@indigoai-us/hq-cloud 5.1.8 → 5.1.10

package/src/cli/sync.test.ts

@@ -61,7 +61,7 @@ const mockVendResponse = {
 function setupFetchMock() {
   const fetchMock = vi.fn().mockImplementation(async (url: string) => {
     const urlStr = String(url);
-    if (urlStr.includes("/entity/by-slug/")) {
+    if (urlStr.includes("/entity/by-slug/") || /\/entity\/cmp_/.test(urlStr)) {
       return { ok: true, status: 200, json: async () => ({ entity: mockEntity }), text: async () => "" };
     }
     if (urlStr.includes("/sts/vend")) {
@@ -98,7 +98,7 @@ describe("sync", () => {
     delete process.env.HQ_STATE_DIR;
   });
 
-  it("downloads remote files that don't exist locally", async () => {
+  it("downloads remote files under companies/{slug}/ so two companies don't collide", async () => {
     const result = await sync({
       company: "acme",
       vaultConfig: mockConfig,
@@ -107,8 +107,26 @@ describe("sync", () => {
 
     expect(result.filesDownloaded).toBe(2);
     expect(result.aborted).toBe(false);
-    expect(fs.existsSync(path.join(tmpDir, "docs", "handoff.md"))).toBe(true);
-    expect(fs.existsSync(path.join(tmpDir, "knowledge", "readme.md"))).toBe(true);
+    // Scoped under companies/{slug}/
+    expect(fs.existsSync(path.join(tmpDir, "companies", "acme", "docs", "handoff.md"))).toBe(true);
+    expect(fs.existsSync(path.join(tmpDir, "companies", "acme", "knowledge", "readme.md"))).toBe(true);
+    // NOT at hqRoot (pre-fix behavior would have written here and clobbered across companies)
+    expect(fs.existsSync(path.join(tmpDir, "docs", "handoff.md"))).toBe(false);
+    expect(fs.existsSync(path.join(tmpDir, "knowledge", "readme.md"))).toBe(false);
+  });
+
+  it("scopes by resolved ctx.slug even when caller passes a UID", async () => {
+    // mockEntity.slug is "acme" regardless of the ref used; verify resolved
+    // slug drives the local path, not the caller's ref.
+    const result = await sync({
+      company: "cmp_01ABCDEF",
+      vaultConfig: mockConfig,
+      hqRoot: tmpDir,
+    });
+
+    expect(result.filesDownloaded).toBe(2);
+    expect(fs.existsSync(path.join(tmpDir, "companies", "acme", "docs", "handoff.md"))).toBe(true);
+    expect(fs.existsSync(path.join(tmpDir, "companies", "cmp_01ABCDEF", "docs", "handoff.md"))).toBe(false);
   });
 
   it("throws when no company specified and no active company", async () => {
@@ -129,8 +147,9 @@ describe("sync", () => {
   });
 
   it("detects conflicts with local changes and keeps local on --on-conflict keep", async () => {
-    fs.mkdirSync(path.join(tmpDir, "docs"), { recursive: true });
-    fs.writeFileSync(path.join(tmpDir, "docs", "handoff.md"), "local version");
+    const companyDocs = path.join(tmpDir, "companies", "acme", "docs");
+    fs.mkdirSync(companyDocs, { recursive: true });
+    fs.writeFileSync(path.join(companyDocs, "handoff.md"), "local version");
 
     fs.writeFileSync(
       journalPath,
@@ -157,12 +176,13 @@ describe("sync", () => {
 
     expect(result.conflicts).toBe(1);
     expect(result.filesSkipped).toBeGreaterThanOrEqual(1);
-    expect(fs.readFileSync(path.join(tmpDir, "docs", "handoff.md"), "utf-8")).toBe("local version");
+    expect(fs.readFileSync(path.join(companyDocs, "handoff.md"), "utf-8")).toBe("local version");
   });
 
   it("aborts on --on-conflict abort", async () => {
-    fs.mkdirSync(path.join(tmpDir, "docs"), { recursive: true });
-    fs.writeFileSync(path.join(tmpDir, "docs", "handoff.md"), "local version");
+    const companyDocs = path.join(tmpDir, "companies", "acme", "docs");
+    fs.mkdirSync(companyDocs, { recursive: true });
+    fs.writeFileSync(path.join(companyDocs, "handoff.md"), "local version");
 
