@fuzdev/fuz_app 0.55.0 → 0.57.0

package/dist/testing/admin_integration.js

@@ -3,14 +3,14 @@ import './assert_dev_env.js';
  * Standard admin integration test suite for fuz_app admin routes.
  *
  * `describe_standard_admin_integration_tests` creates a composable test suite
- * that exercises admin account listing, permit grant/revoke (via the RPC
- * surface — see `permit_offer_create` / `permit_revoke`), session/token
+ * that exercises admin account listing, role_grant grant/revoke (via the RPC
+ * surface — see `role_grant_offer_create` / `role_grant_revoke`), session/token
  * management, and audit log routes against a real PGlite database.
  *
  * Consumers call it with their route factory, session config, role schema,
  * and RPC endpoint specs — all admin route tests come for free.
  *
- * Scope: admin *semantics* — cross-admin isolation, permit grant/revoke
+ * Scope: admin *semantics* — cross-admin isolation, role_grant grant/revoke
  * flow, session/token revoke-all, audit writes. Output-schema conformance
  * for admin methods is **not** the concern of this suite; it lives in:
  *
@@ -27,6 +27,7 @@ import './assert_dev_env.js';
  */
 import { describe, test, assert, afterAll } from 'vitest';
 import { ROLE_KEEPER, ROLE_ADMIN } from '../auth/role_schema.js';
+import { GRANT_PATH_ADMIN } from '../auth/grant_path_schema.js';
 import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
 import { create_test_app } from './app_server.js';
 import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
@@ -34,17 +35,20 @@ import { find_auth_route } from './integration_helpers.js';
 import { run_migrations } from '../db/migrate.js';
 import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERROR_COVERAGE, } from './error_coverage.js';
 import { rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
-import { permit_offer_create_action_spec, permit_revoke_action_spec, } from '../auth/permit_offer_action_specs.js';
-import { admin_account_list_action_spec, admin_session_list_action_spec, admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, audit_log_list_action_spec, audit_log_permit_history_action_spec, } from '../auth/admin_action_specs.js';
+import { role_grant_offer_create_action_spec, role_grant_revoke_action_spec, } from '../auth/role_grant_offer_action_specs.js';
+import { admin_account_list_action_spec, admin_session_list_action_spec, admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, audit_log_list_action_spec, audit_log_role_grant_history_action_spec, } from '../auth/admin_action_specs.js';
 import { account_token_create_action_spec, account_verify_action_spec, } from '../auth/account_action_specs.js';
-import { query_grant_permit } from '../auth/permit_queries.js';
-import { query_accept_offer } from '../auth/permit_offer_queries.js';
+import { query_create_role_grant } from '../auth/role_grant_queries.js';
+import { query_accept_offer } from '../auth/role_grant_offer_queries.js';
 /**
- * Pick a web-grantable role for testing, preferring a non-admin app-defined role.
+ * Pick a role for admin-grant testing, preferring a non-admin app-defined
+ * role whose `RoleSpec.grant_paths` includes `'admin'` (the
+ * `GRANT_PATH_ADMIN` constant). Falls back to `ROLE_ADMIN` when no
+ * app-defined admin-grant-path role is registered.
  */
-const pick_grantable_role = (role_options) => {
-    for (const [name, opts] of role_options) {
-        if (opts.web_grantable && name !== ROLE_ADMIN)
+const pick_grantable_role = (role_specs) => {
+    for (const [name, spec] of role_specs) {
+        if (spec.grant_paths?.includes(GRANT_PATH_ADMIN) && name !== ROLE_ADMIN)
             return name;
     }
     return ROLE_ADMIN; // fallback
@@ -65,17 +69,16 @@ const build_admin_test_app_options = (options, db, roles) => ({
 /**
  * Standard admin integration test suite for fuz_app admin routes.
  *
- * Exercises account listing, permit grant/revoke (via RPC), session
+ * Exercises account listing, role_grant grant/revoke (via RPC), session
  * management, token management, audit log reads, admin-to-admin
  * isolation, and 401/403 error-coverage on the admin REST surface.
  * Output-schema conformance is not in scope — see the module docstring
  * for the suites that cover it.
