Permissions aren’t available from the context object in rules as you have likely noticed. You could infer from your roles what permissions should be added. I think this is the intended relationship between roles and permissions, so you don’t have to include a group of permissions in a token. Just the user’s roles.
You could also make a call to the management api to see what permissions are associated with which role.
Thanks,
Dan