@valentinkolb/cloud 0.4.0 → 0.5.1

package/src/services/notifications/index.ts

@@ -1,13 +1,14 @@
 import { sql } from "bun";
-import { sendEmail } from "./email";
 import type { PaginationParams } from "../../contracts/shared";
-import { escapeLikePattern } from "../postgres";
 import { logger } from "../logging";
+import { escapeLikePattern } from "../postgres";
+import { sendEmail } from "./email";
 
 const log = logger("notifications");
 
 export type NotificationType = "email";
 export type NotificationStatus = "sent" | "pending" | "error";
+export type NotificationStatusSummary = Record<NotificationStatus, number>;
 
 /**
  * Computes notification delivery status from sent/error timestamps.
@@ -56,6 +57,12 @@ export type NotificationMessage = {
   status: NotificationStatus;
 };
 
+const emptyStatusSummary = (): NotificationStatusSummary => ({
+  sent: 0,
+  pending: 0,
+  error: 0,
+});
+
 type DbNotificationRow = {
   id: string;
   type: NotificationType;
@@ -143,23 +150,26 @@ export const sendToUser = async (params: SendToUserParams): Promise<{ ok: true;
  */
 export const list = async (
   pagination: PaginationParams,
-  options?: { sentBy?: string; isAdmin?: boolean; search?: string },
+  options?: { sentBy?: string; isAdmin?: boolean; search?: string; status?: NotificationStatus },
 ): Promise<{ notifications: NotificationMessage[]; total: number }> => {
   const { offset, perPage } = pagination;
-  const { sentBy, isAdmin, search } = options ?? {};
+  const { sentBy, isAdmin, search, status } = options ?? {};
 
   // Build query based on permissions
   let countRows: Array<{ count: number | string }> = [];
   let dataRows: DbNotificationRow[] = [];
 
   const searchPattern = search ? `%${escapeLikePattern(search)}%` : null;
+  const statusFilter = status ?? null;
 
   if (isAdmin) {
     // Admins see all notifications
     if (searchPattern) {
       countRows = await sql`
         SELECT COUNT(*)::int as count FROM notifications.messages
-        WHERE subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\'
+        WHERE
+          (${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\')
       `;
       dataRows = await sql`
         SELECT
@@ -168,12 +178,17 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
-        WHERE m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\'
+        WHERE
+          (${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\')
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
     } else {
-      countRows = await sql`SELECT COUNT(*)::int as count FROM notifications.messages`;
+      countRows = await sql`
+        SELECT COUNT(*)::int as count FROM notifications.messages
+        WHERE ${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter}
+      `;
       dataRows = await sql`
         SELECT
           m.id, m.type, m.recipient, m.subject, m.content,
@@ -181,6 +196,7 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
+        WHERE ${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter}
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
@@ -190,7 +206,10 @@ export const list = async (
     if (searchPattern) {
       countRows = await sql`
         SELECT COUNT(*)::int as count FROM notifications.messages
-        WHERE sent_by = ${sentBy} AND (subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\')
+        WHERE
+          sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\')
       `;
       dataRows = await sql`
         SELECT
@@ -199,12 +218,20 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
-        WHERE m.sent_by = ${sentBy} AND (m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\')
+        WHERE
+          m.sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\')
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
     } else {
-      countRows = await sql`SELECT COUNT(*)::int as count FROM notifications.messages WHERE sent_by = ${sentBy}`;
+      countRows = await sql`
+        SELECT COUNT(*)::int as count FROM notifications.messages
+        WHERE
+          sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+      `;
       dataRows = await sql`
         SELECT
           m.id, m.type, m.recipient, m.subject, m.content,
@@ -212,7 +239,9 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
-        WHERE m.sent_by = ${sentBy}
+        WHERE
+          m.sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
@@ -246,6 +275,47 @@ export const list = async (
   return { notifications, total };
 };
 