  *
  * @throws Error at setup time when `options.rpc_endpoints` is empty — admin
- *   permit grant/revoke, session/token revoke-all, and audit-log reads are
- *   all RPC-only since the 2026-04-22 migration. Hard-fails via
- *   `require_rpc_endpoint_path` so consumers see a clear setup error rather
- *   than `method not found` mid-suite.
+ *   role_grant grant/revoke, session/token revoke-all, and audit-log reads
+ *   are RPC-only. Hard-fails via `require_rpc_endpoint_path` so consumers
+ *   see a clear setup error rather than `method not found` mid-suite.
  */
 export const describe_standard_admin_integration_tests = (options) => {
     // Hard-fail early so consumers see a clear setup error instead of a
@@ -91,30 +94,30 @@ export const describe_standard_admin_integration_tests = (options) => {
     const describe_db = create_describe_db(factories, AUTH_INTEGRATION_TRUNCATE_TABLES);
     describe_db('standard_admin_integration', (get_db) => {
         const { cookie_name } = options.session_options;
-        const { role_options } = options.roles;
-        const grantable_role = pick_grantable_role(role_options);
+        const { role_specs } = options.roles;
+        const grantable_role = pick_grantable_role(role_specs);
         // Error coverage tracking across test groups
         const error_collector = new ErrorCoverageCollector();
         let captured_route_specs = null;
         afterAll(() => {
             if (captured_route_specs) {
-                // Scope coverage to admin auth-related routes. Post-2026-04-23
-                // RPC migration: account listing, session/token revoke-all,
-                // audit-log reads, and invite CRUD are RPC-only. The only
-                // admin REST route remaining is the optional
-                // `GET /audit/stream` SSE, plus the shared RPC endpoint
-                // path itself (admin methods live behind spec-level role auth).
+                // Scope coverage to admin auth-related routes. Account listing,
+                // session/token revoke-all, audit-log reads, and invite CRUD all
+                // live on the RPC surface; the only admin REST route remaining
+                // is the optional `GET /audit/stream` SSE (admin RPC methods
+                // live behind spec-level role auth on the shared endpoint path).
                 // The `/audit/stream` suffix tracks the hardcoded path in
                 // `auth/audit_log_routes.ts` — if consumers ever need to mount
                 // the audit SSE at a different suffix, promote this to an
                 // `audit_log_path_suffix` option on
                 // `StandardAdminIntegrationTestOptions`.
-                const admin_routes = captured_route_specs.filter((s) => s.path.endsWith('/audit/stream') && s.auth.type === 'role' && s.auth.role === 'admin');
+                const admin_routes = captured_route_specs.filter((s) => s.path.endsWith('/audit/stream') && (s.auth.roles?.includes('admin') ?? false));
                 // Adaptive threshold: when the scoped admin REST surface is
-                // effectively empty (0–1 routes, typical post-RPC-migration),
-                // the 20% baseline is meaningless — a single SSE route that
-                // can't be exercised against an error schema drops the ratio
-                // to 0.0%. Log an informational skip instead of asserting.
+                // effectively empty (0–1 routes — typical for the RPC-first
+                // admin surface), the 20% baseline is meaningless — a single
+                // SSE route that can't be exercised against an error schema
+                // drops the ratio to 0.0%. Log an informational skip instead
+                // of asserting.
                 // The admin RPC surface is covered by
                 // `describe_rpc_round_trip_tests`, not this collector.
                 if (admin_routes.length <= 1) {
@@ -137,7 +140,7 @@ export const describe_standard_admin_integration_tests = (options) => {
         });
         /**
          * Drive the full consent flow (admin offer → recipient accept) and
-         * return the materialized permit id. Accept is a direct transactional
+         * return the materialized role_grant id. Accept is a direct transactional
          * `query_accept_offer` call because the suite focuses on the admin
          * side; exercising the recipient's UI-wired accept path is covered by
          * `describe_rpc_round_trip_tests` + fuz_app's own action suite.
