@fuzdev/fuz_app 0.58.0 → 0.60.0

package/dist/auth/session_middleware.d.ts

@@ -18,7 +18,7 @@ export declare const get_session_cookie: <T>(c: Context, options: SessionOptions
  * `options.max_age` is the single source of truth for cookie lifetime: it
  * drives both the embedded `expires_at` (via `create_session_cookie_value`)
  * and the cookie's HTTP `Max-Age` attribute set here. Falls back to
- * `SESSION_COOKIE_OPTIONS.maxAge` (= `SESSION_AGE_MAX`) when unset.
+ * `session_cookie_options.maxAge` (= `SESSION_AGE_MAX`) when unset.
  * `options.cookie_options` cannot carry `maxAge` (omitted in the type) so
  * the two values can't drift.
  */

package/dist/auth/session_middleware.js

@@ -5,7 +5,7 @@
  * @module
  */
 import { getCookie, setCookie, deleteCookie } from 'hono/cookie';
-import { SESSION_COOKIE_OPTIONS, process_session_cookie, create_session_cookie_value, } from './session_cookie.js';
+import { session_cookie_options, process_session_cookie, create_session_cookie_value, } from './session_cookie.js';
 import { generate_session_token, hash_session_token, AUTH_SESSION_LIFETIME_MS, query_create_session, query_session_enforce_limit, } from './session_queries.js';
 /**
  * Read the session cookie value from a request.
@@ -19,15 +19,15 @@ export const get_session_cookie = (c, options) => {
  * `options.max_age` is the single source of truth for cookie lifetime: it
  * drives both the embedded `expires_at` (via `create_session_cookie_value`)
  * and the cookie's HTTP `Max-Age` attribute set here. Falls back to
- * `SESSION_COOKIE_OPTIONS.maxAge` (= `SESSION_AGE_MAX`) when unset.
+ * `session_cookie_options.maxAge` (= `SESSION_AGE_MAX`) when unset.
  * `options.cookie_options` cannot carry `maxAge` (omitted in the type) so
  * the two values can't drift.
  */
 export const set_session_cookie = (c, value, options) => {
     const cookie_options = {
-        ...SESSION_COOKIE_OPTIONS,
+        ...session_cookie_options,
         ...options.cookie_options,
-        maxAge: options.max_age ?? SESSION_COOKIE_OPTIONS.maxAge,
+        maxAge: options.max_age ?? session_cookie_options.maxAge,
     };
     setCookie(c, options.cookie_name, value, cookie_options);
 };
@@ -36,7 +36,7 @@ export const set_session_cookie = (c, value, options) => {
  */
 export const clear_session_cookie = (c, options) => {
     const cookie_options = {
-        ...SESSION_COOKIE_OPTIONS,
+        ...session_cookie_options,
         ...options.cookie_options,
     };
     deleteCookie(c, options.cookie_name, cookie_options);

package/dist/rate_limiter.d.ts

@@ -43,9 +43,9 @@ export interface RateLimiterOptions {
     max_keys?: number | null;
 }
 /** Default options for per-IP login rate limiting: 5 attempts per 15 minutes. */
-export declare const DEFAULT_LOGIN_IP_RATE_LIMIT: RateLimiterOptions;
+export declare const default_login_ip_rate_limit: RateLimiterOptions;
 /** Default options for per-account login rate limiting: 10 attempts per 30 minutes. */
-export declare const DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT: RateLimiterOptions;
+export declare const default_login_account_rate_limit: RateLimiterOptions;
 /**
  * Default options for per-IP action-dispatcher rate limiting: 600 attempts
  * per 15 minutes. Shared by the HTTP RPC and WebSocket action dispatchers
@@ -53,7 +53,7 @@ export declare const DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT: RateLimiterOptions;
  * scripts and egregious oracle probes, but well above human or normal
  * automation pace. Tighten downstream for stricter deployments.
  */
-export declare const DEFAULT_ACTION_IP_RATE_LIMIT: RateLimiterOptions;
+export declare const default_action_ip_rate_limit: RateLimiterOptions;
 /**
  * Default options for per-actor action-dispatcher rate limiting: 1200
  * attempts per 15 minutes. Shared by the HTTP RPC and WebSocket action
@@ -61,7 +61,7 @@ export declare const DEFAULT_ACTION_IP_RATE_LIMIT: RateLimiterOptions;
  * admin workflow; an oracle probing 10k addresses still finishes in
  * ~2 hours, slow enough to surface in audit. Tighten downstream.
  */
-export declare const DEFAULT_ACTION_ACCOUNT_RATE_LIMIT: RateLimiterOptions;
+export declare const default_action_account_rate_limit: RateLimiterOptions;
 /**
  * Result of a rate limit check or record operation.
  */
@@ -139,7 +139,7 @@ export declare class RateLimiter {
 /**
  * Create a `RateLimiter` with sensible defaults for per-IP login protection.
  *
- * @param options - override individual options; unset fields use `DEFAULT_LOGIN_IP_RATE_LIMIT`
+ * @param options - override individual options; unset fields use `default_login_ip_rate_limit`
  */
 export declare const create_rate_limiter: (options?: Partial<RateLimiterOptions>) => RateLimiter;
 /**

