@jskit-ai/users-core 0.1.4

package/test/usersRouteRequestInputValidator.test.js

@@ -0,0 +1,556 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { KERNEL_TOKENS } from "@jskit-ai/kernel/shared/support/tokens";
+import { UsersCoreServiceProvider } from "../src/server/UsersCoreServiceProvider.js";
+import { resolveTenancyProfile } from "../src/shared/tenancyProfile.js";
+
+function createReplyDouble() {
+  return {
+    statusCode: 200,
+    payload: null,
+    redirectedTo: "",
+    code(value) {
+      this.statusCode = value;
+      return this;
+    },
+    send(value) {
+      this.payload = value;
+      return this;
+    },
+    redirect(value) {
+      this.redirectedTo = String(value || "");
+      return this;
+    }
+  };
+}
+
+function findRoute(routes, { method, path }) {
+  return routes.find((route) => route.method === method && route.path === path) || null;
+}
+
+async function registerRoutes({
+  authService = {},
+  consoleService = null,
+  workspaceEnabled = true,
+  workspaceTenancyEnabled = true,
+  workspaceInvitationsEnabled = true,
+  workspaceSelfCreateEnabled = true
+} = {}) {
+  const registeredRoutes = [];
+  const router = {
+    register(method, path, route, handler) {
+      registeredRoutes.push({
+        ...route,
+        method,
+        path,
+        handler
+      });
+    }
+  };
+
+  const bindings = new Map([
+    [KERNEL_TOKENS.HttpRouter, router],
+    ["authService", authService],
+    [
+      "users.accountProfile.service",
+      {
+        async readAvatar() {
+          return {
+            mimeType: "image/png",
+            buffer: Buffer.from([])
+          };
+        }
+      }
+    ],
+    ["actionExecutor", {}],
+    ["users.workspace.enabled", workspaceEnabled],
+    ["users.workspace.tenancy.enabled", workspaceTenancyEnabled],
+    ["users.workspace.invitations.enabled", workspaceInvitationsEnabled],
+    ["users.workspace.self-create.enabled", workspaceSelfCreateEnabled]
+  ]);
+
+  if (consoleService) {
+    bindings.set("consoleService", consoleService);
+  }
+
+  const app = {
+    has(token) {
+      return bindings.has(token);
+    },
+    make(token) {
+      if (!bindings.has(token)) {
+        throw new Error(`Missing test binding for token: ${String(token)}`);
+      }
+      return bindings.get(token);
+    }
+  };
+
+  const provider = new UsersCoreServiceProvider();
+  await provider.boot(app);
+
+  return registeredRoutes;
+}
+
+async function registerRoutesForMode({
+  tenancyMode = "none",
+  tenancyPolicy = {}
+} = {}) {
+  const tenancyProfile = resolveTenancyProfile({
+    tenancyMode,
+    tenancyPolicy
+  });
+  return registerRoutes({
+    workspaceEnabled: tenancyProfile.workspace.enabled === true,
+    workspaceTenancyEnabled: tenancyProfile.mode === "workspace",
+    workspaceInvitationsEnabled:
+      tenancyProfile.workspace.enabled === true && tenancyProfile.mode !== "none",
+    workspaceSelfCreateEnabled: tenancyProfile.workspace.allowSelfCreate === true
+  });
+}
+
+function createActionRequest({ input = {}, executeAction, file = null }) {
+  return {
+    input,
+    executeAction,
+    file,
+    user: {
+      id: 42
+    }
+  };
+}
+
+test("workspace and settings routes attach only the shared transport normalizers they actually use", async () => {
+  const routes = await registerRoutes();
+
+  const workspaceSettings = findRoute(routes, {
+    method: "GET",
+    path: "/api/w/:workspaceSlug/workspace/settings"
+  });
+  const workspaceSettingsPatch = findRoute(routes, {
+    method: "PATCH",
+    path: "/api/w/:workspaceSlug/workspace/settings"
+  });
+  const workspaceMemberRole = findRoute(routes, {
+    method: "PATCH",
+    path: "/api/w/:workspaceSlug/workspace/members/:memberUserId/role"
+  });
+  const workspaceMemberDelete = findRoute(routes, {
+    method: "DELETE",
+    path: "/api/w/:workspaceSlug/workspace/members/:memberUserId"
+  });
+  const workspaceInviteDelete = findRoute(routes, {
+    method: "DELETE",
+    path: "/api/w/:workspaceSlug/workspace/invites/:inviteId"
+  });
+  const settingsProfilePatch = findRoute(routes, {
+    method: "PATCH",
+    path: "/api/settings/profile"
+  });
+  const settingsOAuthStart = findRoute(routes, {
+    method: "GET",
