fix(bugbash 2026-05-21): NATS AccountSeed for post-restart revocation + test alignment (#14)

* fix(queueprovider/nats): A04-F3 — expose AccountSeed for post-restart revocation

Migration 060 added resources.queue_account_seed_encrypted to make NATS account
revocation survive a provisioner pod restart, but IssueTenantCredentials was
discarding the freshly-minted account seed (`_ = accountSeed`). Without the
seed reaching the api caller, the column was never populated and RevokeWith
Seed could never re-sign the account claim after a restart wiped the in-memory
accountCache.

This change:
  - Adds TenantCreds.AccountSeed (documented as a secret; NEVER log).
  - Populates AccountSeed in nats.IssueTenantCredentials.
  - Adds round-trip test proving RevokeWithSeed works without accountCache
    (simulates the post-restart path that migration 060 was built for).

Cross-repo: api + worker must (a) bump common, (b) AES-256-GCM-encrypt
AccountSeed via the existing keyring and persist to queue_account_seed_
encrypted, (c) decrypt + pass to RevokeWithSeed on teardown. Tracked
separately. Forward-compatible: AccountSeed is only populated on isolated
provisions, so legacy_open prod is unaffected.

Coverage block (rule 17):
  Symptom:       queue_account_seed_encrypted always NULL; revocation no-ops post-restart
  Enumeration:   rg -n 'AccountSeed|queue_account_seed_encrypted' common/
  Sites found:   3 (TenantCreds field, IssueTenantCredentials return, RevokeWithSeed param)
  Sites touched: all 3 (RevokeWithSeed already accepted seed; populating it now activates the path)
  Coverage test: TestNATS_IssueExposesAccountSeed_AndRevokeWithSeed_RoundTrips

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(test): growth tier DeploymentsAppsLimit asserts 50 (wave-3 BugBash value)

Wave-3 BugBash bumped growth tier deployments_apps from 5 → 50 in plans.yaml; test
was not updated. Test fix only — plans.yaml + common/plans/plans.go defaultYAML
are the authoritative source.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

plans/plans_test.go

@@ -449,7 +449,8 @@ func TestDeploymentsAppsLimit_Tiers(t *testing.T) {
 		"hobby_plus must allow 2 deployment apps (doubles hobby's 1, vs pro's 10)")
 	assert.Equal(t, 10, r.DeploymentsAppsLimit("pro"))
 	assert.Equal(t, -1, r.DeploymentsAppsLimit("team"))
-	assert.Equal(t, 5, r.DeploymentsAppsLimit("growth"))
+	assert.Equal(t, 50, r.DeploymentsAppsLimit("growth"),
+		"growth allows 50 deployment apps (wave-3 BugBash bumped from 5 → 50, matching plans.yaml)")
 }
 
 // TestHobbyPlus_TierMatrix is the W11 lock-in test for the hobby_plus tier.

queueprovider/nats/export_test.go

@@ -0,0 +1,11 @@
+package nats
+
+import "sync"
+
+// PurgeAccountCacheForTest empties the in-memory accountCache. Used by tests
+// to simulate the post-restart scenario where the cache is empty and the only
+// way to revoke is via the persisted (encrypted) account seed via
+// RevokeWithSeed. NOT exported outside _test.go.
+func (p *Provider) PurgeAccountCacheForTest() {
+	p.accountCache = sync.Map{}
+}

queueprovider/nats/nats.go

@@ -327,10 +327,12 @@ func (p *Provider) IssueTenantCredentials(ctx context.Context, in queueprovider.
 		expiresAt = &t
 	}
 
-	// Wipe the account seed from memory once we've finished signing; the
-	// api/provisioner persist accountSeed separately (encrypted at rest) so
-	// Revoke can re-sign the updated claim later.
-	_ = accountSeed // keep ref alive until here; do NOT log
+	// Return the account seed to the caller (api/worker) so it can be
+	// encrypted at rest in resources.queue_account_seed_encrypted (migration
+	// 060). Without this, revocation after process restart is impossible —
+	// the in-memory accountCache is the only other copy. The caller MUST
+	// treat AccountSeed as a secret and MUST NOT log it; this is enforced
+	// upstream by the api crypto path that wraps the value before persist.
 
 	return &queueprovider.TenantCreds{
 		JWT:           userJWT,
@@ -341,6 +343,7 @@ func (p *Provider) IssueTenantCredentials(ctx context.Context, in queueprovider.
 		ExpiresAt:     expiresAt,
 		KeyID:         accountPub,
 		AuthMode:      queueprovider.AuthModeIsolated,
+		AccountSeed:   string(accountSeed), // secret — caller encrypts before persist; NEVER log
 	}, nil
 }
 

