@fuzdev/fuz_app 0.58.0 → 0.60.0

package/dist/testing/data_exposure.js

@@ -16,10 +16,10 @@ import { create_test_app } from './app_server.js';
 import { create_pglite_factory } from './db.js';
 import { resolve_valid_path, generate_valid_body } from './schema_generators.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { is_null_schema, is_strict_object_schema } from '../http/schema_helpers.js';
 import { is_keeper_auth, is_public_auth } from '../http/auth_shape.js';
-import { SENSITIVE_FIELD_BLOCKLIST, ADMIN_ONLY_FIELD_BLOCKLIST, assert_no_sensitive_fields_in_json, pick_auth_headers, } from './integration_helpers.js';
+import { sensitive_field_blocklist, admin_only_field_blocklist, assert_no_sensitive_fields_in_json, pick_auth_headers, } from './integration_helpers.js';
 // --- Schema introspection ---
 /**
  * Recursively collect all property names from a JSON Schema.
@@ -58,7 +58,7 @@ export const collect_json_schema_property_names = (schema) => {
 /**
  * Assert that no output schema in the surface contains sensitive field names.
  */
-export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fields = SENSITIVE_FIELD_BLOCKLIST) => {
+export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fields = sensitive_field_blocklist) => {
     for (const route of surface.routes) {
         if (route.output_schema === null)
             continue;
@@ -71,7 +71,7 @@ export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fie
 /**
  * Assert that non-admin route output schemas don't contain admin-only fields.
  */
-export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST) => {
+export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fields = admin_only_field_blocklist) => {
     const non_admin = surface.routes.filter((r) => !is_keeper_auth(r.auth) && !(r.auth.roles?.includes('admin') ?? false));
     for (const route of non_admin) {
         if (route.output_schema === null)
@@ -92,7 +92,7 @@ export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fie
  *    contain no sensitive fields
  */
 export const describe_data_exposure_tests = (options) => {
-    const { build, sensitive_fields = SENSITIVE_FIELD_BLOCKLIST, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST, } = options;
+    const { build, sensitive_fields = sensitive_field_blocklist, admin_only_fields = admin_only_field_blocklist, } = options;
     describe('data exposure — schema-level', () => {
         const { surface } = build();
         test('no sensitive fields in any output schema', () => {
@@ -118,10 +118,10 @@ export const describe_data_exposure_tests = (options) => {
 };
 // --- Runtime tests ---
 const describe_data_exposure_runtime_tests = (options) => {
-    const { sensitive_fields = SENSITIVE_FIELD_BLOCKLIST, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST, } = options;
+    const { sensitive_fields = sensitive_field_blocklist, admin_only_fields = admin_only_field_blocklist, } = options;
     const skip_set = new Set(options.skip_routes);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
     for (const factory of factories) {

package/dist/testing/db.d.ts

@@ -61,25 +61,25 @@ export declare const create_pg_factory: (init_schema: (db: Db) => Promise<void>,
  *
  * Consumer projects can spread this into their own list and append app-specific tables.
  */
-export declare const AUTH_TRUNCATE_TABLES: string[];
+export declare const auth_truncate_tables: string[];
 /**
  * Auth tables including `audit_log` — for integration tests that exercise
  * the full middleware stack (login, admin, rate limiting).
  *
- * Separate from `AUTH_TRUNCATE_TABLES` because unit-level DB tests that don't
+ * Separate from `auth_truncate_tables` because unit-level DB tests that don't
  * touch audit logging don't need to truncate it.
  */
-export declare const AUTH_INTEGRATION_TRUNCATE_TABLES: string[];
+export declare const auth_integration_truncate_tables: string[];
 /**
  * All auth tables in drop order (children first for FK safety).
  *
- * The full set created by `AUTH_MIGRATIONS` — use for clean-slate
- * test DB initialization. `AUTH_TRUNCATE_TABLES` is the subset for
+ * The full set created by `auth_migrations` — use for clean-slate
+ * test DB initialization. `auth_truncate_tables` is the subset for
  * between-test data cleanup (excludes `audit_log`).