+    path: "/api/settings/security/oauth/:provider/start"
+  });
+  const consoleSettingsPatch = findRoute(routes, {
+    method: "PATCH",
+    path: "/api/console/settings"
+  });
+
+  assert.equal(typeof workspaceSettings?.paramsValidator?.normalize, "function");
+  assert.equal(typeof workspaceSettingsPatch?.bodyValidator?.normalize, "function");
+  assert.equal(typeof workspaceMemberRole?.paramsValidator?.normalize, "function");
+  assert.equal(typeof workspaceMemberRole?.bodyValidator?.normalize, "function");
+  assert.equal(typeof workspaceMemberDelete?.paramsValidator?.normalize, "function");
+  assert.equal(typeof workspaceInviteDelete?.paramsValidator?.normalize, "function");
+  assert.equal(typeof settingsProfilePatch?.bodyValidator?.normalize, "function");
+  assert.equal(typeof settingsOAuthStart?.paramsValidator?.normalize, "function");
+  assert.equal(typeof settingsOAuthStart?.queryValidator?.normalize, "function");
+  assert.equal(typeof consoleSettingsPatch?.bodyValidator?.normalize, "function");
+});
+
+test("workspace settings routes mount one canonical workspace endpoint", async () => {
+  const routes = await registerRoutes();
+  const workspaceSettings = findRoute(routes, {
+    method: "GET",
+    path: "/api/w/:workspaceSlug/workspace/settings"
+  });
+  const workspaceSettingsPatch = findRoute(routes, {
+    method: "PATCH",
+    path: "/api/w/:workspaceSlug/workspace/settings"
+  });
+  const adminWorkspaceSettings = findRoute(routes, {
+    method: "GET",
+    path: "/api/admin/w/:workspaceSlug/workspace/settings"
+  });
+  const consoleWorkspaceSettings = findRoute(routes, {
+    method: "GET",
+    path: "/api/console/w/:workspaceSlug/workspace/settings"
+  });
+
+  assert.ok(workspaceSettings);
+  assert.equal(workspaceSettings?.visibility, "workspace");
+  assert.equal(workspaceSettingsPatch?.visibility, "workspace");
+  assert.equal(workspaceSettings?.surface, "");
+  assert.equal(workspaceSettingsPatch?.surface, "");
+  assert.equal(adminWorkspaceSettings, null);
+  assert.equal(consoleWorkspaceSettings, null);
+});
+
+test("users-core boot skips workspace routes when workspace policy is disabled", async () => {
+  const routes = await registerRoutes({
+    workspaceEnabled: false,
+    workspaceTenancyEnabled: false,
+    workspaceInvitationsEnabled: false,
+    workspaceSelfCreateEnabled: false
+  });
+
+  assert.equal(findRoute(routes, { method: "GET", path: "/api/workspaces" }), null);
+  assert.equal(findRoute(routes, { method: "POST", path: "/api/workspaces" }), null);
+  assert.equal(findRoute(routes, { method: "GET", path: "/api/w/:workspaceSlug/workspace/settings" }), null);
+  assert.equal(findRoute(routes, { method: "GET", path: "/api/settings" })?.path, "/api/settings");
+});
+
+test("users-core boot skips workspace create route when self-create policy is disabled", async () => {
+  const routes = await registerRoutes({
+    workspaceEnabled: true,
+    workspaceTenancyEnabled: true,
+    workspaceInvitationsEnabled: true,
+    workspaceSelfCreateEnabled: false
+  });
+
+  assert.equal(findRoute(routes, { method: "POST", path: "/api/workspaces" }), null);
+  assert.equal(findRoute(routes, { method: "GET", path: "/api/workspaces" })?.path, "/api/workspaces");
+});
+
+test("users-core route registration follows tenancy mode matrix", async () => {
+  const noneRoutes = await registerRoutesForMode({
+    tenancyMode: "none"
+  });
+  const personalRoutes = await registerRoutesForMode({
+    tenancyMode: "personal"
+  });
+  const workspaceRoutes = await registerRoutesForMode({
+    tenancyMode: "workspace"
+  });
+  const workspaceSelfCreateRoutes = await registerRoutesForMode({
+    tenancyMode: "workspace",
+    tenancyPolicy: {
+      workspace: {
+        allowSelfCreate: true
+      }
+    }
+  });
+
+  assert.equal(findRoute(noneRoutes, { method: "GET", path: "/api/workspaces" }), null);
+  assert.equal(findRoute(noneRoutes, { method: "POST", path: "/api/workspaces" }), null);
+  assert.equal(findRoute(noneRoutes, { method: "GET", path: "/api/w/:workspaceSlug/workspace/settings" }), null);
+  assert.equal(findRoute(noneRoutes, { method: "GET", path: "/api/workspace/invitations/pending" }), null);
+
