@vellumai/vellum-gateway 0.4.13 → 0.4.15

package/ARCHITECTURE.md

@@ -53,12 +53,12 @@ The gateway exposes a REST API for reading and mutating assistant feature flags.
 
 **Token separation (authentication boundary):**
 
-The assistant feature flags API uses a dedicated token (the **feature-flag token**) stored at `~/.vellum/feature-flag-token`, separate from the **runtime token** (`~/.vellum/http-token`). This separation ensures that clients with feature-flag access cannot access runtime endpoints, and vice versa.
+The assistant feature flags API uses a dedicated feature-flag token stored at `~/.vellum/feature-flag-token`, separate from JWT auth tokens. This separation ensures that clients with feature-flag access cannot access runtime endpoints, and vice versa.
 
 | Operation | Accepted tokens |
 |-----------|----------------|
-| `GET /v1/feature-flags` | Runtime bearer token OR feature-flag token |
-| `PATCH /v1/feature-flags/:key` | Feature-flag token ONLY (runtime token is explicitly rejected) |
+| `GET /v1/feature-flags` | JWT bearer token OR feature-flag token |
+| `PATCH /v1/feature-flags/:key` | Feature-flag token ONLY (JWT bearer tokens are explicitly rejected) |
 
 The feature-flag token is auto-generated on first gateway startup if the file does not exist. The gateway watches the token file for changes and hot-reloads without restart.
 
@@ -90,12 +90,12 @@ Guardian verification endpoints are exposed directly by the gateway and forwarde
 | POST | `/v1/integrations/guardian/outbound/cancel` |
 | POST | `/v1/integrations/guardian/vellum/refresh` |
 
-The `/vellum/refresh` endpoint is the only public ingress for rotating actor + refresh token credentials. Clients must call this through the gateway; the runtime endpoint is not directly exposed. The gateway validates the caller's bearer token and forwards to the runtime, which handles refresh token validation, rotation, and replay detection (see [`assistant/ARCHITECTURE.md`](../assistant/ARCHITECTURE.md) for refresh token lifecycle details).
+The `/vellum/refresh` endpoint is the only public ingress for rotating JWT access + refresh token credentials. Clients must call this through the gateway; the runtime endpoint is not directly exposed. The gateway validates the caller's JWT and forwards to the runtime, which handles refresh token validation, rotation, and replay detection (see [`assistant/ARCHITECTURE.md`](../assistant/ARCHITECTURE.md) for the JWT auth lifecycle).
 
 **Authentication boundary:**
 
-- Gateway validates caller bearer auth against the runtime token.
-- Gateway forwards requests to runtime with the runtime bearer token and `X-Gateway-Origin` proof header.
+- Gateway validates the caller's JWT bearer token.
+- Gateway forwards requests to runtime with a minted JWT (`gateway_service_v1` scope profile).
 - Upstream 4xx/5xx responses are passed through, while connection errors return `502` and timeouts return `504`.
 
 **Key source files:**
@@ -103,7 +103,7 @@ The `/vellum/refresh` endpoint is the only public ingress for rotating actor + r
 | File | Purpose |
 |------|---------|
 | `gateway/src/http/routes/guardian-control-plane-proxy.ts` | Guardian control-plane proxy handlers and upstream forwarding |
-| `gateway/src/index.ts` | Route registration and bearer-auth enforcement for `/v1/integrations/guardian/*` |
+| `gateway/src/index.ts` | Route registration and JWT auth enforcement for `/v1/integrations/guardian/*` |
 
 ### Runtime Health Proxy
 
@@ -111,8 +111,8 @@ Runtime health is exposed directly by the gateway at `GET /v1/health` and forwar
 
 **Authentication boundary:**
 
-- Gateway validates caller bearer auth against the runtime token.
-- Gateway forwards the request to runtime with the runtime bearer token and `X-Gateway-Origin` proof header.
+- Gateway validates the caller's JWT bearer token.
+- Gateway forwards the request to runtime with a minted JWT (`gateway_service_v1` scope profile).
 - Upstream 4xx/5xx responses are passed through, while connection errors return `502` and timeouts return `504`.
 