  *
- * When adding tables to `AUTH_MIGRATIONS`, add them here too.
+ * When adding tables to `auth_migrations`, add them here too.
  */
-export declare const AUTH_DROP_TABLES: readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "role_grant", "role_grant_offer", "actor", "account", "bootstrap_lock"];
+export declare const auth_drop_tables: readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "role_grant", "role_grant_offer", "actor", "account", "bootstrap_lock"];
 /**
  * Drop all auth tables and schema version tracking for a clean slate.
  *
@@ -89,7 +89,7 @@ export declare const AUTH_DROP_TABLES: readonly ["app_settings", "invite", "audi
  * Safe on fresh databases (`IF EXISTS` on all statements). No-op effect for
  * PGlite (already fresh), but harmless to call unconditionally.
  *
- * @mutates db - drops every table in `AUTH_DROP_TABLES` plus `schema_version`.
+ * @mutates db - drops every table in `auth_drop_tables` plus `schema_version`.
  */
 export declare const drop_auth_schema: (db: Db) => Promise<void>;
 /**

package/dist/testing/db.js

@@ -10,10 +10,10 @@ import './assert_dev_env.js';
  * ```ts
  * import {create_pglite_factory, create_pg_factory} from '@fuzdev/fuz_app/testing/db.js';
  * import {run_migrations} from '@fuzdev/fuz_app/db/migrate.js';
- * import {AUTH_MIGRATION_NS} from '@fuzdev/fuz_app/auth/migrations.js';
+ * import {auth_migration_ns} from '@fuzdev/fuz_app/auth/migrations.js';
  *
  * const init_schema = async (db) => {
- *   await run_migrations(db, [AUTH_MIGRATION_NS]);
+ *   await run_migrations(db, [auth_migration_ns]);
  * };
  * const pglite_factory = create_pglite_factory(init_schema);
  * const pg_factory = create_pg_factory(init_schema, process.env.TEST_DATABASE_URL);
@@ -160,7 +160,7 @@ export const create_pg_factory = (init_schema, test_url) => {
  *
  * Consumer projects can spread this into their own list and append app-specific tables.
  */
-export const AUTH_TRUNCATE_TABLES = [
+export const auth_truncate_tables = [
     'invite',
     'api_token',
     'auth_session',
@@ -173,20 +173,20 @@ export const AUTH_TRUNCATE_TABLES = [
  * Auth tables including `audit_log` — for integration tests that exercise
  * the full middleware stack (login, admin, rate limiting).
  *
- * Separate from `AUTH_TRUNCATE_TABLES` because unit-level DB tests that don't
+ * Separate from `auth_truncate_tables` because unit-level DB tests that don't
  * touch audit logging don't need to truncate it.
  */
-export const AUTH_INTEGRATION_TRUNCATE_TABLES = [...AUTH_TRUNCATE_TABLES, 'audit_log'];
+export const auth_integration_truncate_tables = [...auth_truncate_tables, 'audit_log'];
 /**
  * All auth tables in drop order (children first for FK safety).
  *
- * The full set created by `AUTH_MIGRATIONS` — use for clean-slate
- * test DB initialization. `AUTH_TRUNCATE_TABLES` is the subset for
+ * The full set created by `auth_migrations` — use for clean-slate
+ * test DB initialization. `auth_truncate_tables` is the subset for
  * between-test data cleanup (excludes `audit_log`).
  *
- * When adding tables to `AUTH_MIGRATIONS`, add them here too.
+ * When adding tables to `auth_migrations`, add them here too.
  */
-export const AUTH_DROP_TABLES = [
+export const auth_drop_tables = [
     'app_settings',
     'invite',
     'audit_log',
@@ -207,10 +207,10 @@ export const AUTH_DROP_TABLES = [
  * Safe on fresh databases (`IF EXISTS` on all statements). No-op effect for
  * PGlite (already fresh), but harmless to call unconditionally.
  *
- * @mutates db - drops every table in `AUTH_DROP_TABLES` plus `schema_version`.
