@fuzdev/fuz_app 0.30.0 → 0.32.0

package/dist/testing/admin_integration.js

@@ -3,11 +3,12 @@ import './assert_dev_env.js';
  * Standard admin integration test suite for fuz_app admin routes.
  *
  * `describe_standard_admin_integration_tests` creates a composable test suite
- * that exercises admin account listing, permit grant/revoke, session/token
+ * that exercises admin account listing, permit grant/revoke (via the RPC
+ * surface — see `permit_offer_create` / `permit_revoke`), session/token
  * management, and audit log routes against a real PGlite database.
  *
- * Consumers call it with their route factory, session config, and role schema —
- * all admin route tests come for free.
+ * Consumers call it with their route factory, session config, role schema,
+ * and RPC endpoint specs — all admin route tests come for free.
  *
  * @module
  */
@@ -19,16 +20,13 @@ import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TA
 import { find_auth_route, assert_response_matches_spec } from './integration_helpers.js';
 import { run_migrations } from '../db/migrate.js';
 import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERROR_COVERAGE, } from './error_coverage.js';
-/**
- * Find an admin route by suffix, method, and role requirement.
- *
- * Disambiguates admin routes (e.g., `GET /admin/sessions`) from account-scoped
- * routes (e.g., `GET /account/sessions`) by checking `auth.type === 'role'`.
- */
-const find_admin_route = (specs, suffix, method) => specs.find((s) => s.method === method &&
-    s.path.endsWith(suffix) &&
-    s.auth.type === 'role' &&
-    s.auth.role === 'admin');
+import { rpc_call, rpc_call_non_browser, require_rpc_endpoint_path } from './rpc_helpers.js';
+import { permit_offer_create_action_spec, permit_revoke_action_spec, } from '../auth/permit_offer_action_specs.js';
+import { admin_account_list_action_spec, admin_session_list_action_spec, admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, audit_log_list_action_spec, audit_log_permit_history_action_spec, } from '../auth/admin_action_specs.js';
+import { account_token_create_action_spec, account_verify_action_spec, } from '../auth/account_action_specs.js';
+import { query_grant_permit } from '../auth/permit_queries.js';
+import { query_actor_by_account } from '../auth/account_queries.js';
+import { query_accept_offer } from '../auth/permit_offer_queries.js';
 /**
  * Pick a web-grantable role for testing, preferring a non-admin app-defined role.
  */
@@ -47,21 +45,24 @@ const build_admin_test_app_options = (options, db, roles) => ({
     create_route_specs: options.create_route_specs,
     db,
     roles: roles ?? [ROLE_KEEPER, ROLE_ADMIN],
-    app_options: options.app_options,
+    app_options: {
+        rpc_endpoints: options.rpc_endpoints,
+        ...options.app_options,
+    },
 });
 /**
  * Standard admin integration test suite for fuz_app admin routes.
  *
- * Exercises account listing, permit grant/revoke, session management, token
- * management, audit log routes, admin-to-admin isolation, and response
- * schema validation.
- *
- * Each test group asserts that required routes exist, failing with a descriptive
- * message if the consumer's route specs are misconfigured.
+ * Exercises account listing, permit grant/revoke (via RPC), session
+ * management, token management, audit log routes, admin-to-admin isolation,
+ * and response schema validation.
  *
- * @param options - session config, route factory, and role schema
+ * @param options - session config, route factory, role schema, RPC endpoints
  */
 export const describe_standard_admin_integration_tests = (options) => {
+    // Hard-fail early so consumers see a clear setup error instead of a
+    // confusing test failure when `rpc_endpoints` is missing.
+    const rpc_path = require_rpc_endpoint_path(options.rpc_endpoints);
     const init_schema = async (db) => {
         await run_migrations(db, [AUTH_MIGRATION_NS]);
     };
@@ -76,20 +77,13 @@ export const describe_standard_admin_integration_tests = (options) => {
         let captured_route_specs = null;
         afterAll(() => {
             if (captured_route_specs) {
-                // Scope coverage to admin auth-related routes.
-                const admin_suffixes = [
-                    '/accounts',
-                    '/permits/grant',
-                    '/sessions',
-                    '/sessions/revoke-all',
-                    '/tokens/revoke-all',
-                    '/audit-log',
-                    '/audit-log/permit-history',
-                    '/invites',
-                ];
-                const admin_routes = captured_route_specs.filter((s) => (admin_suffixes.some((suffix) => s.path.endsWith(suffix)) ||
-                    s.path.includes('/permits/:') ||
-                    s.path.includes('/invites/:')) &&
+                // Scope coverage to admin auth-related routes. Post-2026-04-23
+                // RPC migration: account listing, session/token revoke-all,
+                // audit-log reads, and invite CRUD are RPC-only. The only
+                // admin REST route remaining is the optional
+                // `GET /audit-log/stream` SSE, plus the shared RPC endpoint
+                // path itself (admin methods live behind spec-level role auth).
+                const admin_routes = captured_route_specs.filter((s) => s.path.endsWith('/audit-log/stream') &&
                     s.auth.type === 'role' &&
                     s.auth.role === 'admin');
                 assert_error_coverage(error_collector, admin_routes.length > 0 ? admin_routes : captured_route_specs, { min_coverage: DEFAULT_INTEGRATION_ERROR_COVERAGE });
@@ -102,279 +96,134 @@ export const describe_standard_admin_integration_tests = (options) => {
             cookie: `${cookie_name}=${session_cookie}`,
             ...extra,
         });
-        // --- 1. Admin account listing ---
+        /**
+         * Drive the full consent flow (admin offer → recipient accept) and
+         * return the materialized permit id. Accept is a direct transactional
+         * `query_accept_offer` call because the suite focuses on the admin
+         * side; exercising the recipient's UI-wired accept path is covered by
+         * `describe_rpc_round_trip_tests` + fuz_app's own action suite.
