sessions_access_token_uid.sql b/src/backend/clients/database/migrations/sqlite/0053_sessions_access_token_uid.sql
index e781000f0..fa8611618 100644
--- a/src/backend/clients/database/migrations/sqlite/0053_sessions_access_token_uid.sql
+++ b/src/backend/clients/database/migrations/sqlite/0053_sessions_access_token_uid.sql
@@ -15,7 +15,7 @@
-- You should have received a copy of the GNU Affero General Public License
-- along with this program. If not, see .
--- AUTH-5 (PUT-1019) — let `kind='access_token'` rows be reverse-looked-up
+-- Let `kind='access_token'` rows be reverse-looked-up
-- from the `token_uid` claim that lives only in `access_token_permissions`.
-- Required so `POST /auth/revoke-access-token` with a raw token_uid input
-- (no JWT) can find and soft-revoke the session row, matching the JWT
diff --git a/src/backend/controllers/auth/AuthController.test.ts b/src/backend/controllers/auth/AuthController.test.ts
index 3cecc4dac..625545d29 100644
--- a/src/backend/controllers/auth/AuthController.test.ts
+++ b/src/backend/controllers/auth/AuthController.test.ts
@@ -3408,10 +3408,10 @@ describe('AuthController.handleRevokeSession additional branches', () => {
});
it('refuses to revoke the caller’s OWN current session row (400)', async () => {
- // PUT-1019 invariant: a self-revoke leaves the client in an
- // ambiguous identity state because the response can't write
- // fresh auth state. /logout is the only path that should end
- // the session you're currently authenticated under.
+ // Invariant: a self-revoke leaves the client in an ambiguous
+ // identity state because the response can't write fresh auth
+ // state. /logout is the only path that should end the session
+ // you're currently authenticated under.
const { user, actor } = await makeUserAndActor();
const sessionRes = await server.services.auth.createSessionToken(
user,
@@ -3464,7 +3464,7 @@ describe('AuthController.handleRevokeSession additional branches', () => {
});
});
-// ── handleMigrateToken (PUT-1021 SDK-1) ─────────────────────────────
+// ── handleMigrateToken ──────────────────────────────────────────────
describe('AuthController.handleMigrateToken', () => {
const TEST_ORIGIN = 'https://migrate.test.local';
@@ -3572,10 +3572,10 @@ describe('AuthController.handleMigrateToken', () => {
});
it('returns 409 reauth_required for v1 web/session tokens', async () => {
- // Web tokens never migrate silently — they always go through the
- // interactive reauth flow (PUT-1023). The body code is what
- // puter.js / GUI key on; the 409 status is what tells SDK code
- // "this isn't a generic auth failure, route through reauth".
+ // Web tokens never migrate silently — they always go through
+ // the interactive reauth flow. The body code is what puter.js /
+ // GUI key on; the 409 status is what tells SDK code "this
+ // isn't a generic auth failure, route through reauth".
const { user } = await makeUserAndActor();
const v1 = mintV1Token({
type: 'session',
diff --git a/src/backend/core/http/middleware/authProbe.test.ts b/src/backend/core/http/middleware/authProbe.test.ts
index 4f0995af9..2353c7a1f 100644
--- a/src/backend/core/http/middleware/authProbe.test.ts
+++ b/src/backend/core/http/middleware/authProbe.test.ts
@@ -44,7 +44,7 @@ interface StubAuth {
seenTokens: string[];
/** Legacy setter — accepts the old Actor|null|'throw' shape. */
setNext: (next: Actor | null | 'throw') => void;
- /** AUTH-4: set the full AuthResult to be returned by `authenticate()`. */
+ /** Set the full AuthResult to be returned by `authenticate()`. */
setNextResult: (next: AuthResultLike | 'throw') => void;
}
@@ -54,7 +54,7 @@ const makeStubAuth = (defaultActor: Actor | null = null): StubAuth => {
? { actor: defaultActor }
: { invalid: true };
const service = {
- // AUTH-4 entry point used by the probe.