+ * @mutates db - drops every table in `auth_drop_tables` plus `schema_version`.
  */
 export const drop_auth_schema = async (db) => {
-    for (const table of AUTH_DROP_TABLES) {
+    for (const table of auth_drop_tables) {
         await db.query(`DROP TABLE IF EXISTS ${assert_valid_sql_identifier(table)} CASCADE`);
     }
     await db.query('DROP TABLE IF EXISTS schema_version CASCADE');

package/dist/testing/integration.js

@@ -17,9 +17,9 @@ import './assert_dev_env.js';
  * @module
  */
 import { describe, test, assert, beforeAll, afterAll } from 'vitest';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_test_app } from './app_server.js';
-import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
+import { create_pglite_factory, create_describe_db, auth_integration_truncate_tables, } from './db.js';
 import { find_auth_route, assert_response_matches_spec, create_expired_test_cookie, assert_no_error_info_leakage, } from './integration_helpers.js';
 import { find_rpc_action, rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 import { RateLimiter } from '../rate_limiter.js';
@@ -70,10 +70,10 @@ export const describe_standard_integration_tests = (options) => {
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
-    const describe_db = create_describe_db(factories, AUTH_INTEGRATION_TRUNCATE_TABLES);
+    const describe_db = create_describe_db(factories, auth_integration_truncate_tables);
     describe_db('standard_integration', (get_db) => {
         const { cookie_name } = options.session_options;
         // Error coverage tracking across test groups

package/dist/testing/integration_helpers.d.ts

@@ -17,18 +17,18 @@ export declare const find_route_spec: (specs: Array<RouteSpec>, method: string,
  * session/token CRUD, admin operations, and role_grant flows live on the RPC
  * surface and should be reached via `rpc_call`.
  */
-export declare const REST_AUTH_ROUTE_SUFFIXES: readonly ["/login", "/logout", "/password", "/verify", "/signup", "/bootstrap"];
-export type RestAuthRouteSuffix = (typeof REST_AUTH_ROUTE_SUFFIXES)[number];
+export declare const rest_auth_route_suffixes: readonly ["/login", "/logout", "/password", "/verify", "/signup", "/bootstrap"];
+export type RestAuthRouteSuffix = (typeof rest_auth_route_suffixes)[number];
 /**
  * Find a REST auth route by suffix and method.
  *
  * Decouples tests from consumer route prefix (`/api/account/login`,
  * `/api/auth/login`, etc.). `suffix` must be one of
- * `REST_AUTH_ROUTE_SUFFIXES` — throws otherwise so a post-migration RPC
+ * `rest_auth_route_suffixes` — throws otherwise so a post-migration RPC
  * method name (e.g. `/sessions/revoke-all`) fails loudly at the call site
  * instead of silently returning `undefined`.
  *
- * @throws Error if `suffix` is not in `REST_AUTH_ROUTE_SUFFIXES`.
+ * @throws Error if `suffix` is not in `rest_auth_route_suffixes`.
  */
 export declare const find_auth_route: (specs: Array<RouteSpec>, suffix: RestAuthRouteSuffix, method: RouteMethod) => RouteSpec | undefined;
 /**
@@ -74,9 +74,9 @@ export declare const assert_rate_limit_retry_after_header: (response: Response,
     retry_after: number;
 }) => void;
 /** Field names that must never appear in any HTTP response body. */
-export declare const SENSITIVE_FIELD_BLOCKLIST: ReadonlyArray<string>;
+export declare const sensitive_field_blocklist: ReadonlyArray<string>;
 /** Field names that must not appear in non-admin HTTP response bodies. */
-export declare const ADMIN_ONLY_FIELD_BLOCKLIST: ReadonlyArray<string>;
+export declare const admin_only_field_blocklist: ReadonlyArray<string>;
 /**
  * Recursively collect all key names from a parsed JSON value.
