@fuzdev/fuz_app 0.51.0 → 0.53.0

package/dist/testing/data_exposure.d.ts

@@ -9,23 +9,14 @@ import { type DbFactory } from './db.js';
  *
  * Walks `properties`, `items`, `allOf`/`anyOf`/`oneOf`, and
  * `additionalProperties` to find every declared field name at any depth.
- *
- * @param schema - JSON Schema object
- * @returns set of all property names found
  */
 export declare const collect_json_schema_property_names: (schema: unknown) => Set<string>;
 /**
  * Assert that no output schema in the surface contains sensitive field names.
- *
- * @param surface - the app surface to check
- * @param sensitive_fields - field names to flag
  */
 export declare const assert_output_schemas_no_sensitive_fields: (surface: AppSurface, sensitive_fields?: ReadonlyArray<string>) => void;
 /**
  * Assert that non-admin route output schemas don't contain admin-only fields.
- *
- * @param surface - the app surface to check
- * @param admin_only_fields - field names that are admin-only
  */
 export declare const assert_non_admin_schemas_no_admin_fields: (surface: AppSurface, admin_only_fields?: ReadonlyArray<string>) => void;
 /** Options for `describe_data_exposure_tests`. */
@@ -55,8 +46,6 @@ export interface DataExposureTestOptions {
  * 2. Runtime — fire real requests and check response bodies against blocklists
  * 3. Cross-privilege — admin routes return 403 for non-admin, error responses
  *    contain no sensitive fields
- *
- * @param options - test configuration
  */
 export declare const describe_data_exposure_tests: (options: DataExposureTestOptions) => void;
 //# sourceMappingURL=data_exposure.d.ts.map

package/dist/testing/data_exposure.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"data_exposure.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/data_exposure.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgB7B,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG9D,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAe9D;;;;;;;;GAQG;AACH,eAAO,MAAM,kCAAkC,GAAI,QAAQ,OAAO,KAAG,GAAG,CAAC,MAAM,CAuB9E,CAAC;AAIF;;;;;GAKG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,UAAU,EACnB,mBAAkB,aAAa,CAAC,MAAM,CAA6B,KACjE,IAWF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,wCAAwC,GACpD,SAAS,UAAU,EACnB,oBAAmB,aAAa,CAAC,MAAM,CAA8B,KACnE,IAcF,CAAC;AAIF,kDAAkD;AAClD,MAAM,WAAW,uBAAuB;IACvC,4DAA4D;IAC5D,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,wCAAwC;IACxC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4CAA4C;IAC5C,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,iGAAiG;IACjG,iBAAiB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC5B;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IAmC/E,CAAC"}
+{"version":3,"file":"data_exposure.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/data_exposure.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgB7B,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG9D,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAe9D;;;;;GAKG;AACH,eAAO,MAAM,kCAAkC,GAAI,QAAQ,OAAO,KAAG,GAAG,CAAC,MAAM,CAuB9E,CAAC;AAIF;;GAEG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,UAAU,EACnB,mBAAkB,aAAa,CAAC,MAAM,CAA6B,KACjE,IAWF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wCAAwC,GACpD,SAAS,UAAU,EACnB,oBAAmB,aAAa,CAAC,MAAM,CAA8B,KACnE,IAcF,CAAC;AAIF,kDAAkD;AAClD,MAAM,WAAW,uBAAuB;IACvC,4DAA4D;IAC5D,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,wCAAwC;IACxC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4CAA4C;IAC5C,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,iGAAiG;IACjG,iBAAiB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IAmC/E,CAAC"}

package/dist/testing/data_exposure.js

@@ -25,9 +25,6 @@ import { SENSITIVE_FIELD_BLOCKLIST, ADMIN_ONLY_FIELD_BLOCKLIST, assert_no_sensit
  *
  * Walks `properties`, `items`, `allOf`/`anyOf`/`oneOf`, and
  * `additionalProperties` to find every declared field name at any depth.
- *
- * @param schema - JSON Schema object
- * @returns set of all property names found
  */
 export const collect_json_schema_property_names = (schema) => {
     const names = new Set();
@@ -59,9 +56,6 @@ export const collect_json_schema_property_names = (schema) => {
 // --- Schema-level assertions ---
 /**
  * Assert that no output schema in the surface contains sensitive field names.
- *
- * @param surface - the app surface to check
- * @param sensitive_fields - field names to flag
  */
 export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fields = SENSITIVE_FIELD_BLOCKLIST) => {
     for (const route of surface.routes) {
@@ -75,9 +69,6 @@ export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fie
 };
 /**
  * Assert that non-admin route output schemas don't contain admin-only fields.
- *
- * @param surface - the app surface to check
- * @param admin_only_fields - field names that are admin-only
  */
 export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST) => {
     const non_admin = surface.routes.filter((r) => r.auth.type !== 'keeper' && !(r.auth.type === 'role' && r.auth.role === 'admin'));
@@ -98,8 +89,6 @@ export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fie
  * 2. Runtime — fire real requests and check response bodies against blocklists
  * 3. Cross-privilege — admin routes return 403 for non-admin, error responses
  *    contain no sensitive fields
- *
- * @param options - test configuration
  */
 export const describe_data_exposure_tests = (options) => {
     const { build, sensitive_fields = SENSITIVE_FIELD_BLOCKLIST, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST, } = options;

