@fuzdev/fuz_app 0.30.0 → 0.32.0

package/dist/testing/app_server.d.ts

@@ -18,6 +18,7 @@ import type { Db, DbType } from '../db/db.js';
 import type { PasswordHashDeps } from '../auth/password.js';
 import { type SessionOptions } from '../auth/session_cookie.js';
 import type { AuditLogEvent } from '../auth/audit_log_schema.js';
+import type { Uuid } from '../uuid.js';
 import type { AppBackend } from '../server/app_backend.js';
 import { type AppServerOptions, type AppServerContext } from '../server/app_server.js';
 import type { AppSurface, AppSurfaceSpec } from '../http/surface.js';
@@ -52,11 +53,11 @@ export interface BootstrapTestAccountOptions {
  */
 export declare const bootstrap_test_account: (options: BootstrapTestAccountOptions) => Promise<{
     account: {
-        id: string;
+        id: Uuid;
         username: string;
     };
     actor: {
-        id: string;
+        id: Uuid;
     };
     api_token: string;
     session_cookie: string;
@@ -67,12 +68,12 @@ export declare const bootstrap_test_account: (options: BootstrapTestAccountOptio
 export interface TestAppServer extends AppBackend {
     /** The bootstrapped account. */
     account: {
-        id: string;
+        id: Uuid;
         username: string;
     };
     /** The actor linked to the account. */
     actor: {
-        id: string;
+        id: Uuid;
     };
     /** Raw API token for Bearer auth. */
     api_token: string;
@@ -125,11 +126,11 @@ export interface CreateTestAppOptions extends TestAppServerOptions {
  */
 export interface TestAccount {
     account: {
-        id: string;
+        id: Uuid;
         username: string;
     };
     actor: {
-        id: string;
+        id: Uuid;
     };
     /** Signed session cookie value. */
     session_cookie: string;

package/dist/testing/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAK/B,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAUrD;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;CAChD;AAqBD,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CAuFvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,gHAAgH;IAChH,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;CACF;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAkGpF,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAK/B,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,YAAY,CAAC;AACrC,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAUrD;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;CAChD;AAqBD,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CAuFvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,gHAAgH;IAChH,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;CACF;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAkGpF,CAAC"}

package/dist/testing/attack_surface.d.ts

@@ -36,8 +36,14 @@ export interface StandardAttackSurfaceOptions {
     api_path_prefix?: string;
     /** Security policy configuration. Omit for sensible defaults. */
     security_policy?: SurfaceSecurityPolicyOptions;
-    /** Error schema tightness assertion. Omit for informational-only behavior. */
-    error_schema_tightness?: ErrorSchemaTightnessOptions;
+    /**
+     * Error schema tightness assertion config. Defaults to
+     * `DEFAULT_ERROR_SCHEMA_TIGHTNESS` (ignores 401/403/429,
+     * `min_specificity: 'enum'`). Pass a narrower config to extend the
+     * allowlist or tighten the threshold; pass `null` to skip the assertion
+     * and keep the audit log informational-only.
+     */
+    error_schema_tightness?: ErrorSchemaTightnessOptions | null;
 }
 /**
  * Run the standard attack surface test suite.
@@ -49,7 +55,7 @@ export interface StandardAttackSurfaceOptions {
  * 4. Middleware stack — every API route has the full middleware chain
  * 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency)
  * 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
- * 7. Error schema tightness audit — informational log of generic vs specific error schemas
+ * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `DEFAULT_ERROR_SCHEMA_TIGHTNESS` by default (opt out with `error_schema_tightness: null`)
  * 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
  * 9. Adversarial input — input body and params validation
  * 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas

package/dist/testing/attack_surface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,EAKN,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,MAAM,yBAAyB,CAAC;AAoBjC,OAAO,EAA4B,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAsClF,oFAAoF;AACpF,MAAM,WAAW,sBAAsB;IACtC,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,sBAAsB,KAAG,IAkH3E,CAAC;AAIF,0DAA0D;AAC1D,MAAM,WAAW,4BAA4B;IAC5C,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,gHAAgH;IAChH,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,eAAe,CAAC,EAAE,4BAA4B,CAAC;IAC/C,8EAA8E;IAC9E,sBAAsB,CAAC,EAAE,2BAA2B,CAAC;CACrD;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,sCAAsC,GAClD,SAAS,4BAA4B,KACnC,IAoEF,CAAC"}
+{"version":3,"file":"attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,EAMN,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,MAAM,yBAAyB,CAAC;AAoBjC,OAAO,EAA4B,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAsClF,oFAAoF;AACpF,MAAM,WAAW,sBAAsB;IACtC,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,sBAAsB,KAAG,IAkH3E,CAAC;AAIF,0DAA0D;AAC1D,MAAM,WAAW,4BAA4B;IAC5C,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,gHAAgH;IAChH,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,eAAe,CAAC,EAAE,4BAA4B,CAAC;IAC/C;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC;CAC5D;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,sCAAsC,GAClD,SAAS,4BAA4B,KACnC,IAoEF,CAAC"}

package/dist/testing/attack_surface.js

@@ -15,7 +15,7 @@ import './assert_dev_env.js';
  * @module
  */
 import { test, assert, describe } from 'vitest';
-import { assert_surface_invariants, assert_surface_security_policy, audit_error_schema_tightness, assert_error_schema_tightness, } from './surface_invariants.js';
+import { assert_surface_invariants, assert_surface_security_policy, audit_error_schema_tightness, assert_error_schema_tightness, DEFAULT_ERROR_SCHEMA_TIGHTNESS, } from './surface_invariants.js';
 import { describe_adversarial_input } from './adversarial_input.js';
 import { describe_adversarial_404 } from './adversarial_404.js';
 import { create_test_app_from_specs, create_test_request_context, create_auth_test_apps, select_auth_app, resolve_test_path, } from './auth_apps.js';
@@ -167,7 +167,7 @@ export const describe_adversarial_auth = (options) => {
  * 4. Middleware stack — every API route has the full middleware chain
  * 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency)
  * 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
- * 7. Error schema tightness audit — informational log of generic vs specific error schemas
+ * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `DEFAULT_ERROR_SCHEMA_TIGHTNESS` by default (opt out with `error_schema_tightness: null`)
  * 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
  * 9. Adversarial input — input body and params validation
  * 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas
@@ -178,7 +178,7 @@ export const describe_adversarial_auth = (options) => {
  * @param options - the test configuration
  */
 export const describe_standard_attack_surface_tests = (options) => {
-    const { build, snapshot_path, expected_public_routes, expected_api_middleware, roles, api_path_prefix = '/api/', security_policy, error_schema_tightness, } = options;
+    const { build, snapshot_path, expected_public_routes, expected_api_middleware, roles, api_path_prefix = '/api/', security_policy, error_schema_tightness = DEFAULT_ERROR_SCHEMA_TIGHTNESS, } = options;
     const built = build();
     const { surface } = built;
     describe('attack surface snapshot', () => {
@@ -202,7 +202,7 @@ export const describe_standard_attack_surface_tests = (options) => {
         test('security policy', () => {
             assert_surface_security_policy(surface, security_policy);
         });
-        test('error schema tightness audit', () => {
+        test('error schema tightness', () => {
             const entries = audit_error_schema_tightness(surface);
             const generic = entries.filter((e) => e.specificity === 'generic');
             const literal = entries.filter((e) => e.specificity === 'literal');

