identity: subject-wide session management — sessions + logout_all (+8 tests)

api.sx gains sessions(Subject) (enumerate a subject's live sessions) and logout_all(Subject) ("log out everywhere") — revokes and deregisters every session the subject holds, auditing a logout per session, leaving other subjects' sessions untouched. Builds on registry.sessions_for. New tests/session_mgmt.sx. 193/193. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 03:16:21 +00:00
parent db885e15bc
commit b1f9c6bef0
6 changed files with 107 additions and 12 deletions
--- a/lib/identity/api.sx
+++ b/lib/identity/api.sx
--- a/lib/identity/conformance.sh
+++ b/lib/identity/conformance.sh
@@ -44,6 +44,7 @@ SUITES=(
  "device|id-device-test-pass|id-device-test-count"
  "facade|id-facade-test-pass|id-facade-test-count"
  "delegation|id-deleg-test-pass|id-deleg-test-count"
+  "session-mgmt|id-smgmt-test-pass|id-smgmt-test-count"
 )

 cat > "$TMPFILE" << 'EPOCHS'
@@ -83,6 +84,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/tests/device.sx")
 (load "lib/identity/tests/facade.sx")
 (load "lib/identity/tests/delegation.sx")
+(load "lib/identity/tests/session_mgmt.sx")
 (epoch 100)
 (eval "(list id-session-test-pass id-session-test-count)")
 (epoch 101)
@@ -115,6 +117,8 @@ cat > "$TMPFILE" << 'EPOCHS'
 (eval "(list id-facade-test-pass id-facade-test-count)")
 (epoch 115)
 (eval "(list id-deleg-test-pass id-deleg-test-count)")
+(epoch 116)
+(eval "(list id-smgmt-test-pass id-smgmt-test-count)")
 EPOCHS

 timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
--- a/lib/identity/scoreboard.json
+++ b/lib/identity/scoreboard.json
@@ -1,7 +1,7 @@
 {
  "language": "identity",
-  "total_pass": 185,
-  "total": 185,
+  "total_pass": 193,
+  "total": 193,
  "suites": [
    {"name":"session","pass":11,"total":11,"status":"ok"},
    {"name":"token","pass":24,"total":24,"status":"ok"},
@@ -18,6 +18,7 @@
    {"name":"grants","pass":9,"total":9,"status":"ok"},
    {"name":"device","pass":10,"total":10,"status":"ok"},
    {"name":"facade","pass":9,"total":9,"status":"ok"},
-    {"name":"delegation","pass":8,"total":8,"status":"ok"}
+    {"name":"delegation","pass":8,"total":8,"status":"ok"},
+    {"name":"session-mgmt","pass":8,"total":8,"status":"ok"}
  ]
 }
--- a/lib/identity/scoreboard.md
+++ b/lib/identity/scoreboard.md
@@ -1,6 +1,6 @@
 # identity-on-sx Scoreboard

-**Total: 185 / 185 tests passing**
+**Total: 193 / 193 tests passing**

 |  | Suite | Pass | Total |
 |---|---|---|---|
@@ -20,6 +20,7 @@
 | ✅ | device | 10 | 10 |
 | ✅ | facade | 9 | 9 |
 | ✅ | delegation | 8 | 8 |
+| ✅ | session-mgmt | 8 | 8 |


