@fuzdev/fuz_app 0.1.0

package/dist/testing/adversarial_input.js

@@ -0,0 +1,494 @@
+import './assert_dev_env.js';
+/**
+ * Adversarial input validation testing for route specs.
+ *
+ * Walks Zod schemas directly to generate payloads that must fail validation.
+ * Fires requests against a test app and asserts 400 responses before handlers
+ * are reached.
+ *
+ * Tests are focused: one representative wrong-type value per field, one format
+ * violation per constrained field, one null and one missing test per required
+ * field, plus whole-body structural attacks (non-object body, extra unknown keys).
+ *
+ * @module
+ */
+import { test, assert, describe } from 'vitest';
+import { z } from 'zod';
+import { zod_unwrap_to_object, zod_extract_fields } from '@fuzdev/fuz_util/zod.js';
+import { is_null_schema } from '../http/schema_helpers.js';
+import { filter_routes_with_input, filter_routes_with_params, filter_routes_with_query, } from '../http/surface_query.js';
+import { ValidationError, ERROR_INVALID_REQUEST_BODY, ERROR_INVALID_JSON_BODY, ERROR_INVALID_ROUTE_PARAMS, ERROR_INVALID_QUERY_PARAMS, } from '../http/error_schemas.js';
+import { create_auth_test_apps, select_auth_app } from './auth_apps.js';
+import { detect_format, generate_valid_value, resolve_valid_path } from './schema_generators.js';
+// --- Payload generation ---
+/** One wrong-type value per base type — one representative is sufficient. */
+const wrong_type_for = (base_type) => {
+    switch (base_type) {
+        case 'string':
+        case 'uuid':
+        case 'email':
+            return { label: 'number instead of string', value: 42 };
+        case 'number':
+        case 'int':
+            return { label: 'string instead of number', value: 'not_a_number' };
+        case 'boolean':
+            return { label: 'number instead of boolean', value: 42 };
+        case 'array':
+            return { label: 'string instead of array', value: 'not_an_array' };
+        case 'object':
+            return { label: 'string instead of object', value: 'not_an_object' };
+        case 'enum':
+            return { label: 'number instead of enum', value: 42 };
+        default:
+            return null;
+    }
+};
+/** Format violation payloads — one per constraint type. */
+const format_violation = (format) => {
+    switch (format) {
+        case 'uuid':
+            return { label: 'malformed uuid', value: 'not-a-uuid' };
+        case 'email':
+            return { label: 'malformed email', value: 'not-an-email' };
+        case 'date-time':
+            return { label: 'malformed datetime', value: 'not-a-date' };
+        case 'pattern':
+            return { label: 'pattern violation', value: "'; DROP TABLE --" };
+        default:
+            return null;
+    }
+};
+// --- Input test case generation ---
+/**
+ * Generate adversarial test cases for a route's input schema.
+ *
+ * Produces focused, non-redundant cases:
+ * - Whole-body: send array instead of object, extra unknown key
+ * - Missing required fields (without defaults)
+ * - One wrong-type value per field
+ * - Null for required non-nullable fields
+ * - One format violation per constrained field
+ */
+export const generate_input_test_cases = (input_schema) => {
+    if (is_null_schema(input_schema))
+        return [];
+    const object_schema = zod_unwrap_to_object(input_schema);
+    if (!object_schema)
+        return [];
+    const fields = zod_extract_fields(object_schema);
+    const cases = [];
+    // build a base object with valid-ish values — must pass validation itself
+    // skip optional fields without defaults to avoid generating invalid nested values
+    const base = {};
+    for (const field of fields) {
+        if (!field.required && !field.has_default)
+            continue;
+        base[field.name] = generate_valid_value(field, object_schema.shape[field.name]);
+    }
+    const base_result = input_schema.safeParse(base);
+    if (!base_result.success) {
+        throw new Error(`adversarial_input: generated base object fails validation for schema — ` +
+            `fix generate_valid_value for: ${base_result.error.issues.map((i) => `${i.path.join('.')}: ${i.message}`).join(', ')}`);
+    }
+    // whole-body structural: send array instead of object
+    cases.push({
+        label: 'non-object body (array)',
+        body: [1, 2, 3],
+        expected_error: ERROR_INVALID_JSON_BODY,
+    });
+    // whole-body structural: extra unknown key (enforces strictObject)
+    // only emit if the schema rejects unknown keys (i.e. uses z.strictObject)
+    const extra_key_result = input_schema.safeParse({ ...base, __adversarial_extra: 'rejected' });
+    if (!extra_key_result.success) {
+        cases.push({
+            label: 'extra unknown key',
+            body: { ...base, __adversarial_extra: 'should_be_rejected' },
+            expected_error: ERROR_INVALID_REQUEST_BODY,
+        });
+    }
+    for (const field of fields) {
+        const field_schema = object_schema.shape[field.name];
+        // missing required field (skip fields with defaults — Zod fills them)
+        if (field.required && !field.has_default) {
+            const without = {};
+            for (const [k, v] of Object.entries(base)) {
+                if (k !== field.name)
+                    without[k] = v;
+            }
+            cases.push({
+                label: `missing: ${field.name}`,
+                body: without,
+                expected_error: ERROR_INVALID_REQUEST_BODY,
