- Update module docstrings to concise service descriptions
- Add _require_json() helper to Handler in k_proxy and k_client_portal,
eliminating repetitive try/except JSON-parse blocks in handler methods
- Cache SSL context once in ClientState.__init__ instead of per-request
- Fix: ClientState.enroll() now calls /session/logout on k_proxy before
re-enrolling, so the old server-side session is invalidated rather than
left to expire (discovered via live test where re-register after login
caused subsequent logout to fail with missing bearer token)
- Add targeted comments explaining non-obvious invariants: _gc_locked lock
ownership, _with_direct_ctap2 retry-on-reopen, _require_session None
convention, will_close connection reuse, HTTP/1.1 body-drain requirement,
90 s interactive timeout margin, and enroll session-clearing rationale
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Morten V. Christiansen