+         */
+        const offer_and_accept = async (args) => {
+            const res = await rpc_call({
+                app: args.app,
+                path: rpc_path,
+                method: permit_offer_create_action_spec.method,
+                params: { to_account_id: args.to_account_id, role: args.role },
+                headers: args.admin_headers,
+            });
+            assert.ok(res.ok, `permit_offer_create failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+            const offer = res.result.offer;
+            const accept_result = await get_db().transaction(async (tx) => query_accept_offer({ db: tx }, { offer_id: offer.id, to_account_id: args.to_account_id, ip: null }));
+            return { offer_id: offer.id, permit_id: accept_result.permit.id };
+        };
+        // --- 1. Admin account listing (RPC) ---
         describe('admin account listing', () => {
             test('admin can list all accounts', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const accounts_route = find_admin_route(test_app.route_specs, '/accounts', 'GET');
-                assert.ok(accounts_route, 'Expected admin GET /accounts route — ensure create_route_specs includes admin routes');
                 const user_two = await test_app.create_account({ username: 'user_two' });
-                const res = await test_app.app.request(accounts_route.path, {
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_account_list_action_spec.method,
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
-                assert.ok(Array.isArray(body.accounts), 'Expected accounts array');
-                assert.ok(body.accounts.length >= 2, 'Expected at least 2 accounts');
-                assert.ok(Array.isArray(body.grantable_roles), 'Expected grantable_roles array');
+                assert.ok(res.ok, `admin_account_list failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const result = res.result;
+                assert.ok(Array.isArray(result.accounts), 'Expected accounts array');
+                assert.ok(result.accounts.length >= 2, 'Expected at least 2 accounts');
+                assert.ok(Array.isArray(result.grantable_roles), 'Expected grantable_roles array');
                 // Verify user_two appears in the listing
-                const found = body.accounts.find((e) => e.account.id === user_two.account.id);
+                const found = result.accounts.find((e) => e.account.id === user_two.account.id);
                 assert.ok(found, 'Expected user_two in accounts listing');
             });
             test('non-admin cannot list accounts', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db(), [ROLE_KEEPER]));
                 captured_route_specs ??= test_app.route_specs;
-                const accounts_route = find_admin_route(test_app.route_specs, '/accounts', 'GET');
-                assert.ok(accounts_route, 'Expected admin GET /accounts route — ensure create_route_specs includes admin routes');
-                const res = await test_app.app.request(accounts_route.path, {
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_account_list_action_spec.method,
                     headers: test_app.create_session_headers(),
                 });
+                assert.ok(!res.ok, 'Expected admin_account_list to fail for non-admin');
                 assert.strictEqual(res.status, 403);
-                const body = await res.clone().json();
-                assert.strictEqual(body.error, 'insufficient_permissions');
-                await error_collector.assert_and_record(test_app.route_specs, 'GET', accounts_route.path, res);
-            });
-        });
-        // --- 2. Permit grant lifecycle ---
-        describe('permit grant lifecycle', () => {
-            test('admin can grant a web-grantable role', async () => {
-                const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                const user_two = await test_app.create_account({ username: 'user_two' });
-                const path = grant_route.path.replace(':account_id', user_two.account.id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
-                    headers: test_app.create_session_headers({ 'content-type': 'application/json' }),
-                    body: JSON.stringify({ role: grantable_role }),
-                });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
-                assert.strictEqual(body.ok, true);
-                assert.ok(body.permit);
-                assert.strictEqual(body.permit.role, grantable_role);
-                assert.ok(body.permit.id, 'Expected permit id');
-            });
-            test('admin cannot grant a non-web-grantable role', async () => {
-                const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                const user_two = await test_app.create_account({ username: 'user_two' });
-                const path = grant_route.path.replace(':account_id', user_two.account.id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
-                    headers: test_app.create_session_headers({ 'content-type': 'application/json' }),
-                    body: JSON.stringify({ role: ROLE_KEEPER }),
-                });
-                assert.strictEqual(res.status, 403);
-                const body = await res.clone().json();
-                assert.strictEqual(body.error, 'role_not_web_grantable');
-                await error_collector.assert_and_record(test_app.route_specs, 'POST', grant_route.path, res);
-            });
-            test('granting same role twice is idempotent (returns same permit)', async () => {
-                const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                const user_two = await test_app.create_account({ username: 'user_two' });
-                const path = grant_route.path.replace(':account_id', user_two.account.id);
-                const headers = test_app.create_session_headers({ 'content-type': 'application/json' });
-                const body = JSON.stringify({ role: grantable_role });
-                // First grant
-                const res1 = await test_app.app.request(path, {
-                    method: 'POST',
-                    headers,
-                    body,
-                });
-                assert.strictEqual(res1.status, 200);
-                const body1 = await res1.json();
-                assert.strictEqual(body1.ok, true);
-                const permit_id_1 = body1.permit.id;
-                // Second grant — same role, same account
-                const res2 = await test_app.app.request(path, {
-                    method: 'POST',
-                    headers,
-                    body,
-                });
-                assert.strictEqual(res2.status, 200);
-                const body2 = await res2.json();
-                assert.strictEqual(body2.ok, true);
-                assert.strictEqual(body2.permit.id, permit_id_1, 'Expected same permit ID on idempotent grant');
-                assert.strictEqual(body2.permit.role, grantable_role);
-            });
-            test('grant with unknown role returns 400', async () => {
