@vellumai/assistant 0.4.13 → 0.4.15

package/src/runtime/auth/__tests__/route-policy.test.ts

@@ -0,0 +1,166 @@
+/**
+ * Tests for route policy enforcement (enforcePolicy).
+ *
+ * Covers:
+ * - Unregistered endpoints return null (allowed)
+ * - Principal type check denies disallowed types
+ * - Scope check denies missing scopes
+ * - Allowed requests return null
+ * - Channel inbound requires svc_gateway principal type
+ * - Dev bypass allows all requests through
+ */
+
+import { describe, expect, mock, test } from 'bun:test';
+
+mock.module('../../../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+
+// Track auth bypass state for tests
+let authDisabled = false;
+mock.module('../../../config/env.js', () => ({
+  isHttpAuthDisabled: () => authDisabled,
+  hasUngatedHttpAuthDisabled: () => false,
+}));
+
+import { enforcePolicy, getPolicy } from '../route-policy.js';
+import type { AuthContext, Scope } from '../types.js';
+
+/** Build a synthetic AuthContext for testing. */
+function buildTestContext(overrides?: {
+  principalType?: AuthContext['principalType'];
+  scopes?: Scope[];
+}): AuthContext {
+  return {
+    subject: 'actor:self:test-principal',
+    principalType: overrides?.principalType ?? 'actor',
+    assistantId: 'self',
+    actorPrincipalId: 'test-principal',
+    scopeProfile: 'actor_client_v1',
+    scopes: new Set(overrides?.scopes ?? ['chat.read', 'chat.write', 'approval.read', 'approval.write']),
+    policyEpoch: 1,
+  };
+}
+
+describe('enforcePolicy', () => {
+  test('returns null for unregistered endpoints (no policy)', () => {
+    authDisabled = false;
+    const ctx = buildTestContext();
+    const result = enforcePolicy('nonexistent/endpoint', ctx);
+    expect(result).toBeNull();
+  });
+
+  test('returns null when actor context has required scopes and type', () => {
+    authDisabled = false;
+    const ctx = buildTestContext({ scopes: ['chat.read', 'chat.write'] });
+    const result = enforcePolicy('messages:POST', ctx);
+    expect(result).toBeNull();
+  });
+
+  test('returns 403 when principal type is not allowed', () => {
+    authDisabled = false;
+    // channels/inbound requires svc_gateway, not actor
+    const ctx = buildTestContext({ principalType: 'actor', scopes: ['ingress.write'] });
+    const result = enforcePolicy('channels/inbound', ctx);
+    expect(result).not.toBeNull();
+    expect(result!.status).toBe(403);
+    const _body = result!.json();
+    // Response.json() returns a promise
+  });
+
+  test('returns 403 when required scope is missing', () => {
+    authDisabled = false;
+    // messages:POST requires chat.write, we only provide chat.read
+    const ctx = buildTestContext({ scopes: ['chat.read'] });
+    const result = enforcePolicy('messages:POST', ctx);
+    expect(result).not.toBeNull();
+    expect(result!.status).toBe(403);
+  });
+
+  test('channel inbound requires svc_gateway principal type', () => {
+    authDisabled = false;
+    const policy = getPolicy('channels/inbound');
+    expect(policy).toBeDefined();
+    expect(policy!.allowedPrincipalTypes).toContain('svc_gateway');
+    expect(policy!.allowedPrincipalTypes).not.toContain('actor');
+    expect(policy!.requiredScopes).toContain('ingress.write');
+  });
+
+  test('channel inbound allows svc_gateway with ingress.write', () => {
+    authDisabled = false;
+    const ctx = buildTestContext({
+      principalType: 'svc_gateway',
+      scopes: ['ingress.write', 'internal.write'],
+    });
+    const result = enforcePolicy('channels/inbound', ctx);
+    expect(result).toBeNull();
+  });
+
+  test('internal endpoints require svc_gateway principal type', () => {
+    authDisabled = false;
+    const policy = getPolicy('internal/twilio/voice-webhook');
+    expect(policy).toBeDefined();
+    expect(policy!.allowedPrincipalTypes).toContain('svc_gateway');
+    expect(policy!.allowedPrincipalTypes).not.toContain('actor');
+    expect(policy!.requiredScopes).toContain('internal.write');
+  });
+
+  test('internal endpoints deny actor principal type', () => {
+    authDisabled = false;
+    const ctx = buildTestContext({
+      principalType: 'actor',
+      scopes: ['internal.write'],
+    });
+    const result = enforcePolicy('internal/twilio/voice-webhook', ctx);
+    expect(result).not.toBeNull();
+    expect(result!.status).toBe(403);
+  });
+
+  test('standard actor endpoints allow actor, svc_gateway, and ipc', () => {