package/dist/testing/db.d.ts

@@ -20,7 +20,8 @@ export interface DbFactory {
  * Removes all tables, sequences, indexes, types, and functions.
  * The database instance remains usable after reset.
  *
- * @param db - the database to reset
+ * @mutates db - drops the `public` schema and recreates it; all rows in all
+ *   tables are gone after this returns.
  */
 export declare const reset_pglite: (db: Db) => Promise<void>;
 /**
@@ -33,7 +34,6 @@ export declare const reset_pglite: (db: Db) => Promise<void>;
  * cold-start cost again.
  *
  * @param init_schema - callback to initialize the database schema
- * @returns a factory that creates in-memory pglite databases
  */
 export declare const create_pglite_factory: (init_schema: (db: Db) => Promise<void>) => DbFactory;
 /**
@@ -50,7 +50,10 @@ export declare const create_pglite_factory: (init_schema: (db: Db) => Promise<vo
  *
  * @param init_schema - callback to initialize the database schema
  * @param test_url - PostgreSQL connection URL (e.g. from `TEST_DATABASE_URL`)
- * @returns a factory that creates pg databases
+ * @returns a factory that creates pg databases. The returned `create()`
+ *   throws when `test_url` is unset (despite the `skip: true` flag — defense
+ *   against direct invocation), and rewrites Postgres "database does not
+ *   exist" errors into a `createdb` hint message.
  */
 export declare const create_pg_factory: (init_schema: (db: Db) => Promise<void>, test_url?: string) => DbFactory;
 /**
@@ -86,7 +89,7 @@ export declare const AUTH_DROP_TABLES: readonly ["app_settings", "invite", "audi
  * Safe on fresh databases (`IF EXISTS` on all statements). No-op effect for
  * PGlite (already fresh), but harmless to call unconditionally.
  *
- * @param db - the database to clean
+ * @mutates db - drops every table in `AUTH_DROP_TABLES` plus `schema_version`.
  */
 export declare const drop_auth_schema: (db: Db) => Promise<void>;
 /**
@@ -99,13 +102,12 @@ export declare const drop_auth_schema: (db: Db) => Promise<void>;
  *
  * @param factories - one or more database factories to run suites against
  * @param truncate_tables - tables to truncate between tests (children first for FK safety)
- * @returns a `describe_db` function for use in test files
+ * @mutates the underlying database between tests — `beforeEach` issues
+ *   `TRUNCATE <truncate_tables> CASCADE` against the shared instance.
  */
 export declare const create_describe_db: (factories: DbFactory | Array<DbFactory>, truncate_tables: Array<string>) => ((name: string, fn: (get_db: () => Db) => void) => void);
 /**
  * Log factory status to console.
- *
- * @param factories - the database factories to report on
  */
 export declare const log_db_factory_status: (factories: Array<DbFactory>) => void;
 //# sourceMappingURL=db.d.ts.map

package/dist/testing/db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/db.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA6B7B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAKpC;;GAEG;AACH,eAAO,MAAM,KAAK,SAA4B,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,YAAY,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAGvD,CAAC;AAMF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GAAI,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,KAAG,SAkB7E,CAAC;AAEH;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iBAAiB,GAC7B,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACtC,WAAW,MAAM,KACf,SA2DF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,UAQhC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,UAAyC,CAAC;AAEvF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,+IAWnB,CAAC;AAEX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAK3D,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,kBAAkB,GAC9B,WAAW,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,EACvC,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,IAAI,KAAK,IAAI,CAwBzD,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,KAAK,CAAC,SAAS,CAAC,KAAG,IAMnE,CAAC"}
+{"version":3,"file":"db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/db.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA6B7B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAKpC;;GAEG;AACH,eAAO,MAAM,KAAK,SAA4B,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAGvD,CAAC;AAMF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,qBAAqB,GAAI,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,KAAG,SAkB7E,CAAC;AAEH;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACtC,WAAW,MAAM,KACf,SA2DF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,UAQhC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,UAAyC,CAAC;AAEvF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,+IAWnB,CAAC;AAEX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAK3D,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,kBAAkB,GAC9B,WAAW,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,EACvC,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,IAAI,KAAK,IAAI,CAwBzD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,KAAK,CAAC,SAAS,CAAC,KAAG,IAMnE,CAAC"}

