§9 comment-density pass over the §9 accretion; two targeted dedupes (the rest authored dense, per the §6/§7/§8 precedent). (1) logger.ts: the requestStore declaration comment restated the file header (ambient per-request Log → deep modules join the trace without threading) and the accessor docs below it — collapsed to a one-line label. (2) security-headers.ts: dropped the redundant 'applied to every response' note above securityHeaders() (the file header + function name already say it). No stale forward-refs remain; README §9 sections left untouched (concise, _(planned)_ already swept in §8). Docs/comments-only; typecheck + 339 units green.

src/logger.ts

@@ -37,8 +37,7 @@ export function createLogger(opts: LoggerOptions = {}): Log {
   });
 }
 
-// The current request's Log, made ambient so deep modules (the Ory clients via tracedFetch, login,
-// jwks) join its trace + correlation without threading a logger through every signature.
+// The ambient per-request Log (see the header); set by runWithLog, read by currentLog/tracedFetch.
 const requestStore = new AsyncLocalStorage<Log>();
 
 // Run `fn` with `log` as the ambient request logger (app.ts wraps each request). currentLog() reads

src/security-headers.ts

@@ -24,7 +24,6 @@ export interface SecurityHeaderOptions {
   secure?: boolean; // https deployment (mirrors SECURE_COOKIES) → also emit HSTS
 }
 
-// The header set applied to every response.
 export function securityHeaders(options: SecurityHeaderOptions = {}): Record<string, string> {
   const headers: Record<string, string> = {
     "content-security-policy": CSP,