+    authDisabled = false;
+    const policy = getPolicy('messages:POST');
+    expect(policy).toBeDefined();
+    expect(policy!.allowedPrincipalTypes).toContain('actor');
+    expect(policy!.allowedPrincipalTypes).toContain('svc_gateway');
+    expect(policy!.allowedPrincipalTypes).toContain('ipc');
+  });
+
+  test('dev bypass allows all requests through regardless of policy', () => {
+    authDisabled = true;
+    // Actor trying to access channels/inbound (which requires svc_gateway)
+    const ctx = buildTestContext({ principalType: 'actor', scopes: [] });
+    const result = enforcePolicy('channels/inbound', ctx);
+    expect(result).toBeNull();
+    authDisabled = false;
+  });
+
+  test('approval endpoints require approval.write scope', () => {
+    authDisabled = false;
+    const policy = getPolicy('confirm');
+    expect(policy).toBeDefined();
+    expect(policy!.requiredScopes).toContain('approval.write');
+  });
+
+  test('guardian-actions/pending requires approval.read scope', () => {
+    authDisabled = false;
+    const policy = getPolicy('guardian-actions/pending');
+    expect(policy).toBeDefined();
+    expect(policy!.requiredScopes).toContain('approval.read');
+  });
+
+  test('guardian-actions/decision requires approval.write scope', () => {
+    authDisabled = false;
+    const policy = getPolicy('guardian-actions/decision');
+    expect(policy).toBeDefined();
+    expect(policy!.requiredScopes).toContain('approval.write');
+  });
+
+  test('events endpoint requires chat.read scope', () => {
+    authDisabled = false;
+    const policy = getPolicy('events');
+    expect(policy).toBeDefined();
+    expect(policy!.requiredScopes).toContain('chat.read');
+  });
+});

package/src/runtime/auth/__tests__/scopes.test.ts

@@ -0,0 +1,109 @@
+import { describe, expect, test } from 'bun:test';
+
+import { hasAllScopes, hasScope, resolveScopeProfile } from '../scopes.js';
+import type { AuthContext, Scope, ScopeProfile } from '../types.js';
+
+/** Utility to create a minimal AuthContext with a given scope profile. */
+function makeCtx(profile: ScopeProfile): AuthContext {
+  return {
+    subject: 'test:self:id',
+    principalType: 'actor',
+    assistantId: 'self',
+    scopeProfile: profile,
+    scopes: resolveScopeProfile(profile),
+    policyEpoch: 1,
+  };
+}
+
+describe('resolveScopeProfile', () => {
+  test('actor_client_v1 includes all client scopes', () => {
+    const scopes = resolveScopeProfile('actor_client_v1');
+    const expected: Scope[] = [
+      'chat.read', 'chat.write',
+      'approval.read', 'approval.write',
+      'settings.read', 'settings.write',
+      'attachments.read', 'attachments.write',
+      'calls.read', 'calls.write',
+      'feature_flags.read', 'feature_flags.write',
+    ];
+    for (const s of expected) {
+      expect(scopes.has(s)).toBe(true);
+    }
+    expect(scopes.size).toBe(expected.length);
+  });
+
+  test('actor_client_v1 does not include server-only scopes', () => {
+    const scopes = resolveScopeProfile('actor_client_v1');
+    expect(scopes.has('ingress.write')).toBe(false);
+    expect(scopes.has('internal.write')).toBe(false);
+    expect(scopes.has('ipc.all')).toBe(false);
+  });
+
+  test('gateway_ingress_v1 includes ingress and internal scopes', () => {
+    const scopes = resolveScopeProfile('gateway_ingress_v1');
+    expect(scopes.has('ingress.write')).toBe(true);
+    expect(scopes.has('internal.write')).toBe(true);
+    expect(scopes.size).toBe(2);
+  });
+
+  test('gateway_service_v1 includes chat, settings, attachments, and internal scopes', () => {
+    const scopes = resolveScopeProfile('gateway_service_v1');
+    expect(scopes.has('chat.write')).toBe(true);
+    expect(scopes.has('settings.read')).toBe(true);
+    expect(scopes.has('settings.write')).toBe(true);
+    expect(scopes.has('attachments.read')).toBe(true);
+    expect(scopes.has('attachments.write')).toBe(true);
+    expect(scopes.has('internal.write')).toBe(true);
+    expect(scopes.size).toBe(6);
+  });
+
+  test('ipc_v1 includes only ipc.all', () => {
+    const scopes = resolveScopeProfile('ipc_v1');
+    expect(scopes.has('ipc.all')).toBe(true);
+    expect(scopes.size).toBe(1);
+  });
+});
+
+describe('hasScope', () => {
+  test('returns true for a scope the profile includes', () => {
+    const ctx = makeCtx('actor_client_v1');
