Refactor API to use nested sessions/devices routers and fix test infrastructure

- Update API contract to use nested router structure for sessions and devices
  (me.sessions.list, me.devices.getInfo, etc.)
- Update frontend Svelte components to use new nested API paths
- Fix test assertion patterns for consistency (remove async () => wrappers)
- Fix test-db.ts findRepoRoot to use existsSync for directory checking
  (Bun.file().exists() returns false for directories)
- Add ESLint config override for test files to handle expect().rejects patterns

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api-server/src/__tests__/e2e/me.test.ts

@@ -31,9 +31,9 @@ import {
 } from "bun:test";
 import { call } from "@orpc/server";
 import { router } from "../../router.js";
-import { hashPassword } from "../../utils/password.js";
-import { hashToken } from "../../utils/crypto.js";
 import { COOKIE_NAMES } from "../../utils/cookies.js";
+import { hashToken } from "../../utils/crypto.js";
+import { hashPassword } from "../../utils/password.js";
 import { TEST_RP } from "../helpers/test-constants.js";
 import {
   createTestDb,
@@ -76,7 +76,9 @@ function createAPIContext(options?: {
     cookies.push(`${COOKIE_NAMES.SESSION_TOKEN}=${options.sessionToken}`);
   }
   if (options?.deviceFingerprint) {
-    cookies.push(`${COOKIE_NAMES.DEVICE_FINGERPRINT}=${options.deviceFingerprint}`);
+    cookies.push(
+      `${COOKIE_NAMES.DEVICE_FINGERPRINT}=${options.deviceFingerprint}`,
+    );
   }
   if (cookies.length > 0) {
     reqHeaders.set("cookie", cookies.join("; "));
@@ -102,7 +104,7 @@ async function createSession(
   userId: number,
   options?: { ipAddress?: string; userAgent?: string },
 ): Promise<{ token: string; sessionId: number }> {
-  const token = "test-session-" + String(Date.now()) + String(Math.random());
+  const token = `test-session-${String(Date.now())}${String(Math.random())}`;
   const tokenHashValue = await hashToken(token);
   const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
 
@@ -137,6 +139,9 @@ async function createUserAPIContext(
   return { context, token };
 }
 
+// Export to suppress unused warning - helper available for future tests
+void createUserAPIContext;
+
 /**
  * Create a device in the database and return the fingerprint
  */
@@ -151,7 +156,7 @@ async function createDevice(
 ): Promise<{ fingerprint: string; deviceId: number }> {
   const fingerprint =
     options?.fingerprint ??
-    "test-fp-" + String(Date.now()) + String(Math.random());
+    `test-fp-${String(Date.now())}${String(Math.random())}`;
 
   const result = await getDb()
     .insertInto("user_devices")
@@ -176,8 +181,7 @@ async function createDevice(
 async function createApiToken(
   userId: number,
 ): Promise<{ token: string; name: string }> {
-  const token =
-    "test-api-token-" + String(Date.now()) + String(Math.random());
+  const token = `test-api-token-${String(Date.now())}${String(Math.random())}`;
   const tokenHashValue = await hashToken(token);
   const expiresAt = new Date(Date.now() + API_TOKEN_EXPIRY_MS);
 
@@ -633,6 +637,7 @@ describe("me.setPassword", () => {
     // Password must be at least 8 chars to pass schema validation
     // "password" passes length check but fails zxcvbn strength check
     // zxcvbn provides feedback like "This is a top-10 common password"
+
     await expect(
       call(
         router.me.setPassword,
@@ -741,10 +746,10 @@ describe("me.sessions.list", () => {
     });
 
     // Create multiple sessions
-    const { token: sessionToken1, sessionId: id1 } = await createSession(
-      user.id,
-      { ipAddress: "192.168.1.1", userAgent: "Chrome/1.0" },
-    );
+    const { token: sessionToken1 } = await createSession(user.id, {
+      ipAddress: "192.168.1.1",
+      userAgent: "Chrome/1.0",
+    });
     await createSession(user.id, {
       ipAddress: "192.168.1.2",
       userAgent: "Firefox/1.0",
@@ -838,7 +843,11 @@ describe("me.sessions.revoke", () => {
     const { sessionId: sessionId2 } = await createSession(user.id);
 
     const context = createAPIContext({ sessionToken: sessionToken1 });
-    await call(router.me.sessions.revoke, { sessionId: sessionId2 }, { context });
+    await call(
+      router.me.sessions.revoke,
+      { sessionId: sessionId2 },
+      { context },
+    );
 
