From 918be53a30feb29b18bcf16b74425ab5f5f61543 Mon Sep 17 00:00:00 2001
From: Chummy <chumyin0912@gmail.com>
Date: Wed, 18 Feb 2026 15:30:03 +0800
Subject: [PATCH] test(security): harden token format regression coverage

---
 src/security/pairing.rs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/security/pairing.rs b/src/security/pairing.rs
index f7f34f5..a9c4a37 100644
--- a/src/security/pairing.rs
+++ b/src/security/pairing.rs
@@ -416,10 +416,17 @@ mod tests {
     }
 
     #[test]
-    fn generate_token_has_prefix() {
+    fn generate_token_has_prefix_and_hex_payload() {
         let token = generate_token();
-        assert!(token.starts_with("zc_"));
-        assert!(token.len() > 10);
+        let payload = token
+            .strip_prefix("zc_")
+            .expect("Generated token should include zc_ prefix");
+
+        assert_eq!(payload.len(), 64, "Token payload should be 32 bytes in hex");
+        assert!(
+            payload.chars().all(|c| c.is_ascii_hexdigit()),
+            "Token payload should be lowercase hex"
+        );
     }
 
     // ── Brute force protection ───────────────────────────────