-                const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                const user_two = await test_app.create_account({ username: 'user_two' });
-                const path = grant_route.path.replace(':account_id', user_two.account.id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
-                    headers: test_app.create_session_headers({ 'content-type': 'application/json' }),
-                    body: JSON.stringify({ role: 'nonexistent_role' }),
-                });
-                assert.strictEqual(res.status, 400);
-                error_collector.record(test_app.route_specs, 'POST', grant_route.path, 400);
-            });
-            test('grant to nonexistent account returns 404', async () => {
-                const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                const fake_id = '00000000-0000-0000-0000-000000000000';
-                const path = grant_route.path.replace(':account_id', fake_id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
-                    headers: test_app.create_session_headers({ 'content-type': 'application/json' }),
-                    body: JSON.stringify({ role: grantable_role }),
-                });
-                assert.strictEqual(res.status, 404);
-                const body = await res.clone().json();
-                assert.strictEqual(body.error, 'account_not_found');
-                await error_collector.assert_and_record(test_app.route_specs, 'POST', grant_route.path, res);
-            });
-            test('admin can revoke a permit', async () => {
-                const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                const revoke_route = find_admin_route(test_app.route_specs, '/permits/:permit_id/revoke', 'POST');
-                const accounts_route = find_admin_route(test_app.route_specs, '/accounts', 'GET');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                assert.ok(revoke_route, 'Expected admin POST /permits/:permit_id/revoke route — ensure create_route_specs includes admin routes');
-                assert.ok(accounts_route, 'Expected admin GET /accounts route — ensure create_route_specs includes admin routes');
-                const user_two = await test_app.create_account({ username: 'user_two' });
-                const admin_headers = test_app.create_session_headers({ 'content-type': 'application/json' });
-                // Grant
-                const grant_path = grant_route.path.replace(':account_id', user_two.account.id);
-                await test_app.app.request(grant_path, {
-                    method: 'POST',
-                    headers: admin_headers,
-                    body: JSON.stringify({ role: grantable_role }),
-                });
-                // Find the permit ID via account listing
-                const list_res = await test_app.app.request(accounts_route.path, {
-                    headers: test_app.create_session_headers(),
-                });
-                const list_body = await list_res.json();
-                const entry = list_body.accounts.find((e) => e.account.id === user_two.account.id);
-                const permit = entry.permits.find((p) => p.role === grantable_role);
-                assert.ok(permit, 'Expected granted permit in listing');
-                // Revoke
-                const revoke_path = revoke_route.path
-                    .replace(':account_id', user_two.account.id)
-                    .replace(':permit_id', permit.id);
-                const revoke_res = await test_app.app.request(revoke_path, {
-                    method: 'POST',
-                    headers: test_app.create_session_headers(),
-                });
-                assert.strictEqual(revoke_res.status, 200);
-                const revoke_body = await revoke_res.json();
-                assert.strictEqual(revoke_body.ok, true);
-                assert.strictEqual(revoke_body.revoked, true);
-            });
-            test('revoking an already-revoked permit returns 404', async () => {
-                const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                const revoke_route = find_admin_route(test_app.route_specs, '/permits/:permit_id/revoke', 'POST');
-                const accounts_route = find_admin_route(test_app.route_specs, '/accounts', 'GET');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                assert.ok(revoke_route, 'Expected admin POST /permits/:permit_id/revoke route — ensure create_route_specs includes admin routes');
-                assert.ok(accounts_route, 'Expected admin GET /accounts route — ensure create_route_specs includes admin routes');
-                const user_two = await test_app.create_account({ username: 'user_two' });
-                const admin_headers = test_app.create_session_headers({ 'content-type': 'application/json' });
-                // Grant
-                const grant_path = grant_route.path.replace(':account_id', user_two.account.id);
-                await test_app.app.request(grant_path, {
-                    method: 'POST',
-                    headers: admin_headers,
-                    body: JSON.stringify({ role: grantable_role }),
-                });
-                // Find permit ID
-                const list_res = await test_app.app.request(accounts_route.path, {
-                    headers: test_app.create_session_headers(),
-                });
-                const list_body = await list_res.json();
-                const entry = list_body.accounts.find((e) => e.account.id === user_two.account.id);
-                const permit = entry.permits.find((p) => p.role === grantable_role);
-                assert.ok(permit);
-                const revoke_path = revoke_route.path
-                    .replace(':account_id', user_two.account.id)
-                    .replace(':permit_id', permit.id);
-                // First revoke — succeeds
-                const first = await test_app.app.request(revoke_path, {
-                    method: 'POST',
-                    headers: test_app.create_session_headers(),
-                });
-                assert.strictEqual(first.status, 200);
-                // Second revoke — already revoked, returns 404
-                const second = await test_app.app.request(revoke_path, {
-                    method: 'POST',
-                    headers: test_app.create_session_headers(),
-                });
-                assert.strictEqual(second.status, 404);
-                const body = await second.clone().json();
-                assert.strictEqual(body.error, 'permit_not_found');
-                await error_collector.assert_and_record(test_app.route_specs, 'POST', revoke_route.path, second);
             });
         });
+        // --- 2. Permit grant/revoke lifecycle ---
+        // Permit grant/revoke are RPC-only (see `permit_offer_create` /
+        // `permit_revoke`). End-to-end coverage lives in
+        // `describe_rpc_round_trip_tests` + fuz_app's own
+        // `permit_offer_actions.db.test.ts` /
+        // `permit_offer_actions.notifications.revoke.db.test.ts`. The
+        // audit/isolation groups below exercise them as preconditions for
+        // cross-cutting checks (event emission, admin-to-admin isolation).