+            });
+        }
+        // one wrong-type value
+        const wrong = wrong_type_for(field.base_type);
+        if (wrong) {
+            cases.push({
+                label: `wrong type: ${field.name} (${wrong.label})`,
+                body: { ...base, [field.name]: wrong.value },
+                expected_error: ERROR_INVALID_REQUEST_BODY,
+            });
+        }
+        // null for required non-nullable fields
+        if (field.required && !field.nullable && field.base_type !== 'null') {
+            cases.push({
+                label: `null: ${field.name}`,
+                body: { ...base, [field.name]: null },
+                expected_error: ERROR_INVALID_REQUEST_BODY,
+            });
+        }
+        // format violation for constrained string fields
+        const format = detect_format(field_schema);
+        if (format) {
+            const violation = format_violation(format);
+            if (violation) {
+                cases.push({
+                    label: `format: ${field.name} (${violation.label})`,
+                    body: { ...base, [field.name]: violation.value },
+                    expected_error: ERROR_INVALID_REQUEST_BODY,
+                });
+            }
+        }
+        // --- Boundary cases via JSON Schema introspection ---
+        try {
+            const json = z.toJSONSchema(field_schema);
+            // string length boundaries
+            if (field.base_type === 'string' ||
+                field.base_type === 'uuid' ||
+                field.base_type === 'email') {
+                if (typeof json.minLength === 'number' && json.minLength > 0) {
+                    cases.push({
+                        label: `empty string: ${field.name}`,
+                        body: { ...base, [field.name]: '' },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                }
+                if (typeof json.maxLength === 'number') {
+                    cases.push({
+                        label: `over maxLength: ${field.name} (${json.maxLength + 1} chars)`,
+                        body: { ...base, [field.name]: 'x'.repeat(json.maxLength + 1) },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                }
+            }
+            // numeric boundaries
+            if (field.base_type === 'number' || field.base_type === 'int') {
+                if (typeof json.minimum === 'number') {
+                    cases.push({
+                        label: `below minimum: ${field.name} (${json.minimum - 1})`,
+                        body: { ...base, [field.name]: json.minimum - 1 },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                }
+                if (typeof json.maximum === 'number') {
+                    cases.push({
+                        label: `above maximum: ${field.name} (${json.maximum + 1})`,
+                        body: { ...base, [field.name]: json.maximum + 1 },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                }
+                if (typeof json.exclusiveMinimum === 'number') {
+                    cases.push({
+                        label: `at exclusive minimum: ${field.name} (${json.exclusiveMinimum})`,
+                        body: { ...base, [field.name]: json.exclusiveMinimum },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                }
+                if (typeof json.exclusiveMaximum === 'number') {
+                    cases.push({
+                        label: `at exclusive maximum: ${field.name} (${json.exclusiveMaximum})`,
+                        body: { ...base, [field.name]: json.exclusiveMaximum },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                }
+                // 0 and negative for positive-only fields
+                if (typeof json.minimum === 'number' && json.minimum > 0) {
+                    cases.push({
+                        label: `zero for positive-only: ${field.name}`,
+                        body: { ...base, [field.name]: 0 },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                    cases.push({
+                        label: `negative for positive-only: ${field.name}`,
+                        body: { ...base, [field.name]: -1 },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                }
+            }
+            // array length boundaries
+            if (field.base_type === 'array') {
+                if (typeof json.minItems === 'number' && json.minItems > 0) {
+                    cases.push({
+                        label: `empty array for minItems > 0: ${field.name}`,
+                        body: { ...base, [field.name]: [] },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                }
+                if (typeof json.maxItems === 'number') {
+                    // generate an array one item over the max (items are null — schema-agnostic)
+                    cases.push({
+                        label: `over maxItems: ${field.name} (${json.maxItems + 1} items)`,
+                        body: { ...base, [field.name]: Array.from({ length: json.maxItems + 1 }, () => null) },
+                        expected_error: ERROR_INVALID_REQUEST_BODY,
+                    });
+                }
+            }
+        }
+        catch {
+            // schema can't be converted to JSON Schema, skip boundary cases
+        }
+    }
+    return cases;
+};
+// --- Params test case generation ---
+/**
+ * Generate adversarial test cases for a route's params schema.
+ *
+ * Params are always strings from URL segments. Only generates cases for
+ * format-constrained fields (uuid, pattern) since unconstrained string
+ * params accept any string value.
+ */
+export const generate_params_test_cases = (params_schema) => {
+    const fields = zod_extract_fields(params_schema);
+    const cases = [];
+    // build base params with valid-ish values
+    const base_params = {};
+    for (const field of fields) {
+        const field_schema = params_schema.shape[field.name];
+        const format = detect_format(field_schema);
+        if (format === 'uuid' || field.base_type === 'uuid') {
+            base_params[field.name] = '00000000-0000-0000-0000-000000000000';
+        }
+        else {
+            base_params[field.name] = 'test_value';
+        }
+    }
+    for (const field of fields) {
+        const field_schema = params_schema.shape[field.name];
+        const format = detect_format(field_schema);
+        if (!format)
+            continue; // unconstrained string — any value passes
+        const violation = format_violation(format);
+        if (violation) {
+            cases.push({
+                label: `${violation.label}: param ${field.name}`,
+                params: { ...base_params, [field.name]: violation.value },
+            });
+        }
+    }
+    return cases;
+};
+// --- Query test case generation ---
+/**
+ * Generate adversarial test cases for a route's query schema.
+ *
+ * Query params are always strings from the URL. Generates cases for:
+ * - Missing required fields
+ * - Format violations on constrained fields (uuid, pattern)
+ */
+export const generate_query_test_cases = (query_schema) => {
+    const fields = zod_extract_fields(query_schema);
+    const cases = [];
+    // build base query with valid-ish values
+    const base_query = {};
+    for (const field of fields) {
+        const field_schema = query_schema.shape[field.name];
+        const format = detect_format(field_schema);
+        if (format === 'uuid' || field.base_type === 'uuid') {
+            base_query[field.name] = '00000000-0000-0000-0000-000000000000';
+        }
+        else {
+            base_query[field.name] = 'test_value';
+        }
+    }
+    for (const field of fields) {
+        // missing required field
+        if (field.required && !field.has_default) {
+            const without = {};
+            for (const [k, v] of Object.entries(base_query)) {
+                if (k !== field.name)
+                    without[k] = v;
+            }
+            cases.push({
+                label: `missing query: ${field.name}`,
+                query: without,
+            });
+        }
+        // format violation for constrained string fields
+        const field_schema = query_schema.shape[field.name];
+        const format = detect_format(field_schema);
+        if (!format)
+            continue;
+        const violation = format_violation(format);
+        if (violation) {
+            cases.push({
+                label: `${violation.label}: query ${field.name}`,
+                query: { ...base_query, [field.name]: violation.value },
+            });
+        }
+    }
+    return cases;
+};
+// --- URL helpers ---
+/** Build a URL path with adversarial param values. */
+const build_fuzz_url = (route_path, params) => {
+    let url = route_path;
+    for (const [key, value] of Object.entries(params)) {
+        url = url.replace(`:${key}`, encodeURIComponent(value));
+    }
+    return url;
+};
+/** Build a URL with query string parameters. */
+const build_query_url = (path, query) => {
+    const search = new URLSearchParams(query).toString();
+    return search ? `${path}?${search}` : path;
+};
+// --- Test runner ---
+/**
+ * Generate adversarial input validation test suites.
+ *
+ * Tests input body validation and params validation for all routes.
+ * Uses correct auth credentials so auth guards pass and validation
+ * middleware is actually exercised.
+ *
+ * @param options - the test configuration
+ */
+export const describe_adversarial_input = (options) => {
+    const { build, roles } = options;
+    const { surface, route_specs } = build();
+    const routes_with_input = filter_routes_with_input(surface);
+    const routes_with_params = filter_routes_with_params(surface);
+    const routes_with_query = filter_routes_with_query(surface);
+    if (routes_with_input.length === 0 &&
+        routes_with_params.length === 0 &&
+        routes_with_query.length === 0)
+        return;
+    // lookup RouteSpec by method+path for Zod schema access
+    const spec_lookup = new Map();
+    for (const spec of route_specs) {
+        spec_lookup.set(`${spec.method} ${spec.path}`, spec);
+    }
+    const apps = create_auth_test_apps(route_specs, roles);
+    describe('adversarial input validation', () => {
+        // --- Input body tests ---
+        if (routes_with_input.length > 0) {
+            // every surface route with input must have a matching RouteSpec
+            const missing_specs = routes_with_input
+                .map((r) => `${r.method} ${r.path}`)
+                .filter((key) => !spec_lookup.has(key));
+            if (missing_specs.length > 0) {
+                throw new Error(`adversarial_input: surface routes with input have no matching RouteSpec: ${missing_specs.join(', ')}`);
+            }
+            let input_test_count = 0;
+            describe('input body', () => {
+                for (const route of routes_with_input) {
+                    const key = `${route.method} ${route.path}`;
+                    const spec = spec_lookup.get(key);
+                    const test_cases = generate_input_test_cases(spec.input);
+                    if (test_cases.length === 0)
+                        continue;
+                    input_test_count += test_cases.length;
+                    const app = select_auth_app(apps, route.auth);
+                    const url = resolve_valid_path(route.path, spec.params);
+                    describe(key, () => {
+                        for (const tc of test_cases) {
+                            test(tc.label, async () => {
+                                const res = await app.request(url, {
+                                    method: route.method,
+                                    headers: { 'Content-Type': 'application/json' },
+                                    body: JSON.stringify(tc.body),
+                                });
+                                assert.strictEqual(res.status, 400, `Expected 400 for ${key} [${tc.label}], got ${res.status}`);
+                                const body = await res.json();
+                                assert.strictEqual(body.error, tc.expected_error, `Expected ${tc.expected_error} for ${key} [${tc.label}], got: ${body.error}`);
+                                // validate response body structure matches error schema
+                                if (tc.expected_error === 'invalid_request_body') {
+                                    ValidationError.parse(body);
+                                }
+                            });
+                        }
+                    });
+                }
+                test('generated input test cases', () => {
+                    assert.ok(input_test_count > 0, 'No input test cases generated — schema walking may be broken');
+                });
+            });
+        }
+        // --- Params tests ---
+        if (routes_with_params.length > 0) {
+            let params_test_count = 0;
+            describe('params', () => {
+                for (const route of routes_with_params) {
+                    const key = `${route.method} ${route.path}`;
+                    const spec = spec_lookup.get(key);
+                    if (!spec?.params)
+                        continue;
+                    const test_cases = generate_params_test_cases(spec.params);
+                    if (test_cases.length === 0)
+                        continue;
+                    params_test_count += test_cases.length;
+                    const app = select_auth_app(apps, route.auth);
+                    describe(key, () => {
+                        for (const tc of test_cases) {
+                            test(tc.label, async () => {
+                                const url = build_fuzz_url(route.path, tc.params);
+                                const res = await app.request(url, { method: route.method });
+                                assert.strictEqual(res.status, 400, `Expected 400 for ${key} [${tc.label}], got ${res.status}`);
+                                const body = await res.json();
+                                assert.strictEqual(body.error, ERROR_INVALID_ROUTE_PARAMS, `Expected ${ERROR_INVALID_ROUTE_PARAMS} for ${key} [${tc.label}], got: ${body.error}`);
+                                // validate response body structure matches error schema
+                                ValidationError.parse(body);
+                            });
+                        }
+                    });
+                }
+                // params coverage check is softer — not all param routes have format constraints
+                if (params_test_count === 0) {
+                    test('no params test cases generated (all params unconstrained)', () => {
+                        // informational — unconstrained string params accept any value
+                        assert.ok(true);
+                    });
+                }
+            });
+        }
+        // --- Query tests ---
+        if (routes_with_query.length > 0) {
+            let query_test_count = 0;
+            describe('query params', () => {
+                for (const route of routes_with_query) {
+                    const key = `${route.method} ${route.path}`;
+                    const spec = spec_lookup.get(key);
+                    if (!spec?.query)
+                        continue;
+                    const test_cases = generate_query_test_cases(spec.query);
+                    if (test_cases.length === 0)
+                        continue;
+                    query_test_count += test_cases.length;
+                    const app = select_auth_app(apps, route.auth);
+                    const base_url = resolve_valid_path(route.path, spec.params);
+                    describe(key, () => {
+                        for (const tc of test_cases) {
+                            test(tc.label, async () => {
+                                const url = build_query_url(base_url, tc.query);
+                                const res = await app.request(url, { method: route.method });
+                                assert.strictEqual(res.status, 400, `Expected 400 for ${key} [${tc.label}], got ${res.status}`);
+                                const body = await res.json();
+                                assert.strictEqual(body.error, ERROR_INVALID_QUERY_PARAMS, `Expected ${ERROR_INVALID_QUERY_PARAMS} for ${key} [${tc.label}], got: ${body.error}`);
+                                // validate response body structure matches error schema
+                                ValidationError.parse(body);
+                            });
+                        }
+                    });
+                }
+                // query coverage check is softer — not all query routes have format constraints
+                if (query_test_count === 0) {
+                    test('no query test cases generated (all query params unconstrained)', () => {
+                        // informational — unconstrained string query params accept any value
+                        assert.ok(true);
+                    });
+                }
+            });
+        }
+    });
+};

package/dist/testing/app_server.d.ts

@@ -0,0 +1,169 @@
+import './assert_dev_env.js';
+/**
+ * Bootstrapped app server factory for integration tests.
+ *
+ * Creates a keeper account, API token, and signed session cookie on a
+ * database. By default uses a cached in-memory PGlite (shared WASM instance
+ * per vitest worker thread via `test_db.ts` module cache); pass `db` to use
+ * an existing database (any driver) instead.
+ *
+ * Also provides `create_test_app` — a combined helper that creates both
+ * a `TestAppServer` and a fully assembled Hono app with middleware and routes.
+ *
+ * @module
+ */
+import type { Hono } from 'hono';
+import { type Keyring } from '../auth/keyring.js';
+import type { Db, DbType } from '../db/db.js';
+import type { PasswordHashDeps } from '../auth/password.js';
+import { type SessionOptions } from '../auth/session_cookie.js';
+import type { AppBackend } from '../server/app_backend.js';
+import { type AppServerOptions, type AppServerContext } from '../server/app_server.js';
+import type { AppSurface } from '../http/surface.js';
+import type { RouteSpec } from '../http/route_spec.js';
+/**
+ * Fast password stub for tests that don't exercise login/password flows.
+ *
+ * Hashes are deterministic (`stub_hash_<password>`) and verify correctly,
+ * so auth bootstrap and session creation work without Argon2 overhead.
+ */
+export declare const stub_password_deps: PasswordHashDeps;
+/** 64-hex-char test cookie secret — deterministic, never used in production. */
+export declare const TEST_COOKIE_SECRET: string;
+/**
+ * Options for `bootstrap_test_account`.
+ */
+export interface BootstrapTestAccountOptions {
+    db: Db;
+    keyring: Keyring;
+    session_options: SessionOptions<string>;
+    password: PasswordHashDeps;
+    username?: string;
+    password_value?: string;
+    roles?: Array<string>;
+}
+/**
+ * Bootstrap a test account with credentials.
+ *
+ * Creates an account with actor, grants roles, creates an API token,
+ * creates a session, and signs a session cookie. Shared by
+ * `create_test_app_server` and `TestApp.create_account`.
+ */
+export declare const bootstrap_test_account: (options: BootstrapTestAccountOptions) => Promise<{
+    account: {
+        id: string;
+        username: string;
+    };
+    actor: {
+        id: string;
+    };
+    api_token: string;
+    session_cookie: string;
+}>;
+/**
+ * An `AppBackend` with a bootstrapped account, API token, and session cookie.
+ */
+export interface TestAppServer extends AppBackend {
+    /** The bootstrapped account. */
+    account: {
+        id: string;
+        username: string;
+    };
+    /** The actor linked to the account. */
+    actor: {
+        id: string;
+    };
+    /** Raw API token for Bearer auth. */
+    api_token: string;
+    /** Signed session cookie value for cookie auth. */
+    session_cookie: string;
+    /** Keyring used for cookie signing — exposed for forging expired/tampered cookies in tests. */
+    keyring: Keyring;
+    /** Release test resources (no-op when DB is injected or factory-cached). */
+    cleanup: () => Promise<void>;
+}
+/**
+ * Configuration for `create_test_app_server`.
+ */
+export interface TestAppServerOptions {
+    /** Session options — needed for cookie signing. */
+    session_options: SessionOptions<string>;
+    /** Existing database — skips internal DB creation when provided. Caller owns the DB lifecycle. */
+    db?: Db;
+    /** Database driver type — only used when `db` is provided. Default: `'pglite-memory'`. */
+    db_type?: DbType;
+    /** Password implementation. Default: `stub_password_deps`. Pass `argon2_password_deps` for tests that exercise login. */
+    password?: PasswordHashDeps;
+    /** Username for the bootstrapped account. Default: `'keeper'`. */
+    username?: string;
+    /** Password for the bootstrapped account. Default: `'test-password-123'`. */
+    password_value?: string;
+    /** Roles to grant. Default: `[ROLE_KEEPER]`. */
+    roles?: Array<string>;
+}
+export declare const create_test_app_server: (options: TestAppServerOptions) => Promise<TestAppServer>;
+/**
+ * Configuration for `create_test_app`.
+ */
+export interface CreateTestAppOptions extends TestAppServerOptions {
+    /** Route spec factory — called with the assembled `AppServerContext`. */
+    create_route_specs: (context: AppServerContext) => Array<RouteSpec>;
+    /** Optional overrides for `AppServerOptions` (backend, session_options, and create_route_specs are managed). */
+    app_options?: Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>>;
+}
+/**
+ * A bootstrapped test account with credentials.
+ */
+export interface TestAccount {
+    account: {
+        id: string;
+        username: string;
+    };
+    actor: {
+        id: string;
+    };
+    /** Signed session cookie value. */
+    session_cookie: string;
+    /** Raw API token for Bearer auth. */
+    api_token: string;
+    /** Build request headers with this account's session cookie. */
+    create_session_headers: (extra?: Record<string, string>) => Record<string, string>;
+    /** Build request headers with this account's Bearer token. */
+    create_bearer_headers: (extra?: Record<string, string>) => Record<string, string>;
+}
+/**
+ * A fully assembled test app — Hono app + backend + helpers.
+ */
+export interface TestApp {
+    app: Hono;
+    backend: TestAppServer;
+    surface: AppSurface;
+    route_specs: Array<RouteSpec>;
+    /** Build request headers with the bootstrapped session cookie. */
+    create_session_headers: (extra?: Record<string, string>) => Record<string, string>;
+    /** Build request headers with the bootstrapped Bearer token. */
+    create_bearer_headers: (extra?: Record<string, string>) => Record<string, string>;
+    /** Create an additional account with credentials. */
+    create_account: (options?: {
+        username?: string;
+        password_value?: string;
+        roles?: Array<string>;
+    }) => Promise<TestAccount>;
+    /** Cleanup resources (delegates to TestAppServer.cleanup). */
+    cleanup: () => Promise<void>;
+}
+/**
+ * Create a fully assembled test app with a Hono server, middleware, and routes.
+ *
+ * Combines `create_test_app_server` + `create_app_server` into a single call.
+ * Disables rate limiters and logging by default (test-friendly).
+ *
+ * A fresh Hono app is created each call — middleware closures bind to the
+ * server's deps (db, keyring), so reuse across servers is unsafe.
+ * The expensive resource (PGlite WASM) is cached separately in `test_db.ts`.
+ *
+ * @param options - test app configuration
+ * @returns a `TestApp` ready for HTTP testing
+ */
+export declare const create_test_app: (options: CreateTestAppOptions) => Promise<TestApp>;
+//# sourceMappingURL=app_server.d.ts.map

package/dist/testing/app_server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAK/B,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAKrD;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAqBD,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CAsFvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,gHAAgH;IAChH,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;CACF;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CA+EpF,CAAC"}