@classytic/arc 2.10.3 → 2.11.0

package/dist/testing/index.d.mts

@@ -1,477 +1,373 @@
-import { G as ResourceDefinition, dn as AnyRecord } from "../index-Cl0uoKd5.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-Co8k3NyS.mjs";
+import { B as ResourceDefinition, Pt as AnyRecord } from "../index-Cm0vUrr_.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-CgikqKAj.mjs";
 import { StorageContractSetup, StorageContractSetupResult, runStorageContract } from "./storageContract.mjs";
-import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
-import { Connection } from "mongoose";
+import { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Mock } from "vitest";
 import { StandardRepo } from "@classytic/repo-core/repository";
 
-//#region src/testing/authHelpers.d.ts
+//#region src/testing/assertions.d.ts
+/**
+ * expectArc — Arc-specific response assertions
+ *
+ * Wraps a Fastify `app.inject` response and exposes fluent assertions for
+ * the arc response envelope. Replaces the ~6 patterns repeated hundreds of
+ * times across the test suite:
+ *
+ *   expect(res.statusCode).toBe(200);
+ *   expect(JSON.parse(res.body).success).toBe(true);
+ *   expect(JSON.parse(res.body).data.password).toBeUndefined();
+ *
+ * becomes
+ *
+ *   expectArc(res).ok().hidesField('password');
+ *
+ * Every helper returns the assertion object so you can chain. `.body` /
+ * `.data` are lazy accessors — they parse once and cache, so repeated access
+ * is cheap.
+ *
+ * Assertions use `vitest`'s `expect` internally — import this only from
+ * test files or modules that run under vitest.
+ */
+interface ArcResponseLike {
+  statusCode: number;
+  body: string;
+}
+interface ArcAssertion {
+  /** Raw response — kept for ad-hoc drill-down. */
+  readonly response: ArcResponseLike;
+  /** Parsed body (JSON). Cached. */
+  readonly body: Record<string, unknown>;
+  /** `body.data` — undefined for failed responses. */
+  readonly data: unknown;
+  /** Full fluent chain below — every method returns `this`. */
+  ok(status?: number): ArcAssertion;
+  failed(status?: number): ArcAssertion;
+  unauthorized(): ArcAssertion;
+  forbidden(): ArcAssertion;
+  notFound(): ArcAssertion;
+  validationError(): ArcAssertion;
+  conflict(): ArcAssertion;
+  hasData(): ArcAssertion;
+  hasStatus(status: number): ArcAssertion;
+  hidesField(field: string): ArcAssertion;
+  showsField(field: string): ArcAssertion;
+  /**
+   * Asserts the arc paginated-list envelope: `success`, `docs[]`, and at
+   * least one of `page`/`limit`/`total`/`hasNext`/`hasPrev`. `expected`
+   * optionally pins specific fields.
+   */
+  paginated(expected?: {
+    page?: number;
+    limit?: number;
+    total?: number;
+    hasNext?: boolean;
+    hasPrev?: boolean;
+  }): ArcAssertion;
+  /** Assert `body.error` (or `body.message`) matches the given string or regex. */
+  hasError(matcher: string | RegExp): ArcAssertion;
+  /** Assert a specific key on `body.meta` or flattened top-level (matches sendControllerResponse flattening). */
+  hasMeta(key: string, value?: unknown): ArcAssertion;
+}
+declare function expectArc(response: ArcResponseLike): ArcAssertion;
+//#endregion
+//#region src/testing/authSession.d.ts
+/**
+ * A concrete auth session — headers ready to drop into `app.inject`.
+ *
+ * Frozen so tests can safely cache + share sessions between `it` blocks
+ * without worrying about one mutation leaking into another.
+ */
+interface TestAuthSession {
+  readonly role: string;
+  readonly token: string;
+  readonly orgId: string | undefined;
+  readonly user: Record<string, unknown> | undefined;
+  readonly headers: Readonly<Record<string, string>>;
+  /**
+   * Return a new session with extra headers merged over the defaults.
+   * Does not mutate the original — use for one-off requests that need
+   * a tracing header, idempotency key, etc.
+   */
+  withExtra(headers: Record<string, string>): TestAuthSession;
+}
+/**
+ * Per-role auth config. `user` + `token` are mutually exclusive:
+ *   - `user` → the provider signs a fresh JWT (for apps using @fastify/jwt)
+ *   - `token` → pre-signed token (Better Auth, external issuer, fixtures)
+ */
+interface RoleConfig {
+  /** JWT payload — signed on-the-fly by the provider (JWT apps only) */
+  user?: Record<string, unknown>;
+  /** Pre-signed bearer token (Better Auth, external issuer) */
+  token?: string;
+  /** Injected as `x-organization-id` header; falls back to provider default */
+  orgId?: string;
+  /** Custom headers merged into every session for this role */
+  extraHeaders?: Record<string, string>;
+}
+interface TestAuthProvider {
+  /** Register (or re-register) a named role. Later calls replace the earlier config. */
+  register(role: string, config: RoleConfig): void;
+  /** Resolve a session for a registered role. Throws if the role is unknown. */
+  as(role: string): TestAuthSession;
+  /** Unauthenticated session — empty headers. Useful for 401 tests. */
+  anonymous(): TestAuthSession;
+  /** Snapshot of registered role names (stable reference; mutates the array is UB). */
+  readonly roles: readonly string[];
+}
+/**
+ * JWT provider — signs tokens on-the-fly using `app.jwt.sign()`.
+ * Requires `@fastify/jwt` registered on the app.
+ *
+ * Accepts both `user` (payload to sign) and `token` (pre-signed) role configs,
+ * so the same provider handles mixed flows in a single test.
+ */
+declare function createJwtAuthProvider(app: FastifyInstance, opts?: {
+  defaultOrgId?: string;
+}): TestAuthProvider;
+/**
+ * Better Auth provider — uses pre-signed tokens (from signUp/signIn flows).
+ * No signing: role configs MUST carry `token`. A `user` alone will throw.
+ */
+declare function createBetterAuthProvider(opts?: {
+  defaultOrgId?: string;
+}): TestAuthProvider;
+/**
+ * Custom provider — plug in your own token minting logic. Useful for
+ * mocked external issuers, session-cookie flows, or fixtures that pre-mint.
+ */
+declare function createCustomAuthProvider(mintToken: (role: string, config: RoleConfig) => string, opts?: {
+  defaultOrgId?: string;
+}): TestAuthProvider;
+//#endregion
+//#region src/testing/betterAuth.d.ts
 interface BetterAuthTestHelpersOptions {
-  /** Base path for auth routes (default: '/api/auth') */
+  /** Base path where Better Auth is mounted (default: '/api/auth'). */
   basePath?: string;
 }
+interface SignUpInput {
+  email: string;
+  password: string;
+  name: string;
+}
+interface SignInInput {
+  email: string;
+  password: string;
+}
+interface CreateOrgInput {
+  name: string;
+  slug?: string;
+  metadata?: Record<string, unknown>;
+}
+/** Fastify-ish injection response — minimal shape we read. */
+interface InjectResponse {
+  statusCode: number;
+  body: string;
+  headers?: Record<string, unknown>;
+}
+/** Abstracted so helpers work with both Fastify and Fastify-like test instances. */
+interface Injector {
+  inject(opts: {
+    method: string;
+    url: string;
+    payload?: unknown;
+    headers?: Record<string, string>;
+  }): Promise<InjectResponse>;
+}
 interface AuthResponse {
   statusCode: number;
   token: string;
-  user: any;
-  body: any;
+  userId: string;
+  body: unknown;
 }
 interface OrgResponse {
   statusCode: number;
   orgId: string;
-  body: any;
+  body: unknown;
 }
 interface BetterAuthTestHelpers {
-  signUp(app: FastifyInstance, data: {
-    email: string;
-    password: string;
-    name: string;
-  }): Promise<AuthResponse>;
-  signIn(app: FastifyInstance, data: {
-    email: string;
-    password: string;
-  }): Promise<AuthResponse>;
-  createOrg(app: FastifyInstance, token: string, data: {
-    name: string;
-    slug: string;
-  }): Promise<OrgResponse>;
-  setActiveOrg(app: FastifyInstance, token: string, orgId: string): Promise<{
-    statusCode: number;
-    body: any;
-  }>;
+  /** POST {basePath}/sign-up/email — create a user account. */
+  signUp(app: Injector, input: SignUpInput): Promise<AuthResponse>;
+  /** POST {basePath}/sign-in/email — authenticate an existing user. */
+  signIn(app: Injector, input: SignInInput): Promise<AuthResponse>;
+  /** POST {basePath}/organization/create — create an org owned by the caller. */
+  createOrg(app: Injector, token: string, input: CreateOrgInput): Promise<OrgResponse>;
+  /** POST {basePath}/organization/set-active — switch the caller's active org. */
+  setActiveOrg(app: Injector, token: string, orgId: string): Promise<InjectResponse>;
+  /** Build `{ authorization: 'Bearer ...', 'x-organization-id': ... }` headers. */
   authHeaders(token: string, orgId?: string): Record<string, string>;
 }
-interface TestUserContext {
-  token: string;
-  userId: string;
-  email: string;
-}
-interface TestOrgContext<T = Record<string, TestUserContext>> {
-  app: FastifyInstance;
-  orgId: string;
-  users: T;
-  teardown: () => Promise<void>;
-}
-interface SetupUserConfig {
-  /** Key used to reference this user in the context (e.g. 'admin', 'member') */
+interface BetterAuthTestUser {
+  /** Identity key the caller passed in (e.g. 'admin' / 'member' / 'viewer'). */
   key: string;
   email: string;
   password: string;
   name: string;
-  /** Organization role assigned after joining */
-  role: string;
-  /** If true, this user creates the org (becomes org owner). Exactly one user should have this. */
+  role?: string;
+  /**
+   * True for the user who creates the org. The creator's signup runs first
+   * and produces the `orgId` that every subsequent user is added to.
+   */
   isCreator?: boolean;
 }
-interface SetupBetterAuthOrgOptions {
-  /** Factory function to create the Fastify app instance */
-  createApp: () => Promise<FastifyInstance>;
-  /** Organization to create */
-  org: {
-    name: string;
-    slug: string;
-  };
-  /** Users to create and add to the organization */
-  users: SetupUserConfig[];
-  /**
-   * Callback to add a member to the org.
-   * Apps wire Better Auth differently — some use auth.api.addMember, others use HTTP.
+interface SetupBetterAuthTestAppInput {
+  /** A built Fastify instance with Better Auth registered — app lifecycle is the caller's responsibility. */
+  app: FastifyInstance;
+  /** Org to create. The creator user (from `users[]`) owns it. */
+  org: CreateOrgInput;
+  /** Users to create. Exactly one MUST have `isCreator: true`. */
+  users: ReadonlyArray<BetterAuthTestUser>;
+  /**
+   * Add a non-creator user to the org. Called once per user with
+   * `isCreator !== true`. Consumer implements this — Better Auth apps can
+   * use invitations or direct member-add depending on plugin config.
+   *
+   * A successful status code in the returned `InjectResponse` is what the
+   * helper checks; body shape is app-specific.
    */
-  addMember: (data: {
-    organizationId: string;
+  addMember?: (data: {
+    app: FastifyInstance;
+    creatorToken: string;
+    orgId: string;
     userId: string;
     role: string;
-  }) => Promise<{
-    statusCode: number;
+  }) => Promise<InjectResponse>;
+  /** Better Auth base path override (default: '/api/auth'). */
+  basePath?: string;
+}
+interface SetupBetterAuthTestAppResult {
+  /** Same app the caller passed in (returned for convenience). */
+  app: FastifyInstance;
+  /** The org created by the first `isCreator: true` user. */
+  orgId: string;
+  /** Keyed by the user's `key` field — tokens + ids for every user. */
+  users: Record<string, {
+    userId: string;
+    token: string;
+    email: string;
+    role?: string;
   }>;
   /**
-   * Optional hook for app-specific initialization after all users are set up.
-   * Use this for things like recruiter→account manager hierarchy.
+   * A `TestAuthProvider` pre-populated with one role per user, so the
+   * 2.11 pattern `auth.as('admin').headers` works immediately:
+   *
+   *   const res = await app.inject({
+   *     url: '/jobs',
+   *     headers: result.auth.as('admin').headers,
+   *   });
+   *
+   * Pre-signed tokens from the signup/signin flow are registered — no
+   * on-the-fly JWT signing involved (Better Auth issues opaque session
+   * tokens, not signed JWTs).
    */
-  afterSetup?: (ctx: TestOrgContext) => Promise<void>;
-  /** Override auth helper options (e.g. custom basePath) */
-  authHelpers?: BetterAuthTestHelpersOptions;
+  auth: TestAuthProvider;
+  /** Close the app. Exposed as a single handle so tests can await it in afterAll. */
+  teardown: () => Promise<void>;
 }
 /**
- * Safely parse a JSON response body.
- * Returns null if parsing fails.
+ * Parse a JSON body safely. Returns null when empty or malformed — Better
+ * Auth endpoints occasionally emit empty 204 bodies (e.g. set-active) and
+ * tests shouldn't crash on the parse.
  */
-declare function safeParseBody(body: string): any;
+declare function safeParseBody<T = unknown>(body: string | undefined): T | null;
 /**
- * Create stateless Better Auth test helpers.
- *
- * All methods take the app instance as a parameter, making them
- * safe to use across multiple test suites.
+ * Stateless Better Auth helpers. Each function takes the app as a positional
+ * argument, so a single helper instance works across multiple test apps in
+ * the same suite.
  */
 declare function createBetterAuthTestHelpers(options?: BetterAuthTestHelpersOptions): BetterAuthTestHelpers;
 /**
- * Set up a complete test organization with users.
- *
- * Creates the app, signs up users, creates an org, adds members,
- * and returns a context object with tokens and a teardown function.
- *
- * @example
- * ```typescript
- * const ctx = await setupBetterAuthOrg({
- *   createApp: () => createAppInstance(),
- *   org: { name: 'Test Corp', slug: 'test-corp' },
- *   users: [
- *     { key: 'admin', email: 'admin@test.com', password: 'pass', name: 'Admin', role: 'admin', isCreator: true },
- *     { key: 'member', email: 'user@test.com', password: 'pass', name: 'User', role: 'member' },
- *   ],
- *   addMember: async (data) => {
- *     await auth.api.addMember({ body: data });
- *     return { statusCode: 200 };
- *   },
- * });
- *
- * // Use in tests:
- * const res = await ctx.app.inject({
- *   method: 'GET',
- *   url: '/api/products',
- *   headers: auth.authHeaders(ctx.users.admin.token, ctx.orgId),
- * });
- *
- * // Cleanup:
- * await ctx.teardown();
- * ```
- */
-declare function setupBetterAuthOrg(options: SetupBetterAuthOrgOptions): Promise<TestOrgContext>;
+ * Composite setup for Better Auth apps. Replaces the pre-v2.11
+ * `setupBetterAuthOrg` with a tighter contract:
+ *
+ *   1. Accept an already-built `app` (caller owns its lifecycle — arc's
+ *      `createTestApp` composes naturally, but any built Fastify works).
+ *   2. Sign up every user in order.
+ *   3. The creator user creates the org; orgId is captured.
+ *   4. Every non-creator user is added via the caller-supplied `addMember`
+ *      (Better Auth's org-member API is app-specific, so arc doesn't
+ *      hardcode it).
+ *   5. Set the active org on every user.
+ *   6. Register each user into a fresh `TestAuthProvider` — the 2.11
+ *      `.as(key).headers` pattern works out of the box on the result.
+ *
+ * Exactly one user must be `isCreator: true`. Throws if zero or multiple
+ * creators are supplied (ambiguous ownership is a boot-time bug, not a
+ * runtime one).
+ */
+declare function setupBetterAuthTestApp(input: SetupBetterAuthTestAppInput): Promise<SetupBetterAuthTestAppResult>;
 //#endregion
-//#region src/testing/dbHelpers.d.ts
-/**
- * Test database manager
- */
-declare class TestDatabase {
-  private connection?;
-  private dbName;
-  constructor(dbName?: string);
-  /**
-   * Connect to test database
-   */
-  connect(uri?: string): Promise<Connection>;
-  /**
-   * Disconnect and cleanup
-   */
-  disconnect(): Promise<void>;
-  /**
-   * Clear all collections
-   */
-  clear(): Promise<void>;
-  /**
-   * Get connection
-   */
-  getConnection(): Connection;
+//#region src/testing/fixtures.d.ts
+type FixtureFactory<T extends AnyRecord = AnyRecord> = (data: Partial<T>) => Promise<T>;
+/** Delete hook invoked by `clear()` for records that were created through a factory. */
+type FixtureDestroyer<T extends AnyRecord = AnyRecord> = (record: T) => Promise<void>;
+interface FixtureRegistration<T extends AnyRecord = AnyRecord> {
+  create: FixtureFactory<T>;
+  /** Optional cleanup. Defaults to a no-op; adapters that support deletion should provide one. */
+  destroy?: FixtureDestroyer<T>;
 }
-/**
- * Higher-order function to wrap tests with database setup/teardown
- *
- * @example
- * describe('Product Tests', () => {
- *   withTestDb(async (db) => {
- *     test('create product', async () => {
- *       const Product = db.getConnection().model('Product', schema);
- *       const product = await Product.create({ name: 'Test' });
- *       expect(product.name).toBe('Test');
- *     });
- *   });
- * });
- */
-declare function withTestDb(tests: (db: TestDatabase) => void | Promise<void>, options?: {
-  uri?: string;
-  dbName?: string;
-}): void;
-/**
- * Create test fixtures
- *
- * @example
- * const fixtures = new TestFixtures(connection);
- *
- * await fixtures.load('products', [
- *   { name: 'Product 1', price: 100 },
- *   { name: 'Product 2', price: 200 },
- * ]);
- *
- * const products = await fixtures.get('products');
- */
-declare class TestFixtures {
-  private fixtures;
-  private connection;
-  constructor(connection: Connection);
-  /**
-   * Load fixtures into a collection
-   */
-  load<T = any>(collectionName: string, data: Partial<T>[]): Promise<T[]>;
-  /**
-   * Get loaded fixtures
-   */
-  get<T = any>(collectionName: string): T[];
-  /**
-   * Get first fixture
-   */
-  getFirst<T = any>(collectionName: string): T | null;
-  /**
-   * Clear all fixtures
+interface TestFixtures {
+  /** Register a named factory. Later calls replace the earlier registration. */
+  register<T extends AnyRecord = AnyRecord>(name: string, factoryOrRegistration: FixtureFactory<T> | FixtureRegistration<T>): void;
+  /** Create one record through the named factory. Tracked for cleanup. */
+  create<T extends AnyRecord = AnyRecord>(name: string, data?: Partial<T>): Promise<T>;
+  /** Create many records with a shared template. Tracked for cleanup. */
+  createMany<T extends AnyRecord = AnyRecord>(name: string, count: number, template?: Partial<T>): Promise<T[]>;
+  /**
+   * Run every registered `destroy` hook over the records this instance
+   * created, then forget them. Safe to call multiple times (idempotent).
+   * Factories without a `destroy` hook silently skip — assume the test
+   * harness tears the whole DB down at the end.
    */
   clear(): Promise<void>;
+  /** All records ever created by a given factory name (read-only snapshot). */
+  all<T extends AnyRecord = AnyRecord>(name: string): readonly T[];
+  /** Registered factory names. */
+  readonly names: readonly string[];
 }
-/**
- * In-memory MongoDB for ultra-fast tests
- *
- * Requires: mongodb-memory-server
- *
- * @example
- * import { InMemoryDatabase } from '@classytic/arc/testing';
- *
- * describe('Fast Tests', () => {
- *   const memoryDb = new InMemoryDatabase();
- *
- *   beforeAll(async () => {
- *     await memoryDb.start();
- *   });
- *
- *   afterAll(async () => {
- *     await memoryDb.stop();
- *   });
- *
- *   test('create user', async () => {
- *     const uri = memoryDb.getUri();
- *     // Use uri for connection
- *   });
- * });
- */
-declare class InMemoryDatabase {
-  private mongod?;
-  private uri?;
-  /**
-   * Start in-memory MongoDB
-   */
-  start(): Promise<string>;
-  /**
-   * Stop in-memory MongoDB
-   */
-  stop(): Promise<void>;
-  /**
-   * Get connection URI
-   */
-  getUri(): string;
-}
-/**
- * Database transaction helper for testing
- */
-declare class TestTransaction {
-  private session?;
-  private connection;
-  constructor(connection: Connection);
-  /**
-   * Start transaction
-   */
-  start(): Promise<void>;
-  /**
-   * Commit transaction
-   */
-  commit(): Promise<void>;
-  /**
-   * Rollback transaction
-   */
-  rollback(): Promise<void>;
-  /**
-   * Get session
-   */
-  getSession(): any;
-}
-/**
- * Seed data helper
- */
-declare class TestSeeder {
-  private connection;
-  constructor(connection: Connection);
-  /**
-   * Seed collection with data
-   */
-  seed<T>(collectionName: string, generator: () => T[], count?: number): Promise<T[]>;
-  /**
-   * Clear collection
-   */
-  clear(collectionName: string): Promise<void>;
-  /**
-   * Clear all collections
-   */
-  clearAll(): Promise<void>;
-}
-/**
- * Database snapshot helper for rollback testing
- */
-declare class DatabaseSnapshot {
-  private snapshots;
-  private connection;
-  constructor(connection: Connection);
-  /**
-   * Take snapshot of current database state
-   */
-  take(): Promise<void>;
-  /**
-   * Restore database to snapshot
-   */
-  restore(): Promise<void>;
-  /**
-   * Clear snapshot
-   */
-  clear(): void;
-}
+declare function createTestFixtures(): TestFixtures;
 //#endregion
 //#region src/testing/HttpTestHarness.d.ts
-/**
- * Abstraction for generating auth headers in tests.
- * Supports JWT, Better Auth, or any custom auth mechanism.
- */
-interface AuthProvider {
-  /** Get HTTP headers for a given role key */
-  getHeaders(role: string): Record<string, string>;
-  /** Available role keys (e.g. ['admin', 'member', 'viewer']) */
-  availableRoles: string[];
-  /** Role key that has full CRUD access */
-  adminRole: string;
-}
-/**
- * Create an auth provider for JWT-based apps.
- *
- * Generates JWT tokens on the fly using the app's JWT plugin.
- *
- * @example
- * ```typescript
- * const auth = createJwtAuthProvider({
- *   app,
- *   users: {
- *     admin: { payload: { id: '1', roles: ['admin'] }, organizationId: 'org1' },
- *     viewer: { payload: { id: '2', roles: ['viewer'] } },
- *   },
- *   adminRole: 'admin',
- * });
- * ```
- */
-declare function createJwtAuthProvider(options: {
-  app: FastifyInstance;
-  users: Record<string, {
-    payload: Record<string, unknown>;
-    organizationId?: string;
-  }>;
-  adminRole: string;
-}): AuthProvider;
-/**
- * Create an auth provider for Better Auth apps.
- *
- * Uses pre-existing tokens (from signUp/signIn) rather than generating them.
- *
- * @example
- * ```typescript
- * const auth = createBetterAuthProvider({
- *   tokens: {
- *     admin: ctx.users.admin.token,
- *     member: ctx.users.member.token,
- *   },
- *   orgId: ctx.orgId,
- *   adminRole: 'admin',
- * });
- * ```
- */
-declare function createBetterAuthProvider(options: {
-  tokens: Record<string, string>;
-  orgId: string;
-  adminRole: string;
-}): AuthProvider;
 interface HttpTestHarnessOptions<T = unknown> {
-  /** Fastify app instance (must be ready) */
+  /** Fastify app (must be ready). */
   app: FastifyInstance;
-  /** Test data fixtures */
+  /** Auth provider (from `createTestApp` or one of the auth factories). */
+  auth: TestAuthProvider;
+  /** Role name registered on `auth` that has full CRUD access. */
+  adminRole: string;
+  /** Request bodies for CRUD probes. */
   fixtures: {
-    /** Valid payload for creating a resource */valid: Partial<T>; /** Payload for updating a resource (defaults to valid) */
-    update?: Partial<T>; /** Invalid payload that should fail validation */
+    valid: Partial<T>;
+    update?: Partial<T>;
     invalid?: Partial<T>;
   };
-  /** Auth provider for generating request headers */
-  auth: AuthProvider;
-  /** API path prefix (default: '/api' for eager, '' for deferred) */
+  /** URL prefix (default: `""`; apps mounted under `/api` pass `/api`). */
   apiPrefix?: string;
 }
-/** Options can be passed directly or as a getter for deferred resolution */
 type OptionsOrGetter<T> = HttpTestHarnessOptions<T> | (() => HttpTestHarnessOptions<T>);
-/**
- * HTTP-level test harness for Arc resources.
- *
- * Generates tests that exercise the full HTTP lifecycle:
- * routes, auth, permissions, pipeline, and response envelope.
- *
- * Supports deferred options via a getter function, which is essential
- * when the app instance comes from async `beforeAll()` setup.
- */
 declare class HttpTestHarness<T = unknown> {
   private resource;
   private optionsOrGetter;
-  private eagerBaseUrl;
   private enabledRoutes;
-  private updateMethod;
-  constructor(resource: ResourceDefinition<unknown>, optionsOrGetter: OptionsOrGetter<T>);
-  /** Resolve options (supports both direct and deferred) */
-  private getOptions;
   /**
-   * Resolve the base URL for requests.
-   *
-   * - Eager mode: uses pre-computed baseUrl from constructor
-   * - Deferred mode: reads apiPrefix from the getter options at runtime
-   *
-   * Must only be called inside it()/afterAll() callbacks (after beforeAll has run).
+   * Update verbs exercised by this harness instance. One entry for single-method
+   * resources (`"PATCH"` or `"PUT"`), two for `updateMethod: "both"` so both
+   * verbs are covered — the framework mounts both, and the harness should
+   * probe both.
    */
+  private updateMethods;
+  constructor(resource: ResourceDefinition<unknown>, optionsOrGetter: OptionsOrGetter<T>);
+  private getOptions;
   private getBaseUrl;
-  /**
-   * Run all test suites: CRUD + permissions + validation
-   */
+  private adminHeaders;
   runAll(): void;
-  /**
-   * Run HTTP-level CRUD tests.
-   *
-   * Tests each enabled CRUD operation through app.inject():
-   * - POST (create) → 200/201 with { success: true, data }
-   * - GET (list) → 200 with array or paginated response
-   * - GET /:id → 200 with { success: true, data }
-   * - PATCH/PUT /:id → 200 with { success: true, data }
-   * - DELETE /:id → 200
-   * - GET /:id with non-existent ID → 404
-   */
   runCrud(): void;
-  /**
-   * Run permission tests.
-   *
-   * Tests that:
-   * - Unauthenticated requests return 401
-   * - Admin role gets 2xx for all operations
-   */
   runPermissions(): void;
-  /**
-   * Run validation tests.
-   *
-   * Tests that invalid payloads return 400.
-   */
   runValidation(): void;
 }
 /**
- * Create an HTTP test harness for an Arc resource.
- *
- * Accepts options directly or as a getter function for deferred resolution.
- *
- * @example Deferred (recommended for async setup)
- * ```typescript
- * let ctx: TestContext;
- * beforeAll(async () => { ctx = await setupTestOrg(); });
- *
- * createHttpTestHarness(jobResource, () => ({
- *   app: ctx.app,
- *   apiPrefix: '',
- *   fixtures: { valid: { title: 'Test' } },
- *   auth: createBetterAuthProvider({ ... }),
- * })).runAll();
- * ```
+ * Create an HTTP test harness. `optionsOrGetter` may be a plain object
+ * (for eager app setup) or a getter function (for async `beforeAll` apps).
  */
 declare function createHttpTestHarness<T = unknown>(resource: ResourceDefinition<unknown>, optionsOrGetter: HttpTestHarnessOptions<T> | (() => HttpTestHarnessOptions<T>)): HttpTestHarness<T>;
 //#endregion
@@ -597,321 +493,81 @@ declare function preloadResources(globResult: EagerGlobResult): ResourceLike[];
  */
 declare function preloadResourcesAsync(globResult: LazyGlobResult): Promise<ResourceLike[]>;
 //#endregion
-//#region src/testing/TestHarness.d.ts
-/**
- * Test fixtures for a resource
- */
-interface TestFixtures$1<T = any> {
-  /** Valid create payload */
-  valid: Partial<T>;
-  /** Update payload (optional, defaults to valid) */
-  update?: Partial<T>;
-  /** Invalid payload for validation tests (optional) */
-  invalid?: Partial<T>;
-}
-/**
- * Test harness options
- */
-interface TestHarnessOptions<T = any> {
-  /** Test data fixtures */
-  fixtures: TestFixtures$1<T>;
-  /** Custom setup function (runs before all tests) */
-  setupFn?: () => Promise<void> | void;
-  /** Custom teardown function (runs after all tests) */
-  teardownFn?: () => Promise<void> | void;
-  /** MongoDB connection URI (defaults to process.env.MONGO_URI) */
-  mongoUri?: string;
-}
-declare class TestHarness<T = unknown> {
-  private resource;
-  private Model;
-  private fixtures;
-  private setupFn?;
-  private teardownFn?;
-  private mongoUri;
-  private _createdIds;
-  constructor(resource: ResourceDefinition<unknown>, options: TestHarnessOptions<T>);
-  /**
-   * Run all baseline tests (schema, presets, field permissions, pipeline, events).
-   *
-   * For HTTP-level CRUD coverage (routes, auth, permissions), use
-   * {@link HttpTestHarness} instead.
-   */
-  runAll(): void;
-  /**
-   * Run validation tests
-   *
-   * Tests schema validation, required fields, etc.
-   */
-  runValidation(): void;
-  /**
-   * Run preset-specific tests
+//#region src/testing/testApp.d.ts
+type DbMode = "in-memory" | {
+  uri: string;
+} | false;
+type AuthMode = "jwt" | "better-auth" | "none";
+interface CreateTestAppOptions extends Partial<Omit<CreateAppOptions, "resources">> {
+  /**
+   * Resources to auto-register. Pass `defineResource` results directly —
+   * createTestApp registers each as a Fastify plugin under their `prefix`.
+   * For apps that need custom registration, use `plugins: async (f) => { ... }`
+   * instead (standard createApp hook, passed through).
+   */
+  resources?: ReadonlyArray<ResourceDefinition<unknown>>;
+  /**
+   * Database mode:
+   *   - `'in-memory'` (default) — boot a MongoMemoryServer, expose `dbUri`,
+   *     tear down on `close()`. Requires `mongodb-memory-server`.
+   *   - `{ uri }` — external Mongo URI; lifecycle is the caller's responsibility.
+   *   - `false` — no DB wiring at all. Useful for pure Fastify unit tests.
    *
-   * Auto-detects applied presets and tests their functionality:
-   * - softDelete: deletedAt field, soft delete/restore
-   * - slugLookup: slug generation
-   * - tree: parent references, displayOrder
-   * - multiTenant: organizationId requirement
-   * - ownedByUser: userId requirement
+   * `dbUri` is returned on the context in every mode except `false`. Arc does
+   * NOT automatically thread it into resource adapters — set
+   * `connectMongoose: true` (Mongoose apps) or connect your adapter manually
+   * before importing resources.
    */
-  runPresets(): void;
+  db?: DbMode;
   /**
-   * Run field-level permission tests
+   * When `true`, runs `mongoose.connect(dbUri)` before booting the Fastify
+   * app and `mongoose.disconnect()` on `close()`. Turns the `db: 'in-memory'`
+   * path into a one-liner for Mongoose-backed tests. Defaults to `false`.
    *
-   * Auto-generates tests for each field permission:
-   * - hidden: field is stripped from responses
-   * - visibleTo: field only shown to specified roles
-   * - writableBy: field stripped from writes by non-privileged users
-   * - redactFor: field shows redacted value for specified roles
+   * Non-Mongoose adapters (Prisma, sqlitekit, custom) should leave this
+   * `false` and wire their own connection to `ctx.dbUri`.
    */
-  runFieldPermissions(): void;
+  connectMongoose?: boolean;
   /**
-   * Run pipeline configuration tests
+   * Auth mode attached to `ctx.auth` (and, for `'jwt'`, the default auth
+   * plugin on the app):
    *
-   * Validates that pipeline steps are properly configured:
-   * - All steps have names
-   * - All steps have valid _type discriminants
-   * - Operation filters (if set) use valid CRUD operation names
-   */
-  runPipeline(): void;
-  /**
-   * Run event definition tests
-   *
-   * Validates that events are properly defined:
-   * - All events have handler functions
-   * - Event names follow resource:action convention
-   * - Schema definitions (if present) are valid objects
-   */
-  runEvents(): void;
+   *   - `'jwt'` (default) — provider signs tokens via `app.jwt.sign()`; the
+   *     factory applies a default `auth: { type: 'jwt', jwt: {...} }` config
+   *     UNLESS the caller supplies their own `auth` in options.
+   *   - `'better-auth'` — provider uses pre-signed tokens you register.
+   *     **No default auth config is applied** — the caller MUST pass their
+   *     own `auth: { type: 'better-auth', ... }` via options, otherwise the
+   *     app runs without an auth plugin and every request is unauthenticated.
+   *     Mismatched `authMode: 'better-auth'` with a JWT-configured app would
+   *     be a subtle bug (tests look like they pass but hit the wrong
+   *     middleware), so we reject it at setup time.
+   *   - `'none'` — no `ctx.auth` attached; no default auth config.
+   */
+  authMode?: AuthMode;
+  /** Default org ID stamped on every session unless the role overrides. */
+  defaultOrgId?: string;
 }
-/**
- * Create a test harness for an Arc resource
- *
- * @param resource - The Arc resource definition to test
- * @param options - Test harness configuration
- * @returns Test harness instance
- *
- * @example
- * import { createTestHarness } from '@classytic/arc/testing';
- *
- * const harness = createTestHarness(productResource, {
- *   fixtures: {
- *     valid: { name: 'Product', price: 100 },
- *     update: { name: 'Updated' },
- *   },
- * });
- *
- * harness.runAll(); // Generates 50+ baseline tests
- */
-declare function createTestHarness<T = any>(resource: ResourceDefinition, options: TestHarnessOptions<T>): TestHarness<T>;
-/**
- * Test file generation options
- */
-interface GenerateTestFileOptions {
-  /** Applied presets (e.g., ['softDelete', 'slugLookup']) */
-  presets?: string[];
-  /** Module path for imports (default: '.') */
-  modulePath?: string;
-}
-/**
- * Generate test file content for a resource
- *
- * Useful for scaffolding new resource tests via CLI
- *
- * @param resourceName - Resource name in kebab-case (e.g., 'product')
- * @param options - Generation options
- * @returns Complete test file content as string
- *
- * @example
- * const testContent = generateTestFile('product', {
- *   presets: ['softDelete'],
- *   modulePath: './modules/catalog',
- * });
- * fs.writeFileSync('product.test.js', testContent);
- */
-declare function generateTestFile(resourceName: string, options?: GenerateTestFileOptions): string;
-/**
- * Run config-level tests for a resource (no DB required)
- *
- * Tests field permissions, pipeline configuration, and event definitions.
- * Works with any adapter — no Mongoose dependency.
- *
- * @param resource - The Arc resource definition to test
- *
- * @example
- * ```typescript
- * import { createConfigTestSuite } from '@classytic/arc/testing';
- * import productResource from './product.resource.js';
- *
- * // Generates field permission, pipeline, and event tests
- * createConfigTestSuite(productResource);
- * ```
- */
-declare function createConfigTestSuite(resource: ResourceDefinition<unknown>): void;
-//#endregion
-//#region src/testing/testFactory.d.ts
-interface CreateTestAppOptions extends Partial<CreateAppOptions> {
-  /**
-   * Use in-memory MongoDB for faster tests (default: true)
-   * Requires: mongodb-memory-server
-   *
-   * Set to false to use a provided mongoUri instead
-   */
-  useInMemoryDb?: boolean;
-  /**
-   * MongoDB connection URI (only used if useInMemoryDb is false)
-   */
-  mongoUri?: string;
-}
-interface TestAppResult {
-  /** Fastify app instance */
+interface TestAppContext {
   app: FastifyInstance;
+  /** Unified auth provider; `undefined` when `authMode: 'none'`. */
+  auth: TestAuthProvider | undefined;
+  /** Fixture tracker for record seeding. Always attached. */
+  fixtures: TestFixtures;
+  /** Connection URI — present when `db: 'in-memory'` or `{ uri }`. */
+  dbUri?: string;
   /**
-   * Cleanup function to close app and disconnect database
-   * Call this in afterAll() or afterEach()
+   * One cleanup for fixtures + app + Mongoose (if connected) + in-memory DB.
+   * Idempotent.
    */
-  close: () => Promise<void>;
-  /** MongoDB connection URI (useful for connecting models) */
-  mongoUri?: string;
+  close(): Promise<void>;
 }
+declare function createTestApp(options?: CreateTestAppOptions): Promise<TestAppContext>;
 /**
- * Create a test application instance with optional in-memory MongoDB
- *
- * **Performance Boost**: Uses in-memory MongoDB by default for 10x faster tests.
- *
- * @example Basic usage with in-memory DB
- * ```typescript
- * import { createTestApp } from '@classytic/arc/testing';
- *
- * describe('API Tests', () => {
- *   let testApp: TestAppResult;
- *
- *   beforeAll(async () => {
- *     testApp = await createTestApp({
- *       auth: { type: 'jwt', jwt: { secret: 'test-secret' } },
- *     });
- *   });
- *
- *   afterAll(async () => {
- *     await testApp.close(); // Cleans up DB and disconnects
- *   });
- *
- *   test('GET /health', async () => {
- *     const response = await testApp.app.inject({
- *       method: 'GET',
- *       url: '/health',
- *     });
- *     expect(response.statusCode).toBe(200);
- *   });
- * });
- * ```
- *
- * @example Using external MongoDB
- * ```typescript
- * const testApp = await createTestApp({
- *   auth: { type: 'jwt', jwt: { secret: 'test-secret' } },
- *   useInMemoryDb: false,
- *   mongoUri: 'mongodb://localhost:27017/test-db',
- * });
- * ```
- *
- * @example Accessing MongoDB URI for model connections
- * ```typescript
- * const testApp = await createTestApp({
- *   auth: { type: 'jwt', jwt: { secret: 'test-secret' } },
- * });
- * await mongoose.connect(testApp.mongoUri); // Connect your models
- * ```
- */
-declare function createTestApp(options?: CreateTestAppOptions): Promise<TestAppResult>;
-/**
- * Create a minimal Fastify instance for unit tests
- *
- * Use when you don't need Arc's full plugin stack
- *
- * @example
- * const app = createMinimalTestApp();
- * app.get('/test', async () => ({ success: true }));
- *
- * const response = await app.inject({ method: 'GET', url: '/test' });
- * expect(response.json()).toEqual({ success: true });
+ * Minimal Fastify instance — no arc plugins, no auth, no db. Use when a test
+ * needs bare Fastify (e.g. plugin unit tests that manually register their
+ * dependencies).
  */
 declare function createMinimalTestApp(options?: FastifyServerOptions): FastifyInstance;
-/**
- * Test request builder for cleaner tests
- *
- * @example
- * const request = new TestRequestBuilder(app)
- *   .get('/products')
- *   .withAuth(mockUser)
- *   .withQuery({ page: 1, limit: 10 });
- *
- * const response = await request.send();
- * expect(response.statusCode).toBe(200);
- */
-declare class TestRequestBuilder {
-  private method;
-  private url;
-  private body?;
-  private query?;
-  private headers;
-  private app;
-  constructor(app: FastifyInstance);
-  get(url: string): this;
-  post(url: string): this;
-  put(url: string): this;
-  patch(url: string): this;
-  delete(url: string): this;
-  withBody(body: Record<string, unknown>): this;
-  withQuery(query: Record<string, string | string[]>): this;
-  withHeader(key: string, value: string): this;
-  withAuth(userOrHeaders: Record<string, unknown>): this;
-  withContentType(type: string): this;
-  send(): Promise<Fastify.LightMyRequestResponse>;
-}
-/**
- * Helper to create a test request builder
- */
-declare function request(app: FastifyInstance): TestRequestBuilder;
-/**
- * Test helper for authentication
- */
-declare function createTestAuth(app: FastifyInstance): {
-  /**
-   * Generate a JWT token for testing
-   */
-  generateToken(user: Record<string, unknown>): string;
-  /**
-   * Decode a JWT token
-   */
-  decodeToken(token: string): Record<string, unknown> | null;
-  /**
-   * Verify a JWT token
-   */
-  verifyToken(token: string): Promise<Record<string, unknown>>;
-};
-/**
- * Snapshot testing helper for API responses
- */
-declare function createSnapshotMatcher(): {
-  /**
-   * Match response structure (ignores dynamic values like timestamps)
-   */
-  matchStructure(response: unknown, expected: unknown): boolean;
-};
-/**
- * Bulk test data loader
- */
-declare class TestDataLoader {
-  private data;
-  /**
-   * Load test data into database
-   */
-  load(collection: string, items: Record<string, unknown>[]): Promise<Record<string, unknown>[]>;
-  /**
-   * Clear all loaded test data
-   */
-  cleanup(): Promise<void>;
-}
 //#endregion
-export { type AuthProvider, type AuthResponse, type BetterAuthTestHelpers, type BetterAuthTestHelpersOptions, type CreateTestAppOptions, DatabaseSnapshot, TestFixtures as DbTestFixtures, type GenerateTestFileOptions, HttpTestHarness, type HttpTestHarnessOptions, InMemoryDatabase, type OrgResponse, type SetupBetterAuthOrgOptions, type SetupUserConfig, type StorageContractSetup, type StorageContractSetupResult, type TestAppResult, TestDataLoader, TestDatabase, type TestFixtures$1 as TestFixtures, TestHarness, type TestHarnessOptions, type TestOrgContext, TestRequestBuilder, TestSeeder, TestTransaction, type TestUserContext, createBetterAuthProvider, createBetterAuthTestHelpers, createConfigTestSuite, createDataFactory, createHttpTestHarness, createJwtAuthProvider, createMinimalTestApp, createMockController, createMockReply, createMockRepository, createMockRequest, createMockUser, createSnapshotMatcher, createSpy, createTestApp, createTestAuth, createTestHarness, createTestTimer, generateTestFile, preloadResources, preloadResourcesAsync, request, runStorageContract, safeParseBody, setupBetterAuthOrg, waitFor, withTestDb };
+export { type ArcAssertion, type ArcResponseLike, type AuthMode, type AuthResponse, type BetterAuthTestHelpers, type BetterAuthTestHelpersOptions, type BetterAuthTestUser, type CreateOrgInput, type CreateTestAppOptions, type DbMode, type FixtureDestroyer, type FixtureFactory, type FixtureRegistration, HttpTestHarness, type HttpTestHarnessOptions, type MockRepository, type OrgResponse, type RoleConfig, type SetupBetterAuthTestAppInput, type SetupBetterAuthTestAppResult, type SignInInput, type SignUpInput, type StorageContractSetup, type StorageContractSetupResult, type TestAppContext, type TestAuthProvider, type TestAuthSession, type TestFixtures, createBetterAuthProvider, createBetterAuthTestHelpers, createCustomAuthProvider, createDataFactory, createHttpTestHarness, createJwtAuthProvider, createMinimalTestApp, createMockController, createMockReply, createMockRepository, createMockRequest, createMockUser, createSpy, createTestApp, createTestFixtures, createTestTimer, expectArc, preloadResources, preloadResourcesAsync, runStorageContract, safeParseBody, setupBetterAuthTestApp, waitFor };