 **Key source files:**
@@ -147,8 +147,8 @@ Telegram integration setup/config endpoints and ingress members/invites endpoint
 
 **Authentication boundary:**
 
-- Gateway validates caller bearer auth against the runtime token.
-- Gateway forwards requests to runtime with the runtime bearer token and `X-Gateway-Origin` proof header.
+- Gateway validates the caller's JWT bearer token.
+- Gateway forwards requests to runtime with a minted JWT (`gateway_ingress_v1` or `gateway_service_v1` scope profile).
 - Upstream 4xx/5xx responses are passed through, while connection errors return `502` and timeouts return `504`.
 
 **Key source files:**
@@ -183,8 +183,8 @@ Twilio integration setup/config endpoints are exposed directly by the gateway an
 
 **Authentication boundary:**
 
-- Gateway validates caller bearer auth against the runtime token.
-- Gateway forwards requests to runtime with the runtime bearer token and `X-Gateway-Origin` proof header.
+- Gateway validates the caller's JWT bearer token.
+- Gateway forwards requests to runtime with a minted JWT (`gateway_ingress_v1` or `gateway_service_v1` scope profile).
 - Upstream 4xx/5xx responses are passed through, while connection errors return `502` and timeouts return `504`.
 
 **Key source files:**
@@ -207,8 +207,8 @@ Channel readiness endpoints are exposed directly by the gateway and forwarded to
 
 **Authentication boundary:**
 
-- Gateway validates caller bearer auth against the runtime token.
-- Gateway forwards requests to runtime with the runtime bearer token and `X-Gateway-Origin` proof header.
+- Gateway validates the caller's JWT bearer token.
+- Gateway forwards requests to runtime with a minted JWT (`gateway_ingress_v1` or `gateway_service_v1` scope profile).
 - Upstream 4xx/5xx responses are passed through, while connection errors return `502` and timeouts return `504`.
 
 **Key source files:**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/vellum-gateway",
-  "version": "0.4.13",
+  "version": "0.4.15",
   "type": "module",
   "exports": {
     "./twilio/verify": "./src/twilio/verify.ts",

package/src/__tests__/browser-relay-websocket.test.ts

@@ -19,11 +19,8 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeBearerToken: undefined,
-    runtimeGatewayOriginSecret: undefined,
     runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
-    runtimeProxyBearerToken: undefined,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
     runtimeMaxRetries: 2,
@@ -56,9 +53,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     trustProxy: false,
     ...overrides,
   };
-  if (merged.runtimeGatewayOriginSecret === undefined) {
-    merged.runtimeGatewayOriginSecret = merged.runtimeBearerToken;
-  }
   return merged;
 }
 
@@ -104,7 +98,7 @@ describe("createBrowserRelayWebsocketHandler", () => {
   const TEST_TOKEN = "relay-token-abc123";
 
   test("upgrades when token query parameter is valid", () => {
-    const config = makeConfig({ runtimeProxyBearerToken: TEST_TOKEN });
+    const config = makeConfig({});
     const handler = createBrowserRelayWebsocketHandler(config);
     const req = new Request(
       `http://localhost:7830/v1/browser-relay?token=${TEST_TOKEN}`,
@@ -121,7 +115,7 @@ describe("createBrowserRelayWebsocketHandler", () => {
   });
 
   test("returns 401 when token is missing", () => {
-    const config = makeConfig({ runtimeProxyBearerToken: TEST_TOKEN });
+    const config = makeConfig({});
     const handler = createBrowserRelayWebsocketHandler(config);
     const req = new Request("http://localhost:7830/v1/browser-relay", {
       headers: { upgrade: "websocket" },
@@ -138,7 +132,7 @@ describe("createBrowserRelayWebsocketHandler", () => {
   });
 