package/dist/rate_limiter.js

@@ -17,14 +17,14 @@ import { ERROR_RATE_LIMIT_EXCEEDED } from './http/error_schemas.js';
  */
 export const DEFAULT_RATE_LIMITER_MAX_KEYS = 100_000;
 /** Default options for per-IP login rate limiting: 5 attempts per 15 minutes. */
-export const DEFAULT_LOGIN_IP_RATE_LIMIT = {
+export const default_login_ip_rate_limit = {
     max_attempts: 5,
     window_ms: 15 * 60_000,
     cleanup_interval_ms: 5 * 60_000,
     max_keys: DEFAULT_RATE_LIMITER_MAX_KEYS,
 };
 /** Default options for per-account login rate limiting: 10 attempts per 30 minutes. */
-export const DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT = {
+export const default_login_account_rate_limit = {
     max_attempts: 10,
     window_ms: 30 * 60_000,
     cleanup_interval_ms: 5 * 60_000,
@@ -37,7 +37,7 @@ export const DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT = {
  * scripts and egregious oracle probes, but well above human or normal
  * automation pace. Tighten downstream for stricter deployments.
  */
-export const DEFAULT_ACTION_IP_RATE_LIMIT = {
+export const default_action_ip_rate_limit = {
     max_attempts: 600,
     window_ms: 15 * 60_000,
     cleanup_interval_ms: 5 * 60_000,
@@ -50,7 +50,7 @@ export const DEFAULT_ACTION_IP_RATE_LIMIT = {
  * admin workflow; an oracle probing 10k addresses still finishes in
  * ~2 hours, slow enough to surface in audit. Tighten downstream.
  */
-export const DEFAULT_ACTION_ACCOUNT_RATE_LIMIT = {
+export const default_action_account_rate_limit = {
     max_attempts: 1200,
     window_ms: 15 * 60_000,
     cleanup_interval_ms: 5 * 60_000,
@@ -203,10 +203,10 @@ export class RateLimiter {
 /**
  * Create a `RateLimiter` with sensible defaults for per-IP login protection.
  *
- * @param options - override individual options; unset fields use `DEFAULT_LOGIN_IP_RATE_LIMIT`
+ * @param options - override individual options; unset fields use `default_login_ip_rate_limit`
  */
 export const create_rate_limiter = (options) => {
-    return new RateLimiter({ ...DEFAULT_LOGIN_IP_RATE_LIMIT, ...options });
+    return new RateLimiter({ ...default_login_ip_rate_limit, ...options });
 };
 /**
  * Build a 429 rate-limit-exceeded JSON response with `Retry-After` header.

package/dist/realtime/sse_auth_guard.d.ts

@@ -27,7 +27,7 @@ export declare const AUDIT_LOG_CHANNEL = "audit_log";
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
  * all of a user's streams for a single-session revoke would be over-aggressive.
  */
-export declare const DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
+export declare const disconnect_event_types: ReadonlySet<string>;
 /**
  * Create an audit event handler that closes SSE streams on auth changes.
  *
@@ -69,7 +69,7 @@ export interface AuditLogSse {
  * One spec per `AUDIT_EVENT_TYPES` entry, all sharing the `AuditLogEventJson` params schema.
  * Pass to `create_app_server`'s `event_specs` for surface generation and DEV validation.
  */
-export declare const AUDIT_LOG_EVENT_SPECS: Array<EventSpec>;
+export declare const audit_log_event_specs: Array<EventSpec>;
 /**
  * Default max concurrent SSE subscribers per session scope for the audit log.
  *
@@ -102,7 +102,7 @@ export declare const AUDIT_LOG_SSE_MAX_PER_SCOPE = 10;
  * create_audit_log_route_specs({stream: audit_sse});
  *
  * // In create_app_server options:
- * event_specs: AUDIT_LOG_EVENT_SPECS,
+ * event_specs: audit_log_event_specs,
  * ```
  */
 export declare const create_audit_log_sse: (options: {

package/dist/realtime/sse_auth_guard.js

@@ -25,7 +25,7 @@ export const AUDIT_LOG_CHANNEL = 'audit_log';
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
  * all of a user's streams for a single-session revoke would be over-aggressive.
  */
-export const DISCONNECT_EVENT_TYPES = new Set([
+export const disconnect_event_types = new Set([
     'role_grant_revoke', // role revoked — user lost access
     'session_revoke', // single session revoked — close only that stream
     'session_revoke_all', // all sessions invalidated — user should be kicked
@@ -51,7 +51,7 @@ export const DISCONNECT_EVENT_TYPES = new Set([
  */
 export const create_sse_auth_guard = (registry, required_role, log) => {
     return (event) => {
-        if (!DISCONNECT_EVENT_TYPES.has(event.event_type))
+        if (!disconnect_event_types.has(event.event_type))
             return;
         // Only act on successful revocations. Failed attempts carry
         // attacker-controlled identifiers (e.g., session_revoke with outcome=failure
@@ -98,7 +98,7 @@ export const create_sse_auth_guard = (registry, required_role, log) => {
  * One spec per `AUDIT_EVENT_TYPES` entry, all sharing the `AuditLogEventJson` params schema.
  * Pass to `create_app_server`'s `event_specs` for surface generation and DEV validation.
  */
-export const AUDIT_LOG_EVENT_SPECS = AUDIT_EVENT_TYPES.map((event_type) => ({
+export const audit_log_event_specs = AUDIT_EVENT_TYPES.map((event_type) => ({
     method: event_type,
     params: AuditLogEventJson,
     description: `Audit log: ${event_type.replaceAll('_', ' ')}`,
@@ -136,7 +136,7 @@ export const AUDIT_LOG_SSE_MAX_PER_SCOPE = 10;
  * create_audit_log_route_specs({stream: audit_sse});
  *
  * // In create_app_server options:
- * event_specs: AUDIT_LOG_EVENT_SPECS,
+ * event_specs: audit_log_event_specs,
  * ```
  */
 export const create_audit_log_sse = (options) => {

