- shrink roleDefaults cache TTL from 60s to 10s (safety-net staleness bound)
- publish/subscribe on capakraken:rbac-invalidate so peer instances drop
their local role-defaults cache on mutation (ioredis pub/sub; lazy init
so idle test files don't open connections)
- after updateUserRole/setUserPermissions/resetUserPermissions: delete
all ActiveSession rows for that user so the next request re-auths via
tRPC's jti check, and invalidate the role-defaults cache
- tests: peer-instance invalidation via FakeRedis pub/sub fan-out; mutation
side-effects assert session deletion + cache invalidation on each path
Without this, demoted admins kept their JWT valid until expiry and peer
instances kept serving stale role defaults for up to the TTL window.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Hartmut
e2dddd30df