  *

package/dist/testing/integration_helpers.js

@@ -38,7 +38,7 @@ export const find_route_spec = (specs, method, path) => {
  * session/token CRUD, admin operations, and role_grant flows live on the RPC
  * surface and should be reached via `rpc_call`.
  */
-export const REST_AUTH_ROUTE_SUFFIXES = [
+export const rest_auth_route_suffixes = [
     '/login',
     '/logout',
     '/password',
@@ -51,15 +51,15 @@ export const REST_AUTH_ROUTE_SUFFIXES = [
  *
  * Decouples tests from consumer route prefix (`/api/account/login`,
  * `/api/auth/login`, etc.). `suffix` must be one of
- * `REST_AUTH_ROUTE_SUFFIXES` — throws otherwise so a post-migration RPC
+ * `rest_auth_route_suffixes` — throws otherwise so a post-migration RPC
  * method name (e.g. `/sessions/revoke-all`) fails loudly at the call site
  * instead of silently returning `undefined`.
  *
- * @throws Error if `suffix` is not in `REST_AUTH_ROUTE_SUFFIXES`.
+ * @throws Error if `suffix` is not in `rest_auth_route_suffixes`.
  */
 export const find_auth_route = (specs, suffix, method) => {
-    if (!REST_AUTH_ROUTE_SUFFIXES.includes(suffix)) {
-        throw new Error(`find_auth_route: unknown suffix ${JSON.stringify(suffix)} — expected one of ${REST_AUTH_ROUTE_SUFFIXES.join(', ')}. Use rpc_call for RPC methods.`);
+    if (!rest_auth_route_suffixes.includes(suffix)) {
+        throw new Error(`find_auth_route: unknown suffix ${JSON.stringify(suffix)} — expected one of ${rest_auth_route_suffixes.join(', ')}. Use rpc_call for RPC methods.`);
     }
     return specs.find((s) => s.method === method && s.path.endsWith(suffix));
 };
@@ -207,9 +207,9 @@ export const assert_rate_limit_retry_after_header = (response, body) => {
 };
 // --- Data exposure helpers ---
 /** Field names that must never appear in any HTTP response body. */
-export const SENSITIVE_FIELD_BLOCKLIST = ['password_hash', 'token_hash'];
+export const sensitive_field_blocklist = ['password_hash', 'token_hash'];
 /** Field names that must not appear in non-admin HTTP response bodies. */
-export const ADMIN_ONLY_FIELD_BLOCKLIST = ['updated_by', 'created_by'];
+export const admin_only_field_blocklist = ['updated_by', 'created_by'];
 /**
  * Recursively collect all key names from a parsed JSON value.
  *

package/dist/testing/rate_limiting.js

@@ -14,9 +14,9 @@ import './assert_dev_env.js';
 import { describe, test, assert } from 'vitest';
 import { RateLimiter } from '../rate_limiter.js';
 import { RateLimitError } from '../http/error_schemas.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_test_app } from './app_server.js';
-import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
+import { create_pglite_factory, create_describe_db, auth_integration_truncate_tables, } from './db.js';
 import { find_auth_route, assert_rate_limit_retry_after_header } from './integration_helpers.js';
 import { rpc_call_non_browser, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 import { run_migrations } from '../db/migrate.js';
@@ -48,10 +48,10 @@ export const describe_rate_limiting_tests = (options) => {
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
-    const describe_db = create_describe_db(factories, AUTH_INTEGRATION_TRUNCATE_TABLES);
+    const describe_db = create_describe_db(factories, auth_integration_truncate_tables);
     /** Create a tight rate limiter for testing — low attempt count, long window. */
     const create_test_rate_limiter = () => new RateLimiter({ max_attempts, window_ms: 60_000, cleanup_interval_ms: 0 });
     describe_db('rate_limiting', (get_db) => {

package/dist/testing/round_trip.js

@@ -15,7 +15,7 @@ import { create_pglite_factory } from './db.js';
 import { assert_response_matches_spec, pick_auth_headers } from './integration_helpers.js';
 import { resolve_valid_path, generate_valid_body } from './schema_generators.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_stub_app_server_context } from './stubs.js';
 /**
  * Run schema-driven round-trip validation tests.
