changes from review

Simplify code, remove tests and move related packages

Related-to: #3867

Author: taskbot

pkg/vmcp/server/session_management_v2_integration_test.go

@@ -6,7 +6,6 @@ package server_test
 import (
 	"bytes"
 	"context"
-	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"io"
@@ -29,7 +28,6 @@ import (
 	"github.com/stacklok/toolhive/pkg/vmcp/router"
 	"github.com/stacklok/toolhive/pkg/vmcp/server"
 	vmcpsession "github.com/stacklok/toolhive/pkg/vmcp/session"
-	"github.com/stacklok/toolhive/pkg/vmcp/session/security"
 )
 
 // ---------------------------------------------------------------------------
@@ -113,19 +111,6 @@ func (f *v2FakeMultiSessionFactory) MakeSession(
 		return nil, f.err
 	}
 	baseSession := transportsession.NewStreamableSession("auto-id")
-
-	// Populate token hash metadata to match real session factory behavior.
-	allowAnonymous := vmcpsession.ShouldAllowAnonymous(identity)
-	if identity != nil && identity.Token != "" && !allowAnonymous {
-		testSecret := []byte("integration-test-secret")
-		testSalt := []byte("test-salt-123456")
-		tokenHash := security.HashToken(identity.Token, testSecret, testSalt)
-		baseSession.SetMetadata(vmcpsession.MetadataKeyTokenHash, tokenHash)
-		baseSession.SetMetadata(vmcpsession.MetadataKeyTokenSalt, hex.EncodeToString(testSalt))
-	} else {
-		baseSession.SetMetadata(vmcpsession.MetadataKeyTokenHash, "")
-	}
-
 	sess := newV2FakeMultiSession(baseSession, f.tools)
 	f.lastCreatedSession = sess
 	return sess, nil
@@ -139,21 +124,6 @@ func (f *v2FakeMultiSessionFactory) MakeSessionWithID(
 		return nil, f.err
 	}
 	baseSession := transportsession.NewStreamableSession(id)
-
-	// Populate token hash metadata to match real session factory behavior.
-	// This allows integration tests to verify that hashes (not raw tokens) are stored.
-	if identity != nil && identity.Token != "" && !allowAnonymous {
-		// Use a test HMAC secret and salt for integration tests
-		testSecret := []byte("integration-test-secret")
-		testSalt := []byte("test-salt-123456") // 16 bytes
-		tokenHash := security.HashToken(identity.Token, testSecret, testSalt)
-		baseSession.SetMetadata(vmcpsession.MetadataKeyTokenHash, tokenHash)
-		baseSession.SetMetadata(vmcpsession.MetadataKeyTokenSalt, hex.EncodeToString(testSalt))
-	} else {
-		// Anonymous session
-		baseSession.SetMetadata(vmcpsession.MetadataKeyTokenHash, "")
-	}
-
 	sess := newV2FakeMultiSession(baseSession, f.tools)
 	f.lastCreatedSession = sess
 	return sess, nil

pkg/vmcp/server/sessionmanager/session_manager.go

@@ -165,7 +165,7 @@ func (sm *Manager) CreateSession(
 	// Build the fully-formed MultiSession using the SDK-assigned session ID.
 	// Sessions created with an identity are bound to that identity (allowAnonymous=false).
 	// Sessions created without an identity allow anonymous access (allowAnonymous=true).
-	allowAnonymous := vmcpsession.ShouldAllowAnonymous(identity)
+	allowAnonymous := identity == nil || identity.Token == ""
 	sess, err := sm.factory.MakeSessionWithID(ctx, sessionID, identity, allowAnonymous, backends)
 	if err != nil {
 		return nil, fmt.Errorf("Manager.CreateSession: failed to create multi-session: %w", err)