+ // Entry point used by the probe.
authenticate: async (token: string) => {
seenTokens.push(token);
if (nextResult === 'throw') throw new Error('verify failed');
@@ -543,9 +543,9 @@ describe('createAuthProbe — actor attachment + failure tracking', () => {
});
});
-// ── AUTH-4: reauth signal + KV counters ─────────────────────────────
+// ── Reauth signal + KV counters ─────────────────────────────────────
-describe('createAuthProbe — AUTH-4 reauth signal', () => {
+describe('createAuthProbe — reauth signal', () => {
/** Capture KV increments without a real store. */
const makeKvStub = () => {
const calls: Array<{
diff --git a/src/backend/core/http/middleware/gates.test.ts b/src/backend/core/http/middleware/gates.test.ts
index 2ff9fc5a5..b39f5e76e 100644
--- a/src/backend/core/http/middleware/gates.test.ts
+++ b/src/backend/core/http/middleware/gates.test.ts
@@ -137,7 +137,7 @@ describe('requireAuthGate', () => {
expectHttpError(got, 403, 'forbidden');
});
- // ── AUTH-4 reauth signal ────────────────────────────────────────
+ // ── Reauth signal ───────────────────────────────────────────────
it('returns 401 reauth_required for a legacy v1 token', () => {
const got = runGate(requireAuthGate(), {
diff --git a/src/backend/services/auth/AuthService.test.ts b/src/backend/services/auth/AuthService.test.ts
index 5643fede9..8057f2755 100644
--- a/src/backend/services/auth/AuthService.test.ts
+++ b/src/backend/services/auth/AuthService.test.ts
@@ -167,9 +167,9 @@ describe('AuthService (integration)', () => {
});
});
- // ── AUTH-4: rich `authenticate()` result shape ───────────────────
+ // ── Rich `authenticate()` result shape ──────────────────────────
- describe('authenticate (AUTH-4 reauth signal)', () => {
+ describe('authenticate (reauth signal)', () => {
it('returns { actor } for a healthy v2 session token', async () => {
const user = await makeUser();
const { token } = await authService.createSessionToken(user, {});
@@ -1025,13 +1025,13 @@ describe('AuthService (integration)', () => {
});
});
- // ── AUTH-5 (PUT-1019) revoke coverage ────────────────────────────
+ // ── Revoke coverage ─────────────────────────────────────────────
describe('revokeAccessToken raw-uuid session-row coverage', () => {
// The JWT-input branch has always flipped the session row's
- // revoked_at. AUTH-5 closes the raw-uuid gap: the new
- // `sessions.access_token_uid` column lets revoke find the row
- // for v2-minted tokens even when no JWT was presented.
+ // revoked_at. The raw-uuid gap is closed by the
+ // `sessions.access_token_uid` column, which lets revoke find
+ // the row for v2-minted tokens even when no JWT was presented.
it('soft-revokes the v2 session row when revoked by raw token_uid', async () => {
const user = await makeUser();
@@ -1168,7 +1168,7 @@ describe('AuthService (integration)', () => {
});
});
- // ── SDK-1 (PUT-1021) migrate-token ────────────────────────────────
+ // ── migrate-token ───────────────────────────────────────────────
describe('migrateLegacyToken', () => {
// Hand-mint v1 tokens using the same compression dict the
diff --git a/src/backend/services/auth/AuthService.ts b/src/backend/services/auth/AuthService.ts
index e5d25f5d4..9b367485f 100644
--- a/src/backend/services/auth/AuthService.ts
+++ b/src/backend/services/auth/AuthService.ts
@@ -514,10 +514,10 @@ export class AuthService extends PuterService {
return this.#migrateAccessToken(decoded as AccessTokenPayload);
}
if (decoded.type === 'app-under-user') {
- // Per ROLLOUT-1, app-token migration is the kind that
- // ultimately retires — flag-gated independently from the
- // top-level `allow_v1_tokens` so access-token migration
- // can stay on indefinitely.
