@fuzdev/fuz_app 0.59.0 → 0.61.0

package/dist/testing/CLAUDE.md

@@ -91,7 +91,7 @@ from `app_server.ts` instead.
 ## Database — `db.ts`
 
 Factory builders for parameterized DB tests. Consumer projects pass their
-`init_schema` callback (which calls `run_migrations(db, [AUTH_MIGRATION_NS, ...app_migrations])`);
+`init_schema` callback (which calls `run_migrations(db, [auth_migration_ns, ...app_migrations])`);
 factories accept any migration namespace set.
 
 | Helper                                           | Role                                                                                                                                                                                                                                                                                                 |
@@ -101,10 +101,10 @@ factories accept any migration namespace set.
 | `reset_pglite(db)`                               | `DROP SCHEMA public CASCADE` + recreate. Reuses a live PGlite instance.                                                                                                                                                                                                                              |
 | `create_pglite_factory(init_schema)`             | In-memory; no external deps; `skip: false`. See WASM caching below.                                                                                                                                                                                                                                  |
 | `create_pg_factory(init_schema, test_url?)`      | PostgreSQL; `skip: true` when `test_url` is missing; drops `schema_version` before `init_schema` so migrations re-evaluate against actual tables (prevents stale tracker rows from skipping migrations when DDL changes between test sessions); pool is reused + cleaned up across `create()` calls. |
-| `AUTH_TRUNCATE_TABLES`                           | `['invite', 'api_token', 'auth_session', 'role_grant', 'role_grant_offer', 'actor', 'account']` in FK-safe order. Excludes `audit_log` — unit DB tests don't need to truncate it.                                                                                                                    |
-| `AUTH_INTEGRATION_TRUNCATE_TABLES`               | `AUTH_TRUNCATE_TABLES + ['audit_log']` — for integration suites that exercise the audit path.                                                                                                                                                                                                        |
-| `AUTH_DROP_TABLES`                               | Full set from `AUTH_MIGRATIONS` in drop order; call `drop_auth_schema(db)` at the top of `init_schema` on persistent pg databases that may hold stale DDL from previous fuz_app versions.                                                                                                            |
-| `drop_auth_schema(db)`                           | `DROP TABLE IF EXISTS <table> CASCADE` for every entry in `AUTH_DROP_TABLES` plus `schema_version`. Safe on fresh DBs.                                                                                                                                                                               |
+| `auth_truncate_tables`                           | `['invite', 'api_token', 'auth_session', 'role_grant', 'role_grant_offer', 'actor', 'account']` in FK-safe order. Excludes `audit_log` — unit DB tests don't need to truncate it.                                                                                                                    |
+| `auth_integration_truncate_tables`               | `auth_truncate_tables + ['audit_log']` — for integration suites that exercise the audit path.                                                                                                                                                                                                        |
+| `auth_drop_tables`                               | Full set from `auth_migrations` in drop order; call `drop_auth_schema(db)` at the top of `init_schema` on persistent pg databases that may hold stale DDL from previous fuz_app versions.                                                                                                            |
+| `drop_auth_schema(db)`                           | `DROP TABLE IF EXISTS <table> CASCADE` for every entry in `auth_drop_tables` plus `schema_version`. Safe on fresh DBs.                                                                                                                                                                               |
 | `create_describe_db(factories, truncate_tables)` | Returns `describe_db(name, fn)` that runs `fn(get_db)` once per factory, inside a `describe` block with shared `beforeAll(create)` + `beforeEach(TRUNCATE)` + `afterAll(close)`. Skipped factories use `describe.skip`.                                                                              |
 | `log_db_factory_status(factories)`               | Console summary of enabled / skipped factories.                                                                                                                                                                                                                                                      |
 