package/dist/testing/db.js

@@ -36,7 +36,8 @@ export const IS_CI = process.env.CI === 'true';
  * Removes all tables, sequences, indexes, types, and functions.
  * The database instance remains usable after reset.
  *
- * @param db - the database to reset
+ * @mutates db - drops the `public` schema and recreates it; all rows in all
+ *   tables are gone after this returns.
  */
 export const reset_pglite = async (db) => {
     await db.query('DROP SCHEMA public CASCADE');
@@ -55,7 +56,6 @@ let module_db = null;
  * cold-start cost again.
  *
  * @param init_schema - callback to initialize the database schema
- * @returns a factory that creates in-memory pglite databases
  */
 export const create_pglite_factory = (init_schema) => ({
     name: 'pglite',
@@ -91,7 +91,10 @@ export const create_pglite_factory = (init_schema) => ({
  *
  * @param init_schema - callback to initialize the database schema
  * @param test_url - PostgreSQL connection URL (e.g. from `TEST_DATABASE_URL`)
- * @returns a factory that creates pg databases
+ * @returns a factory that creates pg databases. The returned `create()`
+ *   throws when `test_url` is unset (despite the `skip: true` flag — defense
+ *   against direct invocation), and rewrites Postgres "database does not
+ *   exist" errors into a `createdb` hint message.
  */
 export const create_pg_factory = (init_schema, test_url) => {
     const should_skip = !test_url;
@@ -204,7 +207,7 @@ export const AUTH_DROP_TABLES = [
  * Safe on fresh databases (`IF EXISTS` on all statements). No-op effect for
  * PGlite (already fresh), but harmless to call unconditionally.
  *
- * @param db - the database to clean
+ * @mutates db - drops every table in `AUTH_DROP_TABLES` plus `schema_version`.
  */
 export const drop_auth_schema = async (db) => {
     for (const table of AUTH_DROP_TABLES) {
@@ -222,7 +225,8 @@ export const drop_auth_schema = async (db) => {
  *
  * @param factories - one or more database factories to run suites against
  * @param truncate_tables - tables to truncate between tests (children first for FK safety)
- * @returns a `describe_db` function for use in test files
+ * @mutates the underlying database between tests — `beforeEach` issues
+ *   `TRUNCATE <truncate_tables> CASCADE` against the shared instance.
  */
 export const create_describe_db = (factories, truncate_tables) => {
     const factory_list = Array.isArray(factories) ? factories : [factories];
@@ -250,8 +254,6 @@ export const create_describe_db = (factories, truncate_tables) => {
 };
 /**
  * Log factory status to console.
- *
- * @param factories - the database factories to report on
  */
 export const log_db_factory_status = (factories) => {
     const enabled = factories.filter((f) => !f.skip).map((f) => f.name);

package/dist/testing/error_coverage.d.ts

@@ -71,12 +71,11 @@ export declare class ErrorCoverageCollector {
      * (e.g., `/api/accounts/abc` → `/api/accounts/:id`). When `code` is provided,
      * it is stored alongside the status for per-code coverage tracking.
      *
-     * @param route_specs - route specs for path resolution
-     * @param method - HTTP method
      * @param path - request path (may be concrete)
-     * @param status - observed HTTP status code
      * @param code - observed body `error` code (pass when the route's error
      *   schema declares specific codes via `z.literal` or `z.enum`)
+     * @mutates `this.observed` - adds the resolved `"METHOD /spec-path:STATUS"`
+     *   key (and the `:CODE` variant when `code` is provided).
      */
     record(route_specs: Array<RouteSpec>, method: string, path: string, status: number, code?: string): void;
     /**
@@ -88,13 +87,13 @@ export declare class ErrorCoverageCollector {
      * for per-code coverage. Pass an explicit `code` to override the
      * auto-extracted value or when the body was already consumed.
      *
-     * @param route_specs - route specs for schema lookup and path resolution
-     * @param method - HTTP method
-     * @param path - request path
-     * @param response - the Response to validate and record
      * @param code - observed body `error` code (override; if omitted and the
      *   response body is a JSON object with a string `error` field, that value
      *   is auto-extracted)
+     * @mutates `this.observed` - via `record` after `assert_response_matches_spec`
+     *   succeeds.
+     * @throws Error if the response body fails the route spec's declared
+     *   schemas (propagated from `assert_response_matches_spec`).
      */
     assert_and_record(route_specs: Array<RouteSpec>, method: string, path: string, response: Response, code?: string): Promise<void>;
     /**
@@ -105,10 +104,6 @@ export declare class ErrorCoverageCollector {
      * `z.enum`), reports per-code rows; otherwise reports one row per status.
      * A status-only observation (no code) satisfies all declared codes for that
      * status — the "any-code" rule.
-     *
-     * @param route_specs - route specs to check coverage against
-     * @param options - exclusion configuration (skip routes or statuses)
-     * @returns uncovered entries with method, path, status, and optional code
      */
     uncovered(route_specs: Array<RouteSpec>, options?: CoverageFilterOptions): Array<UncoveredEntry>;
 }
@@ -136,9 +131,9 @@ export interface ErrorCoverageOptions extends CoverageFilterOptions {
  * When `min_coverage` is 0 (default), logs coverage info without failing.
  * When > 0, fails if coverage is below the threshold.
  *
- * @param collector - the coverage collector with recorded observations
- * @param route_specs - route specs to check coverage against
- * @param options - threshold and exclusion configuration
+ * @throws AssertionError if `min_coverage > 0` and the covered/total ratio
+ *   falls below the threshold — the failure message lists every uncovered
+ *   route + status (+ code).
  */
 export declare const assert_error_coverage: (collector: ErrorCoverageCollector, route_specs: Array<RouteSpec>, options?: ErrorCoverageOptions) => void;
 //# sourceMappingURL=error_coverage.d.ts.map