@@ -146,11 +149,11 @@ export const describe_standard_admin_integration_tests = (options) => {
             const res = await rpc_call_for_spec({
                 app: args.app,
                 path: rpc_path,
-                spec: permit_offer_create_action_spec,
+                spec: role_grant_offer_create_action_spec,
                 params: { to_account_id: args.to_account_id, role: args.role },
                 headers: args.admin_headers,
             });
-            assert.ok(res.ok, `permit_offer_create failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+            assert.ok(res.ok, `role_grant_offer_create failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
             const { offer } = res.result;
             const accept_result = await get_db().transaction(async (tx) => query_accept_offer({ db: tx }, {
                 offer_id: offer.id,
@@ -158,7 +161,7 @@ export const describe_standard_admin_integration_tests = (options) => {
                 actor_id: args.to_actor_id,
                 ip: null,
             }));
-            return { offer_id: offer.id, permit_id: accept_result.permit.id };
+            return { offer_id: offer.id, role_grant_id: accept_result.role_grant.id };
         };
         // --- 1. Admin account listing (RPC) ---
         describe('admin account listing', () => {
@@ -194,12 +197,12 @@ export const describe_standard_admin_integration_tests = (options) => {
                 assert.strictEqual(res.status, 403);
             });
         });
-        // --- 2. Permit grant/revoke lifecycle ---
-        // Permit grant/revoke are RPC-only (see `permit_offer_create` /
-        // `permit_revoke`). End-to-end coverage lives in
+        // --- 2. Role grant create/revoke lifecycle ---
+        // Role grant create/revoke are RPC-only (see `role_grant_offer_create` /
+        // `role_grant_revoke`). End-to-end coverage lives in
         // `describe_rpc_round_trip_tests` + fuz_app's own
-        // `permit_offer_actions.db.test.ts` /
-        // `permit_offer_actions.notifications.revoke.db.test.ts`. The
+        // `role_grant_offer_actions.db.test.ts` /
+        // `role_grant_offer_actions.notifications.revoke.db.test.ts`. The
         // audit/isolation groups below exercise them as preconditions for
         // cross-cutting checks (event emission, admin-to-admin isolation).
         // --- 3. Admin session management ---
@@ -329,34 +332,34 @@ export const describe_standard_admin_integration_tests = (options) => {
             });
             test('audit log supports event_type filter', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                // Admin offer emits `permit_offer_create`. The downstream
-                // `permit_grant` only fires on accept — out of scope for this test.
+                // Admin offer emits `role_grant_offer_create`. The downstream
+                // `role_grant_create` only fires on accept — out of scope for this test.
                 const user_two = await test_app.create_account({ username: 'user_two' });
                 const offer_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_offer_create_action_spec,
+                    spec: role_grant_offer_create_action_spec,
                     params: { to_account_id: user_two.account.id, role: grantable_role },
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(offer_res.ok, 'permit_offer_create should succeed');
+                assert.ok(offer_res.ok, 'role_grant_offer_create should succeed');
                 const res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
                     spec: audit_log_list_action_spec,
-                    params: { event_type: 'permit_offer_create' },
+                    params: { event_type: 'role_grant_offer_create' },
                     headers: test_app.create_session_headers(),
                 });
                 assert.ok(res.ok, `audit_log_list failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
-                assert.ok(res.result.events.length >= 1, 'Expected at least 1 permit_offer_create event');
+                assert.ok(res.result.events.length >= 1, 'Expected at least 1 role_grant_offer_create event');
                 for (const event of res.result.events) {
-                    assert.strictEqual(event.event_type, 'permit_offer_create');
+                    assert.strictEqual(event.event_type, 'role_grant_offer_create');
                 }
             });
-            test('admin can view permit history', async () => {
+            test('admin can view role_grant history', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
-                // Drive the full consent flow so `permit_grant` lands in the audit log
-                // — `query_audit_log_list_permit_history` filters to (permit_grant, permit_revoke).