@@ -33,7 +33,7 @@ import { create_stub_app_server_context } from './stubs.js';
 export const describe_round_trip_validation = (options) => {
     const skip_set = new Set(options.skip_routes);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
     // Pre-compute route specs at describe time so test.each can register one

package/dist/testing/rpc_round_trip.js

@@ -15,7 +15,7 @@ import { create_test_app, } from './app_server.js';
 import { create_pglite_factory } from './db.js';
 import { generate_valid_body } from './schema_generators.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { is_public_auth } from '../http/auth_shape.js';
 import { create_rpc_post_init, create_rpc_get_url, assert_jsonrpc_error_response, assert_jsonrpc_success_response, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 /**
@@ -60,7 +60,7 @@ export const describe_rpc_round_trip_tests = (options) => {
     // what the live dispatcher serves.
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
     for (const factory of factories) {

package/dist/testing/schema_generators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema_generators.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/schema_generators.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAKN,KAAK,YAAY,EACjB,MAAM,yBAAyB,CAAC;AAIjC;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAI,cAAc,CAAC,CAAC,OAAO,KAAG,MAAM,GAAG,IAkBhE,CAAC;AA+FF,qEAAqE;AACrE,eAAO,MAAM,oBAAoB,GAAI,OAAO,YAAY,EAAE,cAAc,CAAC,CAAC,OAAO,KAAG,OA+EnF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,GAAI,MAAM,MAAM,EAAE,gBAAgB,CAAC,CAAC,SAAS,KAAG,MAa9E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,GAC/B,cAAc,CAAC,CAAC,OAAO,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SA6B5B,CAAC"}
+{"version":3,"file":"schema_generators.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/schema_generators.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAKN,KAAK,YAAY,EACjB,MAAM,yBAAyB,CAAC;AAIjC;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAI,cAAc,CAAC,CAAC,OAAO,KAAG,MAAM,GAAG,IAkBhE,CAAC;AA+FF,qEAAqE;AACrE,eAAO,MAAM,oBAAoB,GAAI,OAAO,YAAY,EAAE,cAAc,CAAC,CAAC,OAAO,KAAG,OAgGnF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,GAAI,MAAM,MAAM,EAAE,gBAAgB,CAAC,CAAC,SAAS,KAAG,MAa9E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,GAC/B,cAAc,CAAC,CAAC,OAAO,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SA6B5B,CAAC"}

package/dist/testing/schema_generators.js

@@ -158,8 +158,29 @@ export const generate_valid_value = (field, field_schema) => {
             return 1;
         case 'boolean':
             return true;
-        case 'array':
-            return [];
+        case 'array': {
+            let min_items = 0;
+            try {
+                const json = z.toJSONSchema(field_schema);
+                if (typeof json.minItems === 'number')
+                    min_items = json.minItems;
+            }
+            catch {
+                // no constraint
+            }
+            if (min_items === 0)
+                return [];
+            const def = zod_unwrap_def(field_schema);
+            const element_schema = def.element;
+            if (!element_schema)
+                return [];
+            const element_field = {
+                ...field,
+                base_type: zod_get_base_type(element_schema),
+            };
+            const item = generate_valid_value(element_field, element_schema);
+            return Array.from({ length: min_items }, () => item);
+        }
         case 'object': {
             // Recursively generate valid nested objects
             const nested_schema = zod_unwrap_to_object(field_schema);

package/dist/testing/sse_round_trip.js

@@ -21,7 +21,7 @@ import { create_pglite_factory } from './db.js';
 import { find_route_spec, pick_auth_headers } from './integration_helpers.js';
 import { rpc_call, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { account_session_revoke_all_action_spec } from '../auth/account_action_specs.js';
 /**
  * Read one complete SSE frame (up to `\n\n`) from a stream reader.