+  assert.equal(findRoute(personalRoutes, { method: "GET", path: "/api/workspaces" })?.path, "/api/workspaces");
+  assert.equal(findRoute(personalRoutes, { method: "POST", path: "/api/workspaces" }), null);
+  assert.equal(
+    findRoute(personalRoutes, { method: "GET", path: "/api/w/:workspaceSlug/workspace/settings" })?.path,
+    "/api/w/:workspaceSlug/workspace/settings"
+  );
+  assert.equal(
+    findRoute(personalRoutes, { method: "GET", path: "/api/workspace/invitations/pending" })?.path,
+    "/api/workspace/invitations/pending"
+  );
+
+  assert.equal(findRoute(workspaceRoutes, { method: "GET", path: "/api/workspaces" })?.path, "/api/workspaces");
+  assert.equal(findRoute(workspaceRoutes, { method: "POST", path: "/api/workspaces" }), null);
+  assert.equal(
+    findRoute(workspaceRoutes, { method: "GET", path: "/api/w/:workspaceSlug/workspace/settings" })?.path,
+    "/api/w/:workspaceSlug/workspace/settings"
+  );
+  assert.equal(
+    findRoute(workspaceRoutes, { method: "GET", path: "/api/workspace/invitations/pending" })?.path,
+    "/api/workspace/invitations/pending"
+  );
+
+  assert.equal(
+    findRoute(workspaceSelfCreateRoutes, { method: "POST", path: "/api/workspaces" })?.path,
+    "/api/workspaces"
+  );
+});
+
+test("users-core boot skips invitation redeem/list routes when workspace invitations are disabled", async () => {
+  const routes = await registerRoutes({
+    workspaceEnabled: true,
+    workspaceTenancyEnabled: true,
+    workspaceInvitationsEnabled: false,
+    workspaceSelfCreateEnabled: false
+  });
+
+  assert.equal(findRoute(routes, { method: "GET", path: "/api/workspace/invitations/pending" }), null);
+  assert.equal(findRoute(routes, { method: "POST", path: "/api/workspace/invitations/redeem" }), null);
+  assert.equal(findRoute(routes, { method: "GET", path: "/api/w/:workspaceSlug/workspace/invites" }), null);
+  assert.equal(findRoute(routes, { method: "POST", path: "/api/w/:workspaceSlug/workspace/invites" }), null);
+  assert.equal(findRoute(routes, { method: "DELETE", path: "/api/w/:workspaceSlug/workspace/invites/:inviteId" }), null);
+});
+
+test("workspace invite and member handlers build action input from request.input", async () => {
+  const routes = await registerRoutes();
+  const workspaceCreate = findRoute(routes, {
+    method: "POST",
+    path: "/api/workspaces"
+  });
+  const workspaceInviteRedeem = findRoute(routes, {
+    method: "POST",
+    path: "/api/workspace/invitations/redeem"
+  });
+  const workspaceMemberRolePatch = findRoute(routes, {
+    method: "PATCH",
+    path: "/api/w/:workspaceSlug/workspace/members/:memberUserId/role"
+  });
+  const workspaceMemberDelete = findRoute(routes, {
+    method: "DELETE",
+    path: "/api/w/:workspaceSlug/workspace/members/:memberUserId"
+  });
+  const workspaceInviteCreate = findRoute(routes, {
+    method: "POST",
+    path: "/api/w/:workspaceSlug/workspace/invites"
+  });
+  const workspaceInviteDelete = findRoute(routes, {
+    method: "DELETE",
+    path: "/api/w/:workspaceSlug/workspace/invites/:inviteId"
+  });
+  const calls = [];
+  const executeAction = async (payload) => {
+    calls.push(payload);
+    return {};
+  };
+
+  await workspaceCreate.handler(
+    createActionRequest({
+      input: {
+        body: { name: "Operations", slug: "operations" }
+      },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await workspaceInviteRedeem.handler(
+    createActionRequest({
+      input: {
+        body: { token: "token-1", decision: "accept" }
+      },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await workspaceMemberRolePatch.handler(
+    createActionRequest({
+      input: {
+        params: { workspaceSlug: "acme", memberUserId: "12" },
+        body: { roleId: "admin" }
+      },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await workspaceInviteCreate.handler(
+    createActionRequest({
+      input: {
+        params: { workspaceSlug: "acme" },
+        body: { email: "user@example.com", roleId: "member" }
+      },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await workspaceMemberDelete.handler(
+    createActionRequest({
+      input: {
+        params: { workspaceSlug: "acme", memberUserId: "44" }