         // --- 3. Admin session management ---
         describe('admin session management', () => {
             test('admin can list all active sessions', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const sessions_route = find_admin_route(test_app.route_specs, '/sessions', 'GET');
-                assert.ok(sessions_route, 'Expected admin GET /sessions route — ensure create_route_specs includes admin routes');
                 await test_app.create_account({ username: 'user_two' });
-                const res = await test_app.app.request(sessions_route.path, {
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_session_list_action_spec.method,
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
+                assert.ok(res.ok, `admin_session_list failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const body = res.result;
                 assert.ok(Array.isArray(body.sessions), 'Expected sessions array');
                 assert.ok(body.sessions.length >= 2, 'Expected sessions from multiple accounts');
             });
             test('admin can revoke all sessions for another account', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const revoke_sessions_route = find_admin_route(test_app.route_specs, '/sessions/revoke-all', 'POST');
-                const verify_route = find_auth_route(test_app.route_specs, '/verify', 'GET');
-                assert.ok(revoke_sessions_route, 'Expected admin POST /sessions/revoke-all route — ensure create_route_specs includes admin routes');
-                assert.ok(verify_route, 'Expected GET /verify route — ensure create_route_specs includes account routes');
                 const user_two = await test_app.create_account({ username: 'user_two' });
-                // Verify user_two's session works
-                const before = await test_app.app.request(verify_route.path, {
+                // Verify user_two's session works via `account_verify` RPC
+                const before = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_verify_action_spec.method,
                     headers: create_headers(user_two.session_cookie),
                 });
                 assert.strictEqual(before.status, 200);
-                // Admin revokes all sessions for user_two
-                const path = revoke_sessions_route.path.replace(':account_id', user_two.account.id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
+                // Admin revokes all sessions for user_two via RPC
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_session_revoke_all_action_spec.method,
+                    params: { account_id: user_two.account.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
-                assert.strictEqual(body.ok, true);
-                assert.ok(body.count >= 1, 'Expected at least 1 revoked session');
+                assert.ok(res.ok, `admin_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const result = res.result;
+                assert.strictEqual(result.ok, true);
+                assert.ok(result.count >= 1, 'Expected at least 1 revoked session');
                 // Verify user_two's session no longer works
-                const after = await test_app.app.request(verify_route.path, {
+                const after = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_verify_action_spec.method,
                     headers: create_headers(user_two.session_cookie),
                 });
                 assert.strictEqual(after.status, 401);
             });
             test('admin revoking own sessions invalidates own session', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const revoke_sessions_route = find_admin_route(test_app.route_specs, '/sessions/revoke-all', 'POST');
-                const verify_route = find_auth_route(test_app.route_specs, '/verify', 'GET');
-                assert.ok(revoke_sessions_route, 'Expected admin POST /sessions/revoke-all route — ensure create_route_specs includes admin routes');
-                assert.ok(verify_route, 'Expected GET /verify route — ensure create_route_specs includes account routes');
-                // Admin revokes own sessions
-                const path = revoke_sessions_route.path.replace(':account_id', test_app.backend.account.id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
+                // Admin revokes own sessions via RPC
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_session_revoke_all_action_spec.method,
+                    params: { account_id: test_app.backend.account.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
-                assert.strictEqual(body.ok, true);
-                assert.ok(body.count >= 1, 'Expected at least 1 revoked session');
+                assert.ok(res.ok, `admin_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const result = res.result;
+                assert.strictEqual(result.ok, true);
+                assert.ok(result.count >= 1, 'Expected at least 1 revoked session');
                 // Admin's own session should no longer work
-                const after = await test_app.app.request(verify_route.path, {
+                const after = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_verify_action_spec.method,
                     headers: test_app.create_session_headers(),
                 });
                 assert.strictEqual(after.status, 401);
@@ -384,92 +233,97 @@ export const describe_standard_admin_integration_tests = (options) => {
         describe('admin token management', () => {
             test('admin can revoke all tokens for another account', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const revoke_tokens_route = find_admin_route(test_app.route_specs, '/tokens/revoke-all', 'POST');
-                const verify_route = find_auth_route(test_app.route_specs, '/verify', 'GET');
-                assert.ok(revoke_tokens_route, 'Expected admin POST /tokens/revoke-all route — ensure create_route_specs includes admin routes');
-                assert.ok(verify_route, 'Expected GET /verify route — ensure create_route_specs includes account routes');
                 const user_two = await test_app.create_account({ username: 'user_two' });
-                // Verify user_two's bearer token works
-                const before = await test_app.app.request(verify_route.path, {
-                    headers: { host: 'localhost', authorization: `Bearer ${user_two.api_token}` },
+                // Verify user_two's bearer token works via `account_verify` RPC
+                const before = await rpc_call_non_browser({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_verify_action_spec.method,
+                    headers: { authorization: `Bearer ${user_two.api_token}` },
                 });
                 assert.strictEqual(before.status, 200);
-                // Admin revokes all tokens for user_two
-                const path = revoke_tokens_route.path.replace(':account_id', user_two.account.id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
+                // Admin revokes all tokens for user_two via RPC
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_token_revoke_all_action_spec.method,
+                    params: { account_id: user_two.account.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
-                assert.strictEqual(body.ok, true);
-                assert.ok(body.count >= 1, 'Expected at least 1 revoked token');
+                assert.ok(res.ok, `admin_token_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const result = res.result;
+                assert.strictEqual(result.ok, true);
+                assert.ok(result.count >= 1, 'Expected at least 1 revoked token');
                 // Verify user_two's bearer token no longer works
-                const after = await test_app.app.request(verify_route.path, {
-                    headers: { host: 'localhost', authorization: `Bearer ${user_two.api_token}` },
+                const after = await rpc_call_non_browser({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_verify_action_spec.method,
+                    headers: { authorization: `Bearer ${user_two.api_token}` },
                 });
                 assert.strictEqual(after.status, 401);
             });
         });
-        // --- 5. Audit log routes ---
-        describe('audit log routes', () => {
+        // --- 5. Audit log RPC reads ---
+        describe('audit log RPC reads', () => {
             test('admin can list audit log events', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const audit_route = find_admin_route(test_app.route_specs, '/audit-log', 'GET');
-                assert.ok(audit_route, 'Expected admin GET /audit-log route — ensure create_route_specs includes admin routes');
-                const res = await test_app.app.request(audit_route.path, {
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: audit_log_list_action_spec.method,
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
+                assert.ok(res.ok, `audit_log_list failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const body = res.result;
                 assert.ok(Array.isArray(body.events), 'Expected events array');
             });
             test('audit log supports event_type filter', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                const audit_route = find_admin_route(test_app.route_specs, '/audit-log', 'GET');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                assert.ok(audit_route, 'Expected admin GET /audit-log route — ensure create_route_specs includes admin routes');
-                // Create a grant to produce an audit event
+                // Admin offer emits `permit_offer_create`. The downstream
+                // `permit_grant` only fires on accept — out of scope for this test.