     fs.writeFileSync(
       journalPath,
@@ -191,8 +211,9 @@ describe("sync", () => {
   });
 
   it("overwrites local on --on-conflict overwrite", async () => {
-    fs.mkdirSync(path.join(tmpDir, "docs"), { recursive: true });
-    fs.writeFileSync(path.join(tmpDir, "docs", "handoff.md"), "local version");
+    const companyDocs = path.join(tmpDir, "companies", "acme", "docs");
+    fs.mkdirSync(companyDocs, { recursive: true });
+    fs.writeFileSync(path.join(companyDocs, "handoff.md"), "local version");
 
     fs.writeFileSync(
       journalPath,
@@ -220,6 +241,6 @@ describe("sync", () => {
     expect(result.conflicts).toBe(1);
     expect(result.filesDownloaded).toBeGreaterThanOrEqual(1);
     // File should be overwritten with mock content
-    expect(fs.readFileSync(path.join(tmpDir, "docs", "handoff.md"), "utf-8")).toBe("mock file content");
+    expect(fs.readFileSync(path.join(companyDocs, "handoff.md"), "utf-8")).toBe("mock file content");
   });
 });

package/src/cli/sync.ts

@@ -74,6 +74,11 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
 
   // Resolve entity context
   let ctx = await resolveEntityContext(companyRef, vaultConfig);
+  // Every company's files land under companies/{slug}/ so fanning out multiple
+  // companies into the same hqRoot doesn't cross-clobber files with overlapping
+  // S3 keys (e.g. every company has a .hq/manifest.json). Remote keys stay
+  // company-relative; the prefix lives only on disk.
+  const companyRoot = path.join(hqRoot, "companies", ctx.slug);
   const shouldSync = createIgnoreFilter(hqRoot);
   const journal = readJournal(ctx.slug);
 
@@ -86,7 +91,7 @@ export async function sync(options: SyncOptions): Promise<SyncResult> {
   const remoteFiles = await listRemoteFiles(ctx);
 
   for (const remoteFile of remoteFiles) {
-    const localPath = path.join(hqRoot, remoteFile.key);
+    const localPath = path.join(companyRoot, remoteFile.key);
 
     // Apply ignore rules
     if (!shouldSync(localPath)) {

package/src/cognito-auth.test.ts

@@ -1,9 +1,9 @@
 /**
  * Unit tests for cognito-auth.ts — focus on the `expiresAt` shape contract.
  *
- * Canonical on-disk shape is ISO 8601 (what both writers emit). The reader
- * also tolerates a raw number (ms since epoch) for forward/backward compat
- * during rollouts, and fails safe on anything unparseable.
+ * Canonical on-disk shape is epoch milliseconds (number). The reader also
+ * tolerates ISO 8601 strings for backward compatibility with pre-migration
+ * token files, and fails safe on anything unparseable.
  */
 
 import * as fs from "fs";
@@ -100,11 +100,21 @@ describe("isExpiring — expiresAt shape tolerance", () => {
 });
 
 // ---------------------------------------------------------------------------
-// Round-trip: writers emit ISO, readers read ISO
+// Round-trip: writers emit epoch-ms, readers read epoch-ms
 // ---------------------------------------------------------------------------
 
 describe("expiresAt shape round-trip", () => {
-  it("saveCachedTokens + loadCachedTokens preserves ISO string shape", async () => {
+  it("saveCachedTokens + loadCachedTokens preserves epoch-ms number shape", async () => {
+    const { saveCachedTokens, loadCachedTokens } = await importModule();
+    const epochMs = Date.now() + 3600 * 1000;
+    saveCachedTokens({ ...baseTokens, expiresAt: epochMs });
+    const loaded = loadCachedTokens();
+    expect(loaded).not.toBeNull();
+    expect(typeof loaded?.expiresAt).toBe("number");
+    expect(loaded?.expiresAt).toBe(epochMs);
+  });
+
+  it("saveCachedTokens + loadCachedTokens tolerates legacy ISO string", async () => {
     const { saveCachedTokens, loadCachedTokens } = await importModule();
     const iso = new Date(Date.now() + 3600 * 1000).toISOString();
     saveCachedTokens({ ...baseTokens, expiresAt: iso });
@@ -112,12 +122,9 @@ describe("expiresAt shape round-trip", () => {
     expect(loaded).not.toBeNull();
     expect(typeof loaded?.expiresAt).toBe("string");
     expect(loaded?.expiresAt).toBe(iso);
-    expect(loaded?.expiresAt).toMatch(
-      /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/,
-    );
   });
 