   test("allows unauthenticated upgrade when runtime proxy auth is disabled", () => {
-    const config = makeConfig({ runtimeProxyRequireAuth: false, runtimeProxyBearerToken: undefined });
+    const config = makeConfig({ runtimeProxyRequireAuth: false});
     const handler = createBrowserRelayWebsocketHandler(config);
     const req = new Request("http://localhost:7830/v1/browser-relay", {
       headers: { upgrade: "websocket" },
@@ -154,7 +148,7 @@ describe("createBrowserRelayWebsocketHandler", () => {
   });
 
   test("returns 403 when non-loopback host is requested from a public peer", () => {
-    const config = makeConfig({ runtimeProxyBearerToken: TEST_TOKEN });
+    const config = makeConfig({});
     const handler = createBrowserRelayWebsocketHandler(config);
     const req = new Request(
       `http://gateway.example.com:7830/v1/browser-relay?token=${TEST_TOKEN}`,
@@ -173,7 +167,7 @@ describe("createBrowserRelayWebsocketHandler", () => {
   });
 
   test("returns 403 for localhost host when peer is public (host spoof prevention)", () => {
-    const config = makeConfig({ runtimeProxyBearerToken: TEST_TOKEN });
+    const config = makeConfig({});
     const handler = createBrowserRelayWebsocketHandler(config);
     const req = new Request(
       `http://localhost:7830/v1/browser-relay?token=${TEST_TOKEN}`,
@@ -191,9 +185,8 @@ describe("createBrowserRelayWebsocketHandler", () => {
     expect(fakeServer.upgrade).not.toHaveBeenCalled();
   });
 
-
   test("allows non-loopback host when peer is private network", () => {
-    const config = makeConfig({ runtimeProxyBearerToken: TEST_TOKEN });
+    const config = makeConfig({});
     const handler = createBrowserRelayWebsocketHandler(config);
     const req = new Request(
       `http://gateway.example.com:7830/v1/browser-relay?token=${TEST_TOKEN}`,
@@ -238,7 +231,6 @@ describe("getBrowserRelayWebsocketHandlers", () => {
       wsType: "browser-relay",
       config: makeConfig({
         assistantRuntimeBaseUrl: "http://runtime.internal:7821",
-        runtimeBearerToken: "runtime-token",
       }),
     });
 

package/src/__tests__/config.test.ts

@@ -74,66 +74,32 @@ describe("config: Telegram-only default mode", () => {
 
 describe("config: runtime proxy flags", () => {
   test("proxy disabled by default", () => {
-    withEnv({ VELLUM_HTTP_TOKEN_PATH: "/nonexistent/http-token" }, () => {
+    withEnv({}, () => {
       const config = loadConfig();
       expect(config.runtimeProxyEnabled).toBe(false);
       expect(config.runtimeProxyRequireAuth).toBe(true);
-      expect(config.runtimeProxyBearerToken).toBeUndefined();
     });
   });
 
-  test("proxy enabled with auth and valid token", () => {
-    withEnv(
-      {
-        GATEWAY_RUNTIME_PROXY_ENABLED: "true",
-        RUNTIME_PROXY_BEARER_TOKEN: "secret-key",
-      },
-      () => {
-        const config = loadConfig();
-        expect(config.runtimeProxyEnabled).toBe(true);
-        expect(config.runtimeProxyRequireAuth).toBe(true);
-        expect(config.runtimeProxyBearerToken).toBe("secret-key");
-      },
-    );
-  });
-
-  test("proxy enabled with auth disabled (no token needed)", () => {
+  test("proxy enabled with auth disabled", () => {
     withEnv(
       {
         GATEWAY_RUNTIME_PROXY_ENABLED: "true",
         GATEWAY_RUNTIME_PROXY_REQUIRE_AUTH: "false",
-        VELLUM_HTTP_TOKEN_PATH: "/nonexistent/http-token",
       },
       () => {
         const config = loadConfig();
         expect(config.runtimeProxyEnabled).toBe(true);
         expect(config.runtimeProxyRequireAuth).toBe(false);
-        expect(config.runtimeProxyBearerToken).toBeUndefined();
       },
     );
   });
 