                 const user_two = await test_app.create_account({ username: 'user_two' });
-                const grant_path = grant_route.path.replace(':account_id', user_two.account.id);
-                await test_app.app.request(grant_path, {
-                    method: 'POST',
-                    headers: test_app.create_session_headers({ 'content-type': 'application/json' }),
-                    body: JSON.stringify({ role: grantable_role }),
+                const offer_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: permit_offer_create_action_spec.method,
+                    params: { to_account_id: user_two.account.id, role: grantable_role },
+                    headers: test_app.create_session_headers(),
                 });
-                // Filter by event_type
-                const res = await test_app.app.request(`${audit_route.path}?event_type=permit_grant`, {
+                assert.ok(offer_res.ok, 'permit_offer_create should succeed');
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: audit_log_list_action_spec.method,
+                    params: { event_type: 'permit_offer_create' },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
-                assert.ok(Array.isArray(body.events));
-                assert.ok(body.events.length >= 1, 'Expected at least 1 permit_grant event');
+                assert.ok(res.ok, `audit_log_list failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const body = res.result;
+                assert.ok(body.events.length >= 1, 'Expected at least 1 permit_offer_create event');
                 for (const event of body.events) {
-                    assert.strictEqual(event.event_type, 'permit_grant');
+                    assert.strictEqual(event.event_type, 'permit_offer_create');
                 }
             });
             test('admin can view permit history', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                const history_route = find_admin_route(test_app.route_specs, '/audit-log/permit-history', 'GET');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                assert.ok(history_route, 'Expected admin GET /audit-log/permit-history route — ensure create_route_specs includes admin routes');
-                // Create a grant to produce audit data
+                // Drive the full consent flow so `permit_grant` lands in the audit log
+                // — `query_audit_log_list_permit_history` filters to (permit_grant, permit_revoke).
                 const user_two = await test_app.create_account({ username: 'user_two' });
-                const grant_path = grant_route.path.replace(':account_id', user_two.account.id);
-                await test_app.app.request(grant_path, {
-                    method: 'POST',
-                    headers: test_app.create_session_headers({ 'content-type': 'application/json' }),
-                    body: JSON.stringify({ role: grantable_role }),
-                });
-                const res = await test_app.app.request(history_route.path, {
+                await offer_and_accept({
+                    app: test_app.app,
+                    admin_headers: test_app.create_session_headers(),
+                    to_account_id: user_two.account.id,
+                    role: grantable_role,
+                });
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: audit_log_permit_history_action_spec.method,
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
-                assert.ok(Array.isArray(body.events), 'Expected events array');
+                assert.ok(res.ok, `audit_log_permit_history failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const body = res.result;
                 assert.ok(body.events.length >= 1, 'Expected at least 1 permit history event');
             });
         });
@@ -477,85 +331,147 @@ export const describe_standard_admin_integration_tests = (options) => {
         describe('admin audit trail', () => {
             test('permit revoke creates audit event', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                const revoke_route = find_admin_route(test_app.route_specs, '/permits/:permit_id/revoke', 'POST');
-                const accounts_route = find_admin_route(test_app.route_specs, '/accounts', 'GET');
-                const audit_route = find_admin_route(test_app.route_specs, '/audit-log', 'GET');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route — ensure create_route_specs includes admin routes');
-                assert.ok(revoke_route, 'Expected admin POST /permits/:permit_id/revoke route — ensure create_route_specs includes admin routes');
-                assert.ok(accounts_route, 'Expected admin GET /accounts route — ensure create_route_specs includes admin routes');
-                assert.ok(audit_route, 'Expected admin GET /audit-log route — ensure create_route_specs includes admin routes');
                 const user_two = await test_app.create_account({ username: 'user_two' });
-                const admin_headers = test_app.create_session_headers({ 'content-type': 'application/json' });
-                // Grant a role
-                const grant_path = grant_route.path.replace(':account_id', user_two.account.id);
-                await test_app.app.request(grant_path, {
-                    method: 'POST',
-                    headers: admin_headers,
-                    body: JSON.stringify({ role: grantable_role }),
-                });
-                // Find the permit ID
-                const list_res = await test_app.app.request(accounts_route.path, {
+                const target_actor = await query_actor_by_account({ db: get_db() }, user_two.account.id);
+                assert.ok(target_actor);
+                const permit = await query_grant_permit({ db: get_db() }, {
+                    actor_id: target_actor.id,
+                    role: grantable_role,
+                    granted_by: test_app.backend.actor.id,
+                });
+                // Revoke via RPC
+                const revoke_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: permit_revoke_action_spec.method,
+                    params: { actor_id: target_actor.id, permit_id: permit.id },
                     headers: test_app.create_session_headers(),
                 });
-                const list_body = await list_res.json();
-                const entry = list_body.accounts.find((e) => e.account.id === user_two.account.id);
-                const permit = entry.permits.find((p) => p.role === grantable_role);
-                // Revoke the permit
-                const revoke_path = revoke_route.path
-                    .replace(':account_id', user_two.account.id)
-                    .replace(':permit_id', permit.id);
-                await test_app.app.request(revoke_path, {
-                    method: 'POST',
+                assert.ok(revoke_res.ok, `permit_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
+                // Check audit log for permit_revoke event
+                const audit_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: audit_log_list_action_spec.method,
+                    params: { event_type: 'permit_revoke' },
                     headers: test_app.create_session_headers(),
                 });
-                // Check audit log for permit_revoke event
-                const audit_res = await test_app.app.request(`${audit_route.path}?event_type=permit_revoke`, { headers: test_app.create_session_headers() });
-                assert.strictEqual(audit_res.status, 200);
-                const audit_body = await audit_res.json();
+                assert.ok(audit_res.ok, `audit_log_list failed: ${audit_res.ok ? '' : JSON.stringify(audit_res.error)}`);
+                const audit_body = audit_res.result;
                 assert.ok(audit_body.events.length >= 1, 'Expected permit_revoke audit event');
                 assert.strictEqual(audit_body.events[0].event_type, 'permit_revoke');
             });
             test('admin session revoke-all creates audit event', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const revoke_sessions_route = find_admin_route(test_app.route_specs, '/sessions/revoke-all', 'POST');
-                const audit_route = find_admin_route(test_app.route_specs, '/audit-log', 'GET');
-                assert.ok(revoke_sessions_route, 'Expected admin POST /sessions/revoke-all route — ensure create_route_specs includes admin routes');
-                assert.ok(audit_route, 'Expected admin GET /audit-log route — ensure create_route_specs includes admin routes');
                 const user_two = await test_app.create_account({ username: 'user_two' });
-                // Revoke all sessions for user_two
-                const path = revoke_sessions_route.path.replace(':account_id', user_two.account.id);