package/dist/testing/error_coverage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"error_coverage.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/error_coverage.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,KAAK,CAAC,MAAM,CAAC,GAAG,IAWhF,CAAC;AAEF,sFAAsF;AACtF,MAAM,WAAW,cAAc;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,wFAAwF;IACxF,IAAI,CAAC,EAAE,MAAM,CAAC;CACd;AAED,6EAA6E;AAC7E,MAAM,WAAW,qBAAqB;IACrC,kDAAkD;IAClD,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,iCAAiC;IACjC,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAChC;AAqDD;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,sBAAsB;IAClC;;;;;OAKG;IACH,QAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IAE3C;;;;;;;;;;;;;OAaG;IACH,MAAM,CACL,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EAC7B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE,MAAM,GACX,IAAI;IAUP;;;;;;;;;;;;;;;;OAgBG;IACG,iBAAiB,CACtB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EAC7B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,QAAQ,EAClB,IAAI,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC;IAgBhB;;;;;;;;;;;;OAYG;IACH,SAAS,CAAC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,EAAE,qBAAqB,GAAG,KAAK,CAAC,cAAc,CAAC;CAKhG;AAED;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,MAAM,CAAC;AAEtD,2CAA2C;AAC3C,MAAM,WAAW,oBAAqB,SAAQ,qBAAqB;IAClE,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAaD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,qBAAqB,GACjC,WAAW,sBAAsB,EACjC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,UAAU,oBAAoB,KAC5B,IAqBF,CAAC"}
+{"version":3,"file":"error_coverage.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/error_coverage.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,KAAK,CAAC,MAAM,CAAC,GAAG,IAWhF,CAAC;AAEF,sFAAsF;AACtF,MAAM,WAAW,cAAc;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,wFAAwF;IACxF,IAAI,CAAC,EAAE,MAAM,CAAC;CACd;AAED,6EAA6E;AAC7E,MAAM,WAAW,qBAAqB;IACrC,kDAAkD;IAClD,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,iCAAiC;IACjC,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAChC;AAqDD;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,sBAAsB;IAClC;;;;;OAKG;IACH,QAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IAE3C;;;;;;;;;;;;OAYG;IACH,MAAM,CACL,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EAC7B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE,MAAM,GACX,IAAI;IAUP;;;;;;;;;;;;;;;;OAgBG;IACG,iBAAiB,CACtB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EAC7B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,QAAQ,EAClB,IAAI,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC;IAgBhB;;;;;;;;OAQG;IACH,SAAS,CAAC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,EAAE,qBAAqB,GAAG,KAAK,CAAC,cAAc,CAAC;CAKhG;AAED;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,MAAM,CAAC;AAEtD,2CAA2C;AAC3C,MAAM,WAAW,oBAAqB,SAAQ,qBAAqB;IAClE,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAaD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,qBAAqB,GACjC,WAAW,sBAAsB,EACjC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,UAAU,oBAAoB,KAC5B,IAqBF,CAAC"}

