Unit (`tests/unit/test_user_schemas.py`):
- 4 tests on `UserCreate` (happy path, password min length, email
validation, invalid type).
- 2 tests on `UserUpdate` (all-optional, password validation when set).
- 3 tests on `EngagementMemberCreate` (default `"member"`, explicit role,
max-length 40).
- 4 tests on `PageQuery` (defaults, offset arithmetic, page_size cap,
page lower bound).
Integration (`tests/integration/test_user_mgmt_e2e.py`, marked
`integration`):
- The critical MA6-in-practice flow: rt_lead creates rt_operator, assigns
to engagement A, the operator signs in, lists engagements and sees only
A, `GET /engagements/B` returns 404 (anti-leak), `GET /engagements/B/members`
returns 404 too, `/engagements/A/members` is reachable, `GET /users` is
forbidden for the operator.
- `USER_MANAGE` gate: anonymous → 401, operator session → 403,
lead session → 200.
- 409 `email_taken` on duplicate `POST /users`.
- `/audit/log` is lead-only, paginates with `page_size`, filters by
`?action=`.
- Disabling a user blocks subsequent logins (same uniform
`invalid_credentials` envelope as for bad passwords — no enumeration
leak of "this account was disabled").
74 unit tests pass (61 sprint 1 + 13 sprint 2); integration tests run on
the testcontainers Postgres fixture in CI.