@@ -234,13 +234,13 @@ Tightness audit:
   classifies every route × status combination as `'literal' | 'enum' | 'generic'`.
 - `assert_error_schema_tightness(surface, options?)` — fails routes below a
   threshold (`min_specificity`, default `'enum'`) with `allowlist` + `ignore_statuses` escape hatches.
-- `FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST` — currently empty. Every
+- `fuz_app_stock_route_tightness_allowlist` — currently empty. Every
   fuz_app-shipped route (account login/password/bootstrap/signup, db
   health/tables/:name/tables/:name/rows/:id) has been tightened in place to
   `z.enum([...])` / `z.literal(...)` against every emit-site code. Kept as a
   forward-compatibility hook for future stock routes that need an interim
   exemption; paths assume the standard `/api/account` + `/api/db` prefixes.
-- `DEFAULT_ERROR_SCHEMA_TIGHTNESS` — `{ignore_statuses: [401, 403, 429], allowlist: FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST}`.
+- `default_error_schema_tightness` — `{ignore_statuses: [401, 403, 429], allowlist: fuz_app_stock_route_tightness_allowlist}`.
   Applied by `describe_standard_attack_surface_tests` when
   `error_schema_tightness` is omitted; pass an override config or `null` to
   opt out.
@@ -323,8 +323,8 @@ Walks Zod schemas to generate valid values for adversarial/round-trip tests.
 | `check_error_response_fields(body)`                                | Returns the list of fields outside `KNOWN_SAFE_ERROR_FIELDS` (`error`, `issues`, `required_roles`, `required_credential_types`, `retry_after`, `has_references`, `ok`).                                                                  |
 | `assert_no_error_info_leakage(body, context)`                      | Rejects field-name patterns (`stack`, `trace`, `sql`, …) + value patterns (`node_modules`, stack-like `at …`, `.ts:NN`).                                                                                                                 |
 | `assert_rate_limit_retry_after_header(response, body)`             | `Retry-After` numeric header equals `Math.ceil(body.retry_after)`.                                                                                                                                                                       |
-| `SENSITIVE_FIELD_BLOCKLIST`                                        | `['password_hash', 'token_hash']` — never in any response body.                                                                                                                                                                          |
-| `ADMIN_ONLY_FIELD_BLOCKLIST`                                       | `['updated_by', 'created_by']` — never in non-admin response bodies.                                                                                                                                                                     |
+| `sensitive_field_blocklist`                                        | `['password_hash', 'token_hash']` — never in any response body.                                                                                                                                                                          |
+| `admin_only_field_blocklist`                                       | `['updated_by', 'created_by']` — never in non-admin response bodies.                                                                                                                                                                     |
 | `collect_json_keys_recursive(value)`                               | Deep walk; returns `Set<string>` of every key at every nesting depth.                                                                                                                                                                    |
 | `assert_no_sensitive_fields_in_json(body, blocklist, context)`     | Rejects any key in the blocklist at any depth.                                                                                                                                                                                           |
 | `pick_auth_headers(spec, test_app, authed_account, admin_account)` | `RouteAuth` → appropriate test credentials; role `admin` uses `admin_account`, other roles use bootstrapped keeper, `keeper` uses daemon token.                                                                                          |
@@ -337,7 +337,7 @@ Single-call bundle of 5 top-level groups (10 named tests + every
 adversarial case per route):
 
 1. **attack surface snapshot** — `matches committed snapshot`, `is deterministic`.
-2. **attack surface structure** — `only expected public routes`, `full middleware stack on API routes`, `surface invariants`, `security policy`, `error schema tightness` (logs counts and asserts against `DEFAULT_ERROR_SCHEMA_TIGHTNESS` by default; pass an override config or `null` via `error_schema_tightness`).
+2. **attack surface structure** — `only expected public routes`, `full middleware stack on API routes`, `surface invariants`, `security policy`, `error schema tightness` (logs counts and asserts against `default_error_schema_tightness` by default; pass an override config or `null` via `error_schema_tightness`).
 3. **adversarial HTTP auth enforcement** — `unauthenticated → 401`, `wrong role → 403` × roles, `authenticated without role → 403`, `keeper routes reject session credential → 403`, `correct auth passes guard`.
 4. **adversarial input validation** — delegated to `describe_adversarial_input`.
 5. **adversarial 404 response validation** — delegated to `describe_adversarial_404`.
@@ -511,8 +511,8 @@ new arrivals (default 1000ms); drops the waiter on timeout so the
 Six tests in two top-level groups:
 
 1. **schema-level** (3 tests, no DB) — walks JSON Schema representations:
-   - `no sensitive fields in any output schema` — `SENSITIVE_FIELD_BLOCKLIST`
-   - `no admin-only fields in non-admin output schemas` — `ADMIN_ONLY_FIELD_BLOCKLIST`
+   - `no sensitive fields in any output schema` — `sensitive_field_blocklist`
+   - `no admin-only fields in non-admin output schemas` — `admin_only_field_blocklist`
    - `no sensitive fields in any error schema`
 2. **runtime** (3 tests, DB-backed via `create_test_app`):
    - `unauthenticated error responses contain no sensitive fields`
@@ -699,6 +699,16 @@ deps — no DB needed.
 
 Options: `{build: () => AppSurfaceSpec, roles: Array<string>}`.
 