package/dist/testing/error_coverage.js

@@ -113,12 +113,11 @@ export class ErrorCoverageCollector {
      * (e.g., `/api/accounts/abc` → `/api/accounts/:id`). When `code` is provided,
      * it is stored alongside the status for per-code coverage tracking.
      *
-     * @param route_specs - route specs for path resolution
-     * @param method - HTTP method
      * @param path - request path (may be concrete)
-     * @param status - observed HTTP status code
      * @param code - observed body `error` code (pass when the route's error
      *   schema declares specific codes via `z.literal` or `z.enum`)
+     * @mutates `this.observed` - adds the resolved `"METHOD /spec-path:STATUS"`
+     *   key (and the `:CODE` variant when `code` is provided).
      */
     record(route_specs, method, path, status, code) {
         const spec = find_route_spec(route_specs, method, path);
@@ -138,13 +137,13 @@ export class ErrorCoverageCollector {
      * for per-code coverage. Pass an explicit `code` to override the
      * auto-extracted value or when the body was already consumed.
      *
-     * @param route_specs - route specs for schema lookup and path resolution
-     * @param method - HTTP method
-     * @param path - request path
-     * @param response - the Response to validate and record
      * @param code - observed body `error` code (override; if omitted and the
      *   response body is a JSON object with a string `error` field, that value
      *   is auto-extracted)
+     * @mutates `this.observed` - via `record` after `assert_response_matches_spec`
+     *   succeeds.
+     * @throws Error if the response body fails the route spec's declared
+     *   schemas (propagated from `assert_response_matches_spec`).
      */
     async assert_and_record(route_specs, method, path, response, code) {
         await assert_response_matches_spec(route_specs, method, path, response);
@@ -170,10 +169,6 @@ export class ErrorCoverageCollector {
      * `z.enum`), reports per-code rows; otherwise reports one row per status.
      * A status-only observation (no code) satisfies all declared codes for that
      * status — the "any-code" rule.
-     *
-     * @param route_specs - route specs to check coverage against
-     * @param options - exclusion configuration (skip routes or statuses)
-     * @returns uncovered entries with method, path, status, and optional code
      */
     uncovered(route_specs, options) {
         return walk_coverage(this, route_specs, options)
@@ -207,9 +202,9 @@ const format_uncovered = (entry) => `${entry.method} ${entry.path} → ${entry.s
  * When `min_coverage` is 0 (default), logs coverage info without failing.
  * When > 0, fails if coverage is below the threshold.
  *
- * @param collector - the coverage collector with recorded observations
- * @param route_specs - route specs to check coverage against
- * @param options - threshold and exclusion configuration
+ * @throws AssertionError if `min_coverage > 0` and the covered/total ratio
+ *   falls below the threshold — the failure message lists every uncovered
+ *   route + status (+ code).
  */
 export const assert_error_coverage = (collector, route_specs, options) => {
     const min_coverage = options?.min_coverage ?? 0;

package/dist/testing/integration.d.ts

@@ -51,7 +51,10 @@ export interface StandardIntegrationTestOptions {
  * Each test group asserts that required routes exist, failing with a descriptive
  * message if the consumer's route specs are misconfigured.
  *
- * @param options - session config and route factory
+ * @throws Error at setup time when `options.rpc_endpoints` is empty — the
+ *   suite hard-fails via `require_rpc_endpoint_path` rather than running
+ *   tests that would crash mid-suite trying to dispatch
+ *   `account_verify` / `account_session_*` / `account_token_*`.
  */
 export declare const describe_standard_integration_tests: (options: StandardIntegrationTestOptions) => void;
 //# sourceMappingURL=integration.d.ts.map

package/dist/testing/integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAA6C,KAAK,eAAe,EAAC,MAAM,iBAAiB,CAAC;AACjG,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAOjB,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC;;;;;;;;;;;;;;;;OAgBG;IACH,aAAa,EAAE,uBAAuB,CAAC;CACvC;AAsBD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IAg8CF,CAAC"}
+{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAA6C,KAAK,eAAe,EAAC,MAAM,iBAAiB,CAAC;AACjG,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAOjB,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC;;;;;;;;;;;;;;;;OAgBG;IACH,aAAa,EAAE,uBAAuB,CAAC;CACvC;AAsBD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IAg8CF,CAAC"}

package/dist/testing/integration.js

@@ -56,7 +56,10 @@ const build_test_app_options = (options, db) => ({
  * Each test group asserts that required routes exist, failing with a descriptive
  * message if the consumer's route specs are misconfigured.
  *
- * @param options - session config and route factory
+ * @throws Error at setup time when `options.rpc_endpoints` is empty — the
+ *   suite hard-fails via `require_rpc_endpoint_path` rather than running
+ *   tests that would crash mid-suite trying to dispatch
+ *   `account_verify` / `account_session_*` / `account_token_*`.
  */
 export const describe_standard_integration_tests = (options) => {
     // Hard-fail early so consumers see a clear setup error instead of a

