feat: add fluxer upstream source and self-hosting documentation

- Clone of github.com/fluxerapp/fluxer (official upstream)
- SELF_HOSTING.md: full VM rebuild procedure, architecture overview,
  service reference, step-by-step setup, troubleshooting, seattle reference
- dev/.env.example: all env vars with secrets redacted and generation instructions
- dev/livekit.yaml: LiveKit config template with placeholder keys
- fluxer-seattle/: existing seattle deployment setup scripts

fluxer/packages/api/src/oauth/tests/OAuth2AuthorizationsDeauthorize.test.tsx

@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2026 Fluxer Contributors
+ *
+ * This file is part of Fluxer.
+ *
+ * Fluxer is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Fluxer is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Fluxer. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import {createTestAccount} from '@fluxer/api/src/auth/tests/AuthTestUtils';
+import {
+	authorizeOAuth2,
+	createOAuth2Application,
+	deauthorizeOAuth2Application,
+	exchangeOAuth2AuthorizationCode,
+	getOAuth2UserInfo,
+	listOAuth2Authorizations,
+} from '@fluxer/api/src/oauth/tests/OAuthTestUtils';
+import {type ApiTestHarness, createApiTestHarness} from '@fluxer/api/src/test/ApiTestHarness';
+import {HTTP_STATUS} from '@fluxer/api/src/test/TestConstants';
+import {createBuilder} from '@fluxer/api/src/test/TestRequestBuilder';
+import {afterAll, beforeAll, beforeEach, describe, expect, it} from 'vitest';
+
+describe('OAuth2 authorizations deauthorize', () => {
+	let harness: ApiTestHarness;
+
+	beforeAll(async () => {
+		harness = await createApiTestHarness();
+	});
+
+	beforeEach(async () => {
+		await harness.reset();
+	});
+
+	afterAll(async () => {
+		await harness?.shutdown();
+	});
+
+	it('verifies that a user can deauthorize an application, which revokes all associated tokens', async () => {
+		const appOwner = await createTestAccount(harness);
+		const endUser = await createTestAccount(harness);
+
+		const redirectURI = 'https://example.com/authz/deauth';
+		const app = await createOAuth2Application(harness, appOwner, {
+			name: 'Deauth Test',
+			redirect_uris: [redirectURI],
+		});
+
+		const {code: authCode} = await authorizeOAuth2(harness, endUser.token, {
+			client_id: app.id,
+			redirect_uri: redirectURI,
+			scope: 'identify',
+		});
+
+		const tokens = await exchangeOAuth2AuthorizationCode(harness, {
+			client_id: app.id,
+			client_secret: app.client_secret,
+			code: authCode,
+			redirect_uri: redirectURI,
+		});
+
+		const userInfo = await getOAuth2UserInfo(harness, tokens.access_token);
+		expect(userInfo.sub).toBe(endUser.userId);
+
+		const beforeAuthz = await listOAuth2Authorizations(harness, endUser.token);
+		expect(beforeAuthz).toHaveLength(1);
+
+		await deauthorizeOAuth2Application(harness, endUser.token, app.id);
+
+		await createBuilder(harness, `Bearer ${tokens.access_token}`)
+			.get('/oauth2/userinfo')
+			.expect(HTTP_STATUS.UNAUTHORIZED)
+			.execute();
+
+		const afterAuthz = await listOAuth2Authorizations(harness, endUser.token);
+		expect(afterAuthz).toHaveLength(0);
+	});
+
+	it('verifies that deauthorizing one application does not affect other authorized applications', async () => {
+		const appOwner = await createTestAccount(harness);
+		const endUser = await createTestAccount(harness);
+
+		const redirectURI = 'https://example.com/authz/partial';
+
+		const app1 = await createOAuth2Application(harness, appOwner, {
+			name: 'Partial Deauth 1',
+			redirect_uris: [redirectURI],
+		});
+
+		const {code: code1} = await authorizeOAuth2(harness, endUser.token, {
+			client_id: app1.id,
+			redirect_uri: redirectURI,
+			scope: 'identify',
+		});
+
+		const tokens1 = await exchangeOAuth2AuthorizationCode(harness, {
+			client_id: app1.id,
+			client_secret: app1.client_secret,
+			code: code1,
+			redirect_uri: redirectURI,
+		});
+
+		const app2 = await createOAuth2Application(harness, appOwner, {
+			name: 'Partial Deauth 2',
+			redirect_uris: [redirectURI],
+		});
+
+		const {code: code2} = await authorizeOAuth2(harness, endUser.token, {
+			client_id: app2.id,
+			redirect_uri: redirectURI,
+			scope: 'identify',
+		});
+
+		const tokens2 = await exchangeOAuth2AuthorizationCode(harness, {
+			client_id: app2.id,
+			client_secret: app2.client_secret,
+			code: code2,
+			redirect_uri: redirectURI,
+		});
+
+		await deauthorizeOAuth2Application(harness, endUser.token, app1.id);
+
+		await createBuilder(harness, `Bearer ${tokens1.access_token}`)
+			.get('/oauth2/userinfo')
+			.expect(HTTP_STATUS.UNAUTHORIZED)
+			.execute();
+
+		const userInfo2 = await getOAuth2UserInfo(harness, tokens2.access_token);
+		expect(userInfo2.sub).toBe(endUser.userId);
+
+		const authorizations = await listOAuth2Authorizations(harness, endUser.token);
+		expect(authorizations).toHaveLength(1);
+		expect(authorizations[0].application.id).toBe(app2.id);
+	});
+
+	it('verifies that deauthorizing a non-existent application returns an appropriate error', async () => {
+		const user = await createTestAccount(harness);
+
+		await createBuilder(harness, user.token)
+			.delete('/oauth2/@me/authorizations/123456789012345678')
+			.expect(HTTP_STATUS.NOT_FOUND, 'UNKNOWN_APPLICATION')
+			.execute();
+	});
+});