+ // App-token migration is the kind that ultimately retires
+ // — flag-gated independently from the top-level
+ // `allow_v1_tokens` so access-token migration can stay on
+ // indefinitely.
const allowAppMigration =
(this.config as { allow_v1_app_migration?: boolean })
.allow_v1_app_migration !== false;
@@ -1372,7 +1372,7 @@ export class AuthService extends PuterService {
}
}
- // Permissions rows still DELETE — the AUTH-5 "no DELETE on revoke"
+ // Permissions rows still DELETE — the "no DELETE on revoke"
// rule scoped to the `sessions` table (where the audit trail of
// when a session existed/was revoked is load-bearing for forensic
// queries and the cascade graph). `access_token_permissions`
diff --git a/src/backend/stores/session/SessionStore.test.ts b/src/backend/stores/session/SessionStore.test.ts
index 7d743059c..f13430bd4 100644
--- a/src/backend/stores/session/SessionStore.test.ts
+++ b/src/backend/stores/session/SessionStore.test.ts
@@ -135,9 +135,9 @@ describe('SessionStore', () => {
});
it('returns null when expires_at is in the past', async () => {
- // PUT-1014 moved expires_at enforcement into getByUuid so the
- // row is the single source of truth — no AUTH-4 re-mint pass
- // needed (we run long-lived JWTs in v2).
+ // expires_at enforcement lives in getByUuid so the row is
+ // the single source of truth — no re-mint pass needed (we
+ // run long-lived JWTs in v2).
const user = await makeUser();
const past = Math.floor(Date.now() / 1000) - 60;
const session = await target.create(user.id, { expires_at: past });
@@ -272,7 +272,7 @@ describe('SessionStore', () => {
});
});
- // ── PUT-1014 composite-key lookups ──────────────────────────────
+ // ── Composite-key lookups ──────────────────────────────────────
describe('getOrCreateApp', () => {
it('creates a kind="app" row on first call with the right shape', async () => {
diff --git a/src/backend/types.ts b/src/backend/types.ts
index 6c692699d..302e13b2d 100644
--- a/src/backend/types.ts
+++ b/src/backend/types.ts
@@ -481,7 +481,7 @@ interface IConfigOptional {
/**
* Legacy HMAC secret for v1 JWTs. New tokens are always signed with
* `jwt_secret_v2`; this value is verify-only and accepted as long as
- * `allow_v1_tokens` is true (flipped off in ROLLOUT-1 to retire v1).
+ * `allow_v1_tokens` is true (flipped off to retire v1).
*/
jwt_secret: string;
/** HMAC secret used to sign and verify v2 auth JWTs (`kid: 'v2'`). */
@@ -493,10 +493,10 @@ interface IConfigOptional {
allow_v1_tokens: boolean;
/**
* When false, `POST /auth/migrate-token` returns 410 Gone for v1
- * `app-under-user` tokens. Per ROLLOUT-1, app-token migration is
- * retired ahead of access-token migration — keeping these on
- * separate flags lets ops kill apps first and keep API-key
- * migration on indefinitely. Default true.
+ * `app-under-user` tokens. App-token migration is retired ahead
+ * of access-token migration — keeping these on separate flags
+ * lets ops kill apps first and keep API-key migration on
+ * indefinitely. Default true.
*/
allow_v1_app_migration: boolean;
/**
diff --git a/src/gui/src/UI/UIDesktop.js b/src/gui/src/UI/UIDesktop.js
index 79e2be642..549cc89d5 100644
--- a/src/gui/src/UI/UIDesktop.js
+++ b/src/gui/src/UI/UIDesktop.js
@@ -125,11 +125,11 @@ async function UIDesktop (options) {
console.error('GUI Socket Error:', error);
});
- // PUT-1023 (GUI-1) — pick up reauth_required signals delivered via the
- // socket.io handshake. SocketService emits `Error { data: { code:
+ // Pick up reauth_required signals delivered via the socket.io
+ // handshake. SocketService emits `Error { data: { code:
// 'reauth_required', reason, auth_id } }` for legacy/revoked/expired
- // tokens. Without this branch the disconnect would look like a silent
- // network failure to the user.