+      },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await workspaceInviteDelete.handler(
+    createActionRequest({
+      input: {
+        params: { workspaceSlug: "acme", inviteId: "55" }
+      },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+
+  assert.deepEqual(calls[0], {
+    actionId: "workspace.workspaces.create",
+    input: { name: "Operations", slug: "operations" }
+  });
+  assert.deepEqual(calls[1].input, { payload: { token: "token-1", decision: "accept" } });
+  assert.deepEqual(calls[2].input, { workspaceSlug: "acme", memberUserId: "12", roleId: "admin" });
+  assert.deepEqual(calls[3].input, { workspaceSlug: "acme", email: "user@example.com", roleId: "member" });
+  assert.deepEqual(calls[4].input, { workspaceSlug: "acme", memberUserId: "44" });
+  assert.deepEqual(calls[5].input, { workspaceSlug: "acme", inviteId: "55" });
+});
+
+test("workspace settings route handlers build action input from request.input", async () => {
+  const routes = await registerRoutes();
+  const workspaceSettingsPatch = findRoute(routes, {
+    method: "PATCH",
+    path: "/api/w/:workspaceSlug/workspace/settings"
+  });
+  const calls = [];
+  const executeAction = async (payload) => {
+    calls.push(payload);
+    return {};
+  };
+
+  await workspaceSettingsPatch.handler(
+    createActionRequest({
+      input: {
+        params: { workspaceSlug: "acme" },
+        body: { name: "Acme Workspace" }
+      },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+
+  assert.deepEqual(calls[0], {
+    actionId: "workspace.settings.update",
+    input: { workspaceSlug: "acme", patch: { name: "Acme Workspace" } }
+  });
+});
+
+test("account route handlers build action input from request.input", async () => {
+  const routes = await registerRoutes({
+    authService: {
+      writeSessionCookies() {}
+    }
+  });
+  const calls = [];
+  const executeAction = async (payload) => {
+    calls.push(payload);
+    if (payload.actionId === "settings.security.oauth.link.start") {
+      return { url: "/oauth/link" };
+    }
+    if (payload.actionId === "settings.profile.update") {
+      return { settings: {}, session: null };
+    }
+    if (payload.actionId === "settings.security.password.change") {
+      return { message: "ok", session: null };
+    }
+    return {};
+  };
+
+  await findRoute(routes, { method: "PATCH", path: "/api/settings/profile" }).handler(
+    createActionRequest({
+      input: { body: { displayName: "Merc" } },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await findRoute(routes, { method: "PATCH", path: "/api/settings/preferences" }).handler(
+    createActionRequest({
+      input: { body: { locale: "en-US" } },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await findRoute(routes, { method: "PATCH", path: "/api/settings/notifications" }).handler(
+    createActionRequest({
+      input: { body: { email: true } },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await findRoute(routes, { method: "POST", path: "/api/settings/security/change-password" }).handler(
+    createActionRequest({
+      input: {
+        body: {
+          currentPassword: "old-password",
+          newPassword: "new-password-123",
+          confirmPassword: "new-password-123"
+        }
+      },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await findRoute(routes, { method: "PATCH", path: "/api/settings/security/methods/password" }).handler(
+    createActionRequest({
+      input: { body: { enabled: true } },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  const oauthReply = createReplyDouble();
+  await findRoute(routes, { method: "GET", path: "/api/settings/security/oauth/:provider/start" }).handler(
+    createActionRequest({
+      input: {
+        params: { provider: "github" },
+        query: { returnTo: "/app/settings" }
+      },
+      executeAction
+    }),
+    oauthReply
+  );
+  await findRoute(routes, { method: "DELETE", path: "/api/settings/security/oauth/:provider" }).handler(
+    createActionRequest({
+      input: { params: { provider: "github" } },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+  await findRoute(routes, { method: "POST", path: "/api/settings/security/logout-others" }).handler(
+    createActionRequest({