+                // Drive the full consent flow so `role_grant_create` lands in the audit log
+                // — `query_audit_log_list_role_grant_history` filters to (role_grant_create, role_grant_revoke).
                 const user_two = await test_app.create_account({ username: 'user_two' });
                 await offer_and_accept({
                     app: test_app.app,
@@ -368,20 +371,20 @@ export const describe_standard_admin_integration_tests = (options) => {
                 const res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: audit_log_permit_history_action_spec,
+                    spec: audit_log_role_grant_history_action_spec,
                     params: {},
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(res.ok, `audit_log_permit_history failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
-                assert.ok(res.result.events.length >= 1, 'Expected at least 1 permit history event');
+                assert.ok(res.ok, `audit_log_role_grant_history failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                assert.ok(res.result.events.length >= 1, 'Expected at least 1 role_grant history event');
             });
         });
         // --- 6. Admin audit trail ---
         describe('admin audit trail', () => {
-            test('permit revoke creates audit event', async () => {
+            test('role_grant revoke creates audit event', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
                 const user_two = await test_app.create_account({ username: 'user_two' });
-                const permit = await query_grant_permit({ db: get_db() }, {
+                const role_grant = await query_create_role_grant({ db: get_db() }, {
                     actor_id: user_two.actor.id,
                     role: grantable_role,
                     granted_by: test_app.backend.actor.id,
@@ -390,22 +393,22 @@ export const describe_standard_admin_integration_tests = (options) => {
                 const revoke_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_revoke_action_spec,
-                    params: { actor_id: user_two.actor.id, permit_id: permit.id },
+                    spec: role_grant_revoke_action_spec,
+                    params: { actor_id: user_two.actor.id, role_grant_id: role_grant.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(revoke_res.ok, `permit_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
-                // Check audit log for permit_revoke event
+                assert.ok(revoke_res.ok, `role_grant_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
+                // Check audit log for role_grant_revoke event
                 const audit_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
                     spec: audit_log_list_action_spec,
-                    params: { event_type: 'permit_revoke' },
+                    params: { event_type: 'role_grant_revoke' },
                     headers: test_app.create_session_headers(),
                 });
                 assert.ok(audit_res.ok, `audit_log_list failed: ${audit_res.ok ? '' : JSON.stringify(audit_res.error)}`);
-                assert.ok(audit_res.result.events.length >= 1, 'Expected permit_revoke audit event');
-                assert.strictEqual(audit_res.result.events[0].event_type, 'permit_revoke');
+                assert.ok(audit_res.result.events.length >= 1, 'Expected role_grant_revoke audit event');
+                assert.strictEqual(audit_res.result.events[0].event_type, 'role_grant_revoke');
             });
             test('admin session revoke-all creates audit event', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
@@ -556,25 +559,25 @@ export const describe_standard_admin_integration_tests = (options) => {
                         },
                     });
                 }
-                // 3. offer permit (admin offers grantable_role to user_two) — full
-                // consentful flow: offer + accept so both `permit_offer_create` and
-                // `permit_grant` audit events land.
-                const { permit_id } = await offer_and_accept({
+                // 3. offer role_grant (admin offers grantable_role to user_two) — full
+                // consentful flow: offer + accept so both `role_grant_offer_create` and
+                // `role_grant_create` audit events land.
+                const { role_grant_id } = await offer_and_accept({
                     app: test_app.app,
                     admin_headers: test_app.create_session_headers(),
                     to_account_id: user_two.account.id,
                     to_actor_id: user_two.actor.id,
                     role: grantable_role,
                 });
-                // 4. revoke permit (RPC)
+                // 4. revoke role_grant (RPC)
                 const revoke_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_revoke_action_spec,
-                    params: { actor_id: user_two.actor.id, permit_id },
+                    spec: role_grant_revoke_action_spec,
+                    params: { actor_id: user_two.actor.id, role_grant_id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(revoke_res.ok, `permit_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
+                assert.ok(revoke_res.ok, `role_grant_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
                 // 5. create token (RPC)
                 const token_res = await rpc_call_for_spec({
                     app: test_app.app,
@@ -628,28 +631,28 @@ export const describe_standard_admin_integration_tests = (options) => {
                 assert.ok(audit_res.ok, `audit_log_list failed: ${audit_res.ok ? '' : JSON.stringify(audit_res.error)}`);
                 const events = audit_res.result.events;
                 // check that each operation produced at least one event.