+ // tokens. Without this branch the disconnect would look like a
+ // silent network failure to the user.
window.socket.on('connect_error', (err) => {
const signal = err?.data;
if ( signal?.code === 'reauth_required' ) {
diff --git a/src/gui/src/UI/UIWindowLogin.js b/src/gui/src/UI/UIWindowLogin.js
index 75c7dd825..0ff53f3e4 100644
--- a/src/gui/src/UI/UIWindowLogin.js
+++ b/src/gui/src/UI/UIWindowLogin.js
@@ -454,10 +454,10 @@ async function UIWindowLogin (options) {
}
// Prepare data for the request
- // PUT-1023 (GUI-1) — when this login was triggered by a 401
- // reauth_required, forward `auth_id` (and the originating
- // reason) so the backend can re-attach the user/session to the
- // same stable identity (consumed by GUI-2).
+ // When this login was triggered by a 401 reauth_required,
+ // forward `auth_id` (and the originating reason) so the
+ // backend can re-attach the user/session to the same
+ // stable identity.
const reauth_payload = options.auth_id
? { auth_id: options.auth_id, reauth_reason: options.reauth_reason }
: {};
diff --git a/src/gui/src/globals.js b/src/gui/src/globals.js
index 90e90200b..be493dc34 100644
--- a/src/gui/src/globals.js
+++ b/src/gui/src/globals.js
@@ -55,10 +55,10 @@ if ( window.logged_in_users === null )
window.logged_in_users = [];
}
-// this sessions's user — PUT-1023 (GUI-1) prefers the v2 storage key. The
-// legacy key is still consulted so that users with a stale v1 token get
-// picked up here (and immediately routed through the reauth modal by the
-// first 401 from the backend).
+// this sessions's user — prefer the v2 storage key. The legacy key is
+// still consulted so that users with a stale v1 token get picked up here
+// (and immediately routed through the reauth modal by the first 401
+// from the backend).
window.auth_token =
localStorage.getItem('auth_token_v2')
|| localStorage.getItem('auth_token');
diff --git a/src/gui/src/helpers.js b/src/gui/src/helpers.js
index 33291e821..85459ddbf 100644
--- a/src/gui/src/helpers.js
+++ b/src/gui/src/helpers.js
@@ -31,9 +31,9 @@ import UIWindowLogin from './UI/UIWindowLogin.js';
import UIWindowProgress from './UI/UIWindowProgress.js';
import UIWindowSaveAccount from './UI/UIWindowSaveAccount.js';
-// PUT-1023 (GUI-1) — localStorage keys for the GUI session token. v2 is the
-// new key written after the v1→v2 cutover. Reads prefer v2; v1 is only kept
-// to drive the reauth-modal path when a stale legacy session is found.
+// localStorage keys for the GUI session token. v2 is the new key written
+// after the v1→v2 cutover. Reads prefer v2; v1 is only kept to drive the
+// reauth-modal path when a stale legacy session is found.
window.AUTH_TOKEN_KEY_V1 = 'auth_token';
window.AUTH_TOKEN_KEY_V2 = 'auth_token_v2';
@@ -51,16 +51,16 @@ window.is_auth = () => {
};
/**
- * PUT-1023 (GUI-1) — central handler for `401 { code: 'reauth_required' }`.
+ * Central handler for `401 { code: 'reauth_required' }`.
*
- * The backend `authProbe` middleware (AUTH-4) emits this 401 shape whenever
- * a token is legacy/revoked/expired. The GUI must NOT silently logout: that
- * loses window/URL state and surprises the user. Instead we:
+ * The backend `authProbe` middleware emits this 401 shape whenever a
+ * token is legacy/revoked/expired. The GUI must NOT silently logout:
+ * that loses window/URL state and surprises the user. Instead we:
* 1. Snapshot enough state to land back where we were after sign-in.