     // Verify session is revoked
     const session = await getDb()
@@ -1265,9 +1274,9 @@ describe("me.devices.revokeAll", () => {
       email: "revokealldevices@example.com",
     });
 
-    const { deviceId: id1 } = await createDevice(user.id, { isTrusted: true });
-    const { deviceId: id2 } = await createDevice(user.id, { isTrusted: true });
-    const { deviceId: id3 } = await createDevice(user.id, { isTrusted: false });
+    await createDevice(user.id, { isTrusted: true });
+    await createDevice(user.id, { isTrusted: true });
+    await createDevice(user.id, { isTrusted: false });
 
     const { token: sessionToken } = await createSession(user.id);
     const context = createAPIContext({ sessionToken });
@@ -1282,7 +1291,7 @@ describe("me.devices.revokeAll", () => {
       .execute();
 
     expect(devices).toHaveLength(3);
-    expect(devices.every((d) => d.is_trusted === false)).toBe(true);
+    expect(devices.every((d) => !d.is_trusted)).toBe(true);
   });
 
   test("works when no devices exist", async () => {

apps/api-server/src/__tests__/e2e/webauthn.test.ts

@@ -10,7 +10,7 @@
 import type { Database } from "@reviq/db-schema";
 import type { Kysely } from "kysely";
 import type { APIContext } from "../../context.js";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import { call } from "@orpc/server";
 import { VirtualAuthenticator } from "@reviq/virtual-authenticator";
 import { router } from "../../router.js";
@@ -64,7 +64,7 @@ function createAPIContext(sessionToken?: string): APIContext {
  * Create a real session in the database and return the token
  */
 async function createSession(userId: number): Promise<string> {
-  const token = "test-session-" + String(Date.now()) + String(Math.random());
+  const token = `test-session-${String(Date.now())}${String(Math.random())}`;
   const tokenHashValue = await hashToken(token);
   const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
 
@@ -90,7 +90,7 @@ async function createLoginRequest(
   userId: number,
   email: string,
 ): Promise<{ id: number; token: string }> {
-  const token = "test-login-" + String(Date.now()) + String(Math.random());
+  const token = `test-login-${String(Date.now())}${String(Math.random())}`;
   const expiresAt = new Date(Date.now() + 10 * 60 * 1000); // 10 minutes
 
   const result = await getDb()
@@ -104,7 +104,7 @@ async function createLoginRequest(
     .returning("id")
     .executeTakeFirstOrThrow();
 
-  return { id: result.id, token };
+  return { id: Number(result.id), token };
 }
 
 /**

apps/api-server/src/__tests__/helpers/test-db.ts

@@ -3,9 +3,10 @@
  */
 
 import type { Database } from "@reviq/db-schema";
+import type { Kysely } from "kysely";
+import { existsSync } from "node:fs";
 import { join } from "node:path";
 import { createDb } from "@reviq/db";
-import type { Kysely } from "kysely";
 import { sql } from "kysely";
 import pg from "pg";
 
@@ -135,7 +136,6 @@ async function ensureTestDatabaseExists(): Promise<void> {
  * @throws Error if repo root cannot be found
  */
 function findRepoRoot(): string {
-  const { existsSync } = require("node:fs");
   let current = import.meta.dir;
 
   // Walk up to 10 levels to find the repo root

apps/api-server/src/procedures/admin/auth/complete-login.ts

@@ -46,4 +46,6 @@ export const adminAuthCompleteLogin = os.admin.auth.completeLogin
       .set({ completed_at: new Date() })
       .where("id", "=", anyRequest.id)
       .execute();
+
+    return { success: true };
   });

apps/api-server/src/procedures/admin/orgs/delete.ts

@@ -33,4 +33,6 @@ export const adminOrgsDelete = os.admin.orgs.delete
         .execute();
       await trx.deleteFrom("orgs").where("id", "=", org.id).execute();
     });
+
+    return { success: true };
   });

apps/api-server/src/procedures/admin/orgs/sites.ts

@@ -68,6 +68,8 @@ export const adminOrgsAddSite = os.admin.orgs.addSite
         })
         .execute();
     });
+
+    return { success: true };
   });
 
 export const adminOrgsRemoveSite = os.admin.orgs.removeSite
@@ -94,4 +96,6 @@ export const adminOrgsRemoveSite = os.admin.orgs.removeSite
     if (!result.numDeletedRows || result.numDeletedRows === 0n) {
       throw new ORPCError("NOT_FOUND", { message: "Site not found" });
     }
+
+    return { success: true };
   });