-                // `permit_offer_create` fires on the admin RPC; `permit_grant`
+                // `role_grant_offer_create` fires on the admin RPC; `role_grant_create`
                 // fires when the recipient accepts (driven by offer_and_accept).
                 const expected_types = [
                     'login',
                     'logout',
-                    'permit_offer_create',
-                    'permit_offer_accept',
-                    'permit_grant',
-                    'permit_revoke',
+                    'role_grant_offer_create',
+                    'role_grant_offer_accept',
+                    'role_grant_create',
+                    'role_grant_revoke',
                     'token_create',
                     'password_change',
                 ];
                 for (const event_type of expected_types) {
                     const found = events.filter((e) => e.event_type === event_type);
                     assert.ok(found.length >= 1, `Expected at least 1 '${event_type}' audit event, found ${found.length}. ` +
-                        `This may indicate audit_log_fire_and_forget was removed from a handler.`);
+                        `This may indicate a deps.audit.emit call was removed from a handler.`);
                 }
             });
         });
         // --- 8. Admin-to-admin isolation ---
         describe('admin-to-admin isolation', () => {
-            test('admin B revoking own permit via RPC succeeds', async () => {
+            test('admin B revoking own role_grant via RPC succeeds', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
                 captured_route_specs ??= test_app.route_specs;
                 // Bootstrap user is admin A. Create admin B.
@@ -657,22 +660,22 @@ export const describe_standard_admin_integration_tests = (options) => {
                     username: 'admin_b_iso',
                     roles: ['admin'],
                 });
-                // Seed an active permit directly — the revoke IDOR check is the
+                // Seed an active role_grant directly — the revoke IDOR check is the
                 // subject of this test, not the grant→accept cycle.
-                const permit = await query_grant_permit({ db: get_db() }, {
+                const role_grant = await query_create_role_grant({ db: get_db() }, {
                     actor_id: admin_b.actor.id,
                     role: grantable_role,
                     granted_by: test_app.backend.actor.id,
                 });
-                // Admin B revokes their own permit via RPC — should succeed
+                // Admin B revokes their own role_grant via RPC — should succeed
                 const revoke_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_revoke_action_spec,
-                    params: { actor_id: admin_b.actor.id, permit_id: permit.id },
+                    spec: role_grant_revoke_action_spec,
+                    params: { actor_id: admin_b.actor.id, role_grant_id: role_grant.id },
                     headers: create_headers(admin_b.session_cookie),
                 });
-                assert.ok(revoke_res.ok, `permit_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
+                assert.ok(revoke_res.ok, `role_grant_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
                 assert.strictEqual(revoke_res.result.revoked, true);
             });
             test('admin revoke-all sessions for another admin works', async () => {
@@ -741,14 +744,13 @@ export const describe_standard_admin_integration_tests = (options) => {
             test('exercises 401/403 on admin routes for error coverage', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
                 captured_route_specs ??= test_app.route_specs;
-                // Post-RPC migration, `/api/admin` is nearly empty — admin reads
-                // and mutations live on the RPC endpoint behind spec-level role
-                // auth. The path-prefix carve is still the right scope here
+                // `/api/admin` is nearly empty — admin reads and mutations live
+                // on the RPC endpoint behind spec-level role auth. The path-prefix carve is still the right scope here
                 // because error coverage is tracked against REST `RouteSpec`s,
                 // not RPC method specs (`describe_rpc_round_trip_tests` covers
                 // the admin RPC surface separately).
                 const prefix = options.admin_prefix ?? '/api/admin';
-                const admin_routes = test_app.route_specs.filter((s) => s.path.startsWith(prefix) && s.auth.type === 'role' && s.auth.role === 'admin');
+                const admin_routes = test_app.route_specs.filter((s) => s.path.startsWith(prefix) && (s.auth.roles?.includes('admin') ?? false));
                 // Hit admin routes without auth to exercise 401 error schemas.
                 for (const route of admin_routes) {
                     const res = await test_app.app.request(route.path, {

package/dist/testing/app_server.d.ts

@@ -53,7 +53,7 @@ export interface BootstrapTestAccountOptions {
  * `create_test_app_server` and `TestApp.create_account`.
  *
  * @mutates the underlying `options.db` — inserts rows into `account`, `actor`,
- *   `permit` (one per role), `api_token`, and `auth_session`.
+ *   `role_grant` (one per role), `api_token`, and `auth_session`.
  */
 export declare const bootstrap_test_account: (options: BootstrapTestAccountOptions) => Promise<{
     account: {
@@ -107,17 +107,16 @@ export interface TestAppServerOptions {
     /** Roles to grant. Default: `[ROLE_KEEPER]`. */
     roles?: Array<string>;
     /**
-     * Backend audit event callback — wired into `backend.deps.on_audit_event`.
-     * When `audit_log_sse: true` is passed to `create_app_server`, this runs
-     * after the audit SSE broadcast (composed downstream by app_server).
-     * Use to wire consumer SSE auth guards in tests.
-     * Default: no-op.
+     * Backend audit event callback — threaded into `create_audit_emitter` so
+     * it becomes the first listener on `backend.deps.audit.on_event_chain`.
+     * When `audit_log_sse: true` is passed to `create_app_server`, the SSE
+     * listener is appended after this one. Use to wire consumer SSE auth
+     * guards in tests. Default: no-op.
      */
     on_audit_event?: (event: AuditLogEvent) => void;
     /**
-     * Optional audit log config — written onto `backend.deps.audit_log_config`
-     * before return so it lands in time for `create_app_server`'s shallow
-     * spread of `backend.deps` (SSE branch) and the no-SSE alias branch alike.
+     * Optional audit log config — threaded into `create_audit_emitter` and
+     * captured inside `backend.deps.audit`'s closure.
      *
      * Use when the consumer registers extra event types via
      * `create_audit_log_config({extra_events})` — without this, emits for
@@ -132,7 +131,7 @@ export interface TestAppServerOptions {
  * Sets up:
  * - Auth tables (via cached PGlite factory, or reuses existing `db`)
  * - A keeper account with hashed password
- * - Role permits for each role in `options.roles`
+ * - Role role_grants for each role in `options.roles`
  * - An API token for Bearer auth
  * - A session with a signed cookie value
  *
@@ -143,10 +142,8 @@ export interface TestAppServerOptions {
  * @returns a `TestAppServer` ready for HTTP testing
  * @mutates the underlying database — when `db` is supplied, resets singleton
  *   state (`bootstrap_lock.bootstrapped`, `app_settings.open_signup`) before
- *   bootstrapping; in either branch inserts an account, actor, role permits,
- *   API token, and session row. When `audit_log_config` is provided, also
- *   sets `backend.deps.audit_log_config` so `create_app_server`'s shallow
- *   spread picks it up.
+ *   bootstrapping; in either branch inserts an account, actor, role role_grants,
+ *   API token, and session row.
  */
 export declare const create_test_app_server: (options: TestAppServerOptions) => Promise<TestAppServer>;
 /**

package/dist/testing/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/E,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAI9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;;;;OASG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAKD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA8FvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;;OAQG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,gHAAgH;IAChH,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,CAAC,CAC9F,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAyGpF,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAE/E,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAI9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;;;OAQG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAKD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA+FvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;;OAQG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,gHAAgH;IAChH,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,CAAC,CAC9F,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAyGpF,CAAC"}

package/dist/testing/app_server.js

@@ -5,12 +5,13 @@ import { ROLE_KEEPER } from '../auth/role_schema.js';
 import { create_validated_keyring } from '../auth/keyring.js';
 import { generate_api_token } from '../auth/api_token.js';
 import { query_create_account_with_actor } from '../auth/account_queries.js';
-import { query_grant_permit } from '../auth/permit_queries.js';
+import { query_create_role_grant } from '../auth/role_grant_queries.js';
 import { generate_session_token, hash_session_token, AUTH_SESSION_LIFETIME_MS, query_create_session, } from '../auth/session_queries.js';
 import { query_create_api_token } from '../auth/api_token_queries.js';
 import { create_session_cookie_value } from '../auth/session_cookie.js';
 import { run_migrations } from '../db/migrate.js';
 import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { create_audit_emitter } from '../auth/audit_emitter.js';
 import { create_app_server, } from '../server/app_server.js';
 import { generate_daemon_token, DAEMON_TOKEN_HEADER, } from '../auth/daemon_token.js';
 import { create_pglite_factory } from './db.js';
@@ -42,7 +43,7 @@ const fallback_pglite_factory = create_pglite_factory(async (db) => {
  * `create_test_app_server` and `TestApp.create_account`.
  *
  * @mutates the underlying `options.db` — inserts rows into `account`, `actor`,
- *   `permit` (one per role), `api_token`, and `auth_session`.