package/dist/testing/integration_helpers.d.ts

@@ -8,10 +8,7 @@ import type { TestApp, TestAccount } from './app_server.js';
  *
  * Supports both exact matches and parameterized paths (`:param` segments).
  *
- * @param specs - route specs to search
- * @param method - HTTP method
  * @param path - request path (exact or with concrete param values)
- * @returns matching route spec, or `undefined`
  */
 export declare const find_route_spec: (specs: Array<RouteSpec>, method: string, path: string) => RouteSpec | undefined;
 /**
@@ -31,10 +28,7 @@ export type RestAuthRouteSuffix = (typeof REST_AUTH_ROUTE_SUFFIXES)[number];
  * method name (e.g. `/sessions/revoke-all`) fails loudly at the call site
  * instead of silently returning `undefined`.
  *
- * @param specs - route specs to search
- * @param suffix - REST auth path suffix
- * @param method - HTTP method
- * @returns matching route spec, or `undefined`
+ * @throws Error if `suffix` is not in `REST_AUTH_ROUTE_SUFFIXES`.
  */
 export declare const find_auth_route: (specs: Array<RouteSpec>, suffix: RestAuthRouteSuffix, method: RouteMethod) => RouteSpec | undefined;
 /**
@@ -42,31 +36,22 @@ export declare const find_auth_route: (specs: Array<RouteSpec>, suffix: RestAuth
  *
  * For 2xx responses, validates against `spec.output`.
  * For error responses, validates against the merged error schema for that status code.
- * Throws with details on mismatch.
  *
- * @param route_specs - route specs for schema lookup
- * @param method - HTTP method of the request
- * @param path - path of the request
- * @param response - the Response to validate
+ * @throws Error if no route spec matches `method` + `path`, if the response
+ *   body fails to parse against the declared output / error schema, or if the
+ *   response is non-JSON despite a declared schema for that status.
  */
 export declare const assert_response_matches_spec: (route_specs: Array<RouteSpec>, method: string, path: string, response: Response) => Promise<void>;
 /**
  * Create an expired test cookie — validly signed but with an expiry timestamp in 1970.
- *
- * @param keyring - keyring for signing
- * @param session_options - session config
- * @returns signed cookie value with long-past expiry
  */
 export declare const create_expired_test_cookie: (keyring: Keyring, session_options: SessionOptions<string>) => Promise<string>;
 /**
- * Assert that an error response body contains no unexpected fields.
+ * List the fields in an error response body that are not in the known-safe set.
  *
  * Error schemas use `z.looseObject` (intentional — multiple producers), but
  * test responses should be checked for fields that could leak information.
- * Flags any field not in the known-safe set.
  *
- * @param body - parsed error response JSON
- * @param context - description for error messages (e.g., `'POST /api/login 401'`)
  * @returns array of unexpected field names (empty = clean)
  */
 export declare const check_error_response_fields: (body: Record<string, unknown>) => Array<string>;
@@ -76,16 +61,12 @@ export declare const check_error_response_fields: (body: Record<string, unknown>
  * Checks both field names and string values for patterns indicating
  * stack traces, SQL, or internal paths.
  *
- * @param body - parsed error response JSON
  * @param context - description for error messages
  */
 export declare const assert_no_error_info_leakage: (body: Record<string, unknown>, context: string) => void;
 /**
  * Assert that a 429 response includes a valid `Retry-After` header
  * matching the JSON body's `retry_after` field.
- *
- * @param response - the 429 response
- * @param body - parsed JSON body with `retry_after` field
  */
 export declare const assert_rate_limit_retry_after_header: (response: Response, body: {
     retry_after: number;
@@ -98,16 +79,11 @@ export declare const ADMIN_ONLY_FIELD_BLOCKLIST: ReadonlyArray<string>;
  * Recursively collect all key names from a parsed JSON value.
  *
  * Walks objects and arrays to find every property name at any nesting depth.
- *
- * @param value - parsed JSON value
- * @returns set of all key names found
  */
 export declare const collect_json_keys_recursive: (value: unknown) => Set<string>;
 /**
  * Assert that a parsed JSON body contains no fields from the given blocklist.
  *
- * @param body - parsed response JSON
- * @param blocklist - field names to check for
  * @param context - description for error messages
  */
 export declare const assert_no_sensitive_fields_in_json: (body: unknown, blocklist: ReadonlyArray<string>, context: string) => void;
@@ -120,11 +96,6 @@ export declare const assert_no_sensitive_fields_in_json: (body: unknown, blockli
  * - `role: admin` — the admin account's session cookie
  * - `role: <other>` — the test app's bootstrapped keeper session
  * - `keeper` — the test app's daemon token
- *
- * @param spec - route spec to inspect
- * @param test_app - the assembled test app (for bootstrapped credentials)
- * @param authed_account - an account with no roles (for `authenticated` auth)
- * @param admin_account - an account with `admin` role (for role-gated routes)
  */
 export declare const pick_auth_headers: (spec: RouteSpec, test_app: TestApp, authed_account: TestAccount, admin_account: TestAccount) => Record<string, string>;
 //# sourceMappingURL=integration_helpers.d.ts.map