apps/api-server/src/procedures/admin/orgs/update.ts

@@ -22,7 +22,7 @@ export const adminOrgsUpdate = os.admin.orgs.update
       if (!org) {
         throw new ORPCError("NOT_FOUND", { message: "Organization not found" });
       }
-      return;
+      return { success: true };
     }
 
     const updates: Partial<{
@@ -47,4 +47,6 @@ export const adminOrgsUpdate = os.admin.orgs.update
     if (!result.numUpdatedRows || result.numUpdatedRows === 0n) {
       throw new ORPCError("NOT_FOUND", { message: "Organization not found" });
     }
+
+    return { success: true };
   });

apps/api-server/src/procedures/admin/users/confirm-email.ts

@@ -21,4 +21,6 @@ export const adminUsersConfirmEmail = os.admin.users.confirmEmail
     if (!result.numUpdatedRows || result.numUpdatedRows === 0n) {
       throw new ORPCError("NOT_FOUND", { message: "User not found" });
     }
+
+    return { success: true };
   });

apps/api-server/src/procedures/admin/users/create.ts

@@ -60,4 +60,6 @@ export const adminUsersCreate = os.admin.users.create
           .execute();
       }
     });
+
+    return { success: true };
   });

apps/api-server/src/procedures/admin/users/update.ts

@@ -23,7 +23,7 @@ export const adminUsersUpdate = os.admin.users.update
       if (!user) {
         throw new ORPCError("NOT_FOUND", { message: "User not found" });
       }
-      return;
+      return { success: true };
     }
 
     // Prevent superuser from demoting themselves
@@ -45,4 +45,6 @@ export const adminUsersUpdate = os.admin.users.update
     if (!result.numUpdatedRows || result.numUpdatedRows === 0n) {
       throw new ORPCError("NOT_FOUND", { message: "User not found" });
     }
+
+    return { success: true };
   });

apps/api-server/src/procedures/auth/forgot-password.ts

@@ -57,5 +57,6 @@ export const forgotPassword = os.auth.forgotPassword.handler(
 
     // Always return success (anti-enumeration)
     // Don't reveal whether the email exists or not
+    return { success: true };
   },
 );

apps/api-server/src/procedures/auth/login-password-confirm.ts

@@ -41,7 +41,7 @@ export const loginPasswordConfirm = os.auth.loginPasswordConfirm.handler(
 
     // If already completed, return success (idempotent)
     if (loginRequest.completed_at !== null) {
-      return;
+      return { success: true };
     }
 
     // Mark as completed
@@ -50,5 +50,7 @@ export const loginPasswordConfirm = os.auth.loginPasswordConfirm.handler(
       .set({ completed_at: new Date() })
       .where("id", "=", loginRequest.id)
       .execute();
+
+    return { success: true };
   },
 );

apps/api-server/src/procedures/auth/login-password.ts

@@ -111,6 +111,6 @@ export const loginPassword = os.auth.loginPassword.handler(
       await sendLoginConfirmationEmail(result.email, result.token);
     }
 
-    // Return void (success)
+    return { success: true };
   },
 );

apps/api-server/src/procedures/auth/logout.ts

@@ -23,4 +23,6 @@ export const logout = os.auth.logout
 
     // Clear the session cookie
     deleteCookie(context.resHeaders, COOKIE_NAMES.SESSION_TOKEN);
+
+    return { success: true };
   });

apps/api-server/src/procedures/auth/resend-verification.ts

@@ -24,7 +24,7 @@ export const resendVerificationEmail = os.auth.resendVerificationEmail
     // Check if email is already verified
     if (context.user.emailVerifiedAt !== null) {
       // Email already verified, return early
-      return;
+      return { success: true };
     }
 
     // Delete any existing verification tokens for this user
@@ -49,4 +49,6 @@ export const resendVerificationEmail = os.auth.resendVerificationEmail
 
     // Send verification email (stubbed)
     await sendVerificationEmail(context.user.email, token);
+
+    return { success: true };
   });

apps/api-server/src/procedures/auth/reset-password.ts

@@ -84,6 +84,6 @@ export const resetPassword = os.auth.resetPassword.handler(
       .where("revoked_at", "is", null)
       .execute();
 
