chore: sync testing plan with authsession

TESTING.md

@@ -117,7 +117,7 @@ The testing plan follows this service order:
 
 ---
 
-## 1. Edge Gateway Service
+## 1. [Edge Gateway](gateway/README.md) Service
 
 ### Service tests
 
@@ -230,7 +230,7 @@ The testing plan follows this service order:
 
 ---
 
-## 2. Auth / Session Service
+## 2. [Auth / Session](authsession/README.md) Service
 
 ### Service tests
 
@@ -273,9 +273,14 @@ The testing plan follows this service order:
   * stored session reread before publish to avoid stale active projection
 * Public API tests:
 
-  * JSON decoding and unknown field rejection
+  * JSON decoding, input validation, and invalid-request mapping
   * public error mapping
   * stable success DTO shape
+  * end-to-end public HTTP send/confirm scenarios
+  * timeout mapping and invalid-success-payload rejection
+  * stable public OpenAPI validation and gateway contract parity
+  * stable public error examples
+  * trace/metric emission and sensitive-field log redaction
 * Internal API tests:
 
   * `GetSession`
@@ -283,12 +288,24 @@ The testing plan follows this service order:
   * `RevokeDeviceSession`
   * `RevokeAllUserSessions`
   * `BlockUser`
+  * path/body validation and invalid-request mapping
+  * end-to-end internal HTTP read/revoke/block scenarios
+  * timeout mapping and invalid-success-payload rejection
+  * stable internal OpenAPI validation and frozen mutation DTO/enums
+  * trace/metric emission and sensitive-field log redaction
 * Redis adapter tests:
 
   * challenge store
   * session store
   * config provider
   * projection publisher
+* Runtime and architecture tests:
+
+  * public/internal HTTP server lifecycle
+  * intentional absence of `/healthz`, `/readyz`, and `/metrics`
+  * runtime wiring for `stub|rest` user-service and mail-service adapters
+  * startup fail-fast on Redis-backed ping failure
+  * storage-agnostic core for domain/service/ports layers
 
 ### Inter-service integration tests with already implemented components
 
@@ -303,6 +320,7 @@ The testing plan follows this service order:
   * challenge persistence
   * session persistence
   * session projection compatibility
+  * duplicate publish keeps gateway cache canonical
 * `Gateway <-> Auth / Session <-> Redis`
 
   * login creates session
@@ -310,11 +328,21 @@ The testing plan follows this service order:
   * repeated confirm repairs a previously failed projection publish
   * revoked session invalidates gateway authentication path
   * revoked session closes gateway push stream
+  * malformed client public key keeps stable client-facing error
 * `Auth / Session <-> stub Mail`
 
   * auth code send path
   * suppression path
   * explicit mail failure path
+* `Auth / Session <-> Mail REST`
+
+  * sent/suppressed/failure compatibility
+  * blocked/throttled sends skip mail delivery
+* `Auth / Session <-> User REST`
+
+  * resolve-by-email compatibility for public send
+  * ensure-user compatibility for confirm
+  * exists/block compatibility for internal revoke/block flows
 
 ### Regression tests to keep from this stage onward
 
@@ -323,11 +351,16 @@ The testing plan follows this service order:
 * Confirm idempotency window behavior remains stable.
 * Projection repair-on-retry remains safe after source-of-truth commits.
 * Confirm-race cleanup does not leave multiple active winner sessions.
+* Projection repair continues working after process restart.
+* Redis reconnect on the same live process preserves recovery semantics.
+* Expired challenges continue returning `challenge_expired` during grace and `challenge_not_found` after TTL cleanup.
+* Large session-list and bulk-revoke paths remain stable.
+* Concurrent confirm, revoke-all, and block flows do not leak active sessions.
 * Session projection remains compatible with gateway expectations.
 
 ---
 
-## 3. User Service
+## 3. [User](user/README.md) Service
 
 ### Service tests
 
@@ -778,7 +811,7 @@ The testing plan follows this service order:
 
 ---
 
-## 10. Geo Profile Service
+## 10. [Geo Profile](geoprofile/README.md) Service
 
 ### Service tests