* 2. Clear both the v1 and v2 token keys.
* 3. Show a soft modal explaining what happened.
- * 4. Re-open UIWindowLogin, forwarding `auth_id` so temp users (and
- * pending GUI-2 work) can re-attach to the same identity.
+ * 4. Re-open UIWindowLogin, forwarding `auth_id` so temp users can
+ * re-attach to the same identity.
*
* Idempotent: parallel 401s while the modal is already open are dropped.
*/
@@ -84,8 +84,7 @@ window.handleReauthRequired = async (signal = {}) => {
} catch ( e ) { /* ignore */ }
window.auth_token = null;
- // Soft modal. UIAlert is the lightest-weight existing surface; the
- // copy is the one specified by GUI-1's spec.
+ // Soft modal. UIAlert is the lightest-weight existing surface.
try {
await UIAlert({
message: i18n('reauth_required_message') || 'Your session was updated for security — please sign in again.',
@@ -102,7 +101,7 @@ window.handleReauthRequired = async (signal = {}) => {
// fall through to UIWindowLogin directly.
}
- // Open the login window, forwarding auth_id (consumed in GUI-2).
+ // Open the login window, forwarding auth_id.
try {
const login = await UIWindowLogin({
reload_on_success: true,
@@ -580,8 +579,8 @@ window.refresh_user_data = async (auth_token) => {
window.update_auth_data = async (auth_token, user, api_origin) => {
window.auth_token = auth_token;
- // PUT-1023 (GUI-1) — write the v2 key going forward and clear any
- // lingering v1 key so a single localStorage source-of-truth is used.
+ // Write the v2 key going forward and clear any lingering v1 key so
+ // a single localStorage source-of-truth is used.
localStorage.setItem(window.AUTH_TOKEN_KEY_V2, auth_token);
localStorage.removeItem(window.AUTH_TOKEN_KEY_V1);
@@ -741,8 +740,8 @@ window.sendWindowWillCloseMsg = function (iframe_element) {
window.logout = () => {
// clear cache
puter._cache.flushall();
- // PUT-1023 (GUI-1) — clear both old and new token keys. Cookie clear
- // is handled by the backend logout endpoint.
+ // Clear both old and new token keys. Cookie clear is handled by
+ // the backend logout endpoint.
try {
localStorage.removeItem(window.AUTH_TOKEN_KEY_V2);
localStorage.removeItem(window.AUTH_TOKEN_KEY_V1);
@@ -751,10 +750,10 @@ window.logout = () => {
// document.dispatchEvent(new Event("logout", { bubbles: true}));
};
-// PUT-1023 (GUI-1) — global jQuery ajax error interceptor. Catches any
-// `401 { code: 'reauth_required' }` that wasn't already handled by a more
-// specific `statusCode[401]` callback on the call site, so we don't have
-// to audit every legacy `$.ajax` call when AUTH-4 rolls out.
+// Global jQuery ajax error interceptor. Catches any `401 { code:
+// 'reauth_required' }` that wasn't already handled by a more specific
+// `statusCode[401]` callback on the call site, so we don't have to
+// audit every legacy `$.ajax` call when the reauth signal rolls out.
if ( typeof $ !== 'undefined' && $.fn ) {
$(document).ajaxError(function (event, jqxhr, settings, thrownError) {
if ( jqxhr?.status !== 401 ) return;
@@ -769,9 +768,9 @@ if ( typeof $ !== 'undefined' && $.fn ) {
});
}
-// PUT-1023 (GUI-1) — multi-tab propagation. If another tab signs in (sets
-// the v2 token) or signs out (clears it), reflect that here without forcing
-// a full page reload when we can avoid it.