package/dist/testing/audit_completeness.d.ts

@@ -3,6 +3,7 @@ import type { SessionOptions } from '../auth/session_cookie.js';
 import type { AppServerContext, AppServerOptions } from '../server/app_server.js';
 import type { RouteSpec } from '../http/route_spec.js';
 import { type DbFactory } from './db.js';
+import type { RpcEndpointSpec } from '../http/surface.js';
 /**
  * Configuration for `describe_audit_completeness_tests`.
  */
@@ -11,6 +12,16 @@ export interface AuditCompletenessTestOptions {
     session_options: SessionOptions<string>;
     /** Route spec factory — same one used in production. */
     create_route_specs: (ctx: AppServerContext) => Array<RouteSpec>;
+    /**
+     * RPC endpoint specs — the source `RpcAction` arrays. Required; the
+     * admin permit flow is RPC-only and the suite hard-fails without it.
+     *
+     * Accepts either an array (eager) or a factory
+     * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` — the factory form
+     * is required when action handlers must close over the per-test
+     * `ctx.app_settings` / `ctx.deps` (e.g. exercising `app_settings_update`).
+     */
+    rpc_endpoints: Array<RpcEndpointSpec> | ((ctx: AppServerContext) => Array<RpcEndpointSpec>);
     /** Optional overrides for `AppServerOptions`. */
     app_options?: Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>>;
     /** Database factories to run tests against. Default: pglite only. */

package/dist/testing/audit_completeness.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAKrD,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAkFD;;;;;;;;GAQG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IA0azF,CAAC"}
+{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAMrD,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAOjB,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,oBAAoB,CAAC;AAsBxD;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;OAQG;IACH,aAAa,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAC5F,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAoDD;;;;;;;;GAQG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IA2ezF,CAAC"}

