feat: authsession service

authsession/internal/service/blockuser/consistency_test.go

@@ -0,0 +1,88 @@
+package blockuser
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"galaxy/authsession/internal/domain/common"
+	"galaxy/authsession/internal/domain/devicesession"
+	"galaxy/authsession/internal/domain/userresolution"
+	"galaxy/authsession/internal/service/shared"
+	"galaxy/authsession/internal/testkit"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestExecuteRetriesProjectionPublishesForBlockFlow(t *testing.T) {
+	t.Parallel()
+
+	userDirectory := &testkit.InMemoryUserDirectory{}
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{
+		Errors: []error{errors.New("publish failed"), nil},
+	}
+	require.NoError(t, userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")))
+	require.NoError(t, store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())))
+
+	service, err := New(userDirectory, store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	result, err := service.Execute(context.Background(), Input{
+		UserID:     "user-1",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "blocked", result.Outcome)
+	assert.EqualValues(t, 1, result.AffectedSessionCount)
+	require.Len(t, publisher.PublishedSnapshots(), 2)
+}
+
+func TestExecuteRepairsProjectionOnRepeatedAlreadyBlockedRequest(t *testing.T) {
+	t.Parallel()
+
+	userDirectory := &testkit.InMemoryUserDirectory{}
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{Err: errors.New("publish failed")}
+	require.NoError(t, userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")))
+	require.NoError(t, store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())))
+
+	service, err := New(userDirectory, store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	_, err = service.Execute(context.Background(), Input{
+		UserID:     "user-1",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	require.Error(t, err)
+	assert.Equal(t, shared.ErrorCodeServiceUnavailable, shared.CodeOf(err))
+	require.Len(t, publisher.PublishedSnapshots(), shared.MaxProjectionPublishAttempts)
+
+	sessionRecord, getErr := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
+	require.NoError(t, getErr)
+	require.NotNil(t, sessionRecord.Revocation)
+	assert.Equal(t, devicesession.StatusRevoked, sessionRecord.Status)
+	assert.Equal(t, devicesession.RevokeReasonUserBlocked, sessionRecord.Revocation.ReasonCode)
+
+	resolution, resolveErr := userDirectory.ResolveByEmail(context.Background(), common.Email("pilot@example.com"))
+	require.NoError(t, resolveErr)
+	assert.Equal(t, userresolution.KindBlocked, resolution.Kind)
+
+	publisher.Err = nil
+
+	result, err := service.Execute(context.Background(), Input{
+		UserID:     "user-1",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "already_blocked", result.Outcome)
+	assert.EqualValues(t, 0, result.AffectedSessionCount)
+	require.NotNil(t, result.AffectedDeviceSessionIDs)
+	assert.Empty(t, result.AffectedDeviceSessionIDs)
+	require.Len(t, publisher.PublishedSnapshots(), shared.MaxProjectionPublishAttempts+1)
+}

authsession/internal/service/blockuser/cross_flow_test.go

@@ -0,0 +1,91 @@
+package blockuser
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"galaxy/authsession/internal/domain/challenge"
+	"galaxy/authsession/internal/domain/common"
+	"galaxy/authsession/internal/service/confirmemailcode"
+	"galaxy/authsession/internal/service/sendemailcode"
+	"galaxy/authsession/internal/service/shared"
+	"galaxy/authsession/internal/testkit"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const blockFlowPublicKey = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="
+
+func TestBlockUserAffectsLaterSendAndConfirmFlows(t *testing.T) {
+	t.Parallel()
+
+	challengeStore := &testkit.InMemoryChallengeStore{}
+	sessionStore := &testkit.InMemorySessionStore{}
+	userDirectory := &testkit.InMemoryUserDirectory{}
+	publisher := &testkit.RecordingProjectionPublisher{}
+	idGenerator := &testkit.SequenceIDGenerator{
+		ChallengeIDs:     []common.ChallengeID{"challenge-1"},
+		DeviceSessionIDs: []common.DeviceSessionID{"device-session-1"},
+	}
+	hasher := testkit.DeterministicCodeHasher{}