-  it("refreshTokens writes an ISO string to cache", async () => {
+  it("refreshTokens writes epoch milliseconds to cache", async () => {
     vi.stubGlobal(
       "fetch",
       vi.fn(async () =>
@@ -135,6 +142,7 @@ describe("expiresAt shape round-trip", () => {
     );
 
     const { refreshTokens, loadCachedTokens } = await importModule();
+    const before = Date.now();
     const result = await refreshTokens(
       {
         region: "us-east-1",
@@ -143,14 +151,14 @@ describe("expiresAt shape round-trip", () => {
       },
       "prior-refresh-token",
     );
+    const after = Date.now();
 
-    expect(typeof result.expiresAt).toBe("string");
-    expect(result.expiresAt).toMatch(
-      /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/,
-    );
+    expect(typeof result.expiresAt).toBe("number");
+    expect(result.expiresAt).toBeGreaterThanOrEqual(before + 3600 * 1000);
+    expect(result.expiresAt).toBeLessThanOrEqual(after + 3600 * 1000);
 
     const onDisk = loadCachedTokens();
     expect(onDisk?.expiresAt).toBe(result.expiresAt);
-    expect(typeof onDisk?.expiresAt).toBe("string");
+    expect(typeof onDisk?.expiresAt).toBe("number");
   });
 });

package/src/cognito-auth.ts

@@ -38,14 +38,25 @@ export interface CognitoAuthConfig {
   port?: number;
   /** OAuth scopes. Defaults to ["openid", "email", "profile"]. */
   scopes?: string[];
+  /**
+   * Force a federated IdP (e.g. "Google"). When set, the Hosted UI IdP picker
+   * is bypassed and Cognito redirects straight to the provider. When omitted,
+   * Cognito shows its default picker.
+   */
+  identityProvider?: string;
+  /**
+   * OAuth `prompt` param (e.g. "select_account"). Only meaningful when the IdP
+   * honors it — Google uses it to force account re-selection.
+   */
+  prompt?: string;
 }
 
 export interface CognitoTokens {
   accessToken: string;
   idToken: string;
   refreshToken: string;
-  /** ISO 8601 timestamp when the access token expires. */
-  expiresAt: string;
+  /** Epoch milliseconds when the access token expires. Writers MUST emit a number. Readers accept ISO 8601 strings for backward compatibility with pre-migration token files. */
+  expiresAt: string | number;
   tokenType: "Bearer";
 }
 
@@ -78,7 +89,9 @@ export function saveCachedTokens(tokens: CognitoTokens): void {
   if (!fs.existsSync(HQ_DIR)) {
     fs.mkdirSync(HQ_DIR, { recursive: true, mode: 0o700 });
   }
-  fs.writeFileSync(TOKEN_FILE, JSON.stringify(tokens, null, 2), { mode: 0o600 });
+  const tmpPath = path.join(HQ_DIR, `.cognito-tokens.json.tmp.${process.pid}`);
+  fs.writeFileSync(tmpPath, JSON.stringify(tokens, null, 2), { mode: 0o600 });
+  fs.renameSync(tmpPath, TOKEN_FILE);
 }
 
 export function clearCachedTokens(): void {
@@ -86,11 +99,10 @@ export function clearCachedTokens(): void {
 }
 
 /**
- * Parse `expiresAt` to epoch-ms. Canonical on-disk shape is ISO 8601 (what
- * both writers in this file emit), but older/external writers may have left a
- * raw number. Accept both so a shape mismatch during rollout doesn't wedge
- * sign-in. Returns null for anything unparseable — callers should treat that
- * as "expired" and force a refresh.
+ * Parse `expiresAt` to epoch-ms. Canonical on-disk shape is epoch milliseconds
+ * (number). Older token files may contain ISO 8601 strings. Accept both for
+ * migration safety. Returns null for anything unparseable — callers should
+ * treat that as "expired" and force a refresh.
  */
 function parseExpiresAtMs(raw: unknown): number | null {
   if (typeof raw === "number") return Number.isFinite(raw) ? raw : null;
@@ -158,7 +170,9 @@ export async function browserLogin(
   const { verifier, challenge } = generatePkce();
   const state = base64UrlEncode(crypto.randomBytes(16));
 
