diff --git a/sh/shared/github-auth.sh b/sh/shared/github-auth.sh
index 674c793b..15135bec 100755
--- a/sh/shared/github-auth.sh
+++ b/sh/shared/github-auth.sh
@@ -39,7 +39,7 @@ _install_gh_brew() {
 
 # Install gh via APT with GitHub's official repository (Debian/Ubuntu)
 _install_gh_apt() {
-    # Use sudo only when not already root (Fly.io containers run as root)
+    # Use sudo only when not already root (some cloud containers run as root)
     local SUDO=""
     if [[ "$(id -u)" -ne 0 ]]; then SUDO="sudo"; fi
 
diff --git a/sh/shared/key-request.sh b/sh/shared/key-request.sh
index e247999f..33e64fda 100644
--- a/sh/shared/key-request.sh
+++ b/sh/shared/key-request.sh
@@ -121,8 +121,8 @@ process.stdout.write(d[process.env._VAR] || d.api_key || d.token || '');
             # downstream in unquoted expansions, eval contexts, or logging
             # Allow alphanumeric plus safe chars needed by real tokens:
             #   - _ . / @  (standard API key chars)
-            #   : + =      (base64 segments, URL-style formats)
-            #   space       (Fly.io "FlyV1 <macaroon>" prefixed tokens)
+            #   : + =      (base64 segments, URL-safe and base64 formats)
+            #   space       (prefixed token formats, e.g., "Bearer <token>")
             # Must match CLI's loadTokenFromConfig regex in cli/src/digitalocean/digitalocean.ts
             if [[ ! "${val}" =~ ^[a-zA-Z0-9._/@:+=\ -]+$ ]]; then
                 log "SECURITY: Invalid characters in config value for ${var_name}"