-                await test_app.app.request(path, {
-                    method: 'POST',
+                // Revoke all sessions for user_two via RPC
+                const revoke_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_session_revoke_all_action_spec.method,
+                    params: { account_id: user_two.account.id },
                     headers: test_app.create_session_headers(),
                 });
+                assert.ok(revoke_res.ok, `admin_session_revoke_all failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
                 // Check audit log
-                const audit_res = await test_app.app.request(`${audit_route.path}?event_type=session_revoke_all`, { headers: test_app.create_session_headers() });
-                assert.strictEqual(audit_res.status, 200);
-                const audit_body = await audit_res.json();
+                const audit_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: audit_log_list_action_spec.method,
+                    params: { event_type: 'session_revoke_all' },
+                    headers: test_app.create_session_headers(),
+                });
+                assert.ok(audit_res.ok, 'audit_log_list should succeed');
+                const audit_body = audit_res.result;
                 assert.ok(audit_body.events.length >= 1, 'Expected session_revoke_all audit event');
                 assert.strictEqual(audit_body.events[0].event_type, 'session_revoke_all');
             });
             test('admin token revoke-all creates audit event', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                const revoke_tokens_route = find_admin_route(test_app.route_specs, '/tokens/revoke-all', 'POST');
-                const audit_route = find_admin_route(test_app.route_specs, '/audit-log', 'GET');
-                assert.ok(revoke_tokens_route, 'Expected admin POST /tokens/revoke-all route — ensure create_route_specs includes admin routes');
-                assert.ok(audit_route, 'Expected admin GET /audit-log route — ensure create_route_specs includes admin routes');
                 const user_two = await test_app.create_account({ username: 'user_two' });
-                // Revoke all tokens for user_two
-                const path = revoke_tokens_route.path.replace(':account_id', user_two.account.id);
-                await test_app.app.request(path, {
-                    method: 'POST',
+                // Revoke all tokens for user_two via RPC
+                const revoke_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_token_revoke_all_action_spec.method,
+                    params: { account_id: user_two.account.id },
                     headers: test_app.create_session_headers(),
                 });
+                assert.ok(revoke_res.ok, `admin_token_revoke_all failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
                 // Check audit log
-                const audit_res = await test_app.app.request(`${audit_route.path}?event_type=token_revoke_all`, { headers: test_app.create_session_headers() });
-                assert.strictEqual(audit_res.status, 200);
-                const audit_body = await audit_res.json();
+                const audit_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: audit_log_list_action_spec.method,
+                    params: { event_type: 'token_revoke_all' },
+                    headers: test_app.create_session_headers(),
+                });
+                assert.ok(audit_res.ok, 'audit_log_list should succeed');
+                const audit_body = audit_res.result;
                 assert.ok(audit_body.events.length >= 1, 'Expected token_revoke_all audit event');
                 assert.strictEqual(audit_body.events[0].event_type, 'token_revoke_all');
             });
+            test('admin session revoke-all 404 emits failure audit', async () => {
+                const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
+                // `Uuid = z.uuid()` is v4-strict; use a valid v4 shape so we hit the
+                // handler's account lookup rather than failing at param validation.
+                const missing_id = 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaa01';
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_session_revoke_all_action_spec.method,
+                    params: { account_id: missing_id },
+                    headers: test_app.create_session_headers(),
+                });
+                assert.ok(!res.ok, 'Expected 404 for missing account');
+                assert.strictEqual(res.status, 404);
+                assert.strictEqual(res.error.data.reason, 'account_not_found');
+                // Failure audit row should be visible on the audit-log feed.
+                // `target_account_id` is null (FK prevents referencing a missing id)
+                // — the probed id is preserved under `metadata.attempted_account_id`.
+                const audit_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: audit_log_list_action_spec.method,
+                    params: { event_type: 'session_revoke_all' },
+                    headers: test_app.create_session_headers(),
+                });
+                assert.ok(audit_res.ok, 'audit_log_list should succeed');
+                const audit_body = audit_res.result;
+                const failure = audit_body.events.find((e) => e.outcome === 'failure');
+                assert.ok(failure, 'Expected a failure-outcome session_revoke_all audit event');
+                assert.strictEqual(failure.target_account_id, null);
+                assert.strictEqual(failure.metadata.reason, 'account_not_found');
+                assert.strictEqual(failure.metadata.attempted_account_id, missing_id);
+            });
+            test('admin token revoke-all 404 emits failure audit', async () => {
+                const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
+                const missing_id = 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaa02';
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_token_revoke_all_action_spec.method,
+                    params: { account_id: missing_id },
+                    headers: test_app.create_session_headers(),
+                });
+                assert.ok(!res.ok, 'Expected 404 for missing account');
+                assert.strictEqual(res.status, 404);
+                assert.strictEqual(res.error.data.reason, 'account_not_found');
+                const audit_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: audit_log_list_action_spec.method,
+                    params: { event_type: 'token_revoke_all' },
+                    headers: test_app.create_session_headers(),
+                });
+                assert.ok(audit_res.ok, 'audit_log_list should succeed');
+                const audit_body = audit_res.result;
+                const failure = audit_body.events.find((e) => e.outcome === 'failure');
+                assert.ok(failure, 'Expected a failure-outcome token_revoke_all audit event');
+                assert.strictEqual(failure.target_account_id, null);
+                assert.strictEqual(failure.metadata.reason, 'account_not_found');
+                assert.strictEqual(failure.metadata.attempted_account_id, missing_id);
+            });
         });
         // --- 7. Audit log completeness ---
         describe('audit log completeness', () => {
@@ -563,26 +479,13 @@ export const describe_standard_admin_integration_tests = (options) => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
                 const login_route = find_auth_route(test_app.route_specs, '/login', 'POST');
                 const logout_route = find_auth_route(test_app.route_specs, '/logout', 'POST');
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                const revoke_route = find_admin_route(test_app.route_specs, '/permits/:permit_id/revoke', 'POST');
-                const accounts_route = find_admin_route(test_app.route_specs, '/accounts', 'GET');
-                const create_token_route = find_auth_route(test_app.route_specs, '/tokens/create', 'POST');
                 const password_route = find_auth_route(test_app.route_specs, '/password', 'POST');
-                const audit_route = find_admin_route(test_app.route_specs, '/audit-log', 'GET');
-                assert.ok(audit_route, 'Expected admin GET /audit-log route');
-                // skip if required routes are missing (consumer may not wire all routes)
-                if (!login_route ||
-                    !logout_route ||
-                    !grant_route ||
-                    !revoke_route ||
-                    !accounts_route ||
-                    !create_token_route ||
-                    !password_route)
+                // skip if required routes are missing (consumer may not wire all routes).
