docs: align API retry hardening status with implemented helpers

documentation/TODO__Agents.md

@@ -160,8 +160,8 @@ below. The TTL + `verify_in_flight` guards are the current mitigation.
 **Status:** ✅ Completed (2026-05-21)
 
 Recent API helper fixes restored retry/backoff for transient network `TypeError` failures.
-Current remaining gap: timeout-triggered aborts are treated the same as intentional/user
-aborts, so retries are skipped in both `api_get_object.ts` and `api_post_object.ts`.
+Timeout-triggered aborts are now handled separately from intentional/user aborts so the
+retry loop behavior is correct.
 
 **Decision (for now):** Keep the global default timeout at **20s**.
 
@@ -171,6 +171,7 @@ aborts, so retries are skipped in both `api_get_object.ts` and `api_post_object.
   - **Timeout abort** (helper timer): retryable via existing retry loop
 - Timeout classification added with per-attempt timeout flag (not `AbortError` name-only logic).
 - Backoff behavior retained for retryable failures (`2s -> 4s -> 6s -> 8s`, cap 8s).
+- Existing fail-fast class retained for 400/401/403/422, with auth-expired store signaling on 401/403.
 - Validation done:
   - `npx svelte-check` clean
   - API Playwright tests updated/fixed and passing (`v3_api_security.modern`, `v3_api_nested_crud`)
@@ -198,31 +199,39 @@ aborts, so retries are skipped in both `api_get_object.ts` and `api_post_object.
 ---
 
 ### [API] PATCH/DELETE retry hardening — parity with GET/POST
-**Status:** 🚧 In progress (PATCH first, then DELETE)
+**Status:** ✅ Completed (2026-05-21)
 
-Current behavior in `api_patch_object.ts` and `api_delete_object.ts` has retry loops,
-but does not yet have GET/POST parity for abort classification and backoff policy.
+PATCH and DELETE now implement the same retry-classification model used in GET/POST,
+including timeout abort separation and capped retry backoff.
 
-**Plan (sequenced):**
-- **Step 1 (now): PATCH parity**
-  - Add timeout-vs-intentional abort separation.
-  - Retry only timeout/network transient class.
-  - Keep fail-fast behavior for 400/401/403/422.
-  - Add capped backoff (`2s -> 4s -> 6s -> 8s`).
-- **Step 2 (after PATCH validation): DELETE parity**
-  - Apply same classification and backoff strategy.
-  - Preserve existing delete semantics for client/auth failures.
+**Implemented:**
+- PATCH:
+  - Per-attempt timeout controller with explicit timeout-abort flag.
+  - Retries timeout/network transient failures only.
+  - Intentional caller aborts fail fast (no retry).
+  - Fail-fast retained for 400/401/403/422.
+  - Backoff capped at `2s -> 4s -> 6s -> 8s`.
+- DELETE:
+  - Same timeout-vs-intentional abort separation.
+  - Same retry class for timeout/network transient failures.
+  - Same caller-abort fail-fast behavior.
+  - Explicit fail-fast for 400/401/403/422.
+  - Backoff capped at `2s -> 4s -> 6s -> 8s`.
 
 **Mutation safety note:**
 - PATCH/DELETE can have ambiguous commit state on timeout. Current policy is conservative:
   retries target obvious transient failure class (timeout/network), while caller aborts remain
   fail-fast to avoid duplicate side effects during navigation/unmount flows.
 
+**Primary files:**
+- `src/lib/ae_api/api_patch_object.ts`
+- `src/lib/ae_api/api_delete_object.ts`
+
 **Acceptance criteria:**
-- PATCH and DELETE timeout-aborts retry under capped backoff.
-- Caller/navigation aborts do not retry.
-- No regression for 400/401/403/422 fail-fast behavior.
-- `npx svelte-check` clean, API-focused Playwright tests remain green.
+- ✅ PATCH and DELETE timeout-aborts retry under capped backoff.
+- ✅ Caller/navigation aborts do not retry.
+- ✅ No regression for 400/401/403/422 fail-fast behavior.
+- ✅ `npx svelte-check` clean, API-focused Playwright tests remained green during rollout.
 
 ---