-  test("proxy enabled with auth required but no token throws", () => {
-    withEnv(
-      {
-        GATEWAY_RUNTIME_PROXY_ENABLED: "true",
-        GATEWAY_RUNTIME_PROXY_REQUIRE_AUTH: "true",
-        VELLUM_HTTP_TOKEN_PATH: "/nonexistent/http-token",
-      },
-      () => {
-        expect(() => loadConfig()).toThrow(
-          "RUNTIME_PROXY_BEARER_TOKEN is required when proxy is enabled with auth required",
-        );
-      },
-    );
-  });
-
-  test("proxy disabled ignores missing token even with auth required", () => {
+  test("proxy disabled ignores auth setting", () => {
     withEnv(
       {
         GATEWAY_RUNTIME_PROXY_ENABLED: "false",
         GATEWAY_RUNTIME_PROXY_REQUIRE_AUTH: "true",
-        VELLUM_HTTP_TOKEN_PATH: "/nonexistent/http-token",
       },
       () => {
         const config = loadConfig();
@@ -146,8 +112,6 @@ describe("config: runtime proxy flags", () => {
     withEnv(
       {
         GATEWAY_RUNTIME_PROXY_ENABLED: "true",
-        RUNTIME_PROXY_BEARER_TOKEN: "my-token",
-        VELLUM_HTTP_TOKEN_PATH: "/nonexistent/http-token",
       },
       () => {
         const config = loadConfig();
@@ -155,112 +119,6 @@ describe("config: runtime proxy flags", () => {
       },
     );
   });
-
-  test("reads bearer token from http-token file when available", () => {
-    /** Verifies the gateway reads the daemon's http-token file for auth. */
-    withEnv(
-      {
-        GATEWAY_RUNTIME_PROXY_ENABLED: "true",
-        VELLUM_HTTP_TOKEN_PATH: "/tmp/test-http-token",
-      },
-      () => {
-        // GIVEN an http-token file exists with a known token
-        writeFileSync("/tmp/test-http-token", "file-based-token\n");
-
-        // WHEN we load the config
-        const config = loadConfig();
-
-        // THEN the bearer token is read from the file (trimmed)
-        expect(config.runtimeProxyBearerToken).toBe("file-based-token");
-
-        // AND cleanup
-        unlinkSync("/tmp/test-http-token");
-      },
-    );
-  });
-
-  test("env var takes precedence over http-token file", () => {
-    /** Verifies that the env var is preferred over the http-token file. */
-    withEnv(
-      {
-        GATEWAY_RUNTIME_PROXY_ENABLED: "true",
-        RUNTIME_PROXY_BEARER_TOKEN: "env-token",
-        VELLUM_HTTP_TOKEN_PATH: "/tmp/test-http-token-priority",
-      },
-      () => {
-        // GIVEN an http-token file exists with a different token than the env var
-        writeFileSync("/tmp/test-http-token-priority", "file-token");
-
-        // WHEN we load the config
-        const config = loadConfig();
-
-        // THEN the env var token takes precedence
-        expect(config.runtimeProxyBearerToken).toBe("env-token");
-
-        // AND cleanup
-        unlinkSync("/tmp/test-http-token-priority");
-      },
-    );
-  });
-
-  test("falls back to env var when http-token file is missing", () => {
-    /** Verifies fallback to RUNTIME_PROXY_BEARER_TOKEN env var. */
-    withEnv(
-      {
-        GATEWAY_RUNTIME_PROXY_ENABLED: "true",
-        RUNTIME_PROXY_BEARER_TOKEN: "env-fallback-token",
-        VELLUM_HTTP_TOKEN_PATH: "/nonexistent/http-token",
-      },
-      () => {
-        // GIVEN the http-token file does not exist
-        // WHEN we load the config
-        const config = loadConfig();
-
-        // THEN the env var token is used as fallback
-        expect(config.runtimeProxyBearerToken).toBe("env-fallback-token");
-      },
-    );
-  });
-});
-
-describe("config: runtime bearer token", () => {
-  test("runtimeBearerToken is undefined when env is unset and http-token file is missing", () => {
-    withEnv({ VELLUM_HTTP_TOKEN_PATH: "/nonexistent/http-token" }, () => {
-      const config = loadConfig();
-      expect(config.runtimeBearerToken).toBeUndefined();
-    });
-  });
-
-  test("runtimeBearerToken is set from RUNTIME_BEARER_TOKEN env var", () => {
-    withEnv({ RUNTIME_BEARER_TOKEN: "rt-secret", VELLUM_HTTP_TOKEN_PATH: "/nonexistent/http-token" }, () => {
-      const config = loadConfig();
-      expect(config.runtimeBearerToken).toBe("rt-secret");
-    });
-  });
-
-  test("runtimeBearerToken is read from http-token file when env var is unset", () => {
-    withEnv({ VELLUM_HTTP_TOKEN_PATH: "/tmp/test-runtime-http-token" }, () => {
-      writeFileSync("/tmp/test-runtime-http-token", "runtime-file-token\n");
-      const config = loadConfig();
-      expect(config.runtimeBearerToken).toBe("runtime-file-token");
-      unlinkSync("/tmp/test-runtime-http-token");
-    });
-  });
-
-  test("RUNTIME_BEARER_TOKEN env var takes precedence over http-token file", () => {
-    withEnv(
-      {
-        RUNTIME_BEARER_TOKEN: "runtime-env-token",
-        VELLUM_HTTP_TOKEN_PATH: "/tmp/test-runtime-http-token-priority",
-      },
-      () => {
-        writeFileSync("/tmp/test-runtime-http-token-priority", "runtime-file-token");
-        const config = loadConfig();
-        expect(config.runtimeBearerToken).toBe("runtime-env-token");
-        unlinkSync("/tmp/test-runtime-http-token-priority");
-      },
-    );
-  });
 });
 