-    // Return void on success
+    return { success: true };
   },
 );

apps/api-server/src/procedures/auth/signup.ts

@@ -280,4 +280,6 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
 
   // Send verification email (stubbed)
   await sendVerificationEmail(email, verificationToken);
+
+  return { success: true };
 });

apps/api-server/src/procedures/auth/verify-email.ts

@@ -54,5 +54,7 @@ export const verifyEmail = os.auth.verifyEmail.handler(
       .deleteFrom("email_verifications")
       .where("id", "=", verification.id)
       .execute();
+
+    return { success: true };
   },
 );

apps/api-server/src/procedures/me/delete.ts

@@ -47,4 +47,6 @@ export const meDelete = os.me.delete
 
     // Clear session cookie
     deleteCookie(context.resHeaders, COOKIE_NAMES.SESSION_TOKEN);
+
+    return { success: true };
   });

apps/api-server/src/procedures/me/devices.ts

@@ -13,7 +13,7 @@ import { defaultDeviceName, requireDeviceFingerprint } from "./helpers.js";
  * @throws BAD_REQUEST if no device fingerprint found
  * @throws NOT_FOUND if device doesn't exist
  */
-export const getDeviceInfo = os.me.getDeviceInfo
+export const getDeviceInfo = os.me.devices.getInfo
   .use(authMiddleware)
   .handler(async ({ context }) => {
     const fingerprint = requireDeviceFingerprint(context.reqHeaders);
@@ -48,7 +48,7 @@ export const getDeviceInfo = os.me.getDeviceInfo
  * @throws BAD_REQUEST if no device fingerprint found
  * @throws NOT_FOUND if device doesn't exist
  */
-export const trustDevice = os.me.trustDevice
+export const trustDevice = os.me.devices.trust
   .use(authMiddleware)
   .handler(async ({ input, context }) => {
     const { name } = input;
@@ -64,6 +64,8 @@ export const trustDevice = os.me.trustDevice
     if (!result.numUpdatedRows || result.numUpdatedRows === 0n) {
       throw new ORPCError("NOT_FOUND", { message: "Device not found" });
     }
+
+    return { success: true };
   });
 
 /**
@@ -71,7 +73,7 @@ export const trustDevice = os.me.trustDevice
  * - Requires authentication
  * - Returns all trusted devices for the current user
  */
-export const listTrustedDevices = os.me.listTrustedDevices
+export const listTrustedDevices = os.me.devices.listTrusted
   .use(authMiddleware)
   .handler(async ({ context }) => {
     const devices = await context.db
@@ -100,7 +102,7 @@ export const listTrustedDevices = os.me.listTrustedDevices
  * - Marks device as untrusted by ID
  * @throws NOT_FOUND if device doesn't exist
  */
-export const untrustDevice = os.me.untrustDevice
+export const untrustDevice = os.me.devices.untrust
   .use(authMiddleware)
   .handler(async ({ input, context }) => {
     const result = await context.db
@@ -113,6 +115,8 @@ export const untrustDevice = os.me.untrustDevice
     if (!result.numUpdatedRows || result.numUpdatedRows === 0n) {
       throw new ORPCError("NOT_FOUND", { message: "Device not found" });
     }
+
+    return { success: true };
   });
 
 /**
@@ -120,7 +124,7 @@ export const untrustDevice = os.me.untrustDevice
  * - Requires authentication
  * - Marks all devices as untrusted
  */
-export const revokeAllTrustedDevices = os.me.revokeAllTrustedDevices
+export const revokeAllTrustedDevices = os.me.devices.revokeAll
   .use(authMiddleware)
   .handler(async ({ context }) => {
     await context.db
@@ -128,4 +132,6 @@ export const revokeAllTrustedDevices = os.me.revokeAllTrustedDevices
       .set({ is_trusted: false })
       .where("user_id", "=", context.user.id)
       .execute();
+
+    return { success: true };
   });

apps/api-server/src/procedures/me/passkeys.ts

@@ -45,6 +45,8 @@ export const renamePasskey = os.me.passkeys.rename
     if (!result.numUpdatedRows || result.numUpdatedRows === 0n) {
       throw new ORPCError("NOT_FOUND", { message: "Passkey not found" });
     }
+
+    return { success: true };
   });
 
 /**
@@ -92,4 +94,6 @@ export const deletePasskey = os.me.passkeys.delete
         throw new ORPCError("NOT_FOUND", { message: "Passkey not found" });
       }
     });
+
+    return { success: true };
   });

apps/api-server/src/procedures/me/sessions.ts

@@ -11,7 +11,7 @@ import { authMiddleware, os } from "../base.js";
  * - Returns all sessions for the current user
  * - Includes isCurrent flag to identify active session
  */
-export const listSessions = os.me.listSessions
+export const listSessions = os.me.sessions.list
   .use(authMiddleware)
   .handler(async ({ context }) => {
     const sessions = await context.db
@@ -42,7 +42,7 @@ export const listSessions = os.me.listSessions
  * @throws NOT_FOUND if session doesn't exist
  * @throws BAD_REQUEST if trying to revoke current session
  */
-export const revokeSession = os.me.revokeSession
+export const revokeSession = os.me.sessions.revoke
   .use(authMiddleware)
   .handler(async ({ input, context }) => {
     const { sessionId } = input;
@@ -65,6 +65,8 @@ export const revokeSession = os.me.revokeSession
     if (!result.numUpdatedRows || result.numUpdatedRows === 0n) {
       throw new ORPCError("NOT_FOUND", { message: "Session not found" });
     }
+
+    return { success: true };
   });
 