+    expect(hasScope(ctx, 'chat.read')).toBe(true);
+  });
+
+  test('returns false for a scope the profile excludes', () => {
+    const ctx = makeCtx('actor_client_v1');
+    expect(hasScope(ctx, 'ingress.write')).toBe(false);
+  });
+
+  test('returns true for ipc.all on ipc_v1 profile', () => {
+    const ctx = makeCtx('ipc_v1');
+    expect(hasScope(ctx, 'ipc.all')).toBe(true);
+  });
+});
+
+describe('hasAllScopes', () => {
+  test('returns true when all requested scopes are present', () => {
+    const ctx = makeCtx('actor_client_v1');
+    expect(hasAllScopes(ctx, 'chat.read', 'chat.write', 'approval.read')).toBe(true);
+  });
+
+  test('returns false when any requested scope is missing', () => {
+    const ctx = makeCtx('actor_client_v1');
+    expect(hasAllScopes(ctx, 'chat.read', 'ingress.write')).toBe(false);
+  });
+
+  test('returns true for empty scope list', () => {
+    const ctx = makeCtx('actor_client_v1');
+    expect(hasAllScopes(ctx)).toBe(true);
+  });
+
+  test('returns true for single present scope', () => {
+    const ctx = makeCtx('gateway_ingress_v1');
+    expect(hasAllScopes(ctx, 'ingress.write')).toBe(true);
+  });
+
+  test('returns false for single absent scope', () => {
+    const ctx = makeCtx('gateway_ingress_v1');
+    expect(hasAllScopes(ctx, 'chat.read')).toBe(false);
+  });
+});

package/src/runtime/auth/__tests__/subject.test.ts

@@ -0,0 +1,149 @@
+import { describe, expect, test } from 'bun:test';
+
+import { parseSub } from '../subject.js';
+
+describe('parseSub', () => {
+  // -------------------------------------------------------------------------
+  // actor pattern
+  // -------------------------------------------------------------------------
+
+  test('parses actor:<assistantId>:<actorPrincipalId>', () => {
+    const result = parseSub('actor:self:principal-abc');
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.principalType).toBe('actor');
+      expect(result.assistantId).toBe('self');
+      expect(result.actorPrincipalId).toBe('principal-abc');
+      expect(result.sessionId).toBeUndefined();
+    }
+  });
+
+  test('parses actor pattern with complex ids', () => {
+    const result = parseSub('actor:asst-uuid-123:principal-uuid-456');
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.principalType).toBe('actor');
+      expect(result.assistantId).toBe('asst-uuid-123');
+      expect(result.actorPrincipalId).toBe('principal-uuid-456');
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // svc:gateway pattern
+  // -------------------------------------------------------------------------
+
+  test('parses svc:gateway:<assistantId>', () => {
+    const result = parseSub('svc:gateway:self');
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.principalType).toBe('svc_gateway');
+      expect(result.assistantId).toBe('self');
+      expect(result.actorPrincipalId).toBeUndefined();
+      expect(result.sessionId).toBeUndefined();
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // ipc pattern
+  // -------------------------------------------------------------------------
+
+  test('parses ipc:<assistantId>:<sessionId>', () => {
+    const result = parseSub('ipc:self:session-xyz');
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.principalType).toBe('ipc');
+      expect(result.assistantId).toBe('self');
+      expect(result.sessionId).toBe('session-xyz');
+      expect(result.actorPrincipalId).toBeUndefined();
+    }
+  });
+
+  // -------------------------------------------------------------------------
+  // Malformed input
+  // -------------------------------------------------------------------------
+
+  test('fails on empty string', () => {
+    const result = parseSub('');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('empty');
+    }
+  });
+
+  test('fails on unrecognized prefix', () => {
+    const result = parseSub('unknown:self:id');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('unrecognized');
+    }
+  });
+
+  test('fails on actor with too few parts', () => {
+    const result = parseSub('actor:self');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('unrecognized');
+    }
+  });
+
+  test('fails on actor with too many parts', () => {
+    const result = parseSub('actor:self:principal:extra');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('unrecognized');
+    }
+  });
+