+// Multi-tab propagation. If another tab signs in (sets the v2 token) or
+// signs out (clears it), reflect that here without forcing a full page
+// reload when we can avoid it.
if ( typeof window !== 'undefined' && window.addEventListener ) {
window.addEventListener('storage', (event) => {
if ( event.key !== window.AUTH_TOKEN_KEY_V2 ) return;
diff --git a/src/gui/src/initgui.js b/src/gui/src/initgui.js
index 8e2b45c1f..9f1ae32c0 100644
--- a/src/gui/src/initgui.js
+++ b/src/gui/src/initgui.js
@@ -392,7 +392,7 @@ window.initgui = async function (options) {
if ( r.ok ) {
const { token } = await r.json();
window.auth_token = token;
- // PUT-1023 (GUI-1) — write the v2 key; drop legacy v1 key.
+ // Write the v2 key; drop legacy v1 key.
localStorage.setItem(window.AUTH_TOKEN_KEY_V2 || 'auth_token_v2', token);
try { localStorage.removeItem(window.AUTH_TOKEN_KEY_V1 || 'auth_token'); } catch ( e ) { /* ignore */ }
if ( typeof puter !== 'undefined' ) puter.setAuthToken(token, window.api_origin);
diff --git a/src/puter-js/src/index.js b/src/puter-js/src/index.js
index e8bd8a69c..28fb2dd84 100644
--- a/src/puter-js/src/index.js
+++ b/src/puter-js/src/index.js
@@ -92,11 +92,11 @@ class Lock {
// (using defaultGUIOrigin breaks locally-hosted apps)
const PROD_ORIGIN = 'https://puter.com';
-// localStorage keys for the auth token. v1 is the legacy key. v2 is the new
-// key written after the token rotation in the v1→v2 cutover (PUT-1024).
-// Reads prefer v2; v1 is only consulted to drive the silent-migration path
-// (SDK access_token / app kinds) or — for kind='web' — to fail over to the
-// interactive reauth flow.
+// localStorage keys for the auth token. v1 is the legacy key. v2 is
+// the new key written after the token rotation in the v1→v2 cutover.
+// Reads prefer v2; v1 is only consulted to drive the silent-migration
+// path (access_token / app kinds) or — for kind='web' — to fail over
+// to the interactive reauth flow.
const STORAGE_KEY_V1 = 'puter.auth.token';
const STORAGE_KEY_V2 = 'puter.auth.token.v2';
@@ -152,7 +152,7 @@ const puterInit = (function () {
// Event handling properties
eventHandlers = {};
- // Reauth coordinator state (PUT-1022 PJS-1). When the backend signals
+ // Reauth coordinator state. When the backend signals
// `401 { code: 'reauth_required' }`, in-flight requests await this
// promise; the first caller drives the interactive flow, everyone
// else replays after it resolves.
@@ -476,11 +476,11 @@ const puterInit = (function () {
// URL-param tokens may still be v1 (host apps that
// haven't rebuilt yet). Set immediately so submodules
// can run, then attempt silent migration in the
- // background — PJS-2.
+ // background.
this.setAuthToken(bootstrapAuthToken);
needsSilentMigration = true;
} else {
- // Prefer the v2 storage key (PJS-2). Fall back to v1
+ // Prefer the v2 storage key. Fall back to v1
// and queue a silent migrate-token call.
const v2 = this.normalizeAuthTokenCandidate(
localStorage.getItem(STORAGE_KEY_V2),
@@ -527,7 +527,7 @@ const puterInit = (function () {
// initialize submodules
this.initSubmodules();
try {
- // Prefer the v2 storage key (PJS-2). Fall back to v1 and
+ // Prefer the v2 storage key. Fall back to v1 and
// run a silent migration in the background.
const v2 = this.normalizeAuthTokenCandidate(
localStorage.getItem(STORAGE_KEY_V2),
@@ -774,8 +774,8 @@ const puterInit = (function () {
};
/**
- * PUT-1022 (PJS-1) — reauth coordinator. Called by the network layer
- * (lib/utils.js) when the backend returns
+ * Reauth coordinator. Called by the network layer (lib/utils.js)
+ * when the backend returns
* `401 { code: 'reauth_required', reason, auth_id }`.