+      executeAction
+    }),
+    createReplyDouble()
+  );
+
+  assert.deepEqual(calls[0].input, { payload: { displayName: "Merc" } });
+  assert.deepEqual(calls[1].input, { payload: { locale: "en-US" } });
+  assert.deepEqual(calls[2].input, { payload: { email: true } });
+  assert.deepEqual(calls[3].input, {
+    payload: {
+      currentPassword: "old-password",
+      newPassword: "new-password-123",
+      confirmPassword: "new-password-123"
+    }
+  });
+  assert.deepEqual(calls[4].input, { payload: { enabled: true } });
+  assert.deepEqual(calls[5].input, { provider: "github", returnTo: "/app/settings" });
+  assert.equal(oauthReply.redirectedTo, "/oauth/link");
+  assert.deepEqual(calls[6].input, { provider: "github" });
+  assert.equal(calls[7].actionId, "settings.security.sessions.logout_others");
+});
+
+test("console settings route handlers use request.input payloads", async () => {
+  const routes = await registerRoutes();
+  const calls = [];
+  const executeAction = async (payload) => {
+    calls.push(payload);
+    return {
+      settings: {}
+    };
+  };
+
+  await findRoute(routes, { method: "GET", path: "/api/console/settings" }).handler(
+    createActionRequest({ executeAction }),
+    createReplyDouble()
+  );
+
+  await findRoute(routes, { method: "PATCH", path: "/api/console/settings" }).handler(
+    createActionRequest({
+      input: {
+        body: {}
+      },
+      executeAction
+    }),
+    createReplyDouble()
+  );
+
+  assert.equal(calls[0].actionId, "console.settings.read");
+  assert.deepEqual(calls[1], {
+    actionId: "console.settings.update",
+    input: {
+      payload: {}
+    }
+  });
+});

package/test/usersRouteResources.test.js

@@ -0,0 +1,113 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import path from "node:path";
+import { existsSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { deriveResourceRequiredMetadata } from "@jskit-ai/kernel/_testable";
+import "../test-support/registerDefaultSettingsFields.js";
+import { consoleSettingsResource } from "../src/shared/resources/consoleSettingsResource.js";
+import { userProfileResource } from "../src/shared/resources/userProfileResource.js";
+import { userSettingsResource } from "../src/shared/resources/userSettingsResource.js";
+import { workspaceMembersResource } from "../src/shared/resources/workspaceMembersResource.js";
+import { workspaceResource } from "../src/shared/resources/workspaceResource.js";
+import { workspaceSettingsResource } from "../src/shared/resources/workspaceSettingsResource.js";
+
+function assertResourceShape(resource, label) {
+  assert.ok(resource, `${label} resource must exist.`);
+  assert.equal(typeof resource, "object", `${label} resource must be an object.`);
+  assert.equal(typeof resource.resource, "string", `${label}.resource must be a string.`);
+
+  for (const operationName of ["view", "list", "create", "replace", "patch"]) {
+    const operation = resource.operations?.[operationName];
+    assert.equal(typeof operation, "object", `${label}.operations.${operationName} must exist.`);
+    assert.equal(typeof operation.method, "string", `${label}.operations.${operationName}.method must exist.`);
+    const resolvedMessages =
+      operation?.messages && typeof operation.messages === "object"
+        ? operation.messages
+        : resource?.messages || resource?.operationMessages;
+    assert.equal(
+      typeof resolvedMessages,
+      "object",
+      `${label}.operations.${operationName} must resolve messages from operation.messages or resource.messages.`
+    );
+    assert.equal(
+      typeof operation.outputValidator?.schema,
+      "object",
+      `${label}.operations.${operationName} payload schema is required.`
+    );
+  }
+
+  assert.equal(typeof resource.operations.create.bodyValidator?.schema, "object", `${label}.operations.create.bodyValidator.schema is required.`);
+  assert.equal(typeof resource.operations.replace.bodyValidator?.schema, "object", `${label}.operations.replace.bodyValidator.schema is required.`);
+  assert.equal(typeof resource.operations.patch.bodyValidator?.schema, "object", `${label}.operations.patch.bodyValidator.schema is required.`);
+
+  const requiredMetadata = deriveResourceRequiredMetadata(resource);
