identity: "disconnect app" — revoke_app(Subject, Client) (+4 tests)

identity_tokens:revoke_app(Subject, Client) revokes every grant a subject holds for one client at once (audited one revoke per grant), exposed at the facade as identity:revoke_app. The action counterpart to the grants view — completing the account-security view+action pairs (sessions/logout_all, grants/revoke_app, history). Other subjects' same-client grants are untouched. account 11/11, 233/233. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 07:59:13 +00:00
parent 3b782eba8a
commit d466ca3414
6 changed files with 64 additions and 26 deletions
--- a/lib/identity/api.sx
+++ b/lib/identity/api.sx
--- a/lib/identity/scoreboard.json
+++ b/lib/identity/scoreboard.json
@@ -1,7 +1,7 @@
 {
  "language": "identity",
-  "total_pass": 229,
-  "total": 229,
+  "total_pass": 233,
+  "total": 233,
  "suites": [
    {"name":"session","pass":11,"total":11,"status":"ok"},
    {"name":"token","pass":24,"total":24,"status":"ok"},
@@ -24,6 +24,6 @@
    {"name":"introspect","pass":9,"total":9,"status":"ok"},
    {"name":"par","pass":7,"total":7,"status":"ok"},
    {"name":"dynreg","pass":5,"total":5,"status":"ok"},
-    {"name":"account","pass":7,"total":7,"status":"ok"}
+    {"name":"account","pass":11,"total":11,"status":"ok"}
  ]
 }
--- a/lib/identity/scoreboard.md
+++ b/lib/identity/scoreboard.md
@@ -1,6 +1,6 @@
 # identity-on-sx Scoreboard

-**Total: 229 / 229 tests passing**
+**Total: 233 / 233 tests passing**

 |  | Suite | Pass | Total |
 |---|---|---|---|
@@ -25,7 +25,7 @@
 | ✅ | introspect | 9 | 9 |
 | ✅ | par | 7 | 7 |
 | ✅ | dynreg | 5 | 5 |
-| ✅ | account | 7 | 7 |
+| ✅ | account | 11 | 11 |


 Generated by `lib/identity/conformance.sh`.
--- a/lib/identity/tests/account.sx
+++ b/lib/identity/tests/account.sx
@@ -1,7 +1,7 @@
-;; identity/tests/account.sx — \"apps with access\": per-subject active-grant
-;; listing, at the token registry (grants_for) and through the facade
-;; (identity:grants). Completes the per-subject security trio with sessions
-;; and history.
+;; identity/tests/account.sx — the account-security surface: \"apps with
+;; access\" (grants_for / identity:grants) plus \"disconnect this app\"
+;; (revoke_app / identity:revoke_app). Completes the per-subject view+action
+;; pair alongside sessions and history.

 (define id-acct-test-count 0)
 (define id-acct-test-pass 0)
@@ -49,7 +49,28 @@
      "R = identity_tokens:start(),\n       identity_tokens:issue(R, alice, web, read),\n       case identity_tokens:grants_for(R, alice) of\n         [{Client, _Scope}] -> Client;\n         _ -> other\n       end"))
  "web")

-;; ── facade-level grants ──────────────────────────────────────────
+;; ── token-level revoke_app (\"disconnect this app\") ────────────────
+
+(id-acct-test
+  "revoke_app revokes all of a subject's grants for one client"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, alice, web, write),\n     identity_tokens:issue(R, alice, cli, read),\n     identity_tokens:revoke_app(R, alice, web),\n     length(identity_tokens:grants_for(R, alice))")
+  1)
+
+(id-acct-test
+  "revoke_app deactivates that client's tokens"
+  (idanm
+    (ida-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read),\n       identity_tokens:revoke_app(R, alice, web),\n       case identity_tokens:introspect(R, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-acct-test
+  "revoke_app leaves another subject's same-client grant intact"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, bob, web, read),\n     identity_tokens:revoke_app(R, alice, web),\n     length(identity_tokens:grants_for(R, bob))")
+  1)
+
+;; ── facade-level grants + revoke_app ─────────────────────────────

 (id-acct-test
  "identity:grants lists apps a subject has logged into"
@@ -58,9 +79,9 @@
  2)

 (id-acct-test
-  "revoking a token drops it from identity:grants"
+  "identity:revoke_app disconnects one app, leaving the rest"
  (ida-ev
-    "Svc = identity:start(),\n     {ok, _S1, T1} = identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     identity:revoke(Svc, T1),\n     length(identity:grants(Svc, alice))")
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     identity:revoke_app(Svc, alice, web),\n     length(identity:grants(Svc, alice))")
  1)

 (id-acct-test
@@ -69,6 +90,13 @@
    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, bob, web, read),\n     length(identity:grants(Svc, bob))")
  1)

+(id-acct-test
+  "revoke_app is audited as a revoke"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       identity:login(Svc, alice, web, read),\n       identity:revoke_app(Svc, alice, web),\n       case identity:history(Svc, alice) of\n         [login, issue, revoke] -> audited;\n         Other -> Other\n       end"))
+  "audited")
+
 (define
  id-acct-test-summary
  (str "account " id-acct-test-pass "/" id-acct-test-count))
--- a/lib/identity/token.sx
+++ b/lib/identity/token.sx
--- a/plans/identity-on-sx.md
+++ b/plans/identity-on-sx.md
@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.

 ## Status (rolling)

-`bash lib/identity/conformance.sh` → **229/229** (4 phases + 14 ext) — slow (~10min, run in background; internal timeout 1200)
+`bash lib/identity/conformance.sh` → **233/233** (4 phases + 15 ext) — slow (~10min, run in background; internal timeout 1200)

 ## Ground rules

@@ -88,12 +88,19 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [x] pushed authorization requests (PAR, RFC 9126): single-use request_uri → consent
 - [x] dynamic client registration (RFC 7591): server-generated client_id + secret
 - [x] "apps with access": `grants_for(Subject)` / `identity:grants` (per-subject active grants)
+- [x] "disconnect app": `revoke_app(Subject, Client)` — revoke all of a subject's grants for a client
 - [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
 - [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)
 - [x] token exchange (RFC 8693): downscope a token into a new independent token
 - [x] RFC 7662 full introspection metadata (`introspect_full`: sub/client_id/scope/exp/iat/token_type)

 ## Progress log
+- 2026-06-07 — "disconnect app" (ext): `identity_tokens:revoke_app(Subject,
+  Client)` revokes every grant a subject holds for one client at once (audited
+  one revoke per grant), exposed at the facade as `identity:revoke_app`. The
+  action counterpart to the `grants` view — completes the account-security
+  view+action pairs: sessions/logout_all, grants/revoke_app, history. Other
+  subjects' same-client grants are untouched. +4 → account 11, 233/233.
 - 2026-06-07 — "apps with access" (ext): `identity_tokens:grants_for(Subject)`
  lists a subject's ACTIVE grants as `[{Client, Scope}]` (revoked excluded),
  exposed through the facade as `identity:grants(Subject)`. Completes the