identity: "disconnect app" — revoke_app(Subject, Client) (+4 tests)

identity_tokens:revoke_app(Subject, Client) revokes every grant a subject
holds for one client at once (audited one revoke per grant), exposed at the
facade as identity:revoke_app. The action counterpart to the grants view —
completing the account-security view+action pairs (sessions/logout_all,
grants/revoke_app, history). Other subjects' same-client grants are
untouched. account 11/11, 233/233.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/identity/tests/account.sx

@@ -1,7 +1,7 @@
-;; identity/tests/account.sx — \"apps with access\": per-subject active-grant
-;; listing, at the token registry (grants_for) and through the facade
-;; (identity:grants). Completes the per-subject security trio with sessions
-;; and history.
+;; identity/tests/account.sx — the account-security surface: \"apps with
+;; access\" (grants_for / identity:grants) plus \"disconnect this app\"
+;; (revoke_app / identity:revoke_app). Completes the per-subject view+action
+;; pair alongside sessions and history.
 
 (define id-acct-test-count 0)
 (define id-acct-test-pass 0)
@@ -49,7 +49,28 @@
       "R = identity_tokens:start(),\n       identity_tokens:issue(R, alice, web, read),\n       case identity_tokens:grants_for(R, alice) of\n         [{Client, _Scope}] -> Client;\n         _ -> other\n       end"))
   "web")
 
-;; ── facade-level grants ──────────────────────────────────────────
+;; ── token-level revoke_app (\"disconnect this app\") ────────────────
+
+(id-acct-test
+  "revoke_app revokes all of a subject's grants for one client"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, alice, web, write),\n     identity_tokens:issue(R, alice, cli, read),\n     identity_tokens:revoke_app(R, alice, web),\n     length(identity_tokens:grants_for(R, alice))")
+  1)
+
+(id-acct-test
+  "revoke_app deactivates that client's tokens"
+  (idanm
+    (ida-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read),\n       identity_tokens:revoke_app(R, alice, web),\n       case identity_tokens:introspect(R, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-acct-test
+  "revoke_app leaves another subject's same-client grant intact"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, bob, web, read),\n     identity_tokens:revoke_app(R, alice, web),\n     length(identity_tokens:grants_for(R, bob))")
+  1)
+
+;; ── facade-level grants + revoke_app ─────────────────────────────
 
 (id-acct-test
   "identity:grants lists apps a subject has logged into"
@@ -58,9 +79,9 @@
   2)
 
 (id-acct-test
-  "revoking a token drops it from identity:grants"
+  "identity:revoke_app disconnects one app, leaving the rest"
   (ida-ev
-    "Svc = identity:start(),\n     {ok, _S1, T1} = identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     identity:revoke(Svc, T1),\n     length(identity:grants(Svc, alice))")
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     identity:revoke_app(Svc, alice, web),\n     length(identity:grants(Svc, alice))")
   1)
 
 (id-acct-test
@@ -69,6 +90,13 @@
     "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, bob, web, read),\n     length(identity:grants(Svc, bob))")
   1)
 
+(id-acct-test
+  "revoke_app is audited as a revoke"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       identity:login(Svc, alice, web, read),\n       identity:revoke_app(Svc, alice, web),\n       case identity:history(Svc, alice) of\n         [login, issue, revoke] -> audited;\n         Other -> Other\n       end"))
+  "audited")
+
 (define
   id-acct-test-summary
   (str "account " id-acct-test-pass "/" id-acct-test-count))