package/dist/testing/audit_completeness.js

@@ -20,11 +20,13 @@ import { create_test_app } from './app_server.js';
 import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
 import { find_auth_route } from './integration_helpers.js';
 import { run_migrations } from '../db/migrate.js';
-/** Find an admin route by suffix and method. */
-const find_admin_route = (specs, suffix, method) => specs.find((s) => s.method === method &&
-    s.path.endsWith(suffix) &&
-    s.auth.type === 'role' &&
-    s.auth.role === 'admin');
+import { query_accept_offer } from '../auth/permit_offer_queries.js';
+import { rpc_call, require_rpc_endpoint_path } from './rpc_helpers.js';
+import { create_stub_app_server_context } from './stubs.js';
+import { permit_offer_create_action_spec, permit_revoke_action_spec, } from '../auth/permit_offer_action_specs.js';
+import { admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, app_settings_update_action_spec, invite_create_action_spec, invite_delete_action_spec, } from '../auth/admin_action_specs.js';
+import { account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
+import { query_actor_by_account } from '../auth/account_queries.js';
 /** Query audit log events from the database. */
 const query_audit_events = async (db) => {
     return db.query('SELECT event_type, seq FROM audit_log ORDER BY seq');
@@ -39,7 +41,10 @@ const build_options = (options, db) => ({
     create_route_specs: options.create_route_specs,
     db,
     roles: [ROLE_KEEPER, ROLE_ADMIN],
-    app_options: options.app_options,
+    app_options: {
+        rpc_endpoints: options.rpc_endpoints,
+        ...options.app_options,
+    },
 });
 /** Headers for unauthenticated JSON requests (login, signup). */
 const UNAUTHENTICATED_JSON_HEADERS = {
@@ -52,15 +57,6 @@ const json_session_headers = (test_app, extra) => test_app.create_session_header
     'content-type': 'application/json',
     ...extra,
 });
-/**
- * Find an account-scoped parameterized route (e.g. `/tokens/:id/revoke`).
- *
- * Matches routes with a `:id` or `:param` segment that are NOT admin role-gated.
- */
-const find_account_parameterized_route = (specs, segment, suffix, method) => specs.find((s) => s.method === method &&
-    s.path.includes(`/${segment}/`) &&
-    s.path.endsWith(suffix) &&
-    s.auth.type !== 'role');
 /**
  * Composable audit log completeness test suite.
  *
@@ -71,6 +67,19 @@ const find_account_parameterized_route = (specs, segment, suffix, method) => spe
  * @param options - session config, route factory, and optional overrides
  */
 export const describe_audit_completeness_tests = (options) => {
+    // Hard-fail early so consumers see a clear setup error instead of a
+    // confusing test failure when `rpc_endpoints` is missing. For the
+    // factory form we invoke the factory once here with a stub ctx purely
+    // to extract the endpoint path (a stable string like `/api/rpc`); the
+    // resulting actions array is discarded. `create_app_server` invokes
+    // the factory a second time inside each test with its real ctx, and
+    // those are the handlers that actually serve requests. Safe as long
+    // as the factory is pure — the stock helpers (e.g.
+    // `create_admin_rpc_actions`) are.
+    const rpc_endpoints_for_setup = typeof options.rpc_endpoints === 'function'
+        ? options.rpc_endpoints(create_stub_app_server_context(options.session_options))
+        : options.rpc_endpoints;
+    const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
         await run_migrations(db, [AUTH_MIGRATION_NS]);
     };
@@ -125,37 +134,39 @@ export const describe_audit_completeness_tests = (options) => {
             });
             test('token create produces token_create event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
-                const route = find_auth_route(test_app.route_specs, '/tokens/create', 'POST');
-                assert.ok(route, 'Expected POST /tokens/create route');
-                const res = await test_app.app.request(route.path, {
-                    method: 'POST',
-                    headers: json_session_headers(test_app),
-                    body: JSON.stringify({ name: 'audit-test' }),
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_token_create_action_spec.method,
+                    params: { name: 'audit-test' },
+                    headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
+                assert.ok(res.ok, `account_token_create failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'token_create', 'POST /tokens/create');
+                assert_has_event(events, 'token_create', 'account_token_create RPC');
             });
             test('token revoke produces token_revoke event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
                 // get a token ID to revoke
-                const tokens_route = find_auth_route(test_app.route_specs, '/tokens', 'GET');
-                assert.ok(tokens_route, 'Expected GET /tokens route');
-                const list_res = await test_app.app.request(tokens_route.path, {
+                const list_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_token_list_action_spec.method,
                     headers: test_app.create_session_headers(),
                 });
-                const { tokens } = (await list_res.json());
+                assert.ok(list_res.ok, 'account_token_list should succeed');
+                const { tokens } = list_res.result;
                 assert.ok(tokens.length > 0, 'Expected at least one token');
-                const route = find_account_parameterized_route(test_app.route_specs, 'tokens', '/revoke', 'POST');
-                assert.ok(route, 'Expected POST /tokens/:id/revoke route');
-                const path = route.path.replace(':id', tokens[0].id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_token_revoke_action_spec.method,
+                    params: { token_id: tokens[0].id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
+                assert.ok(res.ok, `account_token_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'token_revoke', 'POST /tokens/:id/revoke');
+                assert_has_event(events, 'token_revoke', 'account_token_revoke RPC');
             });
             test('session revoke produces session_revoke event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -171,36 +182,38 @@ export const describe_audit_completeness_tests = (options) => {
                     }),
                 });
                 // get session IDs (newest first)
-                const sessions_route = find_auth_route(test_app.route_specs, '/sessions', 'GET');
-                assert.ok(sessions_route, 'Expected GET /sessions route');
-                const list_res = await test_app.app.request(sessions_route.path, {
+                const list_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_session_list_action_spec.method,
                     headers: test_app.create_session_headers(),
                 });
-                const { sessions } = (await list_res.json());
+                assert.ok(list_res.ok, 'account_session_list should succeed');
+                const { sessions } = list_res.result;
                 assert.ok(sessions.length >= 2, 'Expected at least 2 sessions');
-                const route = find_account_parameterized_route(test_app.route_specs, 'sessions', '/revoke', 'POST');
-                assert.ok(route, 'Expected POST /sessions/:id/revoke route');
                 // revoke the second session (not the one used for auth)
-                const path = route.path.replace(':id', sessions[1].id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_session_revoke_action_spec.method,
+                    params: { session_id: sessions[1].id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
+                assert.ok(res.ok, `account_session_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'session_revoke', 'POST /sessions/:id/revoke');
+                assert_has_event(events, 'session_revoke', 'account_session_revoke RPC');
             });
             test('session revoke-all produces session_revoke_all event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
-                const route = find_auth_route(test_app.route_specs, '/sessions/revoke-all', 'POST');
-                assert.ok(route, 'Expected POST /sessions/revoke-all route');
-                const res = await test_app.app.request(route.path, {
-                    method: 'POST',
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: account_session_revoke_all_action_spec.method,
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
+                assert.ok(res.ok, `account_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'session_revoke_all', 'POST /sessions/revoke-all');
+                assert_has_event(events, 'session_revoke_all', 'account_session_revoke_all RPC');
             });
             test('password change produces password_change event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -221,137 +234,144 @@ export const describe_audit_completeness_tests = (options) => {
         });
         // --- Admin routes ---
         describe('admin mutation audit events', () => {
-            test('permit grant produces permit_grant event', async () => {
+            test('admin offer (RPC) + accept produces permit_offer_create and permit_grant events', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
-                const route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                assert.ok(route, 'Expected admin POST /permits/grant route');
                 const target = await test_app.create_account({ username: 'audit_target' });
-                const path = route.path.replace(':account_id', target.account.id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
-                    headers: json_session_headers(test_app),
-                    body: JSON.stringify({ role: ROLE_ADMIN }),
+                const offer_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: permit_offer_create_action_spec.method,
+                    params: { to_account_id: target.account.id, role: ROLE_ADMIN },
+                    headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
-                const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'permit_grant', 'POST /permits/grant');
+                assert.ok(offer_res.ok, `permit_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
+                const { offer } = offer_res.result;
+                // Admin offer emits `permit_offer_create` only — the permit doesn't
+                // exist yet. Drive the accept to confirm `permit_grant` fires on the
+                // downstream consent transition.
+                const events_after_offer = await query_audit_events(test_app.backend.deps.db);
+                assert_has_event(events_after_offer, 'permit_offer_create', 'permit_offer_create RPC');
+                await get_db().transaction(async (tx) => {
+                    await query_accept_offer({ db: tx }, { offer_id: offer.id, to_account_id: target.account.id, ip: null });
+                });
+                const events_after_accept = await query_audit_events(test_app.backend.deps.db);
+                assert_has_event(events_after_accept, 'permit_grant', 'offer accept');
             });
-            test('permit revoke produces permit_revoke event', async () => {
+            test('permit revoke (RPC) produces permit_revoke event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
-                const grant_route = find_admin_route(test_app.route_specs, '/permits/grant', 'POST');