+	mailSender := &testkit.RecordingMailSender{}
+	now := time.Unix(20, 0).UTC()
+	clock := testkit.FixedClock{Time: now}
+
+	blockService, err := New(userDirectory, sessionStore, publisher, clock)
+	require.NoError(t, err)
+
+	_, err = blockService.Execute(context.Background(), Input{
+		Email:      "pilot@example.com",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	require.NoError(t, err)
+
+	sendService, err := sendemailcode.New(
+		challengeStore,
+		userDirectory,
+		idGenerator,
+		testkit.FixedCodeGenerator{Code: "654321"},
+		hasher,
+		mailSender,
+		clock,
+	)
+	require.NoError(t, err)
+
+	sendResult, err := sendService.Execute(context.Background(), sendemailcode.Input{Email: "pilot@example.com"})
+	require.NoError(t, err)
+	assert.Equal(t, "challenge-1", sendResult.ChallengeID)
+	assert.Empty(t, mailSender.RecordedInputs())
+
+	challengeRecord, err := challengeStore.Get(context.Background(), common.ChallengeID("challenge-1"))
+	require.NoError(t, err)
+	assert.Equal(t, challenge.StatusDeliverySuppressed, challengeRecord.Status)
+	assert.Equal(t, challenge.DeliverySuppressed, challengeRecord.DeliveryState)
+
+	confirmService, err := confirmemailcode.New(
+		challengeStore,
+		sessionStore,
+		userDirectory,
+		testkit.StaticConfigProvider{},
+		publisher,
+		idGenerator,
+		hasher,
+		clock,
+	)
+	require.NoError(t, err)
+
+	_, err = confirmService.Execute(context.Background(), confirmemailcode.Input{
+		ChallengeID:     "challenge-1",
+		Code:            "654321",
+		ClientPublicKey: blockFlowPublicKey,
+	})
+	require.Error(t, err)
+	assert.Equal(t, shared.ErrorCodeBlockedByPolicy, shared.CodeOf(err))
+
+	updatedChallenge, getErr := challengeStore.Get(context.Background(), common.ChallengeID("challenge-1"))
+	require.NoError(t, getErr)
+	assert.Equal(t, challenge.StatusFailed, updatedChallenge.Status)
+}

authsession/internal/service/blockuser/observability_test.go

@@ -0,0 +1,64 @@
+package blockuser
+
+import (
+	"bytes"
+	"context"
+	"testing"
+	"time"
+
+	"galaxy/authsession/internal/domain/common"
+	"galaxy/authsession/internal/testkit"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+func TestExecuteLogsSafeOutcomeFields(t *testing.T) {
+	t.Parallel()
+
+	userDirectory := &testkit.InMemoryUserDirectory{}
+	require.NoError(t, userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")))
+
+	sessionStore := &testkit.InMemorySessionStore{}
+	require.NoError(t, sessionStore.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())))
+
+	logger, buffer := newObservedServiceLogger()
+	service, err := NewWithObservability(
+		userDirectory,
+		sessionStore,
+		&testkit.RecordingProjectionPublisher{},
+		testkit.FixedClock{Time: time.Unix(20, 0).UTC()},
+		logger,
+		nil,
+	)
+	require.NoError(t, err)
+
+	_, err = service.Execute(context.Background(), Input{
+		UserID:     "user-1",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	require.NoError(t, err)
+
+	logOutput := buffer.String()
+	assert.Contains(t, logOutput, "block_user")
+	assert.Contains(t, logOutput, "\"user_id\":\"user-1\"")
+	assert.Contains(t, logOutput, "\"reason_code\":\"policy_block\"")
+	assert.NotContains(t, logOutput, "pilot@example.com")
+}
+
+func newObservedServiceLogger() (*zap.Logger, *bytes.Buffer) {
+	buffer := &bytes.Buffer{}
+	encoderConfig := zap.NewProductionEncoderConfig()
+	encoderConfig.TimeKey = ""
+
+	core := zapcore.NewCore(
+		zapcore.NewJSONEncoder(encoderConfig),
+		zapcore.AddSync(buffer),
+		zap.DebugLevel,
+	)
+
+	return zap.New(core), buffer
+}

authsession/internal/service/blockuser/service.go

@@ -0,0 +1,294 @@
+// Package blockuser implements the trusted internal block-user use case.
+package blockuser
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"galaxy/authsession/internal/domain/common"
+	"galaxy/authsession/internal/domain/devicesession"
+	"galaxy/authsession/internal/domain/userresolution"
+	"galaxy/authsession/internal/ports"
+	"galaxy/authsession/internal/service/shared"
+	"galaxy/authsession/internal/telemetry"
+
+	"go.uber.org/zap"
+)
+
+const (
+	// SubjectKindUserID identifies a block request addressed by stable user id.