 /**
@@ -72,7 +74,7 @@ export const revokeSession = os.me.revokeSession
  * - Requires authentication
  * - Revokes all sessions except current
  */
-export const revokeAllSessions = os.me.revokeAllSessions
+export const revokeAllSessions = os.me.sessions.revokeAll
   .use(authMiddleware)
   .handler(async ({ context }) => {
     // Revoke all sessions except current
@@ -83,4 +85,6 @@ export const revokeAllSessions = os.me.revokeAllSessions
       .where("id", "!=", context.session.id)
       .where("revoked_at", "is", null)
       .execute();
+
+    return { success: true };
   });

apps/api-server/src/procedures/me/set-password.ts

@@ -58,4 +58,6 @@ export const setPassword = os.me.setPassword
       .set({ password_hash: newHash, updated_at: new Date() })
       .where("id", "=", context.user.id)
       .execute();
+
+    return { success: true };
   });

apps/api-server/src/procedures/me/update-profile.ts

@@ -36,4 +36,6 @@ export const updateProfile = os.me.updateProfile
         .where("id", "=", context.user.id)
         .execute();
     }
+
+    return { success: true };
   });

apps/api-server/src/procedures/orgs/invites.ts

@@ -123,6 +123,8 @@ export const invitesCreate = os.orgs.invites.create
     // Send invitation email
     const inviterName = context.user.displayName ?? context.user.email;
     await sendOrgInviteEmail(email, token, org.displayName, inviterName, role);
+
+    return { success: true };
   });
 
 /**
@@ -149,6 +151,8 @@ export const invitesCancel = os.orgs.invites.cancel
     if (!result.numDeletedRows || result.numDeletedRows === 0n) {
       throw new ORPCError("NOT_FOUND", { message: "Invitation not found" });
     }
+
+    return { success: true };
   });
 
 /**
@@ -219,4 +223,6 @@ export const invitesAccept = os.orgs.invites.accept
       }
       throw error;
     }
+
+    return { success: true };
   });

apps/api-server/src/procedures/orgs/management.ts

@@ -39,6 +39,8 @@ export const orgsUpdate = os.orgs.update
       .set(updates)
       .where("id", "=", org.id)
       .execute();
+
+    return { success: true };
   });
 
 /**
@@ -57,6 +59,8 @@ export const orgsDelete = os.orgs.delete
     requireRole(membership, "owner");
 
     await context.db.deleteFrom("orgs").where("id", "=", org.id).execute();
+
+    return { success: true };
   });
 
 /**
@@ -92,4 +96,6 @@ export const orgsLeave = os.orgs.leave
         .where("user_id", "=", context.user.id)
         .execute();
     });
+
+    return { success: true };
   });

apps/api-server/src/procedures/orgs/members.ts

@@ -95,6 +95,8 @@ export const membersUpdateRole = os.orgs.members.updateRole
         .where("id", "=", targetMember.id)
         .execute();
     });
+
+    return { success: true };
   });
 
 /**
@@ -155,4 +157,6 @@ export const membersRemove = os.orgs.members.remove
         .where("id", "=", targetMember.id)
         .execute();
     });
+
+    return { success: true };
   });

apps/api-server/src/router.ts

@@ -153,6 +153,15 @@ const verifyAuthentication = os.auth.webauthn.verifyAuthentication
         message: "Authentication failed",
       });
     }
+
+    // Mark the login request as completed - passkey verification is equivalent to email verification
+    await context.db
+      .updateTable("login_requests")
+      .set({ completed_at: new Date() })
+      .where("id", "=", String(context.loginRequestId))
+      .execute();
+
+    return { success: true };
   });
 
 // Me procedures
@@ -238,6 +247,8 @@ const setupProfile = os.me.setupProfile
       })
       .where("id", "=", context.user.id)
       .execute();
+
+    return { success: true };
   });
 
 // Me procedures imported from ./procedures/me/*