merge_policy: handle and test when a bypass is unnecessary
The logic did not consider when a token is possible, but not provided. Only make noise about an invalid token being provided when one is actually provided and test the behavior.
The logic did not consider when a token is possible, but not provided. Only make noise about an invalid token being provided when one is actually provided and test the behavior.