+	SubjectKindUserID = "user_id"
+
+	// SubjectKindEmail identifies a block request addressed by normalized e-mail
+	// address.
+	SubjectKindEmail = "email"
+)
+
+// Input describes one trusted internal block-user request.
+type Input struct {
+	// UserID identifies the subject to block when the request is user-id based.
+	UserID string
+
+	// Email identifies the subject to block when the request is e-mail based.
+	Email string
+
+	// ReasonCode stores the machine-readable block reason code applied to the
+	// user directory.
+	ReasonCode string
+
+	// ActorType stores the machine-readable actor type for any derived session
+	// revocation.
+	ActorType string
+
+	// ActorID stores the optional stable actor identifier for any derived
+	// session revocation.
+	ActorID string
+}
+
+// Result describes the frozen internal block-user acknowledgement.
+type Result struct {
+	// Outcome reports whether the block state was newly applied or already
+	// existed.
+	Outcome string
+
+	// SubjectKind reports whether the request targeted `user_id` or `email`.
+	SubjectKind string
+
+	// SubjectValue stores the normalized subject value addressed by the
+	// operation.
+	SubjectValue string
+
+	// AffectedSessionCount reports how many sessions changed state during the
+	// current call.
+	AffectedSessionCount int64
+
+	// AffectedDeviceSessionIDs lists every session identifier affected during
+	// the current call.
+	AffectedDeviceSessionIDs []string
+}
+
+// Service executes the trusted internal block-user use case.
+type Service struct {
+	userDirectory ports.UserDirectory
+	sessionStore  ports.SessionStore
+	publisher     ports.GatewaySessionProjectionPublisher
+	clock         ports.Clock
+	logger        *zap.Logger
+	telemetry     *telemetry.Runtime
+}
+
+// New returns a block-user service wired to the required ports.
+func New(userDirectory ports.UserDirectory, sessionStore ports.SessionStore, publisher ports.GatewaySessionProjectionPublisher, clock ports.Clock) (*Service, error) {
+	return NewWithObservability(userDirectory, sessionStore, publisher, clock, nil, nil)
+}
+
+// NewWithObservability returns a block-user service wired to the required
+// ports plus optional structured logging and telemetry dependencies.
+func NewWithObservability(
+	userDirectory ports.UserDirectory,
+	sessionStore ports.SessionStore,
+	publisher ports.GatewaySessionProjectionPublisher,
+	clock ports.Clock,
+	logger *zap.Logger,
+	telemetryRuntime *telemetry.Runtime,
+) (*Service, error) {
+	switch {
+	case userDirectory == nil:
+		return nil, fmt.Errorf("blockuser: user directory must not be nil")
+	case sessionStore == nil:
+		return nil, fmt.Errorf("blockuser: session store must not be nil")
+	case publisher == nil:
+		return nil, fmt.Errorf("blockuser: projection publisher must not be nil")
+	case clock == nil:
+		return nil, fmt.Errorf("blockuser: clock must not be nil")
+	default:
+		return &Service{
+			userDirectory: userDirectory,
+			sessionStore:  sessionStore,
+			publisher:     publisher,
+			clock:         clock,
+			logger:        namedLogger(logger, "block_user"),
+			telemetry:     telemetryRuntime,
+		}, nil
+	}
+}
+
+// Execute applies the requested block state and revokes any active sessions of
+// the resolved user when one exists.
+func (s *Service) Execute(ctx context.Context, input Input) (result Result, err error) {
+	logFields := []zap.Field{
+		zap.String("component", "service"),
+		zap.String("use_case", "block_user"),
+	}
+	defer func() {
+		if result.Outcome != "" {
+			logFields = append(logFields, zap.String("outcome", result.Outcome))
+		}
+		if result.SubjectKind != "" {
+			logFields = append(logFields, zap.String("subject_kind", result.SubjectKind))
+		}
+		if result.AffectedSessionCount > 0 {
+			logFields = append(logFields, zap.Int64("affected_session_count", result.AffectedSessionCount))
+		}
+		shared.LogServiceOutcome(s.logger, ctx, "block user completed", err, logFields...)
