Remove legacy Patchbay flow signature

apps/flow-backend-systemd-local/src/signature.ts

@@ -14,5 +14,5 @@ export function verifyBodySignature(secret: string, body: string, signature: str
 }
 
 export function requestSignature(headers: Headers): string | null {
-	return headers.get("x-flow-signature-256") ?? headers.get("x-patch-flow-signature-256") ?? headers.get("x-patchbay-flow-signature-256");
+	return headers.get("x-flow-signature-256") ?? headers.get("x-patch-flow-signature-256");
 }

apps/flow-backend-systemd-local/test/backend.test.ts

@@ -16,10 +16,9 @@ test("signs and verifies dispatch bodies", () => {
 	expect(verifyBodySignature("secret", `${body}\n`, signature)).toBe(false);
 });
 
-test("reads generic, Patch, and legacy Patchbay dispatch signatures", () => {
+test("reads generic and Patch dispatch signatures", () => {
 	expect(requestSignature(new Headers({ "x-flow-signature-256": "sha256=generic" }))).toBe("sha256=generic");
 	expect(requestSignature(new Headers({ "x-patch-flow-signature-256": "sha256=patch" }))).toBe("sha256=patch");
-	expect(requestSignature(new Headers({ "x-patchbay-flow-signature-256": "sha256=legacy" }))).toBe("sha256=legacy");
 });
 
 test("dispatches matching flow steps and records runs", async () => {

docs/flows.md

@@ -143,8 +143,7 @@ Endpoints:
 
 When `CODEX_FLOW_BACKEND_SECRET` is configured, HTTP dispatches must include an
 HMAC SHA-256 body signature. The preferred header is `x-flow-signature-256`;
-`x-patch-flow-signature-256` and the legacy `x-patchbay-flow-signature-256`
-are accepted during the Patch migration.
+`x-patch-flow-signature-256` is also accepted for Patch dispatches.
 
 The CLI exposes the same operational surface: