@byline/db-postgres 1.12.1 → 2.1.0

package/dist/lib/test-bootstrap.d.ts

@@ -0,0 +1,8 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+export {};

package/dist/lib/test-bootstrap.js

@@ -0,0 +1,27 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Per-test-file bootstrap for node:test integration tests.
+ *
+ * The `tsx --env-file=.env.test --import ./src/lib/test-bootstrap.ts --test`
+ * invocation runs this module once at the start of each test-file process,
+ * before any test imports resolve. It:
+ *
+ *   1. Asserts `POSTGRES_CONNECTION_STRING` targets a `_test` database
+ *      (belt; the script-level guard in `common.sh` is the braces).
+ *   2. Applies Drizzle migrations (idempotent — cheap on re-run).
+ *   3. Truncates all `public` tables so the file starts from a known state.
+ *
+ * Top-level await ensures the file's own `before()` hooks don't run until
+ * the database is ready.
+ */
+import { assertTestDatabase, migrateTestDatabase, resetTestDatabase } from './test-db.js';
+const connectionString = process.env.POSTGRES_CONNECTION_STRING;
+assertTestDatabase(connectionString);
+await migrateTestDatabase(connectionString);
+await resetTestDatabase(connectionString);

package/dist/lib/test-db.d.ts

@@ -0,0 +1,39 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { type NodePgDatabase } from 'drizzle-orm/node-postgres';
+import * as schema from '../database/schema/index.js';
+/**
+ * Belt for the script-level braces in `common.sh`. Parses the connection
+ * string and refuses to continue unless the database name ends in `_test`.
+ * Called at every test-process entry point so a stray `.env` pointed at
+ * `byline_dev` (or anything else) trips the guard before any DDL runs.
+ */
+export declare function assertTestDatabase(connectionString: string | undefined): string;
+/**
+ * Run Drizzle migrations against the configured connection. Idempotent —
+ * Drizzle tracks applied migrations in `__drizzle_migrations`. Opens and
+ * closes its own pool; safe to call from a vitest globalSetup or a node:test
+ * bootstrap module.
+ */
+export declare function migrateTestDatabase(connectionString: string): Promise<void>;
+/**
+ * Wipe every user table in the `public` schema (skipping Drizzle's own
+ * `__drizzle_migrations` ledger). Uses a single `TRUNCATE ... RESTART
+ * IDENTITY CASCADE` so foreign-key chains, sequences, and dependent rows
+ * all reset cleanly in one statement.
+ *
+ * Self-maintaining as the schema grows — new tables come along for the
+ * ride without any code change.
+ */
+export declare function truncateAllTables(db: NodePgDatabase<typeof schema>): Promise<void>;
+/**
+ * Convenience: assert + open a short-lived pool + truncate + close. Useful
+ * from a vitest setupFile (`beforeAll`) where the caller doesn't otherwise
+ * need a long-lived db handle.
+ */
+export declare function resetTestDatabase(connectionString: string): Promise<void>;

package/dist/lib/test-db.js

@@ -0,0 +1,106 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { sql } from 'drizzle-orm';
+import { drizzle } from 'drizzle-orm/node-postgres';
+import { migrate } from 'drizzle-orm/node-postgres/migrator';
+import pg from 'pg';
+import * as schema from '../database/schema/index.js';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+/**
+ * Drizzle migrations folder. Migrations (`*.sql` + `meta/_journal.json`)
+ * live only under `src/` — the TypeScript build doesn't copy them into
+ * `dist/`. Anchor on `src/database/migrations` from either location:
+ *
+ *   src/lib/test-db.ts  → ../../src/database/migrations ✓
+ *   dist/lib/test-db.js → ../../src/database/migrations ✓
+ *
+ * `path.resolve` normalises the `../..` away, so the same string works
+ * for both build modes.
+ */
+const MIGRATIONS_FOLDER = path.resolve(__dirname, '../../src/database/migrations');
+/**
+ * Belt for the script-level braces in `common.sh`. Parses the connection
+ * string and refuses to continue unless the database name ends in `_test`.
+ * Called at every test-process entry point so a stray `.env` pointed at
+ * `byline_dev` (or anything else) trips the guard before any DDL runs.
+ */
+export function assertTestDatabase(connectionString) {
+    if (!connectionString) {
+        throw new Error('POSTGRES_CONNECTION_STRING is not set. Copy .env.test.example to .env.test.');
+    }
+    let dbName;
+    try {
+        const url = new URL(connectionString);
+        dbName = url.pathname.replace(/^\//, '');
+    }
+    catch (err) {
+        throw new Error(`POSTGRES_CONNECTION_STRING is not a valid URL: ${err.message}`);
+    }
+    if (!dbName.endsWith('_test')) {
+        throw new Error(`Refusing to run tests against database '${dbName}'. ` +
+            `Integration tests require a database whose name ends in '_test'. ` +
+            `Update POSTGRES_CONNECTION_STRING in .env.test.`);
+    }
+    return dbName;
+}
+/**
+ * Run Drizzle migrations against the configured connection. Idempotent —
+ * Drizzle tracks applied migrations in `__drizzle_migrations`. Opens and
+ * closes its own pool; safe to call from a vitest globalSetup or a node:test
+ * bootstrap module.
+ */
+export async function migrateTestDatabase(connectionString) {
+    assertTestDatabase(connectionString);
+    const pool = new pg.Pool({ connectionString, max: 1 });
+    try {
+        const db = drizzle(pool, { schema });
+        await migrate(db, { migrationsFolder: MIGRATIONS_FOLDER });
+    }
+    finally {
+        await pool.end();
+    }
+}
+/**
+ * Wipe every user table in the `public` schema (skipping Drizzle's own
+ * `__drizzle_migrations` ledger). Uses a single `TRUNCATE ... RESTART
+ * IDENTITY CASCADE` so foreign-key chains, sequences, and dependent rows
+ * all reset cleanly in one statement.
+ *
+ * Self-maintaining as the schema grows — new tables come along for the
+ * ride without any code change.
+ */
+export async function truncateAllTables(db) {
+    const rows = await db.execute(sql `
+    SELECT table_name FROM information_schema.tables
+    WHERE table_schema = 'public'
+      AND table_type = 'BASE TABLE'
+      AND table_name <> '__drizzle_migrations'
+  `);
+    const tables = rows.rows.map((r) => `"public"."${r.table_name}"`);
+    if (tables.length === 0)
+        return;
+    await db.execute(sql.raw(`TRUNCATE ${tables.join(', ')} RESTART IDENTITY CASCADE`));
+}
+/**
+ * Convenience: assert + open a short-lived pool + truncate + close. Useful
+ * from a vitest setupFile (`beforeAll`) where the caller doesn't otherwise
+ * need a long-lived db handle.
+ */
+export async function resetTestDatabase(connectionString) {
+    assertTestDatabase(connectionString);
+    const pool = new pg.Pool({ connectionString, max: 1 });
+    try {
+        const db = drizzle(pool, { schema });
+        await truncateAllTables(db);
+    }
+    finally {
+        await pool.end();
+    }
+}

package/dist/lib/test-helper.js

@@ -3,22 +3,21 @@ import pg from 'pg';
 import * as schema from '../database/schema/index.js';
 import { createCommandBuilders } from '../modules/storage/storage-commands.js';
 import { createQueryBuilders } from '../modules/storage/storage-queries.js';
+import { assertTestDatabase } from './test-db.js';
 let pool;
 let db;
 let commandBuilders;
 let queryBuilders;
 export function setupTestDB(collections = []) {
     if (!pool) {
+        assertTestDatabase(process.env.POSTGRES_CONNECTION_STRING);
         pool = new pg.Pool({
             connectionString: process.env.POSTGRES_CONNECTION_STRING,
-            // Integration tests share the dev database with the running webapp,
-            // and node:test may run multiple test files in separate processes.
-            // A pool-per-file of 20 connections × N files + the webapp's own
-            // pool of 20 blows past Postgres's default `max_connections=100`
-            // and throws `FATAL: sorry, too many clients already`. The tests
-            // are serial and run one query at a time, so a small pool is
-            // sufficient — keep total test connections low regardless of
-            // process / file parallelism.
+            // node:test runs each test file in its own process. Even though
+            // tests target a dedicated `byline_test` database, a pool-per-file
+            // of 20 connections × N files can still pressure Postgres's default
+            // `max_connections=100`. Tests are serial and run one query at a
+            // time, so a small pool is sufficient.
             max: 4,
             idleTimeoutMillis: 2000,
             connectionTimeoutMillis: 1000,

package/dist/modules/admin/tests/auth-integration.test.js

@@ -5,12 +5,11 @@
  *
  * Copyright (c) Infonomic Company Limited
  */
-import assert from 'node:assert';
-import { after, afterEach, before, describe, it } from 'node:test';
 import { seedSuperAdmin } from '@byline/admin/admin-users';
 import { hashPassword, resolveActor, verifyPassword } from '@byline/admin/auth';
 import { AdminAuth } from '@byline/auth';
 import { eq, inArray } from 'drizzle-orm';
+import { afterAll, afterEach, beforeAll, describe, expect, it } from 'vitest';
 import { adminPermissions, adminRoleAdminUser, adminRoles, adminUsers, } from '../../../database/schema/auth.js';
 import { setupTestDB, teardownTestDB } from '../../../lib/test-helper.js';
 import { createAdminStore } from '../admin-store.js';
@@ -35,6 +34,13 @@ let db;
 let store;
 const trackedUserIds = new Set();
 const trackedRoleIds = new Set();
+// Pure-JS argon2id takes ~1 s per hash; this suite makes ~20 users, only
+// one of which is later verified against its plaintext (the
+// getByEmailForSignIn test). Pre-compute one hash for the common-case
+// password ('pw') and reuse it for every test that doesn't care about
+// the actual hash value — saves ~20 s on every run.
+const SHARED_PASSWORD = 'pw';
+let SHARED_HASH = '';
 function trackUser(id) {
     trackedUserIds.add(id);
 }
@@ -45,7 +51,11 @@ async function createUser(input) {
     const email = input.email.toLowerCase();
     // Clear any stale row left by a crashed prior run.
     await db.delete(adminUsers).where(eq(adminUsers.email, email));
-    const password_hash = await hashPassword(input.password);
+    // Reuse the pre-computed hash when the password is the shared marker;
+    // tests that actually verify the plaintext (verifyPassword,
+    // signInWithPassword) supply their own password and pay the real hash
+    // cost.
+    const password_hash = input.password === SHARED_PASSWORD ? SHARED_HASH : await hashPassword(input.password);
     const row = await store.adminUsers.create({
         email: input.email,
         password_hash,
@@ -74,15 +84,16 @@ async function cleanupTrackedRows() {
 }
 // ---------------------------------------------------------------------------
 describe('auth integration', () => {
-    before(() => {
+    beforeAll(async () => {
         const testDB = setupTestDB([]);
         db = testDB.db;
         store = createAdminStore(db);
+        SHARED_HASH = await hashPassword(SHARED_PASSWORD);
     });
     afterEach(async () => {
         await cleanupTrackedRows();
     });
-    after(async () => {
+    afterAll(async () => {
         await cleanupTrackedRows();
         await teardownTestDB();
     });
@@ -96,90 +107,97 @@ describe('auth integration', () => {
                 password: 'alice-password',
                 given_name: 'Alice',
             });
-            assert.ok(created.id);
-            assert.strictEqual(created.email, 'alice@example.com');
-            assert.strictEqual(created.given_name, 'Alice');
-            assert.strictEqual(created.is_enabled, false); // default false
-            assert.strictEqual(created.is_super_admin, false);
+            expect(created.id).toBeTruthy();
+            expect(created.email).toBe('alice@example.com');
+            expect(created.given_name).toBe('Alice');
+            expect(created.is_enabled).toBe(false); // default false
+            expect(created.is_super_admin).toBe(false);
             // Public columns: password_hash is never returned
-            assert.strictEqual(created.password_hash, undefined);
+            expect(created.password_hash).toBe(undefined);
             const fetched = await store.adminUsers.getById(created.id);
-            assert.strictEqual(fetched?.email, 'alice@example.com');
+            expect(fetched?.email).toBe('alice@example.com');
         });
         it('lowercases the email on insert and on lookup', async () => {
             await createUser({ email: 'Alice@Example.COM', password: 'pw' });
             const byMixed = await store.adminUsers.getByEmail('ALICE@example.com');
-            assert.ok(byMixed);
-            assert.strictEqual(byMixed.email, 'alice@example.com');
+            expect(byMixed).toBeTruthy();
+            expect(byMixed?.email).toBe('alice@example.com');
         });
         it('returns the password hash only via getByEmailForSignIn', async () => {
             await createUser({ email: 'b@example.com', password: 'pw-value' });
             const plain = await store.adminUsers.getByEmail('b@example.com');
-            assert.strictEqual(plain?.password_hash, undefined);
+            expect(plain?.password_hash).toBe(undefined);
             const withPw = await store.adminUsers.getByEmailForSignIn('b@example.com');
-            assert.ok(withPw);
-            assert.ok(await verifyPassword('pw-value', withPw.password_hash));
+            // `if !x throw` instead of `x!` so Biome's --unsafe rewrite (which
+            // turns `!` into `?.`) doesn't reintroduce `string | undefined`
+            // through verifyPassword's `hash: string` arg.
+            if (!withPw)
+                throw new Error('expected withPw to be defined');
+            expect(await verifyPassword('pw-value', withPw.password_hash)).toBeTruthy();
         });
         it('update applies partial patches and bumps vid', async () => {
             const created = await createUser({ email: 'c@example.com', password: 'pw' });
-            assert.strictEqual(created.vid, 1);
+            expect(created.vid).toBe(1);
             const updated = await store.adminUsers.update(created.id, created.vid, {
                 given_name: 'Charlie',
                 is_enabled: true,
             });
-            assert.strictEqual(updated.given_name, 'Charlie');
-            assert.strictEqual(updated.is_enabled, true);
+            expect(updated.given_name).toBe('Charlie');
+            expect(updated.is_enabled).toBe(true);
             // Unchanged fields remain
-            assert.strictEqual(updated.email, 'c@example.com');
-            assert.strictEqual(updated.vid, created.vid + 1);
+            expect(updated.email).toBe('c@example.com');
+            expect(updated.vid).toBe(created.vid + 1);
         });
         it('update throws VERSION_CONFLICT on a stale vid', async () => {
             const created = await createUser({ email: 'c2@example.com', password: 'pw' });
             // First update succeeds and bumps vid.
             await store.adminUsers.update(created.id, created.vid, { given_name: 'First' });
             // Replaying the same vid must conflict.
-            await assert.rejects(() => store.adminUsers.update(created.id, created.vid, { given_name: 'Second' }), (err) => err.code === 'admin.users.versionConflict');
+            await expect(() => store.adminUsers.update(created.id, created.vid, { given_name: 'Second' })).rejects.toMatchObject({ code: 'admin.users.versionConflict' });
         });
         it('setPasswordHash rehashes, bumps vid, and returns the fresh row', async () => {
             const created = await createUser({ email: 'd@example.com', password: 'old' });
             const updated = await store.adminUsers.setPasswordHash(created.id, created.vid, await hashPassword('new-password'));
-            assert.strictEqual(updated.id, created.id);
-            assert.strictEqual(updated.vid, created.vid + 1);
+            expect(updated.id).toBe(created.id);
+            expect(updated.vid).toBe(created.vid + 1);
             const signIn = await store.adminUsers.getByEmailForSignIn('d@example.com');
-            assert.ok(signIn);
-            assert.ok(await verifyPassword('new-password', signIn.password_hash));
-            assert.strictEqual(await verifyPassword('old', signIn.password_hash), false);
-            assert.strictEqual(signIn.vid, created.vid + 1);
+            if (!signIn)
+                throw new Error('expected signIn to be defined');
+            expect(await verifyPassword('new-password', signIn.password_hash)).toBeTruthy();
+            expect(await verifyPassword('old', signIn.password_hash)).toBe(false);
+            expect(signIn.vid).toBe(created.vid + 1);
         });
         it('setPasswordHash throws VERSION_CONFLICT on a stale vid', async () => {
             const created = await createUser({ email: 'd2@example.com', password: 'pw' });
             await store.adminUsers.update(created.id, created.vid, { given_name: 'D' });
-            await assert.rejects(() => store.adminUsers.setPasswordHash(created.id, created.vid, '$argon2id$stale-hash'), (err) => err.code === 'admin.users.versionConflict');
+            await expect(() => store.adminUsers.setPasswordHash(created.id, created.vid, '$argon2id$stale-hash')).rejects.toMatchObject({ code: 'admin.users.versionConflict' });
         });
         it('recordLoginSuccess resets failed_login_attempts and stamps last_login', async () => {
             const created = await createUser({ email: 'e@example.com', password: 'pw' });
             await store.adminUsers.recordLoginFailure(created.id);
             await store.adminUsers.recordLoginFailure(created.id);
             let row = await store.adminUsers.getById(created.id);
-            assert.strictEqual(row?.failed_login_attempts, 2);
+            expect(row?.failed_login_attempts).toBe(2);
             await store.adminUsers.recordLoginSuccess(created.id, '10.0.0.1');
             row = await store.adminUsers.getById(created.id);
-            assert.strictEqual(row?.failed_login_attempts, 0);
-            assert.strictEqual(row?.last_login_ip, '10.0.0.1');
-            assert.ok(row?.last_login);
+            expect(row?.failed_login_attempts).toBe(0);
+            expect(row?.last_login_ip).toBe('10.0.0.1');
+            expect(row?.last_login).toBeTruthy();
         });
         it('delete removes the row when vid matches', async () => {
             const created = await createUser({ email: 'f@example.com', password: 'pw' });
             await store.adminUsers.delete(created.id, created.vid);
             const fetched = await store.adminUsers.getById(created.id);
-            assert.strictEqual(fetched, null);
+            expect(fetched).toBe(null);
         });
         it('delete throws VERSION_CONFLICT on a stale vid', async () => {
             const created = await createUser({ email: 'f2@example.com', password: 'pw' });
             await store.adminUsers.update(created.id, created.vid, { given_name: 'F' });
-            await assert.rejects(() => store.adminUsers.delete(created.id, created.vid), (err) => err.code === 'admin.users.versionConflict');
+            await expect(() => store.adminUsers.delete(created.id, created.vid)).rejects.toMatchObject({
+                code: 'admin.users.versionConflict',
+            });
             // Row should still be present.
-            assert.ok(await store.adminUsers.getById(created.id));
+            expect(await store.adminUsers.getById(created.id)).toBeTruthy();
         });
         it('list applies pagination, order, and query filter', async () => {
             await createUser({ email: 'list1@example.com', password: 'pw', given_name: 'Aaron' });
@@ -194,7 +212,7 @@ describe('auth integration', () => {
                 order: 'email',
                 desc: false,
             });
-            assert.strictEqual(filtered.length, 3);
+            expect(filtered.length).toBe(3);
             const named = await store.adminUsers.list({
                 page: 1,
                 pageSize: 10,
@@ -202,10 +220,10 @@ describe('auth integration', () => {
                 order: 'email',
                 desc: false,
             });
-            assert.strictEqual(named.length, 1);
-            assert.strictEqual(named[0]?.given_name, 'Bea');
+            expect(named.length).toBe(1);
+            expect(named[0]?.given_name).toBe('Bea');
             const total = await store.adminUsers.count({ query: 'list' });
-            assert.strictEqual(total, 3);
+            expect(total).toBe(3);
         });
     });
     // -------------------------------------------------------------------------
@@ -218,9 +236,9 @@ describe('auth integration', () => {
                 machine_name: 'test-editor',
                 description: 'Can edit content',
             });
-            assert.strictEqual(role.machine_name, 'test-editor');
+            expect(role.machine_name).toBe('test-editor');
             const byMachine = await store.adminRoles.getByMachineName('test-editor');
-            assert.strictEqual(byMachine?.id, role.id);
+            expect(byMachine?.id).toBe(role.id);
         });
         it('assignToUser is idempotent and listRolesForUser returns the role', async () => {
             const user = await createUser({ email: 'g@example.com', password: 'pw' });
@@ -228,17 +246,17 @@ describe('auth integration', () => {
             await store.adminRoles.assignToUser(role.id, user.id);
             await store.adminRoles.assignToUser(role.id, user.id); // idempotent
             const userRoles = await store.adminRoles.listRolesForUser(user.id);
-            assert.strictEqual(userRoles.length, 1);
-            assert.strictEqual(userRoles[0]?.machine_name, 'test-r');
+            expect(userRoles.length).toBe(1);
+            expect(userRoles[0]?.machine_name).toBe('test-r');
             const usersForRole = await store.adminRoles.listUsersForRole(role.id);
-            assert.deepStrictEqual(usersForRole, [user.id]);
+            expect(usersForRole).toEqual([user.id]);
         });
         it('unassignFromUser removes the assignment', async () => {
             const user = await createUser({ email: 'h@example.com', password: 'pw' });
             const role = await createRole({ name: 'test-r', machine_name: 'test-r' });
             await store.adminRoles.assignToUser(role.id, user.id);
             await store.adminRoles.unassignFromUser(role.id, user.id);
-            assert.strictEqual((await store.adminRoles.listRolesForUser(user.id)).length, 0);
+            expect((await store.adminRoles.listRolesForUser(user.id)).length).toBe(0);
         });
         it('delete cascades to permissions and role-user assignments', async () => {
             const user = await createUser({ email: 'i@example.com', password: 'pw' });
@@ -247,21 +265,21 @@ describe('auth integration', () => {
             await store.adminRoles.assignToUser(role.id, user.id);
             await store.adminRoles.delete(role.id, role.vid);
             // The role is gone…
-            assert.strictEqual(await store.adminRoles.getById(role.id), null);
+            expect(await store.adminRoles.getById(role.id)).toBe(null);
             // …and its grants are gone…
             const grantsForRole = await db
                 .select()
                 .from(adminPermissions)
                 .where(eq(adminPermissions.admin_role_id, role.id));
-            assert.strictEqual(grantsForRole.length, 0);
+            expect(grantsForRole.length).toBe(0);
             // …and no assignment for the role remains.
             const assignsForRole = await db
                 .select()
                 .from(adminRoleAdminUser)
                 .where(eq(adminRoleAdminUser.admin_role_id, role.id));
-            assert.strictEqual(assignsForRole.length, 0);
+            expect(assignsForRole.length).toBe(0);
             // The user still exists.
-            assert.ok(await store.adminUsers.getById(user.id));
+            expect(await store.adminUsers.getById(user.id)).toBeTruthy();
         });
     });
     // -------------------------------------------------------------------------
@@ -273,7 +291,7 @@ describe('auth integration', () => {
             await store.adminPermissions.grantAbility(role.id, 'collections.pages.publish');
             await store.adminPermissions.grantAbility(role.id, 'collections.pages.publish');
             const abilities = await store.adminPermissions.listAbilities(role.id);
-            assert.deepStrictEqual(abilities, ['collections.pages.publish']);
+            expect(abilities).toEqual(['collections.pages.publish']);
         });
         it('revokeAbility removes the grant', async () => {
             const role = await createRole({ name: 'test-r', machine_name: 'test-r' });
@@ -281,7 +299,7 @@ describe('auth integration', () => {
             await store.adminPermissions.grantAbility(role.id, 'a.two');
             await store.adminPermissions.revokeAbility(role.id, 'a.one');
             const abilities = await store.adminPermissions.listAbilities(role.id);
-            assert.deepStrictEqual(abilities.sort(), ['a.two']);
+            expect(abilities.sort()).toEqual(['a.two']);
         });
         it('setAbilities replaces the ability set wholesale', async () => {
             const role = await createRole({ name: 'test-r', machine_name: 'test-r' });
@@ -289,7 +307,7 @@ describe('auth integration', () => {
             await store.adminPermissions.grantAbility(role.id, 'a.two');
             await store.adminPermissions.setAbilities(role.id, ['a.three', 'a.four']);
             const abilities = await store.adminPermissions.listAbilities(role.id);
-            assert.deepStrictEqual(abilities.sort(), ['a.four', 'a.three']);
+            expect(abilities.sort()).toEqual(['a.four', 'a.three']);
         });
     });
     // -------------------------------------------------------------------------
@@ -298,13 +316,13 @@ describe('auth integration', () => {
     describe('resolveActor', () => {
         it('returns null for unknown user ids', async () => {
             const actor = await resolveActor(store, '00000000-0000-7000-8000-000000000000');