-                const revoke_route = test_app.route_specs.find((s) => s.method === 'POST' &&
-                    s.path.includes('/permits/') &&
-                    s.path.endsWith('/revoke') &&
-                    s.auth.type === 'role');
-                assert.ok(grant_route, 'Expected admin POST /permits/grant route');
-                assert.ok(revoke_route, 'Expected admin POST /permits/:permit_id/revoke route');
                 const target = await test_app.create_account({ username: 'audit_revoke_target' });
-                // grant a permit first
-                const grant_path = grant_route.path.replace(':account_id', target.account.id);
-                const grant_res = await test_app.app.request(grant_path, {
-                    method: 'POST',
-                    headers: json_session_headers(test_app),
-                    body: JSON.stringify({ role: ROLE_ADMIN }),
+                const target_actor = await query_actor_by_account({ db: get_db() }, target.account.id);
+                assert.ok(target_actor);
+                // Offer + accept to materialize a permit we can revoke.
+                const offer_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: permit_offer_create_action_spec.method,
+                    params: { to_account_id: target.account.id, role: ROLE_ADMIN },
+                    headers: test_app.create_session_headers(),
                 });
-                const grant_body = (await grant_res.json());
-                // revoke it
-                const revoke_path = revoke_route.path
-                    .replace(':account_id', target.account.id)
-                    .replace(':permit_id', grant_body.permit.id);
-                const res = await test_app.app.request(revoke_path, {
-                    method: 'POST',
+                assert.ok(offer_res.ok, `permit_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
+                const { offer } = offer_res.result;
+                const accept_result = await get_db().transaction(async (tx) => {
+                    return query_accept_offer({ db: tx }, { offer_id: offer.id, to_account_id: target.account.id, ip: null });
+                });
+                // Revoke via RPC.
+                const revoke_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: permit_revoke_action_spec.method,
+                    params: { actor_id: target_actor.id, permit_id: accept_result.permit.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
+                assert.ok(revoke_res.ok, `permit_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'permit_revoke', 'POST /permits/:permit_id/revoke');
+                assert_has_event(events, 'permit_revoke', 'permit_revoke RPC');
             });
             test('admin session revoke-all produces session_revoke_all event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
-                const route = find_admin_route(test_app.route_specs, '/sessions/revoke-all', 'POST');
-                assert.ok(route, 'Expected admin POST /sessions/revoke-all route');
                 const target = await test_app.create_account({ username: 'audit_sessions_target' });
-                const path = route.path.replace(':account_id', target.account.id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_session_revoke_all_action_spec.method,
+                    params: { account_id: target.account.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
+                assert.ok(res.ok, `admin_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 // admin session revoke-all also produces session_revoke_all
-                assert_has_event(events, 'session_revoke_all', 'admin POST /sessions/revoke-all');
+                assert_has_event(events, 'session_revoke_all', 'admin_session_revoke_all RPC');
             });
             test('admin token revoke-all produces token_revoke_all event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
-                const route = find_admin_route(test_app.route_specs, '/tokens/revoke-all', 'POST');
-                assert.ok(route, 'Expected admin POST /tokens/revoke-all route');
                 const target = await test_app.create_account({ username: 'audit_tokens_target' });
-                const path = route.path.replace(':account_id', target.account.id);
-                const res = await test_app.app.request(path, {
-                    method: 'POST',
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: admin_token_revoke_all_action_spec.method,
+                    params: { account_id: target.account.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
+                assert.ok(res.ok, `admin_token_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'token_revoke_all', 'admin POST /tokens/revoke-all');
+                assert_has_event(events, 'token_revoke_all', 'admin_token_revoke_all RPC');
             });
         });
-        // --- Invite routes ---
+        // --- Invite RPC actions ---
         describe('invite mutation audit events', () => {
             test('invite create and delete produce audit events', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
-                const create_route = find_admin_route(test_app.route_specs, '/invites', 'POST');
-                const delete_route = test_app.route_specs.find((s) => s.method === 'DELETE' && s.path.includes('/invites/') && s.auth.type === 'role');
-                assert.ok(create_route, 'Expected admin POST /invites route');
-                assert.ok(delete_route, 'Expected admin DELETE /invites/:id route');
-                // create invite
-                const create_res = await test_app.app.request(create_route.path, {
-                    method: 'POST',
-                    headers: json_session_headers(test_app),