package/dist/server/app_backend.d.ts

@@ -66,7 +66,7 @@ export interface CreateAppBackendOptions {
      * Audit-log config for consumer event-type extensions. Built once at
      * startup via `create_audit_log_config({extra_events})` and captured
      * inside `AppDeps.audit` so consumer handlers cannot silently fall
-     * back to the builtin config. Omit to use `BUILTIN_AUDIT_LOG_CONFIG`
+     * back to the builtin config. Omit to use `builtin_audit_log_config`
      * (no extra events).
      */
     audit_log_config?: AuditLogConfig;
@@ -76,7 +76,7 @@ export interface CreateAppBackendOptions {
      * (`namespace`, `name`, `sequence`); order is append-only so forward-only
      * guarantees hold per-namespace.
      *
-     * Names in `RESERVED_MIGRATION_NAMESPACES` (currently `['fuz_auth']`) are
+     * Names in `reserved_migration_namespaces` (currently `['fuz_auth']`) are
      * rejected at startup. Omit for no extra namespaces. This is the only
      * place to splice consumer migrations — DB init belongs to the backend
      * lifecycle, not server assembly.
@@ -92,7 +92,7 @@ export interface CreateAppBackendOptions {
  *
  * @param options - keyring, password deps, optional database URL, and optional `migration_namespaces`
  * @returns app backend with deps, database metadata, and combined migration results
- * @throws Error if `migration_namespaces` contains a namespace in `RESERVED_MIGRATION_NAMESPACES`
+ * @throws Error if `migration_namespaces` contains a namespace in `reserved_migration_namespaces`
  */
 export declare const create_app_backend: (options: CreateAppBackendOptions) => Promise<AppBackend>;
 //# sourceMappingURL=app_backend.d.ts.map

package/dist/server/app_backend.js

@@ -13,7 +13,7 @@
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { create_audit_emitter } from '../auth/audit_emitter.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS, RESERVED_MIGRATION_NAMESPACES } from '../auth/migrations.js';
+import { auth_migration_ns, reserved_migration_namespaces } from '../auth/migrations.js';
 import { create_db } from '../db/create_db.js';
 /**
  * Initialize the backend: database + auth migrations + deps.
@@ -24,7 +24,7 @@ import { create_db } from '../db/create_db.js';
  *
  * @param options - keyring, password deps, optional database URL, and optional `migration_namespaces`
  * @returns app backend with deps, database metadata, and combined migration results
- * @throws Error if `migration_namespaces` contains a namespace in `RESERVED_MIGRATION_NAMESPACES`
+ * @throws Error if `migration_namespaces` contains a namespace in `reserved_migration_namespaces`
  */
 export const create_app_backend = async (options) => {
     const { database_url, keyring, password, stat, read_text_file, delete_file } = options;
@@ -32,13 +32,13 @@ export const create_app_backend = async (options) => {
     const { db, close, db_type, db_name } = await create_db(database_url);
     if (options.migration_namespaces?.length) {
         for (const ns of options.migration_namespaces) {
-            if (RESERVED_MIGRATION_NAMESPACES.includes(ns.namespace)) {
+            if (reserved_migration_namespaces.includes(ns.namespace)) {
                 throw new Error(`Migration namespace "${ns.namespace}" is reserved by fuz_app — choose a different namespace`);
             }
         }
     }
     const migration_results = await run_migrations(db, [
-        AUTH_MIGRATION_NS,
+        auth_migration_ns,
         ...(options.migration_namespaces ?? []),
     ]);
     const audit = create_audit_emitter({