+	}()
+
+	subjectKind, subjectValue, storeResult, err := s.blockSubject(ctx, input)
+	if err != nil {
+		return Result{}, err
+	}
+	logFields = append(logFields, zap.String("reason_code", shared.NormalizeString(input.ReasonCode)))
+	if !storeResult.UserID.IsZero() {
+		logFields = append(logFields, zap.String("user_id", storeResult.UserID.String()))
+	}
+
+	affectedDeviceSessionIDs := []string{}
+	affectedSessionCount := int64(0)
+	if !storeResult.UserID.IsZero() {
+		revocation, err := shared.BuildRevocation(
+			devicesession.RevokeReasonUserBlocked.String(),
+			input.ActorType,
+			input.ActorID,
+			s.clock.Now(),
+		)
+		if err != nil {
+			return Result{}, err
+		}
+
+		revokeResult, err := s.sessionStore.RevokeAllByUserID(ctx, ports.RevokeUserSessionsInput{
+			UserID:     storeResult.UserID,
+			Revocation: revocation,
+		})
+		if err != nil {
+			return Result{}, shared.ServiceUnavailable(err)
+		}
+		if err := revokeResult.Validate(); err != nil {
+			return Result{}, shared.InternalError(err)
+		}
+
+		for _, record := range revokeResult.Sessions {
+			if err := shared.PublishSessionProjectionWithTelemetry(ctx, s.publisher, record, s.telemetry, "block_user"); err != nil {
+				return Result{}, err
+			}
+			affectedDeviceSessionIDs = append(affectedDeviceSessionIDs, record.ID.String())
+		}
+		if revokeResult.Outcome == ports.RevokeUserSessionsOutcomeNoActiveSessions {
+			if err := s.republishCurrentRevokedSessions(ctx, storeResult.UserID); err != nil {
+				return Result{}, err
+			}
+		}
+		affectedSessionCount = int64(len(revokeResult.Sessions))
+		if affectedSessionCount > 0 {
+			s.telemetry.RecordSessionRevocations(ctx, "block_user", devicesession.RevokeReasonUserBlocked.String(), affectedSessionCount)
+		}
+	}
+
+	result = Result{
+		Outcome:                  string(storeResult.Outcome),
+		SubjectKind:              subjectKind,
+		SubjectValue:             subjectValue,
+		AffectedSessionCount:     affectedSessionCount,
+		AffectedDeviceSessionIDs: affectedDeviceSessionIDs,
+	}
+
+	return result, nil
+}
+
+func (s *Service) blockSubject(ctx context.Context, input Input) (string, string, ports.BlockUserResult, error) {
+	userID := shared.NormalizeString(input.UserID)
+	email := shared.NormalizeString(input.Email)
+
+	switch {
+	case userID == "" && email == "":
+		return "", "", ports.BlockUserResult{}, shared.InvalidRequest("exactly one of user_id or email must be provided")
+	case userID != "" && email != "":
+		return "", "", ports.BlockUserResult{}, shared.InvalidRequest("exactly one of user_id or email must be provided")
+	case userID != "":
+		parsedUserID, err := shared.ParseUserID(userID)
+		if err != nil {
+			return "", "", ports.BlockUserResult{}, err
+		}
+		reasonCode, err := parseBlockReasonCode(input.ReasonCode)
+		if err != nil {
+			return "", "", ports.BlockUserResult{}, err
+		}
+
+		result, err := s.userDirectory.BlockByUserID(ctx, ports.BlockUserByIDInput{
+			UserID:     parsedUserID,
+			ReasonCode: reasonCode,
+		})
+		if err != nil {
+			switch {
+			case errors.Is(err, ports.ErrNotFound):
+				return "", "", ports.BlockUserResult{}, shared.SubjectNotFound()
+			default:
+				return "", "", ports.BlockUserResult{}, shared.ServiceUnavailable(err)
+			}
+		}
+		if err := result.Validate(); err != nil {
+			return "", "", ports.BlockUserResult{}, shared.InternalError(err)
+		}
+		s.telemetry.RecordUserDirectoryOutcome(ctx, "block_by_user_id", string(result.Outcome))
+
+		return SubjectKindUserID, parsedUserID.String(), result, nil
+	default:
+		parsedEmail, err := shared.ParseEmail(email)
+		if err != nil {
+			return "", "", ports.BlockUserResult{}, err
+		}
+		reasonCode, err := parseBlockReasonCode(input.ReasonCode)
+		if err != nil {
+			return "", "", ports.BlockUserResult{}, err
+		}
+
+		result, err := s.userDirectory.BlockByEmail(ctx, ports.BlockUserByEmailInput{
+			Email:      parsedEmail,
+			ReasonCode: reasonCode,
+		})
+		if err != nil {
+			return "", "", ports.BlockUserResult{}, shared.ServiceUnavailable(err)
+		}
+		if err := result.Validate(); err != nil {
+			return "", "", ports.BlockUserResult{}, shared.InternalError(err)
+		}
