@@ -43,15 +43,15 @@ use tracing::{debug, info, warn};
4343pub type AuthedChannel = InterceptedService < Channel , AuthInterceptor > ;
4444
4545/// Shared, refreshable Bearer header. All [`AuthInterceptor`] clones read
46- /// the same slot, so the PR-5 refresh task can rotate the token in place
47- /// without rebuilding the channel.
46+ /// the same slot, so the renewal task can replace the token in place without
47+ /// rebuilding the channel.
4848type TokenSlot = Arc < RwLock < AsciiMetadataValue > > ;
4949
5050/// Process-wide token slot. Initialized by the first [`connect_channel`]
51- /// call and shared with every subsequent client + the refresh loop.
51+ /// call and shared with every subsequent client and the renewal loop.
5252static TOKEN_SLOT : OnceLock < TokenSlot > = OnceLock :: new ( ) ;
5353
54- /// One-shot guard so the refresh loop spawns at most once per process.
54+ /// One-shot guard so the renewal loop spawns at most once per process.
5555static REFRESH_SPAWNED : OnceLock < ( ) > = OnceLock :: new ( ) ;
5656
5757fn install_token_slot ( token : & str ) -> Result < TokenSlot > {
@@ -68,8 +68,8 @@ fn install_token_slot(token: &str) -> Result<TokenSlot> {
6868}
6969
7070/// gRPC interceptor that injects `authorization: Bearer <token>` on every
71- /// outbound request. The token lives in a shared [`TokenSlot`] so the
72- /// PR-5 refresh task can replace it without rebuilding clients.
71+ /// outbound request. The token lives in a shared [`TokenSlot`] so the renewal
72+ /// task can replace it without rebuilding clients.
7373#[ derive( Clone ) ]
7474pub struct AuthInterceptor {
7575 bearer : TokenSlot ,
@@ -162,9 +162,9 @@ async fn build_plain_channel(endpoint: &str) -> Result<Channel> {
162162/// First call per process resolves the sandbox JWT via the three-step
163163/// lookup (env → file → K8s SA bootstrap exchange) and installs it into
164164/// the process-wide [`TOKEN_SLOT`]. Subsequent calls reuse the cached
165- /// slot — the refresh loop keeps the value fresh, so re-running the
165+ /// slot — the renewal loop keeps the value fresh, so re-running the
166166/// bootstrap is both unnecessary and (on the K8s SA path) expensive
167- /// (one apiserver round-trip per call). The refresh loop itself is
167+ /// (one apiserver round-trip per call). The renewal loop itself is
168168/// spawned once per process via [`REFRESH_SPAWNED`].
169169async fn connect_channel ( endpoint : & str ) -> Result < AuthedChannel > {
170170 let channel = build_plain_channel ( endpoint) . await ?;
@@ -250,7 +250,7 @@ pub async fn connect_channel_pub(endpoint: &str) -> Result<AuthedChannel> {
250250 connect_channel ( endpoint) . await
251251}
252252
253- /// Background task that rotates the sandbox JWT at ~80% of its remaining
253+ /// Background task that renews the sandbox JWT at ~80% of its remaining
254254/// lifetime. The new token replaces the value in [`TOKEN_SLOT`], so all
255255/// in-flight and future clients pick it up on their next request. The
256256/// loop never panics: every failure is logged and re-attempted after a
@@ -270,7 +270,7 @@ async fn refresh_token_loop(channel: AuthedChannel, slot: TokenSlot) {
270270 Ok ( value) => {
271271 if let Ok ( mut guard) = slot. write ( ) {
272272 * guard = value;
273- info ! ( "rotated gateway sandbox JWT in-place" ) ;
273+ info ! ( "renewed gateway sandbox JWT in-place" ) ;
274274 }
275275 }
276276 Err ( e) => warn ! ( error = %e, "refreshed JWT contained invalid header bytes" ) ,
0 commit comments