-  const authUrl = new URL(`${authBaseUrl(config)}/login`);
+  // Use `/oauth2/authorize` (not `/login`) so `identity_provider` + `prompt`
+  // are honored. `/login` ignores those params and always shows the IdP picker.
+  const authUrl = new URL(`${authBaseUrl(config)}/oauth2/authorize`);
   authUrl.searchParams.set("client_id", config.clientId);
   authUrl.searchParams.set("response_type", "code");
   authUrl.searchParams.set("scope", scopes);
@@ -166,6 +180,12 @@ export async function browserLogin(
   authUrl.searchParams.set("code_challenge", challenge);
   authUrl.searchParams.set("code_challenge_method", "S256");
   authUrl.searchParams.set("state", state);
+  if (config.identityProvider) {
+    authUrl.searchParams.set("identity_provider", config.identityProvider);
+  }
+  if (config.prompt) {
+    authUrl.searchParams.set("prompt", config.prompt);
+  }
 
   const code = await waitForAuthCode(port, state);
   const tokens = await exchangeCodeForTokens(config, code, verifier, port);
@@ -300,7 +320,7 @@ async function exchangeCodeForTokens(
     accessToken: data.access_token,
     idToken: data.id_token,
     refreshToken: data.refresh_token,
-    expiresAt: new Date(Date.now() + data.expires_in * 1000).toISOString(),
+    expiresAt: Date.now() + data.expires_in * 1000,
     tokenType: "Bearer",
   };
 }
@@ -336,7 +356,7 @@ export async function refreshTokens(
     accessToken: data.access_token,
     idToken: data.id_token,
     refreshToken: data.refresh_token ?? currentRefreshToken,
-    expiresAt: new Date(Date.now() + data.expires_in * 1000).toISOString(),
+    expiresAt: Date.now() + data.expires_in * 1000,
     tokenType: "Bearer",
   };
   saveCachedTokens(tokens);

package/src/index.ts

@@ -70,6 +70,7 @@ export type {
   EntityInfo,
   CreateEntityInput,
   CreateEntityResult,
+  PendingInviteByEmail,
 } from "./vault-client.js";
 
 // STS child vending (VLT-8)