+		s.telemetry.RecordUserDirectoryOutcome(ctx, "block_by_email", string(result.Outcome))
+
+		return SubjectKindEmail, parsedEmail.String(), result, nil
+	}
+}
+
+func parseBlockReasonCode(value string) (userresolution.BlockReasonCode, error) {
+	reasonCode := userresolution.BlockReasonCode(shared.NormalizeString(value))
+	if err := reasonCode.Validate(); err != nil {
+		return "", shared.InvalidRequest(err.Error())
+	}
+
+	return reasonCode, nil
+}
+
+func (s *Service) republishCurrentRevokedSessions(ctx context.Context, userID common.UserID) error {
+	records, err := s.sessionStore.ListByUserID(ctx, userID)
+	if err != nil {
+		return shared.ServiceUnavailable(err)
+	}
+
+	for _, record := range records {
+		if record.Status != devicesession.StatusRevoked {
+			continue
+		}
+		if err := shared.PublishSessionProjectionWithTelemetry(ctx, s.publisher, record, s.telemetry, "block_user_repair"); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func namedLogger(logger *zap.Logger, name string) *zap.Logger {
+	if logger == nil {
+		logger = zap.NewNop()
+	}
+
+	return logger.Named(name)
+}

authsession/internal/service/blockuser/service_test.go

@@ -0,0 +1,237 @@
+package blockuser
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"galaxy/authsession/internal/domain/common"
+	"galaxy/authsession/internal/domain/devicesession"
+	"galaxy/authsession/internal/domain/gatewayprojection"
+	"galaxy/authsession/internal/domain/userresolution"
+	"galaxy/authsession/internal/service/shared"
+	"galaxy/authsession/internal/testkit"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestExecuteBlocksByUserIDAndRevokesSessions(t *testing.T) {
+	t.Parallel()
+
+	userDirectory := &testkit.InMemoryUserDirectory{}
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{}
+	if err := userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")); err != nil {
+		require.Failf(t, "test failed", "SeedExisting() returned error: %v", err)
+	}
+	if err := store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())); err != nil {
+		require.Failf(t, "test failed", "Create() returned error: %v", err)
+	}
+
+	service, err := New(userDirectory, store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	result, err := service.Execute(context.Background(), Input{
+		UserID:     "user-1",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "blocked", result.Outcome)
+	assert.EqualValues(t, 1, result.AffectedSessionCount)
+	assert.Equal(t, SubjectKindUserID, result.SubjectKind)
+	assert.Equal(t, "user-1", result.SubjectValue)
+	assert.Equal(t, []string{"device-session-1"}, result.AffectedDeviceSessionIDs)
+
+	stored, getErr := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
+	require.NoError(t, getErr)
+	require.NotNil(t, stored.Revocation)
+	assert.Equal(t, devicesession.StatusRevoked, stored.Status)
+	assert.Equal(t, devicesession.RevokeReasonUserBlocked, stored.Revocation.ReasonCode)
+	assert.Equal(t, common.RevokeActorType("admin"), stored.Revocation.ActorType)
+
+	resolution, resolveErr := userDirectory.ResolveByEmail(context.Background(), common.Email("pilot@example.com"))
+	require.NoError(t, resolveErr)
+	assert.Equal(t, userresolution.KindBlocked, resolution.Kind)
+	assert.Equal(t, userresolution.BlockReasonCode("policy_block"), resolution.BlockReasonCode)
+
+	published := publisher.PublishedSnapshots()
+	require.Len(t, published, 1)
+	assert.Equal(t, gatewayprojection.StatusRevoked, published[0].Status)
+	assert.Equal(t, devicesession.RevokeReasonUserBlocked, published[0].RevokeReasonCode)
+	assert.Equal(t, common.RevokeActorType("admin"), published[0].RevokeActorType)
+}
+
+func TestExecuteBlocksByEmailWithoutExistingUser(t *testing.T) {
+	t.Parallel()
+
+	userDirectory := &testkit.InMemoryUserDirectory{}
+	publisher := &testkit.RecordingProjectionPublisher{}
+	service, err := New(userDirectory, &testkit.InMemorySessionStore{}, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	result, err := service.Execute(context.Background(), Input{
+		Email:      "pilot@example.com",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "blocked", result.Outcome)
+	assert.EqualValues(t, 0, result.AffectedSessionCount)
