[js] gga example app: prune dead flows + stale PR-number comments (#28473)

## What
Prune dead / reject-only flows and fix stale PR-number comments: demote the EMAIL_OTP "Add second" reject demo and OAUTH rechallenge no-op to Advanced (or remove), fold the duplicate EMAIL_OTP rechallenge into guided login, and reword the stale `"PR #28427:"` / `"PR 4 flow:"` comments to describe behavior.

## Why
P4 example app, PR 3 in `40-example-app-design.md` §2/§5. These flows existed only to exercise reject paths or duplicated a guided step, and the PR-number comments anchor readers to specific (now-irrelevant) PRs rather than describing what the code does. Small, low-risk cleanup independent of the UI restructure.

## Place in the stack
Base: #28472 (session.ts + status chip). Fourth PR of the **P4 example-app** stack.

## Notable points
- Deletions/rewrites only; no new behavior. Reject/no-op demos are demoted, not silently lost.
- Manual test tool; type gate: `build` + `lint`/`format`.

---
Part of the Turnkey login-family migration program. See `sparkcore/sparkcore/grid/docs/login-migration/00-program-plan.md`.

GitOrigin-RevId: 5158156f8af7183ce150e63815e4d2dd563b377b

Author: carsonp6

apps/examples/grid-global-accounts-example-app/index.html

@@ -235,10 +235,10 @@
   <body>
     <h1>Grid Global Accounts - Example App</h1>
     <p class="note" style="margin-bottom: 12px">
-      Signed-retry flows show the <code>requestId</code> /
-      <code>payloadToSign</code> from step 1 so you can inspect them before
-      step 2 forwards with
-      <code>Grid-Wallet-Signature: sandbox-valid-signature</code>.
+      Pick a mode at the top. Signed-retry flows are two-step — step 1 issues a
+      202 challenge (<code>requestId</code> / <code>payloadToSign</code> you can
+      inspect), step 2 forwards a <code>Grid-Wallet-Signature</code>: a magic
+      value in sandbox, a real session stamp in production.
     </p>
 
     <!-- ========== Shared Setup ========== -->
@@ -446,21 +446,12 @@ <h3>Verify → session (secure OTP)</h3>
 
         <div class="subsection">
           <h3>
-            Rechallenge (re-issue OTP)
-          </h3>
-          <p class="note">Uses Credential ID from Wallet Context.</p>
-          <button id="btn-email_otp-rechallenge">Rechallenge</button>
-          <div id="email_otp-rechallenge-status"></div>
-        </div>
-
-        <div class="subsection">
-          <h3>
-            Add second EMAIL_OTP via signed retry
+            Add second EMAIL_OTP (expected-reject demo)
           </h3>
           <p class="note">
-            Rejects because one EMAIL_OTP already attached — step 1 exercises
-            the reject path. Remove the first EMAIL_OTP to test the full add
-            flow.
+            Not a happy path. Rejects because one EMAIL_OTP is already attached
+            — step 1 exercises the reject path. Remove the first EMAIL_OTP to
+            test the full add flow.
           </p>
           <button id="btn-email_otp-add-issue">1. Issue add challenge</button>
           <div id="email_otp-add-issue-status"></div>
@@ -578,15 +569,6 @@ <h3>Verify → session</h3>
           <div id="oauth-verify-status"></div>
         </div>
 
-        <div class="subsection">
-          <h3>Rechallenge</h3>
-          <p class="note">
-            OAUTH rechallenge is a no-op — just returns AuthMethod.
-          </p>
-          <button id="btn-oauth-rechallenge">Rechallenge</button>
-          <div id="oauth-rechallenge-status"></div>
-        </div>
-
         <div class="subsection">
           <h3>
             Add additional OAUTH via signed retry
@@ -732,9 +714,9 @@ <h3>Create credential</h3>
         <div class="subsection">
           <h3>Session challenge</h3>
           <p class="note">
-            PR 4 flow: <code>/challenge</code> returns
+            <code>/challenge</code> returns
             <code>challenge = sha256(CREATE_READ_WRITE_SESSION body)</code> +
-            <code>requestId</code>. Client signs the challenge via WebAuthn.
+            <code>requestId</code>. The client signs the challenge via WebAuthn.
           </p>
           <label for="passkey-challenge-pubkey">Client Public Key (hex)</label>
           <input

apps/examples/grid-global-accounts-example-app/src/flows/email-otp.ts

@@ -1,4 +1,4 @@
-// EMAIL_OTP lifecycle: create, secure-OTP challenge/verify, rechallenge, add.
+// EMAIL_OTP lifecycle: create, secure-OTP challenge/verify, add.
 
 import { generateP256KeyPair } from "@turnkey/crypto";
 
@@ -134,22 +134,6 @@ export function wireEmailOtpFlows(): void {
     },
   );
 
-  bindClick(
-    "btn-email_otp-rechallenge",
-    "email_otp-rechallenge-status",
-    "EMAIL_OTP Rechallenge",
-    "Re-issuing OTP...",
-    async () => {
-      const credId = requireCredentialId();
-      const { data } = await apiPost(
-        `/auth/credentials/${encodeURIComponent(credId)}/challenge`,
-        {},
-      );
-      addLog("EMAIL_OTP Rechallenge", data);
-      return JSON.stringify(data, null, 2);
-    },
-  );
-
   const emailOtpAddRequestId = el<HTMLInputElement>("email_otp-add-request-id");
   bindClick(
     "btn-email_otp-add-issue",

apps/examples/grid-global-accounts-example-app/src/flows/oauth.ts

@@ -1,4 +1,4 @@
-// OAUTH lifecycle: create, verify (→ session), rechallenge (no-op), add.
+// OAUTH lifecycle: create, verify (→ session), add.
 
 import { SANDBOX_SIG } from "../config";
 import { apiPost } from "../api-client";
@@ -61,22 +61,6 @@ export function wireOauthFlows(): void {
     },
   );
 
-  bindClick(
-    "btn-oauth-rechallenge",
-    "oauth-rechallenge-status",
-    "OAUTH Rechallenge",
-    "Running no-op rechallenge...",
-    async () => {
-      const credId = requireCredentialId();
-      const { data } = await apiPost(
-        `/auth/credentials/${encodeURIComponent(credId)}/challenge`,
-        {},
-      );
-      addLog("OAUTH Rechallenge", data);
-      return JSON.stringify(data, null, 2);
-    },
-  );
-
   const oauthAddRequestId = el<HTMLInputElement>("oauth-add-request-id");
   bindClick(
     "btn-oauth-add-issue",

apps/examples/grid-global-accounts-example-app/src/webauthn.ts

@@ -92,8 +92,8 @@ export async function signWithPasskey(
       "No challenge — issue a session challenge (step above) first.",
     );
   }
-  // PR #28427: Turnkey's WebAuthn challenge is the UTF-8 bytes of the
-  // sha256-hex challenge string returned by /challenge — NOT base64url-decoded.
+  // Turnkey's WebAuthn challenge is the UTF-8 bytes of the sha256-hex challenge
+  // string returned by /challenge — NOT base64url-decoded.
   const challenge = new TextEncoder().encode(challengeValue);
   const allowCredentials: PublicKeyCredentialDescriptor[] = credentialId
     ? [{ type: "public-key", id: b64UrlToBytes(credentialId) as BufferSource }]