+/**
+ * Count current notification statuses for recent entries.
+ */
+export const getStatusSummary = async (options?: {
+  sentBy?: string;
+  isAdmin?: boolean;
+  days?: number;
+}): Promise<NotificationStatusSummary> => {
+  const { sentBy, isAdmin, days = 7 } = options ?? {};
+  const windowDays = Math.max(1, Math.floor(days));
+  const summary = emptyStatusSummary();
+
+  let rows: Array<{ status: NotificationStatus; count: number | string }> = [];
+  if (isAdmin) {
+    rows = await sql`
+      SELECT
+        CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END as status,
+        COUNT(*)::int as count
+      FROM notifications.messages
+      WHERE created_at >= now() - (${windowDays}::int * interval '1 day')
+      GROUP BY status
+    `;
+  } else if (sentBy) {
+    rows = await sql`
+      SELECT
+        CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END as status,
+        COUNT(*)::int as count
+      FROM notifications.messages
+      WHERE sent_by = ${sentBy} AND created_at >= now() - (${windowDays}::int * interval '1 day')
+      GROUP BY status
+    `;
+  }
+
+  for (const row of rows) {
+    const count = typeof row.count === "string" ? Number.parseInt(row.count, 10) : row.count;
+    summary[row.status] = Number.isFinite(count) ? count : 0;
+  }
+
+  return summary;
+};
+
 /**
  * Get a single notification by ID.
  */
@@ -410,4 +480,5 @@ export const notifications = {
   update,
   getPendingSystemCount,
   sendAllPendingSystem,
+  getStatusSummary,
 };

package/src/services/oauth-tokens.ts

@@ -0,0 +1,104 @@
+import { sql } from "bun";
+import * as jose from "jose";
+import { accounts } from "./accounts";
+import * as settings from "./settings";
+import { serviceAccounts, type ServiceAccount } from "./service-accounts";
+import type { User } from "../contracts/shared";
+
+type DbKey = {
+  public_key: string;
+  kid: string;
+};
+
+const parseScopeClaim = (payload: jose.JWTPayload): string[] => {
+  const value = payload.scope;
+  if (typeof value !== "string") return [];
+  return value
+    .split(/\s+/)
+    .map((scope) => scope.trim())
+    .filter(Boolean);
+};
+
+export type AuthenticatedOAuthToken =
+  | {
+      kind: "user";
+      payload: jose.JWTPayload;
+      user: User;
+    }
+  | {
+      kind: "service_account";
+      payload: jose.JWTPayload;
+      serviceAccount: ServiceAccount;
+      delegatedUser: User | null;
+      scopes: string[];
+    };
+
+const getIssuer = async (): Promise<string> => {
+  const appUrl = await settings.get<string>("app.url");
+  return appUrl.startsWith("http") ? appUrl : `https://${appUrl}`;
+};
+
+const getCurrentPublicKey = async (): Promise<CryptoKey | null> => {
+  const [row] = await sql<DbKey[]>`
+    SELECT public_key, kid
+    FROM oauth.keys
+    WHERE id = 'current'
+  `;
+  if (!row) return null;
+  return jose.importSPKI(row.public_key, "RS256");
+};
+
+const getStringClaim = (payload: jose.JWTPayload, key: string): string | null => {
+  const value = payload[key];
+  return typeof value === "string" && value.length > 0 ? value : null;
+};
+
+export const verifyAccessToken = async (token: string): Promise<AuthenticatedOAuthToken | null> => {
+  const publicKey = await getCurrentPublicKey();
+  if (!publicKey) return null;
+
+  let payload: jose.JWTPayload;
+  try {
+    const result = await jose.jwtVerify(token, publicKey, {
+      issuer: await getIssuer(),
+      audience: "cloud",
+    });
+    payload = result.payload;
+  } catch {
+    return null;
+  }
+
+  if (payload.token_use !== "access") return null;
+
+  const serviceAccountId = getStringClaim(payload, "service_account_id");
+  if (serviceAccountId) {
+    const serviceAccount = await serviceAccounts.get({ id: serviceAccountId });
+    if (!serviceAccount || serviceAccount.status !== "active") return null;
+
+    const delegatedUser = serviceAccount.delegatedUserId ? await accounts.users.get({ id: serviceAccount.delegatedUserId }) : null;
+    if (serviceAccount.kind === "user_delegated" && !delegatedUser) return null;
+
+    return {
+      kind: "service_account",
+      payload,
+      serviceAccount,
+      delegatedUser,
+      scopes: parseScopeClaim(payload),
+    };
+  }
+
+  const userId = getStringClaim(payload, "id");
+  const uid = getStringClaim(payload, "uid") ?? (typeof payload.sub === "string" ? payload.sub : null);
+  const user = userId ? await accounts.users.get({ id: userId }) : uid ? await accounts.users.get({ uid }) : null;
+  if (!user) return null;
+
+  return {
+    kind: "user",
+    payload,
+    user,
+  };
+};
+
+export const oauthTokens = {
+  verifyAccessToken,
+};

package/src/services/postgres.ts

@@ -35,17 +35,32 @@ export const parsePgJsonRecord = (value: unknown): Record<string, unknown> | nul
 };
 
