test(webapp): replace stubs with real DB seed in PAT tenant-context test

The previous version stubbed `rbac.authenticatePat` and
`updateLastAccessedAtIfStale` to keep the test unit-scoped, but that
violated the "never mock — use a real database" guidance in
CLAUDE.md. The webapp's vitest setup already points `~/db.server` at
the local postgres (`apps/webapp/test/setup.ts` loads
`apps/webapp/.env`), so the test can seed a real User + PAT via
Prisma and let `rbac.authenticatePat` validate end-to-end. No mocks.

Cleanup runs in `afterAll` — deletes the PATs and the user.

Verified to fail if the `enrich` call is removed from
`createLoaderPATApiRoute`.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: d-cs

apps/webapp/test/apiBuilderPAT.test.ts

@@ -1,41 +1,48 @@
-// Behavioural test for `createLoaderPATApiRoute` to confirm PAT-authenticated
+// Integration test for `createLoaderPATApiRoute` — confirms PAT-authenticated
 // requests stamp `userId` onto the tenant context (so Sentry events from
 // PAT routes get user-level attribution).
 //
-// PAT auth normally hits the DB via `rbac.authenticatePat`. To keep this
-// a unit test, we stub the two DB-touching dependencies — narrow enough
-// that the test exercises the wrapping behaviour without bringing up a
-// real database.
+// Runs against the local postgres the webapp test setup already targets
+// (`apps/webapp/.env` → `DATABASE_URL`). Seeds a real User + PersonalAccessToken
+// via Prisma, calls the real loader with the real bearer, and lets
+// `rbac.authenticatePat` validate against the DB end-to-end. No stubs.
+//
+// Cleans up the rows it creates so the test is repeatable.
 
-import { describe, it, expect, vi } from "vitest";
+import { afterAll, describe, expect, it } from "vitest";
+import { prisma } from "../app/db.server";
+import { createPersonalAccessToken } from "../app/services/personalAccessToken.server";
+import { tenantContext } from "../app/services/tenantContext.server";
+import { createLoaderPATApiRoute } from "../app/services/routeBuilders/apiBuilder.server";
 
-vi.mock("~/services/rbac.server", () => ({
-  rbac: {
-    authenticatePat: vi.fn(async () => ({
-      ok: true,
-      userId: "usr_test_42",
-      ability: {},
-      tokenId: "tok_1",
-      lastAccessedAt: new Date(),
-    })),
-  },
-}));
+const cleanup: Array<() => Promise<unknown>> = [];
 
-vi.mock("~/services/personalAccessToken.server", async (orig) => {
-  const actual = (await orig()) as Record<string, unknown>;
-  return {
-    ...actual,
-    updateLastAccessedAtIfStale: vi.fn(async () => undefined),
-  };
+afterAll(async () => {
+  for (const fn of cleanup) {
+    await fn().catch(() => {});
+  }
 });
 
-import { tenantContext } from "../app/services/tenantContext.server";
-import { createLoaderPATApiRoute } from "../app/services/routeBuilders/apiBuilder.server";
-
 describe("createLoaderPATApiRoute", () => {
-  it("enriches tenant context with `userId` from the PAT auth result", async () => {
-    let observedUserId: string | undefined;
+  it("enriches tenant context with the authenticated PAT's userId", async () => {
+    const suffix = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const user = await prisma.user.create({
+      data: {
+        email: `pat-tenant-test-${suffix}@test.local`,
+        authenticationMethod: "MAGIC_LINK",
+      },
+    });
+    cleanup.push(async () => {
+      await prisma.personalAccessToken.deleteMany({ where: { userId: user.id } });
+      await prisma.user.delete({ where: { id: user.id } });
+    });
 
+    const created = await createPersonalAccessToken({
+      name: `pat-tenant-test-${suffix}`,
+      userId: user.id,
+    });
+
+    let observedUserId: string | undefined;
     const loader = createLoaderPATApiRoute({}, async () => {
       observedUserId = tenantContext.get()?.userId;
       return new Response(null, { status: 200 });
@@ -44,32 +51,46 @@ describe("createLoaderPATApiRoute", () => {
     await tenantContext.run({}, async () => {
       await loader({
         request: new Request("http://localhost/api/test", {
-          headers: { Authorization: "Bearer pat_irrelevant_for_this_test" },
+          headers: { Authorization: `Bearer ${created.token}` },
         }),
         params: {},
         context: {},
       });
     });
 
-    expect(observedUserId).toBe("usr_test_42");
+    expect(observedUserId).toBe(user.id);
   });
 
-  it("does not leak the enrich across requests once the scope ends", async () => {
-    const loader = createLoaderPATApiRoute({}, async () => {
-      return new Response(null, { status: 200 });
+  it("does not leave the enrich behind once the request scope ends", async () => {
+    const suffix = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const user = await prisma.user.create({
+      data: {
+        email: `pat-tenant-leak-${suffix}@test.local`,
+        authenticationMethod: "MAGIC_LINK",
+      },
     });
+    cleanup.push(async () => {
+      await prisma.personalAccessToken.deleteMany({ where: { userId: user.id } });
+      await prisma.user.delete({ where: { id: user.id } });
+    });
+
+    const created = await createPersonalAccessToken({
+      name: `pat-tenant-leak-${suffix}`,
+      userId: user.id,
+    });
+
+    const loader = createLoaderPATApiRoute({}, async () => new Response(null, { status: 200 }));
 
     await tenantContext.run({}, async () => {
       await loader({
         request: new Request("http://localhost/api/test", {
-          headers: { Authorization: "Bearer pat_irrelevant_for_this_test" },
+          headers: { Authorization: `Bearer ${created.token}` },
         }),
         params: {},
         context: {},
       });
     });
 
-    // Outside the run() scope, the enrich is gone with the scope.
     expect(tenantContext.get()).toBeUndefined();
   });
 });