+  test('fails on actor with empty assistantId', () => {
+    const result = parseSub('actor::principal-abc');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('empty');
+    }
+  });
+
+  test('fails on actor with empty actorPrincipalId', () => {
+    const result = parseSub('actor:self:');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('empty');
+    }
+  });
+
+  test('fails on svc:gateway with empty assistantId', () => {
+    const result = parseSub('svc:gateway:');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('empty');
+    }
+  });
+
+  test('fails on svc with wrong second part', () => {
+    const result = parseSub('svc:other:self');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('unrecognized');
+    }
+  });
+
+  test('fails on ipc with empty sessionId', () => {
+    const result = parseSub('ipc:self:');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('empty');
+    }
+  });
+
+  test('fails on ipc with empty assistantId', () => {
+    const result = parseSub('ipc::session-abc');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('empty');
+    }
+  });
+
+  test('fails on bare prefix with no colons', () => {
+    const result = parseSub('actor');
+    expect(result.ok).toBe(false);
+  });
+});

package/src/runtime/auth/__tests__/token-service.test.ts

@@ -0,0 +1,263 @@
+import { mkdtempSync, realpathSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { afterAll, beforeEach, describe, expect, mock, test } from 'bun:test';
+
+const testDir = realpathSync(mkdtempSync(join(tmpdir(), 'auth-token-test-')));
+
+mock.module('../../../util/platform.js', () => ({
+  getRootDir: () => testDir,
+  getDataDir: () => testDir,
+  getDbPath: () => join(testDir, 'test.db'),
+  normalizeAssistantId: (id: string) => id === 'self' ? 'self' : id,
+  isMacOS: () => process.platform === 'darwin',
+  isLinux: () => process.platform === 'linux',
+  isWindows: () => process.platform === 'win32',
+  getSocketPath: () => join(testDir, 'test.sock'),
+  getPidPath: () => join(testDir, 'test.pid'),
+  getLogPath: () => join(testDir, 'test.log'),
+  ensureDataDir: () => {},
+}));
+
+mock.module('../../../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+}));
+
+import { CURRENT_POLICY_EPOCH } from '../policy.js';
+import { hashToken, initAuthSigningKey, mintToken, verifyToken } from '../token-service.js';
+
+const TEST_KEY = Buffer.from('test-signing-key-32-bytes-long!!');
+
+beforeEach(() => {
+  initAuthSigningKey(TEST_KEY);
+});
+
+afterAll(() => {
+  try { rmSync(testDir, { recursive: true, force: true }); } catch {}
+});
+
+describe('mintToken / verifyToken round-trip', () => {
+  test('mint + verify succeeds for valid token targeting vellum-daemon', () => {
+    const token = mintToken({
+      aud: 'vellum-daemon',
+      sub: 'actor:self:principal-abc',
+      scope_profile: 'actor_client_v1',
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 300,
+    });
+
+    expect(token).toBeTruthy();
+    expect(token.split('.').length).toBe(3);
+
+    const result = verifyToken(token, 'vellum-daemon');
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.claims.iss).toBe('vellum-auth');
+      expect(result.claims.aud).toBe('vellum-daemon');
+      expect(result.claims.sub).toBe('actor:self:principal-abc');
+      expect(result.claims.scope_profile).toBe('actor_client_v1');
+      expect(result.claims.policy_epoch).toBe(CURRENT_POLICY_EPOCH);
+      expect(result.claims.iat).toBeDefined();
+      expect(result.claims.jti).toBeDefined();
+    }
+  });
+
+  test('mint + verify succeeds for gateway audience', () => {
+    const token = mintToken({
+      aud: 'vellum-gateway',
+      sub: 'svc:gateway:self',
+      scope_profile: 'gateway_ingress_v1',
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 60,
+    });
+
+    const result = verifyToken(token, 'vellum-gateway');
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.claims.aud).toBe('vellum-gateway');
+      expect(result.claims.sub).toBe('svc:gateway:self');
+    }
+  });
+
+  test('each mint produces a unique jti', () => {
+    const params = {
+      aud: 'vellum-daemon' as const,
+      sub: 'actor:self:p1',
+      scope_profile: 'actor_client_v1' as const,
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 300,
+    };
+
+    const t1 = mintToken(params);
+    const t2 = mintToken(params);
+
+    const r1 = verifyToken(t1, 'vellum-daemon');