 /**
- * Classify a thrown Postgres error. Bun's sql driver surfaces the canonical
- * SQLSTATE on `.code`. Use this at service boundaries to turn
- * unique-constraint violations into typed 409 results instead of bubbling up
- * raw DB errors to API clients.
+ * Classify a thrown Postgres error. Use at service boundaries to turn
+ * unique-constraint violations into typed 409 results instead of bubbling
+ * up raw DB errors to API clients.
+ *
+ * Two driver shapes coexist in this repo:
+ *   - postgres.js: `e.code = "23505"` (the SQLSTATE directly)
+ *   - bun.sql:     `e.code = "ERR_POSTGRES_SERVER_ERROR"`, SQLSTATE on `e.errno`
+ *
+ * Checking only `e.code` silently fails on Bun (the Wave-1.1 migration
+ * idempotence bug had the same root cause). Treat either field carrying
+ * "23505" as a unique violation so the helper works regardless of which
+ * driver instantiated the error.
  */
-export type PgError = { code?: string; constraint_name?: string; detail?: string; message?: string };
+export type PgError = {
+  code?: string;
+  errno?: string;
+  constraint_name?: string;
+  detail?: string;
+  message?: string;
+};
 
 export const isUniqueViolation = (error: unknown, constraintName?: string): boolean => {
   if (!error || typeof error !== "object") return false;
   const e = error as PgError;
-  if (e.code !== "23505") return false;
+  const sqlstate = e.code === "23505" || e.errno === "23505";
+  if (!sqlstate) return false;
   if (!constraintName) return true;
   return e.constraint_name === constraintName;
 };

package/src/services/providers/local/auth.test.ts

@@ -0,0 +1,22 @@
+import { describe, expect, test } from "bun:test";
+import {
+  consumePasswordResetToken,
+  createPasswordResetToken,
+} from "./auth";
+
+describe("local auth password reset tokens", () => {
+  test("consumes password reset tokens only once", async () => {
+    const payload = {
+      userId: crypto.randomUUID(),
+      uid: `reset-${crypto.randomUUID()}`,
+      email: `reset-${crypto.randomUUID()}@example.test`,
+    };
+    const token = await createPasswordResetToken({
+      ...payload,
+      ttlSeconds: 30,
+    });
+
+    expect(await consumePasswordResetToken(token)).toEqual(payload);
+    expect(await consumePasswordResetToken(token)).toBeNull();
+  });
+});

package/src/services/providers/local/auth.ts

@@ -1,13 +1,56 @@
 import { redis } from "bun";
 
-export const createMagicLinkToken = async (params: { email: string; ttlSeconds?: number }): Promise<string> => {
+export const createMagicLinkToken = async (params: {
+  email: string;
+  ttlSeconds?: number;
+}): Promise<string> => {
   const token = crypto.randomUUID();
-  await redis.set(`email-login:${token}`, JSON.stringify({ email: params.email }), "EX", params.ttlSeconds ?? 300);
+  await redis.set(
+    `email-login:${token}`,
+    JSON.stringify({ email: params.email }),
+    "EX",
+    params.ttlSeconds ?? 300
+  );
   return token;
 };
 
-export const consumeMagicLinkToken = async (token: string): Promise<{ email: string } | null> => {
+export const consumeMagicLinkToken = async (
+  token: string
+): Promise<{ email: string } | null> => {
   const raw = await redis.getdel(`email-login:${token}`);
   if (!raw) return null;
   return JSON.parse(raw) as { email: string };
 };
+
+type PasswordResetPayload = {
+  userId: string;
+  uid: string;
+  email: string;
+};
+
+const passwordResetTokenKey = (token: string) => `password-reset:${token}`;
+
+export const createPasswordResetToken = async (
+  params: PasswordResetPayload & { ttlSeconds?: number }
+): Promise<string> => {
+  const token = crypto.randomUUID();
+  await redis.set(
+    passwordResetTokenKey(token),
+    JSON.stringify({
+      userId: params.userId,
+      uid: params.uid,
+      email: params.email,
+    }),
+    "EX",
+    params.ttlSeconds ?? 900
+  );
+  return token;
+};
+
+export const consumePasswordResetToken = async (
+  token: string
+): Promise<PasswordResetPayload | null> => {
+  const raw = await redis.getdel(passwordResetTokenKey(token));
+  if (!raw) return null;
+  return JSON.parse(raw) as PasswordResetPayload;
+};