package/src/vault-client.test.ts

@@ -387,4 +387,177 @@ describe("API surface", () => {
     const memberships = await client.listMyMemberships();
     expect(memberships).toEqual([]);
   });
+
+  it("listMyPendingInvitesByEmail hits GET /membership/pending-by-email", async () => {
+    fetchSpy.mockResolvedValueOnce(
+      jsonResponse(200, {
+        invites: [
+          {
+            membershipKey: "email:stefan@getindigo.ai#cmp_abc",
+            companyUid: "cmp_abc",
+            role: "owner",
+            invitedBy: "sub-admin",
+            invitedAt: "2026-04-20T00:00:00Z",
+          },
+        ],
+      }),
+    );
+
+    const invites = await client.listMyPendingInvitesByEmail();
+    expect(invites).toHaveLength(1);
+    expect(invites[0].companyUid).toBe("cmp_abc");
+
+    const [url, init] = fetchSpy.mock.calls[0] as [string, RequestInit];
+    expect(url).toBe(
+      "https://vault.test.example.com/membership/pending-by-email",
+    );
+    expect(init.method).toBe("GET");
+  });
+
+  it("listMyPendingInvitesByEmail returns [] when server omits the key", async () => {
+    fetchSpy.mockResolvedValueOnce(jsonResponse(200, {}));
+    const invites = await client.listMyPendingInvitesByEmail();
+    expect(invites).toEqual([]);
+  });
+
+  it("claimPendingInvitesByEmail POSTs personUid to /membership/claim-by-email", async () => {
+    fetchSpy.mockResolvedValueOnce(jsonResponse(200, {}));
+
+    await client.claimPendingInvitesByEmail("ent_person_stefan");
+
+    const [url, init] = fetchSpy.mock.calls[0] as [string, RequestInit];
+    expect(url).toBe(
+      "https://vault.test.example.com/membership/claim-by-email",
+    );
+    expect(init.method).toBe("POST");
+    expect(JSON.parse(init.body as string)).toEqual({
+      personUid: "ent_person_stefan",
+    });
+  });
+});
+
+describe("VaultClient identity bootstrap", () => {
+  let client: VaultClient;
+  let fetchSpy: MockInstance<typeof fetch>;
+
+  beforeEach(() => {
+    fetchSpy = vi.spyOn(globalThis, "fetch");
+    fetchSpy.mockResolvedValue(jsonResponse(200, {}));
+    client = new VaultClient({
+      apiUrl: "https://vault.test.example.com",
+      authToken: "test-token",
+      region: "us-east-1",
+    });
+  });
+
+  afterEach(() => {
+    fetchSpy.mockRestore();
+  });
+
+  it("entity.listByType GETs /entity/by-type/{type}", async () => {
+    fetchSpy.mockResolvedValueOnce(
+      jsonResponse(200, {
+        entities: [
+          {
+            uid: "ent_person_stefan",
+            slug: "stefan-johnson",
+            type: "person",
+            status: "active",
+          },
+        ],
+      }),
+    );
+
+    const entities = await client.entity.listByType("person");
+    expect(entities).toHaveLength(1);
+    const [url] = fetchSpy.mock.calls[0] as [string];
+    expect(url).toBe(
+      "https://vault.test.example.com/entity/by-type/person",
+    );
+  });
+
+  it("entity.listByType returns [] when server omits the key", async () => {
+    fetchSpy.mockResolvedValueOnce(jsonResponse(200, {}));
+    const entities = await client.entity.listByType("person");
+    expect(entities).toEqual([]);
+  });
+
+  it("ensureMyPersonEntity short-circuits when a person entity already exists", async () => {
+    fetchSpy.mockResolvedValueOnce(
+      jsonResponse(200, {
+        entities: [
+          {
+            uid: "ent_person_existing",
+            slug: "already-there",
+            type: "person",
+            status: "active",
+          },
+        ],
+      }),
+    );
+
+    const person = await client.ensureMyPersonEntity({
+      ownerSub: "sub-abc",
+      displayName: "Stefan Johnson",
+    });
+
+    expect(person.uid).toBe("ent_person_existing");
+    // Only one HTTP call — list. No POST /entity.
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+  });
+
+  it("ensureMyPersonEntity POSTs /entity with a slug derived from displayName when none exist", async () => {
+    fetchSpy
+      .mockResolvedValueOnce(jsonResponse(200, { entities: [] }))
+      .mockResolvedValueOnce(
+        jsonResponse(200, {
+          entity: {
+            uid: "ent_person_new",
+            slug: "stefan-johnson",
+            type: "person",
+            status: "active",
+          },
+        }),
+      );
+
+    const person = await client.ensureMyPersonEntity({
+      ownerSub: "sub-abc",
+      displayName: "Stefan Johnson",
+    });
+
+    expect(person.uid).toBe("ent_person_new");
+    expect(fetchSpy).toHaveBeenCalledTimes(2);
+    const [url, init] = fetchSpy.mock.calls[1] as [string, RequestInit];
+    expect(url).toBe("https://vault.test.example.com/entity");
+    expect(init.method).toBe("POST");
+    expect(JSON.parse(init.body as string)).toEqual({
+      type: "person",
+      name: "Stefan Johnson",
+      slug: "stefan-johnson",
+    });
+  });
+
+  it("ensureMyPersonEntity falls back to user-<sub-suffix> when displayName slugifies to empty", async () => {
+    fetchSpy
+      .mockResolvedValueOnce(jsonResponse(200, { entities: [] }))
+      .mockResolvedValueOnce(
+        jsonResponse(200, {
+          entity: {
+            uid: "ent_person_new",
+            slug: "user-12345678",
+            type: "person",
+            status: "active",
+          },
+        }),
+      );
+
+    await client.ensureMyPersonEntity({
+      ownerSub: "sub-abcdef12345678",
+      displayName: "!!!",
+    });
+
+    const [, init] = fetchSpy.mock.calls[1] as [string, RequestInit];
+    const body = JSON.parse(init.body as string);
+    expect(body.slug).toBe("user-12345678");
+  });
 });

package/src/vault-client.ts

@@ -105,10 +105,21 @@ export interface EntityInfo {
   uid: string;
   slug: string;
   type: string;
+  /** Human-readable display name — surfaced in UIs that list companies. */
+  name?: string;
   bucketName?: string;
   status: string;
 }
 