package/dist/server/app_server.d.ts

@@ -136,7 +136,7 @@ export interface AppServerOptions {
      * When truthy, creates an `AuditLogSse` instance internally, appends the SSE
      * listener to `backend.deps.audit.on_event_chain` (composing with the
      * consumer's `on_audit_event` callback rather than rebuilding `AppDeps`), and
-     * auto-includes `AUDIT_LOG_EVENT_SPECS` in the surface. The result is exposed
+     * auto-includes `audit_log_event_specs` in the surface. The result is exposed
      * on `AppServerContext` (for route factories) and `AppServer` (for the caller).
      *
      * Pass `true` for defaults (admin role), or `{role: 'custom'}` for a custom role.

package/dist/server/app_server.js

@@ -11,10 +11,10 @@ import { Hono } from 'hono';
 import { logger } from 'hono/logger';
 import { bodyLimit } from 'hono/body-limit';
 import { z } from 'zod';
-import { SESSION_COOKIE_OPTIONS, } from '../auth/session_cookie.js';
-import { create_audit_log_sse, AUDIT_LOG_EVENT_SPECS, } from '../realtime/sse_auth_guard.js';
+import { session_cookie_options, } from '../auth/session_cookie.js';
+import { create_audit_log_sse, audit_log_event_specs, } from '../realtime/sse_auth_guard.js';
 import { query_app_settings_load } from '../auth/app_settings_queries.js';
-import { create_rate_limiter, DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT, DEFAULT_ACTION_ACCOUNT_RATE_LIMIT, DEFAULT_ACTION_IP_RATE_LIMIT, } from '../rate_limiter.js';
+import { create_rate_limiter, default_login_account_rate_limit, default_action_account_rate_limit, default_action_ip_rate_limit, } from '../rate_limiter.js';
 // Side-effect import: augments Hono's ContextVariableMap so consumers
 // that import app_server get type-safe c.get('auth_session_id') etc.
 import '../hono_context.js';
@@ -53,19 +53,19 @@ export const create_app_server = async (options) => {
     // Rate limiter defaults (undefined = default, null = disable)
     const ip_rate_limiter = options.ip_rate_limiter === undefined ? create_rate_limiter() : options.ip_rate_limiter;
     const login_account_rate_limiter = options.login_account_rate_limiter === undefined
-        ? create_rate_limiter(DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT)
+        ? create_rate_limiter(default_login_account_rate_limit)
         : options.login_account_rate_limiter;
     const signup_account_rate_limiter = options.signup_account_rate_limiter === undefined
-        ? create_rate_limiter(DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT)
+        ? create_rate_limiter(default_login_account_rate_limit)
         : options.signup_account_rate_limiter;
     const bearer_ip_rate_limiter = options.bearer_ip_rate_limiter === undefined
         ? create_rate_limiter()
         : options.bearer_ip_rate_limiter;
     const action_ip_rate_limiter = options.action_ip_rate_limiter === undefined
-        ? create_rate_limiter(DEFAULT_ACTION_IP_RATE_LIMIT)
+        ? create_rate_limiter(default_action_ip_rate_limit)
         : options.action_ip_rate_limiter;
     const action_account_rate_limiter = options.action_account_rate_limiter === undefined
-        ? create_rate_limiter(DEFAULT_ACTION_ACCOUNT_RATE_LIMIT)
+        ? create_rate_limiter(default_action_account_rate_limit)
         : options.action_account_rate_limiter;
     // Factory-managed audit SSE — appends a listener to the bound emitter's
     // chain so SSE fan-out runs alongside the consumer's `on_audit_event`
@@ -156,7 +156,7 @@ export const create_app_server = async (options) => {
         : middleware_specs;
     const all_event_specs = [
         ...(options.event_specs ?? []),
-        ...(audit_sse ? AUDIT_LOG_EVENT_SPECS : []),
+        ...(audit_sse ? audit_log_event_specs : []),
     ];
     const surface_spec = create_app_surface_spec({
         middleware_specs: surface_middleware,
@@ -176,11 +176,11 @@ export const create_app_server = async (options) => {
                 message: 'Session cookie secure=false — cookies sent over HTTP',
             });
         }
-        if (cookie_opts.sameSite && cookie_opts.sameSite !== SESSION_COOKIE_OPTIONS.sameSite) {
+        if (cookie_opts.sameSite && cookie_opts.sameSite !== session_cookie_options.sameSite) {
             config_diagnostics.push({
                 level: 'warning',
                 category: 'security',
-                message: `Session cookie sameSite='${cookie_opts.sameSite}' — weakened from default '${SESSION_COOKIE_OPTIONS.sameSite}'`,
+                message: `Session cookie sameSite='${cookie_opts.sameSite}' — weakened from default '${session_cookie_options.sameSite}'`,
             });
         }
         if (cookie_opts.httpOnly === false) {