package/src/services/secrets.ts

@@ -0,0 +1,10 @@
+import { decryptValue, encryptValue } from "./settings/crypto";
+
+export const encryptSecret = async (value: unknown): Promise<string> => encryptValue(value);
+
+export const decryptSecret = async <T = unknown>(value: string): Promise<T> => (await decryptValue(value)) as T;
+
+export const secrets = {
+  encrypt: encryptSecret,
+  decrypt: decryptSecret,
+};

package/src/services/service-account-credentials.test.ts

@@ -0,0 +1,210 @@
+import { describe, expect, test } from "bun:test";
+import { sql } from "bun";
+import { Hono } from "hono";
+import { auth, type AuthContext } from "../server/middleware/auth";
+import { accounts } from "./accounts";
+import { serviceAccountCredentials } from "./service-account-credentials";
+import { serviceAccounts } from "./service-accounts";
+
+const canUseDatabase = async () => {
+  try {
+    const [row] = await sql<{
+      users: string | null;
+      service_accounts: string | null;
+      credentials: string | null;
+      audit_events: string | null;
+      ipa_effective_groups: string | null;
+    }[]>`
+      SELECT
+        to_regclass('auth.users')::text AS users,
+        to_regclass('auth.service_accounts')::text AS service_accounts,
+        to_regclass('auth.service_account_credentials')::text AS credentials,
+        to_regclass('audit.events')::text AS audit_events,
+        to_regclass('auth.ipa_user_effective_groups')::text AS ipa_effective_groups
+    `;
+    return Boolean(row?.users && row.service_accounts && row.credentials && row.audit_events && row.ipa_effective_groups);
+  } catch {
+    return false;
+  }
+};
+
+const insertUser = async () => {
+  const suffix = crypto.randomUUID();
+  const [row] = await sql<{ id: string }[]>`
+    INSERT INTO auth.users (uid, provider, profile, display_name, mail, given_name, sn)
+    VALUES (${`api-key-${suffix}`}, 'local', 'user', 'API Key Test', ${`api-key-${suffix}@example.test`}, 'API', 'Key')
+    RETURNING id
+  `;
+  return row!.id;
+};
+
+describe("serviceAccountCredentials", () => {
+  test("creates, authenticates, lists, and revokes user delegated API keys", async () => {
+    if (!(await canUseDatabase())) {
+      console.warn("Skipping service account credential DB test: auth/audit tables are not available.");
+      return;
+    }
+
+    const userId = await insertUser();
+    try {
+      const user = await accounts.users.get({ id: userId });
+      expect(user).not.toBeNull();
+      if (!user) return;
+
+      const created = await serviceAccountCredentials.createUserApiToken({
+        user,
+        name: "Test key",
+        expiresAt: null,
+      });
+      expect(created.ok).toBe(true);
+      if (!created.ok) return;
+      expect(created.data.token).toMatch(/^cld_[0-9a-f]{24}_[0-9a-f]{64}$/);
+      expect(created.data.credential.name).toBe("Test key");
+
+      const authenticated = await serviceAccountCredentials.authenticateApiToken(created.data.token);
+      expect(authenticated?.delegatedUser?.id).toBe(user.id);
+      expect(authenticated?.serviceAccount.kind).toBe("user_delegated");
+
+      const app = new Hono<AuthContext>()
+        .use(auth.requireRole("authenticated"))
+        .get("/me", (c) => c.json({
+          actorKind: c.get("actor").kind,
+          userId: c.get("user").id,
+          accessSubject: c.get("accessSubject"),
+        }));
+      const response = await app.request("/me", {
+        headers: { Authorization: `Bearer ${created.data.token}` },
+      });
+      expect(response.status).toBe(200);
+      expect(await response.json()).toEqual({
+        actorKind: "service_account",
+        userId: user.id,
+        accessSubject: { type: "user", userId: user.id },
+      });
+
+      const listed = await serviceAccountCredentials.listForDelegatedUser({ userId: user.id });
+      expect(listed.map((key) => key.id)).toContain(created.data.credential.id);
+
+      const overview = await serviceAccountCredentials.listOverview({
+        filter: { userId: user.id, serviceAccountKind: "user_delegated", credentialStatus: "active" },
+      });
+      expect(overview.items.map((key) => key.id)).toContain(created.data.credential.id);
+      expect(overview.items.find((key) => key.id === created.data.credential.id)?.owner).toMatchObject({