+  assert.ok(Array.isArray(requiredMetadata.create), `${label}.derivedRequired.create must be an array.`);
+  assert.ok(Array.isArray(requiredMetadata.replace), `${label}.derivedRequired.replace must be an array.`);
+  assert.ok(Array.isArray(requiredMetadata.patch), `${label}.derivedRequired.patch must be an array.`);
+}
+
+test("workspace/settings/console resources expose canonical validators", () => {
+  const resourcesByLabel = {
+    workspace: workspaceResource,
+    workspaceSettings: workspaceSettingsResource,
+    userProfile: userProfileResource,
+    userSettings: userSettingsResource,
+    consoleSettings: consoleSettingsResource
+  };
+
+  for (const [label, resource] of Object.entries(resourcesByLabel)) {
+    assertResourceShape(resource, label);
+  }
+});
+
+test("specialized settings and invite operations expose canonical validators", () => {
+  const workspaceMembersOperationSpecs = [
+    { label: "workspaceMembers.rolesList", operation: workspaceMembersResource.operations.rolesList },
+    { label: "workspaceMembers.membersList", operation: workspaceMembersResource.operations.membersList },
+    { label: "workspaceMembers.updateMemberRole", operation: workspaceMembersResource.operations.updateMemberRole },
+    { label: "workspaceMembers.removeMember", operation: workspaceMembersResource.operations.removeMember },
+    { label: "workspaceMembers.invitesList", operation: workspaceMembersResource.operations.invitesList },
+    { label: "workspaceMembers.createInvite", operation: workspaceMembersResource.operations.createInvite },
+    { label: "workspaceMembers.revokeInvite", operation: workspaceMembersResource.operations.revokeInvite },
+    { label: "workspaceMembers.redeemInvite", operation: workspaceMembersResource.operations.redeemInvite }
+  ];
+  const operationSpecs = [
+    ...workspaceMembersOperationSpecs,
+    { label: "userProfile.avatarUpload", operation: userProfileResource.operations.avatarUpload },
+    { label: "userProfile.avatarDelete", operation: userProfileResource.operations.avatarDelete },
+    { label: "userSettings.passwordChange", operation: userSettingsResource.operations.passwordChange },
+    { label: "userSettings.passwordMethodToggle", operation: userSettingsResource.operations.passwordMethodToggle },
+    { label: "userSettings.oauthLinkStart", operation: userSettingsResource.operations.oauthLinkStart },
+    { label: "userSettings.oauthUnlink", operation: userSettingsResource.operations.oauthUnlink },
+    { label: "userSettings.logoutOtherSessions", operation: userSettingsResource.operations.logoutOtherSessions }
+  ];
+
+  for (const { label, operation } of operationSpecs) {
+    assert.equal(typeof operation?.method, "string", `${label}.method must exist.`);
+    assert.equal(typeof operation?.outputValidator?.schema, "object", `${label}.outputValidator.schema must exist.`);
+    if (operation?.bodyValidator) {
+      assert.equal(typeof operation.bodyValidator.schema, "object", `${label}.bodyValidator.schema must exist.`);
+    }
+    if (operation?.paramsValidator) {
+      assert.equal(typeof operation.paramsValidator.schema, "object", `${label}.paramsValidator.schema must exist.`);
+    }
+    if (operation?.queryValidator) {
+      assert.equal(typeof operation.queryValidator.schema, "object", `${label}.queryValidator.schema must exist.`);
+    }
+  }
+});
+
+test("users-core no longer uses a workspace schema helper that exposes raw schema leaves", () => {
+  const testFilePath = fileURLToPath(import.meta.url);
+  const packageRoot = path.resolve(path.dirname(testFilePath), "..");
+  const legacyWorkspaceRoutesFile = path.join(packageRoot, "src", "server", "common", "routes", "workspaceRoutes.js");
+  assert.equal(existsSync(legacyWorkspaceRoutesFile), false, "workspaceRoutes.js must not exist.");
+});
+
+test("users-core route validators no longer live under a legacy shared/schema directory", () => {
+  const testFilePath = fileURLToPath(import.meta.url);
+  const packageRoot = path.resolve(path.dirname(testFilePath), "..");
+  const legacySchemaDir = path.join(packageRoot, "src", "shared", "schema");
+  assert.equal(existsSync(legacySchemaDir), false, "src/shared/schema must not exist.");
+});