package/dist/testing/integration_helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"integration_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration_helpers.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAU7B,OAAO,KAAK,EAAC,SAAS,EAAE,WAAW,EAAC,MAAM,uBAAuB,CAAC;AAElE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE3F,OAAO,KAAK,EAAC,OAAO,EAAE,WAAW,EAAC,MAAM,iBAAiB,CAAC;AAE1D;;;;;;;;;GASG;AACH,eAAO,MAAM,eAAe,GAC3B,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,QAAQ,MAAM,EACd,MAAM,MAAM,KACV,SAAS,GAAG,SAad,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,iFAO3B,CAAC;AACX,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,wBAAwB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE5E;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC3B,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,QAAQ,mBAAmB,EAC3B,QAAQ,WAAW,KACjB,SAAS,GAAG,SAOd,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,4BAA4B,GACxC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,QAAQ,MAAM,EACd,MAAM,MAAM,EACZ,UAAU,QAAQ,KAChB,OAAO,CAAC,IAAI,CAmDd,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B,GACtC,SAAS,OAAO,EAChB,iBAAiB,cAAc,CAAC,MAAM,CAAC,KACrC,OAAO,CAAC,MAAM,CAGhB,CAAC;AAuCF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,2BAA2B,GAAI,MAAM,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,KAAK,CAAC,MAAM,CAQvF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,SAAS,MAAM,KACb,IAkBF,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oCAAoC,GAChD,UAAU,QAAQ,EAClB,MAAM;IAAC,WAAW,EAAE,MAAM,CAAA;CAAC,KACzB,IAUF,CAAC;AAIF,oEAAoE;AACpE,eAAO,MAAM,yBAAyB,EAAE,aAAa,CAAC,MAAM,CAAmC,CAAC;AAEhG,0EAA0E;AAC1E,eAAO,MAAM,0BAA0B,EAAE,aAAa,CAAC,MAAM,CAAgC,CAAC;AAE9F;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,GAAI,OAAO,OAAO,KAAG,GAAG,CAAC,MAAM,CAetE,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,OAAO,EACb,WAAW,aAAa,CAAC,MAAM,CAAC,EAChC,SAAS,MAAM,KACb,IAKF,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,UAAU,OAAO,EACjB,gBAAgB,WAAW,EAC3B,eAAe,WAAW,KACxB,MAAM,CAAC,MAAM,EAAE,MAAM,CAcvB,CAAC"}
+{"version":3,"file":"integration_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration_helpers.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAU7B,OAAO,KAAK,EAAC,SAAS,EAAE,WAAW,EAAC,MAAM,uBAAuB,CAAC;AAElE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE3F,OAAO,KAAK,EAAC,OAAO,EAAE,WAAW,EAAC,MAAM,iBAAiB,CAAC;AAE1D;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAC3B,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,QAAQ,MAAM,EACd,MAAM,MAAM,KACV,SAAS,GAAG,SAad,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,iFAO3B,CAAC;AACX,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,wBAAwB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE5E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,eAAe,GAC3B,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,QAAQ,mBAAmB,EAC3B,QAAQ,WAAW,KACjB,SAAS,GAAG,SAOd,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,4BAA4B,GACxC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,QAAQ,MAAM,EACd,MAAM,MAAM,EACZ,UAAU,QAAQ,KAChB,OAAO,CAAC,IAAI,CAmDd,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,GACtC,SAAS,OAAO,EAChB,iBAAiB,cAAc,CAAC,MAAM,CAAC,KACrC,OAAO,CAAC,MAAM,CAGhB,CAAC;AAgCF;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,GAAI,MAAM,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,KAAK,CAAC,MAAM,CAQvF,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,SAAS,MAAM,KACb,IAkBF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oCAAoC,GAChD,UAAU,QAAQ,EAClB,MAAM;IAAC,WAAW,EAAE,MAAM,CAAA;CAAC,KACzB,IAUF,CAAC;AAIF,oEAAoE;AACpE,eAAO,MAAM,yBAAyB,EAAE,aAAa,CAAC,MAAM,CAAmC,CAAC;AAEhG,0EAA0E;AAC1E,eAAO,MAAM,0BAA0B,EAAE,aAAa,CAAC,MAAM,CAAgC,CAAC;AAE9F;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,GAAI,OAAO,OAAO,KAAG,GAAG,CAAC,MAAM,CAetE,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,OAAO,EACb,WAAW,aAAa,CAAC,MAAM,CAAC,EAChC,SAAS,MAAM,KACb,IAKF,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,UAAU,OAAO,EACjB,gBAAgB,WAAW,EAC3B,eAAe,WAAW,KACxB,MAAM,CAAC,MAAM,EAAE,MAAM,CAcvB,CAAC"}