+ *   `role_grant` (one per role), `api_token`, and `auth_session`.
  */
 export const bootstrap_test_account = async (options) => {
     const { db, keyring, session_options, password, username = 'keeper', password_value = 'test-password-123', roles = [], } = options;
@@ -54,7 +55,7 @@ export const bootstrap_test_account = async (options) => {
     });
     // Grant roles
     for (const role of roles) {
-        await query_grant_permit(deps, { actor_id: actor.id, role, granted_by: null });
+        await query_create_role_grant(deps, { actor_id: actor.id, role, granted_by: null });
     }
     // Create API token (account-scoped — acting actor is per-request)
     const { token: api_token, id: token_id, token_hash } = generate_api_token();
@@ -80,7 +81,7 @@ const test_log = new Logger('test', { level: 'off' });
  * Sets up:
  * - Auth tables (via cached PGlite factory, or reuses existing `db`)
  * - A keeper account with hashed password
- * - Role permits for each role in `options.roles`
+ * - Role role_grants for each role in `options.roles`
  * - An API token for Bearer auth
  * - A session with a signed cookie value
  *
@@ -91,10 +92,8 @@ const test_log = new Logger('test', { level: 'off' });
  * @returns a `TestAppServer` ready for HTTP testing
  * @mutates the underlying database — when `db` is supplied, resets singleton
  *   state (`bootstrap_lock.bootstrapped`, `app_settings.open_signup`) before
- *   bootstrapping; in either branch inserts an account, actor, role permits,
- *   API token, and session row. When `audit_log_config` is provided, also
- *   sets `backend.deps.audit_log_config` so `create_app_server`'s shallow
- *   spread picks it up.
+ *   bootstrapping; in either branch inserts an account, actor, role role_grants,
+ *   API token, and session row.
  */
 export const create_test_app_server = async (options) => {
     const { session_options, db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], on_audit_event = () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
@@ -117,6 +116,12 @@ export const create_test_app_server = async (options) => {
         await existing_db.query('UPDATE app_settings SET open_signup = false, updated_at = NULL, updated_by = NULL WHERE open_signup = true OR updated_at IS NOT NULL');
         // Use the caller's database — tables already created by the factory's init_schema.
         // Caller owns the DB lifecycle — close is a no-op.
+        const audit = create_audit_emitter({
+            db: existing_db,
+            log: test_log,
+            on_audit_event,
+            audit_log_config,
+        });
         backend = {
             db_type,
             db_name: 'test',
@@ -127,7 +132,7 @@ export const create_test_app_server = async (options) => {
                 password,
                 db: existing_db,
                 log: test_log,
-                on_audit_event,
+                audit,
                 ...fs_stubs,
             },
         };
@@ -137,6 +142,7 @@ export const create_test_app_server = async (options) => {
         // instead of creating a new PGlite each time. Schema is reset and migrations re-run
         // on each call, but the expensive WASM cold start only happens once per worker thread.
         const db = await fallback_pglite_factory.create();
+        const audit = create_audit_emitter({ db, log: test_log, on_audit_event, audit_log_config });
         backend = {
             db_type: 'pglite-memory',
             db_name: '(memory)',
@@ -147,7 +153,7 @@ export const create_test_app_server = async (options) => {
                 password,
                 db,
                 log: test_log,
-                on_audit_event,
+                audit,
                 ...fs_stubs,
             },
         };
@@ -161,11 +167,6 @@ export const create_test_app_server = async (options) => {
         password_value,
         roles,
     });
-    // Land before `create_app_server`'s shallow-spread of `backend.deps` so
-    // the SSE branch's snapshot picks it up alongside the no-SSE alias branch.
