From 46f5233bbb1f138153e84f685754ff1e602193ae Mon Sep 17 00:00:00 2001
From: Bilal Godil <bg2002@gmail.com>
Date: Tue, 26 May 2026 10:43:52 -0700
Subject: [PATCH] chore(hexclave): scrub references to deleted
 RENAME-TO-HEXCLAVE.md

9 source comments pointed at the planning doc removed in the prior commit.
Drop the 'See RENAME-TO-HEXCLAVE.md' sentence/parenthetical from each;
keep the surrounding substantive context intact (CORS allowlist derivation,
JWT issuer dual-acceptance rationale, OIDC opaque-identifier carve-out
explanation, Hexclave/Stack alias rationale).
---
 apps/backend/src/app/api/latest/integrations/idp.ts | 2 +-
 apps/backend/src/lib/tokens.tsx                     | 2 +-
 apps/backend/src/proxy.tsx                          | 4 ++--
 apps/dashboard/src/proxy.tsx                        | 4 ++--
 packages/template/src/index.ts                      | 4 ++--
 packages/template/src/lib/stack-app/index.ts        | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/apps/backend/src/app/api/latest/integrations/idp.ts b/apps/backend/src/app/api/latest/integrations/idp.ts
index a5c0af16a..c4a001822 100644
--- a/apps/backend/src/app/api/latest/integrations/idp.ts
+++ b/apps/backend/src/app/api/latest/integrations/idp.ts
@@ -169,7 +169,7 @@ export async function createOidcProvider(options: { id: string, baseUrl: string,
   // never exposed to OIDC clients (the actual OIDC `aud` claim is set elsewhere).
   // Changing this string rotates ALL outstanding JWT signing keys and invalidates
   // every cached client JWKS — so it is intentionally pinned to the pre-rebrand
-  // domain. Carve-out per RENAME-TO-HEXCLAVE.md ("internal opaque identifiers").
+  // domain (internal opaque identifier — never exposed to clients).
   const privateJwks = await getPrivateJwks({
     audience: `https://idp-jwk-audience.stack-auth.com/${encodeURIComponent(options.id)}`,
   });
diff --git a/apps/backend/src/lib/tokens.tsx b/apps/backend/src/lib/tokens.tsx
index 7e0a87e2e..45428a666 100644
--- a/apps/backend/src/lib/tokens.tsx
+++ b/apps/backend/src/lib/tokens.tsx
@@ -63,7 +63,7 @@ const getIssuer = (projectId: string, userType: UserType) => {
 // Hexclave rebrand: api.stack-auth.com ↔ api.hexclave.com. During the domain transition a
 // backend served from one host must keep validating tokens issued under the other, so the
 // validator accepts the issuer under both hosts. Signing always uses getIssuer() (the
-// configured host), so new tokens follow the deployment. See RENAME-TO-HEXCLAVE.md (Tier 0, JWT).
+// configured host), so new tokens follow the deployment.
 // Use a Map (not a plain object) for the dynamic host lookup — avoids any chance of a
 // prototype-key collision when the input host comes from an attacker-controlled JWT.
 const issuerHostAliases = new Map<string, string>([
diff --git a/apps/backend/src/proxy.tsx b/apps/backend/src/proxy.tsx
index c41fea4ee..ccf6a80c4 100644
--- a/apps/backend/src/proxy.tsx
+++ b/apps/backend/src/proxy.tsx
@@ -54,7 +54,7 @@ const corsAllowedResponseHeaders = [
 ];
 