package/dist/testing/integration_helpers.js

@@ -13,10 +13,7 @@ import { ROLE_ADMIN } from '../auth/role_schema.js';
  *
  * Supports both exact matches and parameterized paths (`:param` segments).
  *
- * @param specs - route specs to search
- * @param method - HTTP method
  * @param path - request path (exact or with concrete param values)
- * @returns matching route spec, or `undefined`
  */
 export const find_route_spec = (specs, method, path) => {
     // exact match first
@@ -57,10 +54,7 @@ export const REST_AUTH_ROUTE_SUFFIXES = [
  * method name (e.g. `/sessions/revoke-all`) fails loudly at the call site
  * instead of silently returning `undefined`.
  *
- * @param specs - route specs to search
- * @param suffix - REST auth path suffix
- * @param method - HTTP method
- * @returns matching route spec, or `undefined`
+ * @throws Error if `suffix` is not in `REST_AUTH_ROUTE_SUFFIXES`.
  */
 export const find_auth_route = (specs, suffix, method) => {
     if (!REST_AUTH_ROUTE_SUFFIXES.includes(suffix)) {
@@ -73,12 +67,10 @@ export const find_auth_route = (specs, suffix, method) => {
  *
  * For 2xx responses, validates against `spec.output`.
  * For error responses, validates against the merged error schema for that status code.
- * Throws with details on mismatch.
  *
- * @param route_specs - route specs for schema lookup
- * @param method - HTTP method of the request
- * @param path - path of the request
- * @param response - the Response to validate
+ * @throws Error if no route spec matches `method` + `path`, if the response
+ *   body fails to parse against the declared output / error schema, or if the
+ *   response is non-JSON despite a declared schema for that status.
  */
 export const assert_response_matches_spec = async (route_specs, method, path, response) => {
     const spec = find_route_spec(route_specs, method, path);
@@ -126,22 +118,11 @@ export const assert_response_matches_spec = async (route_specs, method, path, re
 };
 /**
  * Create an expired test cookie — validly signed but with an expiry timestamp in 1970.
- *
- * @param keyring - keyring for signing
- * @param session_options - session config
- * @returns signed cookie value with long-past expiry
  */
 export const create_expired_test_cookie = async (keyring, session_options) => {
     // now_seconds=1 puts the expiry at 1 + max_age seconds past epoch — still in 1970
     return create_session_cookie_value(keyring, 'expired_test_token', session_options, 1);
 };
-/**
- * Assert that a 429 response includes a valid `Retry-After` header
- * matching the JSON body's `retry_after` field.
- *
- * @param response - the 429 response
- * @param body - parsed JSON body with `retry_after` field
- */
 /**
  * Known safe fields that may appear in any error response.
  *
@@ -171,14 +152,11 @@ const LEAKY_FIELD_PATTERNS = [
     'token',
 ];
 /**
- * Assert that an error response body contains no unexpected fields.
+ * List the fields in an error response body that are not in the known-safe set.
  *
  * Error schemas use `z.looseObject` (intentional — multiple producers), but
  * test responses should be checked for fields that could leak information.
- * Flags any field not in the known-safe set.
  *
- * @param body - parsed error response JSON
- * @param context - description for error messages (e.g., `'POST /api/login 401'`)
  * @returns array of unexpected field names (empty = clean)
  */
 export const check_error_response_fields = (body) => {
@@ -196,7 +174,6 @@ export const check_error_response_fields = (body) => {
  * Checks both field names and string values for patterns indicating
  * stack traces, SQL, or internal paths.
  *
- * @param body - parsed error response JSON
  * @param context - description for error messages
  */
 export const assert_no_error_info_leakage = (body, context) => {
@@ -215,9 +192,6 @@ export const assert_no_error_info_leakage = (body, context) => {
 /**
  * Assert that a 429 response includes a valid `Retry-After` header
  * matching the JSON body's `retry_after` field.
- *
- * @param response - the 429 response
- * @param body - parsed JSON body with `retry_after` field
  */
 export const assert_rate_limit_retry_after_header = (response, body) => {
     const header = response.headers.get('Retry-After');
@@ -235,9 +209,6 @@ export const ADMIN_ONLY_FIELD_BLOCKLIST = ['updated_by', 'created_by'];
  * Recursively collect all key names from a parsed JSON value.
  *
  * Walks objects and arrays to find every property name at any nesting depth.
- *
- * @param value - parsed JSON value
- * @returns set of all key names found
  */
 export const collect_json_keys_recursive = (value) => {
     const keys = new Set();
@@ -260,8 +231,6 @@ export const collect_json_keys_recursive = (value) => {
 /**
  * Assert that a parsed JSON body contains no fields from the given blocklist.
  *
- * @param body - parsed response JSON
- * @param blocklist - field names to check for
  * @param context - description for error messages
  */
 export const assert_no_sensitive_fields_in_json = (body, blocklist, context) => {
@@ -279,11 +248,6 @@ export const assert_no_sensitive_fields_in_json = (body, blocklist, context) =>
  * - `role: admin` — the admin account's session cookie
  * - `role: <other>` — the test app's bootstrapped keeper session
  * - `keeper` — the test app's daemon token
- *
- * @param spec - route spec to inspect
- * @param test_app - the assembled test app (for bootstrapped credentials)
- * @param authed_account - an account with no roles (for `authenticated` auth)
- * @param admin_account - an account with `admin` role (for role-gated routes)
  */
 export const pick_auth_headers = (spec, test_app, authed_account, admin_account) => {
     switch (spec.auth.type) {