+                // Token creation goes through `account_token_create` RPC — always wired
+                // because `rpc_endpoints` is required at the suite level.
+                if (!login_route || !logout_route || !password_route)
                     return;
                 const user_two = await test_app.create_account({ username: 'audit_user' });
-                const admin_headers = test_app.create_session_headers({
-                    'content-type': 'application/json',
-                });
                 // 1. login (user_two logs in)
                 const login_res = await test_app.app.request(login_route.path, {
                     method: 'POST',
@@ -609,36 +512,35 @@ export const describe_standard_admin_integration_tests = (options) => {
                         },
                     });
                 }
-                // 3. grant permit (admin grants grantable_role to user_two)
-                const grant_path = grant_route.path.replace(':account_id', user_two.account.id);
-                await test_app.app.request(grant_path, {
-                    method: 'POST',
-                    headers: admin_headers,
-                    body: JSON.stringify({ role: grantable_role }),
-                });
-                // find permit ID
-                const list_res = await test_app.app.request(accounts_route.path, {
+                // 3. offer permit (admin offers grantable_role to user_two) — full
+                // consentful flow: offer + accept so both `permit_offer_create` and
+                // `permit_grant` audit events land.
+                const { permit_id } = await offer_and_accept({
+                    app: test_app.app,
+                    admin_headers: test_app.create_session_headers(),
+                    to_account_id: user_two.account.id,
+                    role: grantable_role,
+                });
+                // 4. revoke permit (RPC)
+                const target_actor = await query_actor_by_account({ db: get_db() }, user_two.account.id);
+                assert.ok(target_actor);
+                const revoke_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: permit_revoke_action_spec.method,
+                    params: { actor_id: target_actor.id, permit_id },
                     headers: test_app.create_session_headers(),
                 });
-                const list_body = await list_res.json();
-                const entry = list_body.accounts.find((e) => e.account.id === user_two.account.id);
-                const permit = entry?.permits?.find((p) => p.role === grantable_role);
-                // 4. revoke permit
-                if (permit) {
-                    const rev_path = revoke_route.path
-                        .replace(':account_id', user_two.account.id)
-                        .replace(':permit_id', permit.id);
-                    await test_app.app.request(rev_path, {
-                        method: 'POST',
-                        headers: test_app.create_session_headers(),
-                    });
-                }
-                // 5. create token
-                await test_app.app.request(create_token_route.path, {
-                    method: 'POST',
-                    headers: admin_headers,
-                    body: JSON.stringify({ name: 'audit-test-token' }),
+                assert.ok(revoke_res.ok, `permit_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
+                // 5. create token (RPC)
+                const token_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_token_create_action_spec.method,
+                    params: { name: 'audit-test-token' },
+                    headers: test_app.create_session_headers(),
                 });
+                assert.ok(token_res.ok, `account_token_create failed: ${token_res.ok ? '' : JSON.stringify(token_res.error)}`);
                 // 6. password change
                 await test_app.app.request(password_route.path, {
                     method: 'POST',
@@ -673,16 +575,23 @@ export const describe_standard_admin_integration_tests = (options) => {
                     origin: 'http://localhost:5173',
                     cookie: `${cookie_name}=${relogin_match[1]}`,
                 };
-                const audit_res = await test_app.app.request(audit_route.path, {
+                const audit_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: audit_log_list_action_spec.method,
                     headers: relogin_headers,
                 });
-                assert.strictEqual(audit_res.status, 200);
-                const audit_body = await audit_res.json();
+                assert.ok(audit_res.ok, `audit_log_list failed: ${audit_res.ok ? '' : JSON.stringify(audit_res.error)}`);
+                const audit_body = audit_res.result;
                 const events = audit_body.events;
-                // check that each operation produced at least one event
+                // check that each operation produced at least one event.
+                // `permit_offer_create` fires on the admin RPC; `permit_grant`
+                // fires when the recipient accepts (driven by offer_and_accept).
                 const expected_types = [
                     'login',
                     'logout',
+                    'permit_offer_create',
+                    'permit_offer_accept',
                     'permit_grant',
                     'permit_revoke',
                     'token_create',
@@ -697,7 +606,7 @@ export const describe_standard_admin_integration_tests = (options) => {
         });
         // --- 8. Admin-to-admin isolation ---
         describe('admin-to-admin isolation', () => {
-            test('admin A cannot revoke admin B permits via mismatched account_id', async () => {
+            test('admin B revoking own permit via RPC succeeds', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
                 captured_route_specs ??= test_app.route_specs;
                 // Bootstrap user is admin A. Create admin B.