+export interface PendingInviteByEmail {
+  membershipKey: string;
+  companyUid: string;
+  role: MembershipRole;
+  inviteToken?: string;
+  invitedBy: string;
+  invitedAt: string;
+}
+
 export interface CreateEntityInput {
   type: "person" | "company";
   slug: string;
@@ -238,6 +249,31 @@ export class VaultClient {
     return data.memberships;
   }
 
+  /**
+   * List the caller's email-keyed pending invites. Server reads the email
+   * from the Cognito JWT, so no parameters are needed client-side.
+   *
+   * Used on first sign-in (installer + sync-runner) to detect invites that
+   * were sent to the caller's email before they had a person entity. Pair
+   * with {@link claimPendingInvitesByEmail} to rewrite those rows once the
+   * person exists.
+   */
+  async listMyPendingInvitesByEmail(): Promise<PendingInviteByEmail[]> {
+    const data = await this.get<{ invites: PendingInviteByEmail[] }>(
+      "/membership/pending-by-email",
+    );
+    return data.invites ?? [];
+  }
+
+  /**
+   * Rewrite every email-keyed pending invite for the caller's email so it
+   * becomes personUid-keyed. Idempotent — zero-cost for returning users who
+   * have no pending invites. The caller's email is inferred from the JWT.
+   */
+  async claimPendingInvitesByEmail(personUid: string): Promise<void> {
+    await this.post("/membership/claim-by-email", { personUid });
+  }
+
   async listMembersOfCompany(companyUid: string): Promise<Membership[]> {
     const data = await this.get<{ members: Membership[] }>(
       `/membership/company/${encodeURIComponent(companyUid)}`,
@@ -279,8 +315,50 @@ export class VaultClient {
       const data = await this.post<CreateEntityResult>("/entity", input);
       return data.entity;
     },
+
+    /** Return every entity of `type` owned by the caller (scoped by JWT). */
+    listByType: async (type: string): Promise<EntityInfo[]> => {
+      const data = await this.get<{ entities: EntityInfo[] }>(
+        `/entity/by-type/${encodeURIComponent(type)}`,
+      );
+      return data.entities ?? [];
+    },
   };
 
+  // -- Identity bootstrap ---------------------------------------------------
+
+  /**
+   * Return the caller's person entity, creating it if one does not exist.
+   *
+   * Mirrors the installer's `ensurePersonEntity` bootstrap (`vault-handoff.ts`):
+   * pre-condition for {@link claimPendingInvitesByEmail}, which needs a
+   * concrete `personUid` to rewrite the email-keyed rows against.
+   *
+   * The slug is derived from `displayName`; if slugification yields an empty
+   * string, falls back to `user-<last-8-of-ownerSub>` so the POST always has
+   * a non-empty slug.
+   */
+  async ensureMyPersonEntity(hints: {
+    ownerSub: string;
+    displayName: string;
+  }): Promise<EntityInfo> {
+    const existing = await this.entity.listByType("person");
+    if (existing.length > 0) return existing[0];
+
+    const slug =
+      hints.displayName
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 63) || `user-${hints.ownerSub.slice(-8).toLowerCase()}`;
+
+    return this.entity.create({
+      type: "person",
+      name: hints.displayName,
+      slug,
+    });
+  }
+
   // -- Provisioning operations (VLT-2) -----------------------------------------
 
   async provisionBucket(companyUid: string): Promise<{ bucketName: string; kmsKeyId: string }> {

package/test/invite-flow.integration.test.ts

@@ -57,7 +57,7 @@ describe("parseToken", () => {
   });
 
   it("extracts token from https:// URL", () => {
-    expect(parseToken("https://hq.indigoai.com/accept/tok_xyz")).toBe("tok_xyz");
+    expect(parseToken("https://example.com/accept/tok_xyz")).toBe("tok_xyz");
   });
 
   it("returns raw token unchanged", () => {