identity: "disconnect app" — revoke_app(Subject, Client) (+4 tests)

identity_tokens:revoke_app(Subject, Client) revokes every grant a subject holds for one client at once (audited one revoke per grant), exposed at the facade as identity:revoke_app. The action counterpart to the grants view — completing the account-security view+action pairs (sessions/logout_all, grants/revoke_app, history). Other subjects' same-client grants are untouched. account 11/11, 233/233. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 07:59:13 +00:00
parent 3b782eba8a
commit d466ca3414
6 changed files with 64 additions and 26 deletions
--- a/lib/identity/api.sx
+++ b/lib/identity/api.sx
--- a/lib/identity/scoreboard.json
+++ b/lib/identity/scoreboard.json
@@ -1,7 +1,7 @@
 {
  "language": "identity",
-  "total_pass": 229,
-  "total": 229,
+  "total_pass": 233,
+  "total": 233,
  "suites": [
    {"name":"session","pass":11,"total":11,"status":"ok"},
    {"name":"token","pass":24,"total":24,"status":"ok"},
@@ -24,6 +24,6 @@
    {"name":"introspect","pass":9,"total":9,"status":"ok"},
    {"name":"par","pass":7,"total":7,"status":"ok"},
    {"name":"dynreg","pass":5,"total":5,"status":"ok"},
-    {"name":"account","pass":7,"total":7,"status":"ok"}
+    {"name":"account","pass":11,"total":11,"status":"ok"}
  ]
 }
--- a/lib/identity/scoreboard.md
+++ b/lib/identity/scoreboard.md
@@ -1,6 +1,6 @@
 # identity-on-sx Scoreboard

-**Total: 229 / 229 tests passing**
+**Total: 233 / 233 tests passing**

 |  | Suite | Pass | Total |
 |---|---|---|---|
@@ -25,7 +25,7 @@
 | ✅ | introspect | 9 | 9 |
 | ✅ | par | 7 | 7 |
 | ✅ | dynreg | 5 | 5 |
-| ✅ | account | 7 | 7 |
+| ✅ | account | 11 | 11 |


 Generated by `lib/identity/conformance.sh`.
--- a/lib/identity/tests/account.sx
+++ b/lib/identity/tests/account.sx
@@ -1,7 +1,7 @@
-;; identity/tests/account.sx — \"apps with access\": per-subject active-grant
-;; listing, at the token registry (grants_for) and through the facade
-;; (identity:grants). Completes the per-subject security trio with sessions
-;; and history.
+;; identity/tests/account.sx — the account-security surface: \"apps with
+;; access\" (grants_for / identity:grants) plus \"disconnect this app\"
+;; (revoke_app / identity:revoke_app). Completes the per-subject view+action
+;; pair alongside sessions and history.

 (define id-acct-test-count 0)
 (define id-acct-test-pass 0)
@@ -49,7 +49,28 @@
      "R = identity_tokens:start(),\n       identity_tokens:issue(R, alice, web, read),\n       case identity_tokens:grants_for(R, alice) of\n         [{Client, _Scope}] -> Client;\n         _ -> other\n       end"))
  "web")

-;; ── facade-level grants ──────────────────────────────────────────
+;; ── token-level revoke_app (\"disconnect this app\") ────────────────
+
+(id-acct-test
+  "revoke_app revokes all of a subject's grants for one client"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, alice, web, write),\n     identity_tokens:issue(R, alice, cli, read),\n     identity_tokens:revoke_app(R, alice, web),\n     length(identity_tokens:grants_for(R, alice))")
+  1)
+
+(id-acct-test
+  "revoke_app deactivates that client's tokens"
+  (idanm
+    (ida-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read),\n       identity_tokens:revoke_app(R, alice, web),\n       case identity_tokens:introspect(R, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-acct-test
+  "revoke_app leaves another subject's same-client grant intact"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, bob, web, read),\n     identity_tokens:revoke_app(R, alice, web),\n     length(identity_tokens:grants_for(R, bob))")
+  1)
+
+;; ── facade-level grants + revoke_app ─────────────────────────────

 (id-acct-test
  "identity:grants lists apps a subject has logged into"
@@ -58,9 +79,9 @@
  2)

 (id-acct-test
-  "revoking a token drops it from identity:grants"
+  "identity:revoke_app disconnects one app, leaving the rest"
  (ida-ev
-    "Svc = identity:start(),\n     {ok, _S1, T1} = identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     identity:revoke(Svc, T1),\n     length(identity:grants(Svc, alice))")
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     identity:revoke_app(Svc, alice, web),\n     length(identity:grants(Svc, alice))")
  1)

 (id-acct-test
@@ -69,6 +90,13 @@
    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, bob, web, read),\n     length(identity:grants(Svc, bob))")
  1)

+(id-acct-test
+  "revoke_app is audited as a revoke"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       identity:login(Svc, alice, web, read),\n       identity:revoke_app(Svc, alice, web),\n       case identity:history(Svc, alice) of\n         [login, issue, revoke] -> audited;\n         Other -> Other\n       end"))
+  "audited")
+
 (define
  id-acct-test-summary
  (str "account " id-acct-test-pass "/" id-acct-test-count))
--- a/lib/identity/token.sx
+++ b/lib/identity/token.sx