+	assert.Equal(t, SubjectKindEmail, result.SubjectKind)
+	assert.Equal(t, "pilot@example.com", result.SubjectValue)
+	require.NotNil(t, result.AffectedDeviceSessionIDs)
+	assert.Empty(t, result.AffectedDeviceSessionIDs)
+
+	resolution, resolveErr := userDirectory.ResolveByEmail(context.Background(), common.Email("pilot@example.com"))
+	require.NoError(t, resolveErr)
+	assert.Equal(t, userresolution.KindBlocked, resolution.Kind)
+	assert.Equal(t, userresolution.BlockReasonCode("policy_block"), resolution.BlockReasonCode)
+	assert.Empty(t, publisher.PublishedSnapshots())
+}
+
+func TestExecuteBlocksByEmailWithExistingUserAndRevokesSessions(t *testing.T) {
+	t.Parallel()
+
+	userDirectory := &testkit.InMemoryUserDirectory{}
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{}
+	if err := userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")); err != nil {
+		require.Failf(t, "test failed", "SeedExisting() returned error: %v", err)
+	}
+	if err := store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())); err != nil {
+		require.Failf(t, "test failed", "Create() returned error: %v", err)
+	}
+
+	service, err := New(userDirectory, store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	result, err := service.Execute(context.Background(), Input{
+		Email:      "pilot@example.com",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "blocked", result.Outcome)
+	assert.EqualValues(t, 1, result.AffectedSessionCount)
+	assert.Equal(t, []string{"device-session-1"}, result.AffectedDeviceSessionIDs)
+
+	stored, getErr := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
+	require.NoError(t, getErr)
+	require.NotNil(t, stored.Revocation)
+	assert.Equal(t, devicesession.RevokeReasonUserBlocked, stored.Revocation.ReasonCode)
+	assert.Equal(t, common.RevokeActorType("admin"), stored.Revocation.ActorType)
+
+	resolution, resolveErr := userDirectory.ResolveByEmail(context.Background(), common.Email("pilot@example.com"))
+	require.NoError(t, resolveErr)
+	assert.Equal(t, userresolution.KindBlocked, resolution.Kind)
+	assert.Equal(t, userresolution.BlockReasonCode("policy_block"), resolution.BlockReasonCode)
+
+	published := publisher.PublishedSnapshots()
+	require.Len(t, published, 1)
+	assert.Equal(t, devicesession.RevokeReasonUserBlocked, published[0].RevokeReasonCode)
+}
+
+func TestExecuteReturnsSubjectNotFoundForUnknownUserID(t *testing.T) {
+	t.Parallel()
+
+	service, err := New(&testkit.InMemoryUserDirectory{}, &testkit.InMemorySessionStore{}, &testkit.RecordingProjectionPublisher{}, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	if err != nil {
+		require.Failf(t, "test failed", "New() returned error: %v", err)
+	}
+
+	_, err = service.Execute(context.Background(), Input{
+		UserID:     "missing",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	assert.Equal(t, shared.ErrorCodeSubjectNotFound, shared.CodeOf(err))
+}
+
+func TestExecuteAlreadyBlockedStillRevokesLingeringSessions(t *testing.T) {
+	t.Parallel()
+
+	userDirectory := &testkit.InMemoryUserDirectory{}
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{}
+	if err := userDirectory.SeedBlockedUser(common.Email("pilot@example.com"), common.UserID("user-1"), userresolution.BlockReasonCode("policy_block")); err != nil {
+		require.Failf(t, "test failed", "SeedBlockedUser() returned error: %v", err)
+	}
+	if err := store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())); err != nil {
+		require.Failf(t, "test failed", "Create() returned error: %v", err)
+	}
+
+	service, err := New(userDirectory, store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	result, err := service.Execute(context.Background(), Input{
+		Email:      "pilot@example.com",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "already_blocked", result.Outcome)
+	assert.EqualValues(t, 1, result.AffectedSessionCount)
+	assert.Equal(t, []string{"device-session-1"}, result.AffectedDeviceSessionIDs)
+
+	stored, getErr := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
+	require.NoError(t, getErr)
+	require.NotNil(t, stored.Revocation)
+	assert.Equal(t, devicesession.RevokeReasonUserBlocked, stored.Revocation.ReasonCode)