queueprovider/nats/nats_test.go

@@ -216,3 +216,68 @@ func TestNATS_Revoke_PushesAccountUpdate(t *testing.T) {
 		"Revoke should have pushed an updated claim for the account")
 	assert.Equal(t, creds.KeyID, pusher.pushes[1].Pub)
 }
+
+// TestNATS_IssueExposesAccountSeed_AndRevokeWithSeed_RoundTrips verifies the
+// fix for BugBash 2026-05-21 A04-F3: migration 060 added
+// `resources.queue_account_seed_encrypted` to make revocation survive a
+// provisioner restart, but the column was never written because IssueTenant
+// Credentials discarded the seed. This test asserts that:
+//
+//  1. IssueTenantCredentials returns a non-empty TenantCreds.AccountSeed
+//     whose NKey prefix is "SA" (the canonical NATS account-seed prefix),
+//  2. The returned seed parses cleanly as an account NKey, and
+//  3. Passing that seed back to RevokeWithSeed re-signs and pushes the
+//     account claim — proving the round-trip works WITHOUT the in-memory
+//     accountCache (which is what a process restart would have lost).
+//
+// Coverage block (rule 17):
+//
+//	Symptom:        resources.queue_account_seed_encrypted always NULL; revocation no-ops after pod restart
+//	Enumeration:    rg -n "AccountSeed\|queue_account_seed_encrypted" common/ api/ worker/
+//	Sites found:    3 (provider.go TenantCreds field, nats.go IssueTenant return, RevokeWithSeed param)
+//	Sites touched:  all 3 in common; api + worker tracked separately in cross-repo fix
+//	Coverage test:  this test — fails the moment AccountSeed is dropped from the return value
+func TestNATS_IssueExposesAccountSeed_AndRevokeWithSeed_RoundTrips(t *testing.T) {
+	seed := newOperatorSeed(t)
+	p, err := queueprovider.Factory(queueprovider.Config{
+		Backend:          "nats",
+		Host:             "nats.test.local",
+		NATSOperatorSeed: seed,
+	})
+	require.NoError(t, err)
+	natsProv := p.(*natsprov.Provider)
+	pusher := &recordingPusher{}
+	natsProv.SetResolverPusher(pusher)
+
+	creds, err := p.IssueTenantCredentials(context.Background(), queueprovider.IssueRequest{
+		ResourceToken: "tok-seed-roundtrip",
+		Subject:       "tenant_seedroundtrip.",
+	})
+	require.NoError(t, err)
+
+	// (1) AccountSeed is populated and looks like a NATS account seed.
+	require.NotEmpty(t, creds.AccountSeed,
+		"AccountSeed must be exposed on TenantCreds — without it migration 060's queue_account_seed_encrypted column is dead weight and post-restart revocation silently no-ops")
+	assert.True(t, strings.HasPrefix(creds.AccountSeed, "SA"),
+		"AccountSeed must have NKey account-seed prefix SA — got prefix %q", creds.AccountSeed[:2])
+
+	// (2) AccountSeed parses cleanly as an account NKey.
+	kp, err := nkeys.FromSeed([]byte(creds.AccountSeed))
+	require.NoError(t, err, "AccountSeed must parse as an nkeys account seed")
+	pub, err := kp.PublicKey()
+	require.NoError(t, err)
+	assert.Equal(t, creds.KeyID, pub,
+		"AccountSeed's derived public key must match the TenantCreds.KeyID (account pub) so RevokeWithSeed targets the right account")
+
+	// (3) Simulate a process restart by wiping the in-memory cache, then
+	// prove RevokeWithSeed alone (no cache hit) re-pushes the claim. This
+	// is the exact failure path migration 060 was designed to eliminate.
+	require.Len(t, pusher.pushes, 1, "issue should have pushed once")
+	natsProv.PurgeAccountCacheForTest()
+	err = natsProv.RevokeWithSeed(context.Background(), creds.AccountSeed)
+	require.NoError(t, err)
+	require.Len(t, pusher.pushes, 2,
+		"RevokeWithSeed must push the revocation claim even when accountCache is empty (post-restart scenario)")
+	assert.Equal(t, creds.KeyID, pusher.pushes[1].Pub,
+		"revocation push must target the same account public key as the original issue")
+}

queueprovider/provider.go

@@ -141,6 +141,21 @@ type TenantCreds struct {
 	// Echoed in the API response so the caller knows whether isolation is
 	// actually being enforced for this resource.
 	AuthMode string
+
+	// AccountSeed is the NATS account NKey seed (operator-mode backends only)
+	// — required for revocation after process restart. The api MUST encrypt
+	// this value at rest (AES-256-GCM keyring, same path as connection_url)
+	// and persist it in the resources.queue_account_seed_encrypted column
+	// (migration 060). On teardown the api/worker decrypts and passes the
+	// seed back to RevokeWithSeed so the account claim can be re-signed and
+	// pushed to the resolver even after the in-memory accountCache has been
+	// lost to a pod restart.
+	//
+	// Treated as a secret. NEVER log this field — it is a private NKey seed
+	// (format "SA...") that grants account-level signing authority. Backends
+	// that don't use NKey/JWT (RabbitMQ, Kafka skeletons, legacy_open) leave
+	// this empty.
+	AccountSeed string
 }
 
 // Capabilities describes what isolation a backend can ENFORCE.