 // Hexclave rebrand: every `x-stack-*` header is dual-accepted under its `x-hexclave-*` equivalent.
-// Derive the alias names so the CORS allowlists never drift. See RENAME-TO-HEXCLAVE.md (Tier 0).
+// Derive the alias names so the CORS allowlists never drift.
 function withHexclaveHeaderAliases(headers: string[]): string[] {
   return headers.flatMap((header) => header.startsWith('x-stack-')
     ? [header, `x-hexclave-${header.slice('x-stack-'.length)}`]
@@ -125,7 +125,7 @@ export async function proxy(request: NextRequest) {
   // Hexclave rebrand: dual-accept request headers. New SDKs emit `x-hexclave-*`; copy each onto its
   // `x-stack-*` equivalent here — before routing and yup validation — so downstream auth parsing
   // and route schemas (which read `x-stack-*`) keep working unchanged. The new form wins when both
-  // are present. See RENAME-TO-HEXCLAVE.md (Tier 0, HTTP request headers).
+  // are present.
   for (const [name, value] of request.headers) {
     if (name.startsWith('x-hexclave-')) {
       newRequestHeaders.set(`x-stack-${name.slice('x-hexclave-'.length)}`, value);
diff --git a/apps/dashboard/src/proxy.tsx b/apps/dashboard/src/proxy.tsx
index c3b6a8935..47039c891 100644
--- a/apps/dashboard/src/proxy.tsx
+++ b/apps/dashboard/src/proxy.tsx
@@ -35,7 +35,7 @@ const corsAllowedResponseHeaders = [
 ];
 
 // Hexclave rebrand: every `x-stack-*` header is dual-accepted under its `x-hexclave-*` equivalent.
-// Derive the alias names so the CORS allowlists never drift. See RENAME-TO-HEXCLAVE.md (Tier 0).
+// Derive the alias names so the CORS allowlists never drift.
 function withHexclaveHeaderAliases(headers: string[]): string[] {
   return headers.flatMap((header) => header.startsWith('x-stack-')
     ? [header, `x-hexclave-${header.slice('x-stack-'.length)}`]
@@ -60,7 +60,7 @@ export async function proxy(request: NextRequest) {
 
   // Hexclave rebrand: dual-accept request headers — copy each `x-hexclave-*` onto its `x-stack-*`
   // equivalent so downstream API routes that read `x-stack-*` keep working unchanged. The new form
-  // wins when both are present. See RENAME-TO-HEXCLAVE.md (Tier 0, HTTP request headers).
+  // wins when both are present.
   const newRequestHeaders = new Headers(request.headers);
   for (const [name, value] of request.headers) {
     if (name.startsWith('x-hexclave-')) {
diff --git a/packages/template/src/index.ts b/packages/template/src/index.ts
index 5a0b5160c..55e123cad 100644
--- a/packages/template/src/index.ts
+++ b/packages/template/src/index.ts
@@ -1,6 +1,6 @@
 export * from './lib/stack-app';
 export { getConvexProvidersConfig } from "./integrations/convex";
-// Hexclave aliases — same symbols under the new brand name (see RENAME-TO-HEXCLAVE.md, Tier 1)
+// Hexclave aliases — same symbols under the new brand name
 export type { StackConfig as HexclaveConfig } from "@hexclave/shared/config";
 export { defineStackConfig as defineHexclaveConfig } from "@hexclave/shared/config";
 /** @deprecated Use `HexclaveConfig` instead — same symbol, new brand name. */
@@ -10,7 +10,7 @@ export { defineStackConfig } from "@hexclave/shared/config";
 
 // IF_PLATFORM react-like
 export type { AnalyticsOptions, AnalyticsReplayOptions } from "./lib/stack-app/apps/implementations/session-replay";
-// Hexclave aliases — same symbols under the new brand name (see RENAME-TO-HEXCLAVE.md, Tier 1)
+// Hexclave aliases — same symbols under the new brand name
 export { default as HexclaveHandler } from "./components-page/stack-handler";
 export { useStackApp as useHexclaveApp } from "./lib/hooks";
 export { default as HexclaveProvider } from "./providers/stack-provider";
diff --git a/packages/template/src/lib/stack-app/index.ts b/packages/template/src/lib/stack-app/index.ts
index 2e482be93..16ab21583 100644
--- a/packages/template/src/lib/stack-app/index.ts
+++ b/packages/template/src/lib/stack-app/index.ts
@@ -5,7 +5,7 @@ export {
 } from "./apps";
 
 // Legacy Stack* aliases — same runtime symbols, kept for backwards compatibility.
-// Prefer the Hexclave* equivalents in new code. See RENAME-TO-HEXCLAVE.md (Tier 1).
+// Prefer the Hexclave* equivalents in new code.
 /** @deprecated Use `HexclaveAdminApp` instead — same symbol, new brand name. */
 export { StackAdminApp } from "./apps";
 /** @deprecated Use `HexclaveClientApp` instead — same symbol, new brand name. */