+	assert.Equal(t, common.RevokeActorType("admin"), stored.Revocation.ActorType)
+
+	published := publisher.PublishedSnapshots()
+	require.Len(t, published, 1)
+	assert.Equal(t, devicesession.RevokeReasonUserBlocked, published[0].RevokeReasonCode)
+}
+
+func TestExecuteReturnsServiceUnavailableWhenPublishFails(t *testing.T) {
+	t.Parallel()
+
+	userDirectory := &testkit.InMemoryUserDirectory{}
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{Err: errors.New("publish failed")}
+	if err := userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")); err != nil {
+		require.Failf(t, "test failed", "SeedExisting() returned error: %v", err)
+	}
+	if err := store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())); err != nil {
+		require.Failf(t, "test failed", "Create() returned error: %v", err)
+	}
+
+	service, err := New(userDirectory, store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	_, err = service.Execute(context.Background(), Input{
+		UserID:     "user-1",
+		ReasonCode: "policy_block",
+		ActorType:  "admin",
+	})
+	assert.Equal(t, shared.ErrorCodeServiceUnavailable, shared.CodeOf(err))
+
+	stored, getErr := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
+	require.NoError(t, getErr)
+	require.NotNil(t, stored.Revocation)
+	assert.Equal(t, devicesession.RevokeReasonUserBlocked, stored.Revocation.ReasonCode)
+
+	resolution, resolveErr := userDirectory.ResolveByEmail(context.Background(), common.Email("pilot@example.com"))
+	require.NoError(t, resolveErr)
+	assert.Equal(t, userresolution.KindBlocked, resolution.Kind)
+	assert.Equal(t, userresolution.BlockReasonCode("policy_block"), resolution.BlockReasonCode)
+}
+
+func activeSessionFixture(deviceSessionID string, userID string, createdAt time.Time) devicesession.Session {
+	key, err := common.NewClientPublicKey(make([]byte, 32))
+	if err != nil {
+		panic(err)
+	}
+
+	return devicesession.Session{
+		ID:              common.DeviceSessionID(deviceSessionID),
+		UserID:          common.UserID(userID),
+		ClientPublicKey: key,
+		Status:          devicesession.StatusActive,
+		CreatedAt:       createdAt,
+	}
+}

authsession/internal/service/blockuser/stub_user_directory_test.go

@@ -0,0 +1,60 @@
+package blockuser
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	stubuserservice "galaxy/authsession/internal/adapters/userservice"
+	"galaxy/authsession/internal/domain/common"
+	"galaxy/authsession/internal/testkit"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestExecuteWithRuntimeStubUserDirectory(t *testing.T) {
+	t.Parallel()
+
+	t.Run("blocks by email through runtime stub", func(t *testing.T) {
+		t.Parallel()
+
+		userDirectory := &stubuserservice.StubDirectory{}
+		require.NoError(t, userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")))
+
+		store := &testkit.InMemorySessionStore{}
+		require.NoError(t, store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())))
+
+		service, err := New(userDirectory, store, &testkit.RecordingProjectionPublisher{}, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+		require.NoError(t, err)
+
+		result, err := service.Execute(context.Background(), Input{
+			Email:      "pilot@example.com",
+			ReasonCode: "policy_block",
+			ActorType:  "admin",
+		})
+		require.NoError(t, err)
+		assert.Equal(t, SubjectKindEmail, result.SubjectKind)
+		assert.Equal(t, "blocked", result.Outcome)
+		assert.EqualValues(t, 1, result.AffectedSessionCount)
+	})
+
+	t.Run("blocks by user id through runtime stub", func(t *testing.T) {
+		t.Parallel()
+
+		userDirectory := &stubuserservice.StubDirectory{}
+		require.NoError(t, userDirectory.SeedExisting(common.Email("pilot@example.com"), common.UserID("user-1")))
+
+		service, err := New(userDirectory, &testkit.InMemorySessionStore{}, &testkit.RecordingProjectionPublisher{}, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+		require.NoError(t, err)
+
+		result, err := service.Execute(context.Background(), Input{
+			UserID:     "user-1",
+			ReasonCode: "policy_block",
+			ActorType:  "admin",
+		})
+		require.NoError(t, err)
+		assert.Equal(t, SubjectKindUserID, result.SubjectKind)
+		assert.Equal(t, "blocked", result.Outcome)
+	})
+}