-            assert.strictEqual(actor, null);
+            expect(actor).toBe(null);
         });
         it('returns null for disabled users', async () => {
             const user = await createUser({ email: 'j@example.com', password: 'pw' });
             // Created with is_enabled: false by default
             const actor = await resolveActor(store, user.id);
-            assert.strictEqual(actor, null);
+            expect(actor).toBe(null);
         });
         it('builds an AdminAuth with the union of abilities across roles', async () => {
             const user = await createUser({
@@ -322,15 +340,15 @@ describe('auth integration', () => {
             await store.adminRoles.assignToUser(roleA.id, user.id);
             await store.adminRoles.assignToUser(roleB.id, user.id);
             const actor = await resolveActor(store, user.id);
-            assert.ok(actor instanceof AdminAuth);
-            assert.strictEqual(actor.id, user.id);
-            assert.strictEqual(actor.isSuperAdmin, false);
-            assert.strictEqual(actor.hasAbility('collections.pages.read'), true);
-            assert.strictEqual(actor.hasAbility('collections.pages.update'), true);
-            assert.strictEqual(actor.hasAbility('collections.pages.publish'), true);
-            assert.strictEqual(actor.hasAbility('collections.pages.delete'), false);
+            expect(actor instanceof AdminAuth).toBeTruthy();
+            expect(actor?.id).toBe(user.id);
+            expect(actor?.isSuperAdmin).toBe(false);
+            expect(actor?.hasAbility('collections.pages.read')).toBe(true);
+            expect(actor?.hasAbility('collections.pages.update')).toBe(true);
+            expect(actor?.hasAbility('collections.pages.publish')).toBe(true);
+            expect(actor?.hasAbility('collections.pages.delete')).toBe(false);
             // Distinct — duplicates across roles collapse
-            assert.strictEqual(actor.abilities.size, 3);
+            expect(actor?.abilities.size).toBe(3);
         });
         it('honours the is_super_admin flag', async () => {
             const user = await createUser({
@@ -340,10 +358,10 @@ describe('auth integration', () => {
                 is_enabled: true,
             });
             const actor = await resolveActor(store, user.id);
-            assert.ok(actor);
-            assert.strictEqual(actor.isSuperAdmin, true);
+            expect(actor).toBeTruthy();
+            expect(actor?.isSuperAdmin).toBe(true);
             // Even without granting any abilities, super-admins pass every check
-            assert.strictEqual(actor.hasAbility('anything.at.all'), true);
+            expect(actor?.hasAbility('anything.at.all')).toBe(true);
         });
     });
     // -------------------------------------------------------------------------
@@ -367,12 +385,12 @@ describe('auth integration', () => {
             const result = await seedSuperAdmin(store, seedInput);
             trackUser(result.userId);
             trackRole(result.roleId);
-            assert.ok(result.userId);
-            assert.ok(result.roleId);
-            assert.deepStrictEqual(result.created, { user: true, role: true, assignment: true });
+            expect(result.userId).toBeTruthy();
+            expect(result.roleId).toBeTruthy();
+            expect(result.created).toEqual({ user: true, role: true, assignment: true });
             const actor = await resolveActor(store, result.userId);
-            assert.ok(actor);
-            assert.strictEqual(actor.isSuperAdmin, true);
+            expect(actor).toBeTruthy();
+            expect(actor?.isSuperAdmin).toBe(true);
         });
         it('is idempotent — second run reports nothing newly created', async () => {
             await db.delete(adminUsers).where(eq(adminUsers.email, seedInput.email));
@@ -381,7 +399,7 @@ describe('auth integration', () => {
             trackUser(first.userId);
             trackRole(first.roleId);
             const second = await seedSuperAdmin(store, seedInput);
-            assert.deepStrictEqual(second.created, {
+            expect(second.created).toEqual({
                 user: false,
                 role: false,
                 assignment: false,