docs: reorder & testing

backend/internal/user/deps.go

@@ -34,10 +34,34 @@ type GeoCascade interface {
 // canonical implementation wraps `*auth.Service.RevokeAllForUser`. The
 // adapter lives in `cmd/backend/main.go` so `auth` does not export an
 // extra method shape.
+//
+// The actor argument carries audit context: who initiated the revoke
+// and why. The auth side persists it into `session_revocations`; user
+// callers populate it with a fixed kind matching the trigger.
 type SessionRevoker interface {
-	RevokeAllForUser(ctx context.Context, userID uuid.UUID) error
+	RevokeAllForUser(ctx context.Context, userID uuid.UUID, actor SessionRevokeActor) error
 }
 
+// SessionRevokeActor describes the principal behind a session revoke.
+// Kind is a closed vocabulary mirrored by `auth.ActorKind`; ID is the
+// stable identifier of the principal (a user UUID for self-driven
+// flows, an admin username for admin-driven flows). Reason is a
+// free-form note recorded in the audit row.
+type SessionRevokeActor struct {
+	Kind   string
+	ID     string
+	Reason string
+}
+
+// Closed Kind vocabulary. Mirror constants live in
+// `auth.ActorKind*`; the values must stay in sync because the auth
+// adapter forwards them verbatim.
+const (
+	SessionRevokeActorSoftDeleteUser  = "soft_delete_user"
+	SessionRevokeActorSoftDeleteAdmin = "soft_delete_admin"
+	SessionRevokeActorAdminSanction   = "admin_sanction"
+)
+
 // NewNoopLobbyCascade returns a LobbyCascade that logs every invocation
 // at info level and returns nil. The canonical lobby is wired in `cmd/backend/main.go`.
 // implementation; until then the no-op keeps the cascade orchestration