 describe("config: twilio assistant phone number mapping", () => {

package/src/__tests__/guardian-control-plane-proxy.test.ts

@@ -22,11 +22,8 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeBearerToken: "runtime-token",
-    runtimeGatewayOriginSecret: "gateway-origin",
     runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
-    runtimeProxyBearerToken: undefined,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
     runtimeMaxRetries: 2,
@@ -59,9 +56,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     trustProxy: false,
     ...overrides,
   };
-  if (merged.runtimeGatewayOriginSecret === undefined) {
-    merged.runtimeGatewayOriginSecret = merged.runtimeBearerToken;
-  }
   return merged;
 }
 

package/src/__tests__/ingress-control-plane-proxy.test.ts

@@ -22,11 +22,8 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeBearerToken: "runtime-token",
-    runtimeGatewayOriginSecret: "gateway-origin",
     runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
-    runtimeProxyBearerToken: undefined,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
     runtimeMaxRetries: 2,
@@ -59,9 +56,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     trustProxy: false,
     ...overrides,
   };
-  if (merged.runtimeGatewayOriginSecret === undefined) {
-    merged.runtimeGatewayOriginSecret = merged.runtimeBearerToken;
-  }
   return merged;
 }
 

package/src/__tests__/load-guards.test.ts

@@ -12,11 +12,8 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeBearerToken: undefined,
-    runtimeGatewayOriginSecret: undefined,
     runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
-    runtimeProxyBearerToken: undefined,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
     runtimeMaxRetries: 2,
@@ -49,9 +46,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     trustProxy: false,
     ...overrides,
   };
-  if (merged.runtimeGatewayOriginSecret === undefined) {
-    merged.runtimeGatewayOriginSecret = merged.runtimeBearerToken;
-  }
   return merged;
 }
 

package/src/__tests__/oauth-callback.test.ts

@@ -24,11 +24,8 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeBearerToken: "rt-token",
-    runtimeGatewayOriginSecret: undefined,
     runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
-    runtimeProxyBearerToken: undefined,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
     runtimeMaxRetries: 2,
@@ -61,9 +58,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     trustProxy: false,
     ...overrides,
   };
-  if (merged.runtimeGatewayOriginSecret === undefined) {
-    merged.runtimeGatewayOriginSecret = merged.runtimeBearerToken;
-  }
   return merged;
 }
 