package/dist/testing/CLAUDE.md

@@ -91,7 +91,7 @@ from `app_server.ts` instead.
 ## Database — `db.ts`
 
 Factory builders for parameterized DB tests. Consumer projects pass their
-`init_schema` callback (which calls `run_migrations(db, [AUTH_MIGRATION_NS, ...app_migrations])`);
+`init_schema` callback (which calls `run_migrations(db, [auth_migration_ns, ...app_migrations])`);
 factories accept any migration namespace set.
 
 | Helper                                           | Role                                                                                                                                                                                                                                                                                                 |
@@ -101,10 +101,10 @@ factories accept any migration namespace set.
 | `reset_pglite(db)`                               | `DROP SCHEMA public CASCADE` + recreate. Reuses a live PGlite instance.                                                                                                                                                                                                                              |
 | `create_pglite_factory(init_schema)`             | In-memory; no external deps; `skip: false`. See WASM caching below.                                                                                                                                                                                                                                  |
 | `create_pg_factory(init_schema, test_url?)`      | PostgreSQL; `skip: true` when `test_url` is missing; drops `schema_version` before `init_schema` so migrations re-evaluate against actual tables (prevents stale tracker rows from skipping migrations when DDL changes between test sessions); pool is reused + cleaned up across `create()` calls. |
-| `AUTH_TRUNCATE_TABLES`                           | `['invite', 'api_token', 'auth_session', 'role_grant', 'role_grant_offer', 'actor', 'account']` in FK-safe order. Excludes `audit_log` — unit DB tests don't need to truncate it.                                                                                                                    |
-| `AUTH_INTEGRATION_TRUNCATE_TABLES`               | `AUTH_TRUNCATE_TABLES + ['audit_log']` — for integration suites that exercise the audit path.                                                                                                                                                                                                        |
-| `AUTH_DROP_TABLES`                               | Full set from `AUTH_MIGRATIONS` in drop order; call `drop_auth_schema(db)` at the top of `init_schema` on persistent pg databases that may hold stale DDL from previous fuz_app versions.                                                                                                            |
-| `drop_auth_schema(db)`                           | `DROP TABLE IF EXISTS <table> CASCADE` for every entry in `AUTH_DROP_TABLES` plus `schema_version`. Safe on fresh DBs.                                                                                                                                                                               |
+| `auth_truncate_tables`                           | `['invite', 'api_token', 'auth_session', 'role_grant', 'role_grant_offer', 'actor', 'account']` in FK-safe order. Excludes `audit_log` — unit DB tests don't need to truncate it.                                                                                                                    |
+| `auth_integration_truncate_tables`               | `auth_truncate_tables + ['audit_log']` — for integration suites that exercise the audit path.                                                                                                                                                                                                        |
+| `auth_drop_tables`                               | Full set from `auth_migrations` in drop order; call `drop_auth_schema(db)` at the top of `init_schema` on persistent pg databases that may hold stale DDL from previous fuz_app versions.                                                                                                            |
+| `drop_auth_schema(db)`                           | `DROP TABLE IF EXISTS <table> CASCADE` for every entry in `auth_drop_tables` plus `schema_version`. Safe on fresh DBs.                                                                                                                                                                               |
 | `create_describe_db(factories, truncate_tables)` | Returns `describe_db(name, fn)` that runs `fn(get_db)` once per factory, inside a `describe` block with shared `beforeAll(create)` + `beforeEach(TRUNCATE)` + `afterAll(close)`. Skipped factories use `describe.skip`.                                                                              |
 | `log_db_factory_status(factories)`               | Console summary of enabled / skipped factories.                                                                                                                                                                                                                                                      |
 
@@ -234,13 +234,13 @@ Tightness audit:
   classifies every route × status combination as `'literal' | 'enum' | 'generic'`.
 - `assert_error_schema_tightness(surface, options?)` — fails routes below a
   threshold (`min_specificity`, default `'enum'`) with `allowlist` + `ignore_statuses` escape hatches.
-- `FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST` — currently empty. Every
+- `fuz_app_stock_route_tightness_allowlist` — currently empty. Every
   fuz_app-shipped route (account login/password/bootstrap/signup, db
   health/tables/:name/tables/:name/rows/:id) has been tightened in place to
   `z.enum([...])` / `z.literal(...)` against every emit-site code. Kept as a
   forward-compatibility hook for future stock routes that need an interim
   exemption; paths assume the standard `/api/account` + `/api/db` prefixes.
-- `DEFAULT_ERROR_SCHEMA_TIGHTNESS` — `{ignore_statuses: [401, 403, 429], allowlist: FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST}`.
+- `default_error_schema_tightness` — `{ignore_statuses: [401, 403, 429], allowlist: fuz_app_stock_route_tightness_allowlist}`.
   Applied by `describe_standard_attack_surface_tests` when
   `error_schema_tightness` is omitted; pass an override config or `null` to
   opt out.
@@ -323,8 +323,8 @@ Walks Zod schemas to generate valid values for adversarial/round-trip tests.
 | `check_error_response_fields(body)`                                | Returns the list of fields outside `KNOWN_SAFE_ERROR_FIELDS` (`error`, `issues`, `required_roles`, `required_credential_types`, `retry_after`, `has_references`, `ok`).                                                                  |
 | `assert_no_error_info_leakage(body, context)`                      | Rejects field-name patterns (`stack`, `trace`, `sql`, …) + value patterns (`node_modules`, stack-like `at …`, `.ts:NN`).                                                                                                                 |
 | `assert_rate_limit_retry_after_header(response, body)`             | `Retry-After` numeric header equals `Math.ceil(body.retry_after)`.                                                                                                                                                                       |
-| `SENSITIVE_FIELD_BLOCKLIST`                                        | `['password_hash', 'token_hash']` — never in any response body.                                                                                                                                                                          |
-| `ADMIN_ONLY_FIELD_BLOCKLIST`                                       | `['updated_by', 'created_by']` — never in non-admin response bodies.                                                                                                                                                                     |
+| `sensitive_field_blocklist`                                        | `['password_hash', 'token_hash']` — never in any response body.                                                                                                                                                                          |
+| `admin_only_field_blocklist`                                       | `['updated_by', 'created_by']` — never in non-admin response bodies.                                                                                                                                                                     |
 | `collect_json_keys_recursive(value)`                               | Deep walk; returns `Set<string>` of every key at every nesting depth.                                                                                                                                                                    |
 | `assert_no_sensitive_fields_in_json(body, blocklist, context)`     | Rejects any key in the blocklist at any depth.                                                                                                                                                                                           |
 | `pick_auth_headers(spec, test_app, authed_account, admin_account)` | `RouteAuth` → appropriate test credentials; role `admin` uses `admin_account`, other roles use bootstrapped keeper, `keeper` uses daemon token.                                                                                          |
@@ -337,7 +337,7 @@ Single-call bundle of 5 top-level groups (10 named tests + every
 adversarial case per route):
 
 1. **attack surface snapshot** — `matches committed snapshot`, `is deterministic`.
-2. **attack surface structure** — `only expected public routes`, `full middleware stack on API routes`, `surface invariants`, `security policy`, `error schema tightness` (logs counts and asserts against `DEFAULT_ERROR_SCHEMA_TIGHTNESS` by default; pass an override config or `null` via `error_schema_tightness`).
+2. **attack surface structure** — `only expected public routes`, `full middleware stack on API routes`, `surface invariants`, `security policy`, `error schema tightness` (logs counts and asserts against `default_error_schema_tightness` by default; pass an override config or `null` via `error_schema_tightness`).
 3. **adversarial HTTP auth enforcement** — `unauthenticated → 401`, `wrong role → 403` × roles, `authenticated without role → 403`, `keeper routes reject session credential → 403`, `correct auth passes guard`.
 4. **adversarial input validation** — delegated to `describe_adversarial_input`.
 5. **adversarial 404 response validation** — delegated to `describe_adversarial_404`.
@@ -511,8 +511,8 @@ new arrivals (default 1000ms); drops the waiter on timeout so the
 Six tests in two top-level groups:
 
 1. **schema-level** (3 tests, no DB) — walks JSON Schema representations:
-   - `no sensitive fields in any output schema` — `SENSITIVE_FIELD_BLOCKLIST`
-   - `no admin-only fields in non-admin output schemas` — `ADMIN_ONLY_FIELD_BLOCKLIST`
+   - `no sensitive fields in any output schema` — `sensitive_field_blocklist`
+   - `no admin-only fields in non-admin output schemas` — `admin_only_field_blocklist`
    - `no sensitive fields in any error schema`
 2. **runtime** (3 tests, DB-backed via `create_test_app`):
    - `unauthenticated error responses contain no sensitive fields`
@@ -699,6 +699,16 @@ deps — no DB needed.
 
 Options: `{build: () => AppSurfaceSpec, roles: Array<string>}`.
 