@@ -138,7 +138,7 @@ export const describe_sse_route_tests = (options) => {
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
     for (const factory of factories) {

package/dist/testing/surface_invariants.d.ts

@@ -178,13 +178,13 @@ export interface ErrorSchemaTightnessOptions {
  * them here instead of forcing every consumer to hand-maintain the entry.
  *
  * Paths assume the standard `/api/account` + `/api/db` prefixes used by every
- * fuz_app consumer. Merged into `DEFAULT_ERROR_SCHEMA_TIGHTNESS.allowlist` so
+ * fuz_app consumer. Merged into `default_error_schema_tightness.allowlist` so
  * consumers calling `assert_error_schema_tightness` directly inherit the
  * exemptions; the standard attack-surface suite also prepends these entries
  * underneath any consumer-supplied allowlist so project-specific entries are
  * additive.
  */
-export declare const FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST: ReadonlyArray<string>;
+export declare const fuz_app_stock_route_tightness_allowlist: ReadonlyArray<string>;
 /**
  * Baseline error schema tightness applied by
  * `describe_standard_attack_surface_tests` when no config is passed.
@@ -192,13 +192,13 @@ export declare const FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST: ReadonlyArray<stri
  * Uses `min_specificity: 'enum'` (the assertion default) with `ignore_statuses`
  * for middleware-derived status codes that are commonly generic (auth middleware
  * produces multiple error codes at 401/403, and 429 comes from rate limiters),
- * and `allowlist` seeded with `FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST` so
+ * and `allowlist` seeded with `fuz_app_stock_route_tightness_allowlist` so
  * fuz_app-shipped routes with heterogeneous generic schemas don't force every
  * consumer to hand-maintain an identical allowlist. Consumers can pass a
  * narrower config with project-specific `allowlist` entries, or pass `null`
  * to skip the assertion entirely.
  */
-export declare const DEFAULT_ERROR_SCHEMA_TIGHTNESS: ErrorSchemaTightnessOptions;
+export declare const default_error_schema_tightness: ErrorSchemaTightnessOptions;
 /**
  * Assert that all error schemas meet a minimum specificity threshold.
  *

package/dist/testing/surface_invariants.js

@@ -467,13 +467,13 @@ const SPECIFICITY_ORDER = {
  * them here instead of forcing every consumer to hand-maintain the entry.
  *
  * Paths assume the standard `/api/account` + `/api/db` prefixes used by every
- * fuz_app consumer. Merged into `DEFAULT_ERROR_SCHEMA_TIGHTNESS.allowlist` so
+ * fuz_app consumer. Merged into `default_error_schema_tightness.allowlist` so
  * consumers calling `assert_error_schema_tightness` directly inherit the
  * exemptions; the standard attack-surface suite also prepends these entries
  * underneath any consumer-supplied allowlist so project-specific entries are
  * additive.
  */
-export const FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST = [];
+export const fuz_app_stock_route_tightness_allowlist = [];
 /**
  * Baseline error schema tightness applied by
  * `describe_standard_attack_surface_tests` when no config is passed.
@@ -481,15 +481,15 @@ export const FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST = [];
  * Uses `min_specificity: 'enum'` (the assertion default) with `ignore_statuses`
  * for middleware-derived status codes that are commonly generic (auth middleware
  * produces multiple error codes at 401/403, and 429 comes from rate limiters),
- * and `allowlist` seeded with `FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST` so
+ * and `allowlist` seeded with `fuz_app_stock_route_tightness_allowlist` so
  * fuz_app-shipped routes with heterogeneous generic schemas don't force every
  * consumer to hand-maintain an identical allowlist. Consumers can pass a
  * narrower config with project-specific `allowlist` entries, or pass `null`
  * to skip the assertion entirely.
  */
-export const DEFAULT_ERROR_SCHEMA_TIGHTNESS = {
+export const default_error_schema_tightness = {
     ignore_statuses: [401, 403, 429],
-    allowlist: [...FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST],
+    allowlist: [...fuz_app_stock_route_tightness_allowlist],
 };
 /**
  * Assert that all error schemas meet a minimum specificity threshold.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.58.0",
+  "version": "0.60.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",