+    const r2 = verifyToken(t2, 'vellum-daemon');
+
+    expect(r1.ok).toBe(true);
+    expect(r2.ok).toBe(true);
+    if (r1.ok && r2.ok) {
+      expect(r1.claims.jti).not.toBe(r2.claims.jti);
+    }
+  });
+});
+
+describe('verifyToken failure cases', () => {
+  test('rejects expired token', () => {
+    const token = mintToken({
+      aud: 'vellum-daemon',
+      sub: 'actor:self:p1',
+      scope_profile: 'actor_client_v1',
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: -10, // already expired
+    });
+
+    const result = verifyToken(token, 'vellum-daemon');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toBe('token_expired');
+    }
+  });
+
+  test('rejects wrong audience', () => {
+    const token = mintToken({
+      aud: 'vellum-daemon',
+      sub: 'actor:self:p1',
+      scope_profile: 'actor_client_v1',
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 300,
+    });
+
+    const result = verifyToken(token, 'vellum-gateway');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('audience_mismatch');
+    }
+  });
+
+  test('rejects malformed token (no dots)', () => {
+    const result = verifyToken('not-a-jwt', 'vellum-daemon');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('malformed_token');
+    }
+  });
+
+  test('rejects malformed token (only 2 parts)', () => {
+    const result = verifyToken('part1.part2', 'vellum-daemon');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toContain('malformed_token');
+    }
+  });
+
+  test('rejects tampered payload', () => {
+    const token = mintToken({
+      aud: 'vellum-daemon',
+      sub: 'actor:self:p1',
+      scope_profile: 'actor_client_v1',
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 300,
+    });
+
+    const parts = token.split('.');
+    // Tamper with the payload
+    parts[1] = parts[1] + 'X';
+    const tampered = parts.join('.');
+
+    const result = verifyToken(tampered, 'vellum-daemon');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toBe('invalid_signature');
+    }
+  });
+
+  test('rejects tampered signature', () => {
+    const token = mintToken({
+      aud: 'vellum-daemon',
+      sub: 'actor:self:p1',
+      scope_profile: 'actor_client_v1',
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 300,
+    });
+
+    const parts = token.split('.');
+    parts[2] = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
+    const tampered = parts.join('.');
+
+    const result = verifyToken(tampered, 'vellum-daemon');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toBe('invalid_signature');
+    }
+  });
+
+  test('rejects token with stale policy epoch', () => {
+    const token = mintToken({
+      aud: 'vellum-daemon',
+      sub: 'actor:self:p1',
+      scope_profile: 'actor_client_v1',
+      policy_epoch: 0, // stale
+      ttlSeconds: 300,
+    });
+
+    const result = verifyToken(token, 'vellum-daemon');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toBe('stale_policy_epoch');
+    }
+  });
+
+  test('rejects token signed with a different key', () => {
+    // Mint with current key
+    const token = mintToken({
+      aud: 'vellum-daemon',
+      sub: 'actor:self:p1',
+      scope_profile: 'actor_client_v1',
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 300,
+    });
+
+    // Switch to a different key
+    initAuthSigningKey(Buffer.from('different-key-32-bytes-longXXXX'));
+
+    const result = verifyToken(token, 'vellum-daemon');
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.reason).toBe('invalid_signature');
+    }
+
+    // Restore original key for remaining tests
+    initAuthSigningKey(TEST_KEY);
+  });
+});
+
+describe('hashToken', () => {
+  test('produces consistent SHA-256 hex digest', () => {
+    const hash1 = hashToken('test-token');
+    const hash2 = hashToken('test-token');
+    expect(hash1).toBe(hash2);
+    expect(hash1.length).toBe(64);
+  });
+
+  test('different tokens produce different hashes', () => {
+    const t1 = mintToken({
+      aud: 'vellum-daemon',
+      sub: 'actor:self:p1',
+      scope_profile: 'actor_client_v1',
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 300,
+    });
+    const t2 = mintToken({
+      aud: 'vellum-daemon',
+      sub: 'actor:self:p2',
+      scope_profile: 'actor_client_v1',
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 300,
+    });
+    expect(hashToken(t1)).not.toBe(hashToken(t2));
+  });
+});