 Generated by `lib/identity/conformance.sh`.
--- a/lib/identity/tests/session_mgmt.sx
+++ b/lib/identity/tests/session_mgmt.sx
@@ -0,0 +1,81 @@
+;; identity/tests/session_mgmt.sx — subject-wide session management:
+;; enumerate a subject's sessions and \"log out everywhere\".
+
+(define id-smgmt-test-count 0)
+(define id-smgmt-test-pass 0)
+(define id-smgmt-test-fails (list))
+
+(define
+  id-smgmt-test
+  (fn
+    (name actual expected)
+    (set! id-smgmt-test-count (+ id-smgmt-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-smgmt-test-pass (+ id-smgmt-test-pass 1))
+      (append! id-smgmt-test-fails {:name name :expected expected :actual actual}))))
+
+(define idsm-ev erlang-eval-ast)
+(define idsmnm (fn (v) (get v :name)))
+
+(identity-load-all!)
+
+;; ── enumerate a subject's sessions ───────────────────────────────
+
+(id-smgmt-test
+  "sessions lists all of a subject's sessions"
+  (idsm-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, cli, read),\n     length(identity:sessions(Svc, alice))")
+  2)
+
+(id-smgmt-test
+  "sessions is empty for a subject with none"
+  (idsm-ev
+    "Svc = identity:start(),\n     length(identity:sessions(Svc, stranger))")
+  0)
+
+;; ── log out everywhere ───────────────────────────────────────────
+
+(id-smgmt-test
+  "logout_all ends every session of the subject"
+  (idsmnm
+    (idsm-ev
+      "Svc = identity:start(),\n       {ok, S1, _} = identity:login(Svc, alice, web, read),\n       {ok, S2, _} = identity:login(Svc, alice, cli, read),\n       identity:logout_all(Svc, alice),\n       case {identity:session_status(Svc, S1), identity:session_status(Svc, S2)} of\n         {gone, gone} -> both_gone;\n         _ -> some_left\n       end"))
+  "both_gone")
+
+(id-smgmt-test
+  "after logout_all the subject has no sessions"
+  (idsm-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, cli, read),\n     identity:logout_all(Svc, alice),\n     length(identity:sessions(Svc, alice))")
+  0)
+
+(id-smgmt-test
+  "logout_all leaves other subjects' sessions intact"
+  (idsm-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, bob, web, read),\n     identity:logout_all(Svc, alice),\n     length(identity:sessions(Svc, bob))")
+  1)
+
+(id-smgmt-test
+  "logout_all on an unknown subject is ok, not a crash"
+  (idsmnm
+    (idsm-ev "Svc = identity:start(),\n       identity:logout_all(Svc, ghost)"))
+  "ok")
+
+;; ── logout_all is audited ────────────────────────────────────────
+
+(id-smgmt-test
+  "logout_all records a logout event"
+  (idsmnm
+    (idsm-ev
+      "Svc = identity:start(),\n       identity:login(Svc, alice, web, read),\n       identity:logout_all(Svc, alice),\n       case identity:history(Svc, alice) of\n         [login, issue, logout] -> audited;\n         Other -> Other\n       end"))
+  "audited")
+
+(id-smgmt-test
+  "logout_all audits each of several sessions"
+  (idsm-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, cli, read),\n     identity:logout_all(Svc, alice),\n     length(identity:history(Svc, alice))")
+  6)
+
+(define
+  id-smgmt-test-summary
+  (str "session-mgmt " id-smgmt-test-pass "/" id-smgmt-test-count))
--- a/plans/identity-on-sx.md
+++ b/plans/identity-on-sx.md
@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.

 ## Status (rolling)

-`bash lib/identity/conformance.sh` → **185/185** (4 phases + 8 ext; backlog clear)
+`bash lib/identity/conformance.sh` → **193/193** (4 phases + 9 ext)

 ## Ground rules

@@ -86,8 +86,14 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [x] acl-on-sx delegation: identity-gates-before-acl boundary (401 vs 403), stub decider (live Datalog bridge is cross-substrate)
 - [ ] OAuth `state` (CSRF) + OIDC `nonce` threaded through authorize→exchange
 - [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
+- [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)

 ## Progress log
+- 2026-06-07 — subject-wide session management (ext): `api.sx` gains
+  `sessions(Subject)` (enumerate) and `logout_all(Subject)` ("log out
+  everywhere") — revokes + deregisters every session a subject holds,
+  auditing a logout per session, leaving other subjects untouched. Builds on
+  registry.sessions_for. New tests/session_mgmt.sx (8). 185→193.
 - 2026-06-07 — `delegation.sx` (ext): the identity→acl boundary made concrete.
  `check` introspects the token first: inactive → `{error, unauthenticated}`
  (401, acl never consulted); active → constructs {Subject, Scope, Action,