@@ -329,7 +323,7 @@ describe("OAuth callback handler", () => {
     );
 
     const handler = createOAuthCallbackHandler(
-      makeConfig({ runtimeBearerToken: undefined }),
+      makeConfig({}),
     );
     const req = new Request(
       `http://localhost:7830/webhooks/oauth/callback?state=${VALID_STATE}&code=c1`,

package/src/__tests__/resolve-assistant.test.ts

@@ -12,11 +12,8 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeBearerToken: undefined,
-    runtimeGatewayOriginSecret: undefined,
     runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
-    runtimeProxyBearerToken: undefined,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
     runtimeMaxRetries: 2,
@@ -49,9 +46,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     trustProxy: false,
     ...overrides,
   };
-  if (merged.runtimeGatewayOriginSecret === undefined) {
-    merged.runtimeGatewayOriginSecret = merged.runtimeBearerToken;
-  }
   return merged;
 }
 

package/src/__tests__/runtime-client.test.ts

@@ -27,11 +27,8 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeBearerToken: undefined,
-    runtimeGatewayOriginSecret: undefined,
     runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
-    runtimeProxyBearerToken: undefined,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
     runtimeMaxRetries: 2,
@@ -64,9 +61,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     trustProxy: false,
     ...overrides,
   };
-  if (merged.runtimeGatewayOriginSecret === undefined) {
-    merged.runtimeGatewayOriginSecret = merged.runtimeBearerToken;
-  }
   return merged;
 }
 
@@ -193,7 +187,7 @@ describe("forwardToRuntime", () => {
       new Response(JSON.stringify(successBody), { status: 200 }),
     );
 
-    const config = makeConfig({ runtimeBearerToken: "my-secret-token" });
+    const config = makeConfig({});
     await forwardToRuntime(config, payload);
 
     const calledInit = (fetchMock.mock.calls[0] as unknown[])[1] as RequestInit;
@@ -270,7 +264,7 @@ describe("forwardTwilioVoiceWebhook", () => {
       }),
     );
 
-    const config = makeConfig({ runtimeBearerToken: "rt-tok" });
+    const config = makeConfig({});
     const params = { CallSid: "CA123", AccountSid: "AC456" };
     const originalUrl = "https://example.com/webhooks/twilio/voice?callSessionId=sess-1";
 
@@ -300,7 +294,7 @@ describe("forwardTwilioStatusWebhook", () => {
   test("sends params to runtime internal status endpoint", async () => {
     fetchMock = mock(async () => new Response(null, { status: 200 }));
 
-    const config = makeConfig({ runtimeBearerToken: "rt-tok" });
+    const config = makeConfig({});
     const params = { CallSid: "CA123", CallStatus: "completed" };
 
     const result = await forwardTwilioStatusWebhook(config, params);
@@ -329,7 +323,7 @@ describe("forwardTwilioConnectActionWebhook", () => {
       }),
     );
 
-    const config = makeConfig({ runtimeBearerToken: "rt-tok" });
+    const config = makeConfig({});
     const params = { CallSid: "CA123" };
 
     const result = await forwardTwilioConnectActionWebhook(config, params);

package/src/__tests__/runtime-health-proxy.test.ts

@@ -22,11 +22,8 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeBearerToken: "runtime-token",
-    runtimeGatewayOriginSecret: "gateway-origin",
     runtimeProxyEnabled: false,
     runtimeProxyRequireAuth: true,
-    runtimeProxyBearerToken: undefined,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
     runtimeMaxRetries: 2,
@@ -59,9 +56,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     trustProxy: false,
     ...overrides,
   };
-  if (merged.runtimeGatewayOriginSecret === undefined) {
-    merged.runtimeGatewayOriginSecret = merged.runtimeBearerToken;
-  }
   return merged;
 }
 