+**Opt-in bundles need their own per-bundle suite file.** Action bundles
+not folded into `create_standard_rpc_actions` (today `self_service_role_actions`
+and `actor_lookup_actions`) get zero adversarial / round-trip coverage
+from `describe_rpc_attack_surface_tests` + `describe_rpc_round_trip_tests`
+unless the consumer ships a `<module>.rpc_suites.db.test.ts` mounting the
+opt-in factory on the RPC endpoint and calling both suites. See
+`../../test/CLAUDE.md` §Composable Test Suites for the obligation note
+and `actor_lookup_actions.rpc_suites.db.test.ts` /
+`role_grant_offer_actions.rpc_suites.db.test.ts` as templates.
+
 ## Cross-cutting conventions
 
 - **`assert` from vitest, not `expect`.** Project-wide convention

package/dist/testing/admin_integration.js

@@ -28,9 +28,9 @@ import './assert_dev_env.js';
 import { describe, test, assert, afterAll } from 'vitest';
 import { ROLE_KEEPER, ROLE_ADMIN } from '../auth/role_schema.js';
 import { GRANT_PATH_ADMIN } from '../auth/grant_path_schema.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_test_app } from './app_server.js';
-import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
+import { create_pglite_factory, create_describe_db, auth_integration_truncate_tables, } from './db.js';
 import { find_auth_route } from './integration_helpers.js';
 import { run_migrations } from '../db/migrate.js';
 import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERROR_COVERAGE, } from './error_coverage.js';
@@ -88,10 +88,10 @@ export const describe_standard_admin_integration_tests = (options) => {
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
-    const describe_db = create_describe_db(factories, AUTH_INTEGRATION_TRUNCATE_TABLES);
+    const describe_db = create_describe_db(factories, auth_integration_truncate_tables);
     describe_db('standard_admin_integration', (get_db) => {
         const { cookie_name } = options.session_options;
         const { role_specs } = options.roles;

package/dist/testing/app_server.d.ts

@@ -120,7 +120,7 @@ export interface TestAppServerOptions {
      *
      * Use when the consumer registers extra event types via
      * `create_audit_log_config({extra_events})` — without this, emits for
-     * those events fall back to `BUILTIN_AUDIT_LOG_CONFIG` and log
+     * those events fall back to `builtin_audit_log_config` and log
      * "unknown event_type" warnings.
      */
     audit_log_config?: AuditLogConfig;

package/dist/testing/app_server.js

@@ -10,7 +10,7 @@ import { generate_session_token, hash_session_token, AUTH_SESSION_LIFETIME_MS, q
 import { query_create_api_token } from '../auth/api_token_queries.js';
 import { create_session_cookie_value } from '../auth/session_cookie.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_audit_emitter } from '../auth/audit_emitter.js';
 import { create_app_server, } from '../server/app_server.js';
 import { generate_daemon_token, DAEMON_TOKEN_HEADER, } from '../auth/daemon_token.js';
@@ -33,7 +33,7 @@ export const TEST_COOKIE_SECRET = 'a'.repeat(64);
 // Shares the WASM instance cache from test_db.ts, avoiding redundant cold starts
 // within the same vitest worker thread. Schema is reset on each create() call.
 const fallback_pglite_factory = create_pglite_factory(async (db) => {
-    await run_migrations(db, [AUTH_MIGRATION_NS]);
+    await run_migrations(db, [auth_migration_ns]);
 });
 /**
  * Bootstrap a test account with credentials.

package/dist/testing/attack_surface.d.ts

@@ -20,7 +20,7 @@ export interface AdversarialTestOptions {
 export declare const describe_adversarial_auth: (options: AdversarialTestOptions) => void;
 /**
  * Merge a consumer's `error_schema_tightness` option with
- * `DEFAULT_ERROR_SCHEMA_TIGHTNESS` so `allowlist` and `ignore_statuses` are
+ * `default_error_schema_tightness` so `allowlist` and `ignore_statuses` are
  * additive rather than replacing.
  *
  * - `undefined` → return the default as-is.
@@ -52,9 +52,9 @@ export interface StandardAttackSurfaceOptions {
     security_policy?: SurfaceSecurityPolicyOptions;
     /**
      * Error schema tightness assertion config. Defaults to
-     * `DEFAULT_ERROR_SCHEMA_TIGHTNESS` (ignores 401/403/429,
+     * `default_error_schema_tightness` (ignores 401/403/429,
      * `min_specificity: 'enum'`, allowlist seeded with
-     * `FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST`).
+     * `fuz_app_stock_route_tightness_allowlist`).
      *
      * Consumer-supplied `allowlist` and `ignore_statuses` are **additive** —
      * the suite merges them underneath the stock defaults, so project-specific
@@ -74,7 +74,7 @@ export interface StandardAttackSurfaceOptions {
  * 4. Middleware stack — every API route has the full middleware chain
  * 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency)
  * 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
- * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `DEFAULT_ERROR_SCHEMA_TIGHTNESS` by default (opt out with `error_schema_tightness: null`)
+ * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `default_error_schema_tightness` by default (opt out with `error_schema_tightness: null`)
  * 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
  * 9. Adversarial input — input body and params validation
  * 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas

package/dist/testing/attack_surface.js

@@ -15,7 +15,7 @@ import './assert_dev_env.js';
  * @module
  */
 import { test, assert, describe } from 'vitest';
-import { assert_surface_invariants, assert_surface_security_policy, audit_error_schema_tightness, assert_error_schema_tightness, DEFAULT_ERROR_SCHEMA_TIGHTNESS, FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST, } from './surface_invariants.js';
+import { assert_surface_invariants, assert_surface_security_policy, audit_error_schema_tightness, assert_error_schema_tightness, default_error_schema_tightness, fuz_app_stock_route_tightness_allowlist, } from './surface_invariants.js';
 import { describe_adversarial_input } from './adversarial_input.js';
 import { describe_adversarial_404 } from './adversarial_404.js';
 import { create_test_app_from_specs, create_test_request_context, create_auth_test_apps, select_auth_app, resolve_test_path, } from './auth_apps.js';
@@ -164,7 +164,7 @@ export const describe_adversarial_auth = (options) => {
 // --- Standard attack surface test suite ---
 /**
  * Merge a consumer's `error_schema_tightness` option with
- * `DEFAULT_ERROR_SCHEMA_TIGHTNESS` so `allowlist` and `ignore_statuses` are
+ * `default_error_schema_tightness` so `allowlist` and `ignore_statuses` are
  * additive rather than replacing.
  *
  * - `undefined` → return the default as-is.
@@ -181,11 +181,11 @@ export const resolve_standard_error_schema_tightness = (consumer) => {
     if (consumer === null)
         return null;
     return {
-        ...DEFAULT_ERROR_SCHEMA_TIGHTNESS,
+        ...default_error_schema_tightness,
         ...consumer,
-        allowlist: [...FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST, ...(consumer?.allowlist ?? [])],
+        allowlist: [...fuz_app_stock_route_tightness_allowlist, ...(consumer?.allowlist ?? [])],
         ignore_statuses: [
-            ...(DEFAULT_ERROR_SCHEMA_TIGHTNESS.ignore_statuses ?? []),
+            ...(default_error_schema_tightness.ignore_statuses ?? []),
             ...(consumer?.ignore_statuses ?? []),
         ],
     };
@@ -200,7 +200,7 @@ export const resolve_standard_error_schema_tightness = (consumer) => {
  * 4. Middleware stack — every API route has the full middleware chain
  * 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency)
  * 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
- * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `DEFAULT_ERROR_SCHEMA_TIGHTNESS` by default (opt out with `error_schema_tightness: null`)
+ * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `default_error_schema_tightness` by default (opt out with `error_schema_tightness: null`)
  * 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
  * 9. Adversarial input — input body and params validation
  * 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas

package/dist/testing/audit_completeness.js

@@ -15,9 +15,9 @@ import './assert_dev_env.js';
 import { describe, test, assert } from 'vitest';
 import { ROLE_KEEPER, ROLE_ADMIN } from '../auth/role_schema.js';
 import { AUDIT_EVENT_TYPES } from '../auth/audit_log_schema.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_test_app, } from './app_server.js';
-import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
+import { create_pglite_factory, create_describe_db, auth_integration_truncate_tables, } from './db.js';
 import { find_auth_route } from './integration_helpers.js';
 import { run_migrations } from '../db/migrate.js';
 import { query_accept_offer } from '../auth/role_grant_offer_queries.js';
@@ -75,10 +75,10 @@ export const describe_audit_completeness_tests = (options) => {
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
-    const describe_db = create_describe_db(factories, AUTH_INTEGRATION_TRUNCATE_TABLES);
+    const describe_db = create_describe_db(factories, auth_integration_truncate_tables);
     describe_db('audit_log_completeness', (get_db) => {
         // --- Account routes ---
         describe('account mutation audit events', () => {

package/dist/testing/data_exposure.d.ts

@@ -27,9 +27,9 @@ export interface DataExposureTestOptions {
     session_options: SessionOptions<string>;
     /** Route spec factory for runtime tests. */
     create_route_specs: (ctx: AppServerContext) => Array<RouteSpec>;
-    /** Fields that must never appear in any response. Default: `SENSITIVE_FIELD_BLOCKLIST`. */
+    /** Fields that must never appear in any response. Default: `sensitive_field_blocklist`. */
     sensitive_fields?: ReadonlyArray<string>;
-    /** Fields that must not appear in non-admin responses. Default: `ADMIN_ONLY_FIELD_BLOCKLIST`. */
+    /** Fields that must not appear in non-admin responses. Default: `admin_only_field_blocklist`. */
     admin_only_fields?: ReadonlyArray<string>;
     /** Optional overrides for `AppServerOptions`. */
     app_options?: Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>>;