From 02fef67e53be6c1a478d86f6bb5992298597544a Mon Sep 17 00:00:00 2001
From: AJ ONeal <aj@therootcompany.com>
Date: Mon, 13 Apr 2026 22:57:21 -0600
Subject: [PATCH] fix(auth/csvauth): ID() returns Name only, not Name~hashID
 for tokens

Principal identity is the subject (who), not the credential instance
(which token). The hashID suffix was an internal cache fingerprint that
leaked into the public ID. Callers that need to distinguish individual
token instances must use a separate mechanism.

TSV serialization in ToRecord() still writes Name~hashID when hashID is
set so the credential file round-trips correctly.
---
 auth/csvauth/credential.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/auth/csvauth/credential.go b/auth/csvauth/credential.go
index 2026913..e9529a6 100644
--- a/auth/csvauth/credential.go
+++ b/auth/csvauth/credential.go
@@ -57,9 +57,6 @@ type Credential struct {
 }
 
 func (c *Credential) ID() string {
-	if c.Purpose == PurposeToken {
-		return c.Name + hashIDSep + c.hashID
-	}
 	return c.Name
 }