*
* Behavior is environment-specific:
@@ -784,7 +784,7 @@ const puterInit = (function () {
* that resolves when the user signs in (so callers can replay)
* or rejects if reauth fails / is canceled.
* - `gui`: no-op — the GUI environment renders its own modal
- * (PUT-1023 GUI-1) and host code is responsible for the flow.
+ * and host code is responsible for the flow.
* - workers / nodejs: there's no UI surface to drive, so reject
* with a structured error and let worker code react.
*
@@ -902,7 +902,7 @@ const puterInit = (function () {
/**
* Register a listener for SDK events. Used by host apps to react
- * to `puter.auth.reauth_required` (PUT-1022 PJS-1).
+ * to `puter.auth.reauth_required`.
*/
on = function (eventName, handler) {
if ( ! this.eventHandlers[eventName] ) this.eventHandlers[eventName] = [];
@@ -918,8 +918,8 @@ const puterInit = (function () {
};
/**
- * PUT-1024 (PJS-2) — best-effort silent v1→v2 token migration via
- * the backend `/auth/migrate-token` endpoint (SDK-1). Used at boot
+ * Best-effort silent v1→v2 token migration via the backend
+ * `/auth/migrate-token` endpoint. Used at boot
* when only a legacy `puter.auth.token` is present; on success the
* v2 token is set via setAuthToken (which clears the v1 key).
*
diff --git a/src/puter-js/src/lib/utils.js b/src/puter-js/src/lib/utils.js
index f20b38b15..eccb56d09 100644
--- a/src/puter-js/src/lib/utils.js
+++ b/src/puter-js/src/lib/utils.js
@@ -100,8 +100,8 @@ function initXhr (endpoint, APIOrigin, authToken, method = 'post', contentType =
xhr.setRequestHeader('Content-Type', contentType);
xhr.responseType = responseType ?? '';
- // Capture enough request shape to replay this XHR after a reauth_required
- // (PUT-1022 PJS-1). The body is captured below by intercepting send().
+ // Capture enough request shape to replay this XHR after a
+ // reauth_required. The body is captured below by intercepting send().
xhr._puterReq = {
endpoint,
APIOrigin,
@@ -176,12 +176,12 @@ async function handle_resp (success_cb, error_cb, resolve_func, reject_func, res
const resp = await parseResponse(response);
// error - unauthorized
if ( response.status === 401 ) {
- // PUT-1022 (PJS-1) — v2 reauth signal. The backend `authProbe`
- // middleware returns `401 { code: 'reauth_required', reason, auth_id }`
- // for legacy v1 tokens, revoked sessions, and expired sessions
- // beyond the silent re-mint window. Drive the env-specific reauth
- // flow on the Puter class, then replay the original request with
- // the new token.
+ // v2 reauth signal. The backend `authProbe` middleware returns
+ // `401 { code: 'reauth_required', reason, auth_id }` for legacy
+ // v1 tokens, revoked sessions, and expired sessions beyond the
+ // silent re-mint window. Drive the env-specific reauth flow on
+ // the Puter class, then replay the original request with the
+ // new token.
if ( resp?.code === 'reauth_required' ) {
try {
await puter.triggerReauth({
@@ -595,8 +595,8 @@ async function driverCall_ (
// HTTP Error - unauthorized
if ( response.target.status === 401 || resp?.code === 'token_auth_failed' ) {
- // PUT-1022 (PJS-1) — v2 reauth signal. Replay the driver
- // call by re-entering driverCall_ rather than using the
+ // v2 reauth signal. Replay the driver call by re-entering
+ // driverCall_ rather than using the
// generic replayXhrAfterReauth helper: the generic helper
// wires the retried XHR through setupXhrEventHandlers, which
// resolves with the parsed response and skips driverCall_'s