@@ -705,36 +614,24 @@ export const describe_standard_admin_integration_tests = (options) => {
                     username: 'admin_b_iso',
                     roles: ['admin'],
                 });
-                // Find the permit grant route to give admin B a grantable role
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                assert.ok(grant_route, 'Expected POST /permits/grant admin route');
-                // Admin A grants a role to admin B
-                const grant_res = await test_app.app.request(grant_route.path.replace(':account_id', admin_b.account.id), {
-                    method: 'POST',
-                    headers: create_headers(test_app.backend.session_cookie, {
-                        'content-type': 'application/json',
-                    }),
-                    body: JSON.stringify({ role: grantable_role }),
-                });
-                assert.strictEqual(grant_res.status, 200);
-                const grant_body = await grant_res.json();
-                assert.ok(grant_body.permit, 'Expected permit in grant response');
-                const permit_id = grant_body.permit.id;
-                // Admin B revokes their own permit via admin route — should succeed
-                const revoke_route = test_app.route_specs.find((s) => s.method === 'POST' &&
-                    s.path.includes('/permits/:permit_id/revoke') &&
-                    s.auth.type === 'role' &&
-                    s.auth.role === 'admin');
-                assert.ok(revoke_route, 'Expected POST /permits/:permit_id/revoke admin route');
-                const revoke_res = await test_app.app.request(revoke_route.path
-                    .replace(':account_id', admin_b.account.id)
-                    .replace(':permit_id', permit_id), {
-                    method: 'POST',
+                // Seed an active permit directly — the revoke IDOR check is the
+                // subject of this test, not the grant→accept cycle.
+                const permit = await query_grant_permit({ db: get_db() }, {
+                    actor_id: admin_b.actor.id,
+                    role: grantable_role,
+                    granted_by: test_app.backend.actor.id,
+                });
+                // Admin B revokes their own permit via RPC — should succeed
+                const revoke_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: permit_revoke_action_spec.method,
+                    params: { actor_id: admin_b.actor.id, permit_id: permit.id },
                     headers: create_headers(admin_b.session_cookie),
                 });
-                assert.strictEqual(revoke_res.status, 200);
-                const revoke_body = await revoke_res.json();
-                assert.strictEqual(revoke_body.revoked, true);
+                assert.ok(revoke_res.ok, `permit_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
+                const result = revoke_res.result;
+                assert.strictEqual(result.revoked, true);
             });
             test('admin revoke-all sessions for another admin works', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
@@ -742,17 +639,18 @@ export const describe_standard_admin_integration_tests = (options) => {
                     username: 'admin_b_sess',
                     roles: ['admin'],
                 });
-                const revoke_sessions_route = find_admin_route(test_app.route_specs, '/sessions/revoke-all', 'POST');
-                assert.ok(revoke_sessions_route, 'Expected POST /sessions/revoke-all admin route');
-                // Admin A revokes all of admin B's sessions
-                const res = await test_app.app.request(revoke_sessions_route.path.replace(':account_id', admin_b.account.id), {
-                    method: 'POST',
+                // Admin A revokes all of admin B's sessions via RPC
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_session_revoke_all_action_spec.method,
+                    params: { account_id: admin_b.account.id },
                     headers: create_headers(test_app.backend.session_cookie),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
-                assert.ok(typeof body.count === 'number', 'Expected count field in response');
-                assert.ok(body.count >= 1, 'Expected at least 1 session revoked');
+                assert.ok(res.ok, `admin_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const result = res.result;
+                assert.ok(typeof result.count === 'number', 'Expected count field in response');
+                assert.ok(result.count >= 1, 'Expected at least 1 session revoked');
             });
             test('admin revoke-all tokens for another admin works', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
@@ -760,39 +658,41 @@ export const describe_standard_admin_integration_tests = (options) => {
                     username: 'admin_b_tok',
                     roles: ['admin'],
                 });
-                // Admin B creates an API token
-                const token_create_route = test_app.route_specs.find((s) => s.method === 'POST' && s.path.endsWith('/tokens/create'));
-                if (token_create_route) {
-                    await test_app.app.request(token_create_route.path, {
-                        method: 'POST',
-                        headers: create_headers(admin_b.session_cookie, {
-                            'content-type': 'application/json',
-                        }),
-                        body: JSON.stringify({ name: 'admin-b-token' }),
-                    });
-                }
-                const revoke_tokens_route = find_admin_route(test_app.route_specs, '/tokens/revoke-all', 'POST');
-                assert.ok(revoke_tokens_route, 'Expected POST /tokens/revoke-all admin route');
-                // Admin A revokes all of admin B's tokens
-                const res = await test_app.app.request(revoke_tokens_route.path.replace(':account_id', admin_b.account.id), {
-                    method: 'POST',
+                // Admin B creates an API token via RPC
+                const token_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_token_create_action_spec.method,
+                    params: { name: 'admin-b-token' },
+                    headers: create_headers(admin_b.session_cookie),
+                });
+                assert.ok(token_res.ok, `account_token_create failed: ${token_res.ok ? '' : JSON.stringify(token_res.error)}`);
+                // Admin A revokes all of admin B's tokens via RPC
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_token_revoke_all_action_spec.method,
+                    params: { account_id: admin_b.account.id },
                     headers: create_headers(test_app.backend.session_cookie),
                 });
-                assert.strictEqual(res.status, 200);
-                const body = await res.json();
-                assert.ok(typeof body.count === 'number', 'Expected count field in response');
+                assert.ok(res.ok, `admin_token_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const result = res.result;
+                assert.ok(typeof result.count === 'number', 'Expected count field in response');
+                // Token was created above, so revoke should evict at least one.
+                assert.ok(result.count >= 1, 'Expected at least 1 token revoked');
             });
             test('non-admin cannot access admin routes for another account', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
                 const regular_user = await test_app.create_account({ username: 'regular_user_iso' });
-                const accounts_route = find_admin_route(test_app.route_specs, '/accounts', 'GET');
-                assert.ok(accounts_route, 'Expected GET /accounts admin route');
-                // Regular user tries to list accounts — should get 403
-                const res = await test_app.app.request(accounts_route.path, {
+                // Regular user tries to list accounts via the admin RPC — should 403
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_account_list_action_spec.method,
                     headers: create_headers(regular_user.session_cookie),
                 });
+                assert.ok(!res.ok, 'Expected admin_account_list to fail for non-admin');
                 assert.strictEqual(res.status, 403);
-                error_collector.record(test_app.route_specs, 'GET', accounts_route.path, 403);
             });
         });
         // --- 8a. Error coverage: unauthenticated access to admin routes ---