-                    body: JSON.stringify({ username: 'invited_user' }),
+                const create_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: invite_create_action_spec.method,
+                    params: { username: 'invited_user' },
+                    headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(create_res.status, 200);
-                const { invite } = (await create_res.json());
-                // delete invite
-                const delete_path = delete_route.path.replace(':id', invite.id);
-                const delete_res = await test_app.app.request(delete_path, {
-                    method: 'DELETE',
+                assert.ok(create_res.ok, `invite_create failed: ${create_res.ok ? '' : JSON.stringify(create_res.error)}`);
+                const { invite } = create_res.result;
+                const delete_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: invite_delete_action_spec.method,
+                    params: { invite_id: invite.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(delete_res.status, 200);
+                assert.ok(delete_res.ok, `invite_delete failed: ${delete_res.ok ? '' : JSON.stringify(delete_res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'invite_create', 'POST /invites');
-                assert_has_event(events, 'invite_delete', 'DELETE /invites/:id');
+                assert_has_event(events, 'invite_create', 'invite_create RPC');
+                assert_has_event(events, 'invite_delete', 'invite_delete RPC');
             });
         });
-        // --- App settings routes ---
+        // --- App settings RPC action ---
         describe('app settings mutation audit events', () => {
             test('settings update produces app_settings_update event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
-                const route = find_admin_route(test_app.route_specs, '/settings', 'PATCH');
-                assert.ok(route, 'Expected admin PATCH /settings route');
-                const res = await test_app.app.request(route.path, {
-                    method: 'PATCH',
-                    headers: json_session_headers(test_app),
-                    body: JSON.stringify({ open_signup: true }),
+                const res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: app_settings_update_action_spec.method,
+                    params: { open_signup: true },
+                    headers: test_app.create_session_headers(),
                 });
-                assert.strictEqual(res.status, 200);
+                assert.ok(res.ok, `app_settings_update failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'app_settings_update', 'PATCH /settings');
+                assert_has_event(events, 'app_settings_update', 'app_settings_update RPC');
             });
         });
         // --- Signup route ---
         describe('signup audit events', () => {
             test('signup produces signup event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
-                // enable open signup
-                const settings_route = find_admin_route(test_app.route_specs, '/settings', 'PATCH');
-                assert.ok(settings_route, 'Expected admin PATCH /settings route');
-                await test_app.app.request(settings_route.path, {
-                    method: 'PATCH',
-                    headers: json_session_headers(test_app),
-                    body: JSON.stringify({ open_signup: true }),
+                // enable open signup via RPC
+                const settings_res = await rpc_call({
+                    app: test_app.app,
+                    path: rpc_path,
+                    method: app_settings_update_action_spec.method,
+                    params: { open_signup: true },
+                    headers: test_app.create_session_headers(),
                 });
+                assert.ok(settings_res.ok, `app_settings_update failed: ${settings_res.ok ? '' : JSON.stringify(settings_res.error)}`);
                 // signup
                 const signup_route = find_auth_route(test_app.route_specs, '/signup', 'POST');
                 assert.ok(signup_route, 'Expected POST /signup route');
@@ -384,6 +404,7 @@ export const describe_audit_completeness_tests = (options) => {
                 'token_create',
                 'token_revoke',
                 'token_revoke_all',
+                'permit_offer_create',
                 'permit_grant',
                 'permit_revoke',
                 'invite_create',
@@ -393,6 +414,20 @@ export const describe_audit_completeness_tests = (options) => {
             /** Event types excluded with justification. */
             const EXCLUDED_EVENT_TYPES = new Set([
                 'bootstrap', // requires filesystem token — tested in bootstrap_account.db.test.ts
+                // The remaining `permit_offer_*` events fire only via the RPC
+                // endpoint or via downstream effects of `permit_revoke`. Direct
+                // coverage lives in `permit_offer_queries.db.test.ts`,
+                // `permit_offer_actions.db.test.ts`,
+                // `permit_offer_actions.notifications.db.test.ts`, and
+                // `permit_offer_actions.notifications.revoke.db.test.ts`.
+                // `permit_offer_expire` fires from the cleanup sweep
+                // (`cleanup_expired_permit_offers` in `auth/cleanup.ts`) —
+                // covered in `cleanup.db.test.ts`.
+                'permit_offer_accept',
+                'permit_offer_decline',
+                'permit_offer_retract',
+                'permit_offer_expire',
+                'permit_offer_supersede',
             ]);
             test('all audit event types are covered or explicitly excluded', () => {
                 const all_covered = new Set([...COVERED_EVENT_TYPES, ...EXCLUDED_EVENT_TYPES]);