+        type: "user",
+        userId: user.id,
+      });
+
+      const adminRevoked = await serviceAccountCredentials.revoke({
+        credentialId: created.data.credential.id,
+        actor: user,
+      });
+      expect(adminRevoked.ok).toBe(true);
+
+      const afterAdminRevoke = await serviceAccountCredentials.authenticateApiToken(created.data.token);
+      expect(afterAdminRevoke).toBeNull();
+
+      const second = await serviceAccountCredentials.createUserApiToken({
+        user,
+        name: "Second test key",
+        expiresAt: null,
+      });
+      expect(second.ok).toBe(true);
+      if (!second.ok) return;
+
+      const revoked = await serviceAccountCredentials.revokeForDelegatedUser({
+        credentialId: second.data.credential.id,
+        user,
+      });
+      expect(revoked.ok).toBe(true);
+
+      const afterRevoke = await serviceAccountCredentials.authenticateApiToken(second.data.token);
+      expect(afterRevoke).toBeNull();
+    } finally {
+      await sql`DELETE FROM auth.users WHERE id = ${userId}::uuid`;
+    }
+  });
+
+  test("creates, authenticates, lists, and revokes resource-bound API keys", async () => {
+    if (!(await canUseDatabase())) {
+      console.warn("Skipping resource service account credential DB test: auth/audit tables are not available.");
+      return;
+    }
+
+    const userId = await insertUser();
+    const resourceId = crypto.randomUUID();
+    let serviceAccountId: string | null = null;
+
+    try {
+      const user = await accounts.users.get({ id: userId });
+      expect(user).not.toBeNull();
+      if (!user) return;
+
+      const serviceAccount = await serviceAccounts.getOrCreateResourceBound({
+        name: "Test notebook integration",
+        appId: "notebooks",
+        resourceType: "notebook",
+        resourceId,
+        createdBy: user.id,
+      });
+      expect(serviceAccount.ok).toBe(true);
+      if (!serviceAccount.ok) return;
+      serviceAccountId = serviceAccount.data.id;
+
+      const sameServiceAccount = await serviceAccounts.getOrCreateResourceBound({
+        name: "Ignored duplicate name",
+        appId: "notebooks",
+        resourceType: "notebook",
+        resourceId,
+        createdBy: user.id,
+      });
+      expect(sameServiceAccount.ok).toBe(true);
+      expect(sameServiceAccount.ok ? sameServiceAccount.data.id : null).toBe(serviceAccount.data.id);
+
+      const created = await serviceAccountCredentials.createResourceApiToken({
+        serviceAccountId: serviceAccount.data.id,
+        actor: user,
+        name: "Resource key",
+        expiresAt: null,
+      });
+      expect(created.ok).toBe(true);
+      if (!created.ok) return;
+      expect(created.data.token).toMatch(/^cld_[0-9a-f]{24}_[0-9a-f]{64}$/);
+
+      const authenticated = await serviceAccountCredentials.authenticateApiToken(created.data.token);
+      expect(authenticated?.delegatedUser).toBeNull();
+      expect(authenticated?.serviceAccount).toMatchObject({
+        kind: "resource_bound",
+        appId: "notebooks",
+        resourceType: "notebook",
+        resourceId,
+      });
+
+      const overview = await serviceAccountCredentials.listOverview({
+        filter: {
+          appId: "notebooks",
+          resourceType: "notebook",
+          resourceId,
+          serviceAccountKind: "resource_bound",
+          credentialStatus: "active",
+        },
+      });
+      expect(overview.items.map((key) => key.id)).toContain(created.data.credential.id);
+      expect(overview.items.find((key) => key.id === created.data.credential.id)?.owner).toEqual({
+        type: "resource",
+        appId: "notebooks",
+        resourceType: "notebook",
+        resourceId,
+      });
+
+      const revoked = await serviceAccountCredentials.revoke({
+        credentialId: created.data.credential.id,
+        actor: user,
+      });
+      expect(revoked.ok).toBe(true);
+      expect(await serviceAccountCredentials.authenticateApiToken(created.data.token)).toBeNull();
+    } finally {
+      if (serviceAccountId) await sql`DELETE FROM auth.service_accounts WHERE id = ${serviceAccountId}::uuid`;
+      await sql`DELETE FROM auth.users WHERE id = ${userId}::uuid`;
+    }
+  });
+});