package/src/__tests__/runtime-proxy-auth.test.ts

@@ -1,5 +1,7 @@
-import { describe, test, expect, mock, afterEach } from "bun:test";
+import { describe, test, expect, mock, afterEach, beforeAll } from "bun:test";
 import type { GatewayConfig } from "../config.js";
+import { initSigningKey, mintToken } from "../auth/token-service.js";
+import { CURRENT_POLICY_EPOCH } from "../auth/policy.js";
 
 type FetchFn = (input: string | URL | Request, init?: RequestInit) => Promise<Response>;
 let fetchMock: ReturnType<typeof mock<FetchFn>> = mock(async () => new Response());
@@ -10,7 +12,21 @@ mock.module("../fetch.js", () => ({
 
 const { createRuntimeProxyHandler } = await import("../http/routes/runtime-proxy.js");
 
-const TOKEN = "test-secret-token";
+const TEST_SIGNING_KEY = Buffer.from('test-signing-key-at-least-32-bytes-long');
+initSigningKey(TEST_SIGNING_KEY);
+
+/** Mint a valid edge JWT (aud=vellum-gateway) for test requests. */
+function mintEdgeToken(): string {
+  return mintToken({
+    aud: 'vellum-gateway',
+    sub: 'actor:test-assistant:test-user',
+    scope_profile: 'actor_client_v1',
+    policy_epoch: CURRENT_POLICY_EPOCH,
+    ttlSeconds: 300,
+  });
+}
+
+const TOKEN = mintEdgeToken();
 
 function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
   const merged: GatewayConfig = {
@@ -22,11 +38,8 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     defaultAssistantId: undefined,
     unmappedPolicy: "reject",
     port: 7830,
-    runtimeBearerToken: undefined,
-    runtimeGatewayOriginSecret: undefined,
     runtimeProxyEnabled: true,
     runtimeProxyRequireAuth: true,
-    runtimeProxyBearerToken: TOKEN,
     shutdownDrainMs: 5000,
     runtimeTimeoutMs: 30000,
     runtimeMaxRetries: 2,
@@ -59,9 +72,6 @@ function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
     trustProxy: false,
     ...overrides,
   };
-  if (merged.runtimeGatewayOriginSecret === undefined) {
-    merged.runtimeGatewayOriginSecret = merged.runtimeBearerToken;
-  }
   return merged;
 }
 
@@ -114,7 +124,7 @@ describe("runtime proxy auth enforcement", () => {
     expect(body.ok).toBe(true);
   });
 
-  test("auth required: replaces client authorization with configured bearer token for upstream", async () => {
+  test("auth required: replaces client edge token with exchange token for upstream", async () => {
     let capturedHeaders: Headers | undefined;
     fetchMock = mock(async (_input: string | URL | Request, init?: RequestInit) => {
       capturedHeaders = init?.headers as unknown as Headers;
@@ -130,13 +140,18 @@ describe("runtime proxy auth enforcement", () => {
     });
     await handler(req);
 
-    expect(capturedHeaders!.get("authorization")).toBe(`Bearer ${TOKEN}`);
+    const upstreamAuth = capturedHeaders!.get("authorization");
+    expect(upstreamAuth).toBeTruthy();
+    // The upstream should receive an exchange token (aud=vellum-daemon),
+    // NOT the original edge token.
+    expect(upstreamAuth).toStartWith("Bearer ");
+    expect(upstreamAuth).not.toBe(`Bearer ${TOKEN}`);
   });
 
   test("auth not required: proxies without token", async () => {
     mockUpstream();
     const handler = createRuntimeProxyHandler(
-      makeConfig({ runtimeProxyRequireAuth: false, runtimeProxyBearerToken: undefined }),
+      makeConfig({ runtimeProxyRequireAuth: false}),
     );
     const req = new Request("http://localhost:7830/v1/health");
     const res = await handler(req);