-    if (audit_log_config !== undefined) {
-        backend.deps.audit_log_config = audit_log_config;
-    }
     return {
         ...backend,
         ...bootstrapped,

package/dist/testing/assertions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assertions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/assertions.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAe7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,UAAU,EAAE,eAAe,EAAC,MAAM,oBAAoB,CAAC;AACpE,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,0BAA0B,CAAC;AAEhE;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAAI,UAAU,MAAM,EAAE,iBAAiB,MAAM,KAAG,MACtB,CAAC;AAE5D;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,+BAA+B,GAC3C,SAAS,UAAU,EACnB,eAAe,MAAM,KACnB,IAOF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,4BAA4B,GAAI,eAAe,MAAM,UAAU,KAAG,IAE9E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kCAAkC,GAC9C,SAAS,UAAU,EACnB,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,IAWF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,KACZ,CAAC,CAAC,OAAO,GAAG,SAGd,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,yBAAyB,GACrC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,EACd,MAAM,OAAO,KACX,IAIF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,UAAU,EACnB,aAAa,MAAM,EACnB,qBAAqB,KAAK,CAAC,MAAM,CAAC,KAChC,IAUF,CAAC"}
+{"version":3,"file":"assertions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/assertions.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAe7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,UAAU,EAAE,eAAe,EAAC,MAAM,oBAAoB,CAAC;AACpE,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,0BAA0B,CAAC;AAGhE;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAAI,UAAU,MAAM,EAAE,iBAAiB,MAAM,KAAG,MACtB,CAAC;AAE5D;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,+BAA+B,GAC3C,SAAS,UAAU,EACnB,eAAe,MAAM,KACnB,IAOF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,4BAA4B,GAAI,eAAe,MAAM,UAAU,KAAG,IAE9E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kCAAkC,GAC9C,SAAS,UAAU,EACnB,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,IAWF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,KACZ,CAAC,CAAC,OAAO,GAAG,SAGd,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,yBAAyB,GACrC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,EACd,MAAM,OAAO,KACX,IAIF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,UAAU,EACnB,aAAa,MAAM,EACnB,qBAAqB,KAAK,CAAC,MAAM,CAAC,KAChC,IAUF,CAAC"}

package/dist/testing/assertions.js

@@ -11,6 +11,7 @@ import { readFileSync } from 'node:fs';
 import { resolve, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { assert } from 'vitest';
+import { is_public_auth } from '../http/auth_shape.js';
 /**
  * Resolve an absolute path relative to the caller's module.
  *
@@ -52,7 +53,7 @@ export const assert_surface_deterministic = (build_surface) => {
 export const assert_only_expected_public_routes = (surface, expected_public) => {
     const expected = new Set(expected_public);
     const actual_public = surface.routes
-        .filter((r) => r.auth.type === 'none')
+        .filter((r) => is_public_auth(r.auth))
         .map((r) => `${r.method} ${r.path}`);
     const unexpected = actual_public.filter((r) => !expected.has(r));
     const missing = expected_public.filter((r) => !actual_public.includes(r));

package/dist/testing/attack_surface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,EAON,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,MAAM,yBAAyB,CAAC;AAoBjC,OAAO,EAA4B,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAsClF,oFAAoF;AACpF,MAAM,WAAW,sBAAsB;IACtC,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,sBAAsB,KAAG,IAkH3E,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,uCAAuC,GACnD,UAAU,2BAA2B,GAAG,IAAI,GAAG,SAAS,KACtD,2BAA2B,GAAG,IAWhC,CAAC;AAEF,0DAA0D;AAC1D,MAAM,WAAW,4BAA4B;IAC5C,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,gHAAgH;IAChH,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,eAAe,CAAC,EAAE,4BAA4B,CAAC;IAC/C;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC;CAC5D;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,sCAAsC,GAClD,SAAS,4BAA4B,KACnC,IAuEF,CAAC"}
+{"version":3,"file":"attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,EAON,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,MAAM,yBAAyB,CAAC;AAoBjC,OAAO,EAA4B,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAsClF,oFAAoF;AACpF,MAAM,WAAW,sBAAsB;IACtC,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,sBAAsB,KAAG,IA4H3E,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,uCAAuC,GACnD,UAAU,2BAA2B,GAAG,IAAI,GAAG,SAAS,KACtD,2BAA2B,GAAG,IAWhC,CAAC;AAEF,0DAA0D;AAC1D,MAAM,WAAW,4BAA4B;IAC5C,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,gHAAgH;IAChH,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,eAAe,CAAC,EAAE,4BAA4B,CAAC;IAC/C;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC;CAC5D;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,sCAAsC,GAClD,SAAS,4BAA4B,KACnC,IAuEF,CAAC"}