+**Opt-in bundles need their own per-bundle suite file.** Action bundles
+not folded into `create_standard_rpc_actions` (today `self_service_role_actions`
+and `actor_lookup_actions`) get zero adversarial / round-trip coverage
+from `describe_rpc_attack_surface_tests` + `describe_rpc_round_trip_tests`
+unless the consumer ships a `<module>.rpc_suites.db.test.ts` mounting the
+opt-in factory on the RPC endpoint and calling both suites. See
+`../../test/CLAUDE.md` §Composable Test Suites for the obligation note
+and `actor_lookup_actions.rpc_suites.db.test.ts` /
+`role_grant_offer_actions.rpc_suites.db.test.ts` as templates.
+
 ## Cross-cutting conventions
 
 - **`assert` from vitest, not `expect`.** Project-wide convention

package/dist/testing/admin_integration.js

@@ -28,9 +28,9 @@ import './assert_dev_env.js';
 import { describe, test, assert, afterAll } from 'vitest';
 import { ROLE_KEEPER, ROLE_ADMIN } from '../auth/role_schema.js';
 import { GRANT_PATH_ADMIN } from '../auth/grant_path_schema.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_test_app } from './app_server.js';
-import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
+import { create_pglite_factory, create_describe_db, auth_integration_truncate_tables, } from './db.js';
 import { find_auth_route } from './integration_helpers.js';
 import { run_migrations } from '../db/migrate.js';
 import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERROR_COVERAGE, } from './error_coverage.js';
@@ -88,10 +88,10 @@ export const describe_standard_admin_integration_tests = (options) => {
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
-    const describe_db = create_describe_db(factories, AUTH_INTEGRATION_TRUNCATE_TABLES);
+    const describe_db = create_describe_db(factories, auth_integration_truncate_tables);
     describe_db('standard_admin_integration', (get_db) => {
         const { cookie_name } = options.session_options;
         const { role_specs } = options.roles;

package/dist/testing/app_server.d.ts

@@ -120,7 +120,7 @@ export interface TestAppServerOptions {
      *
      * Use when the consumer registers extra event types via
      * `create_audit_log_config({extra_events})` — without this, emits for
-     * those events fall back to `BUILTIN_AUDIT_LOG_CONFIG` and log
+     * those events fall back to `builtin_audit_log_config` and log
      * "unknown event_type" warnings.
      */
     audit_log_config?: AuditLogConfig;

package/dist/testing/app_server.js

@@ -10,7 +10,7 @@ import { generate_session_token, hash_session_token, AUTH_SESSION_LIFETIME_MS, q
 import { query_create_api_token } from '../auth/api_token_queries.js';
 import { create_session_cookie_value } from '../auth/session_cookie.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_audit_emitter } from '../auth/audit_emitter.js';
 import { create_app_server, } from '../server/app_server.js';
 import { generate_daemon_token, DAEMON_TOKEN_HEADER, } from '../auth/daemon_token.js';
@@ -33,7 +33,7 @@ export const TEST_COOKIE_SECRET = 'a'.repeat(64);
 // Shares the WASM instance cache from test_db.ts, avoiding redundant cold starts
 // within the same vitest worker thread. Schema is reset on each create() call.
 const fallback_pglite_factory = create_pglite_factory(async (db) => {
-    await run_migrations(db, [AUTH_MIGRATION_NS]);
+    await run_migrations(db, [auth_migration_ns]);
 });
 /**
  * Bootstrap a test account with credentials.

package/dist/testing/attack_surface.d.ts

@@ -20,7 +20,7 @@ export interface AdversarialTestOptions {
 export declare const describe_adversarial_auth: (options: AdversarialTestOptions) => void;
 /**
  * Merge a consumer's `error_schema_tightness` option with
- * `DEFAULT_ERROR_SCHEMA_TIGHTNESS` so `allowlist` and `ignore_statuses` are
+ * `default_error_schema_tightness` so `allowlist` and `ignore_statuses` are
  * additive rather than replacing.
  *
  * - `undefined` → return the default as-is.
@@ -52,9 +52,9 @@ export interface StandardAttackSurfaceOptions {
     security_policy?: SurfaceSecurityPolicyOptions;
     /**
      * Error schema tightness assertion config. Defaults to
-     * `DEFAULT_ERROR_SCHEMA_TIGHTNESS` (ignores 401/403/429,
+     * `default_error_schema_tightness` (ignores 401/403/429,
      * `min_specificity: 'enum'`, allowlist seeded with
-     * `FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST`).
+     * `fuz_app_stock_route_tightness_allowlist`).
      *
      * Consumer-supplied `allowlist` and `ignore_statuses` are **additive** —
      * the suite merges them underneath the stock defaults, so project-specific
@@ -74,7 +74,7 @@ export interface StandardAttackSurfaceOptions {
  * 4. Middleware stack — every API route has the full middleware chain
  * 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency)
  * 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
- * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `DEFAULT_ERROR_SCHEMA_TIGHTNESS` by default (opt out with `error_schema_tightness: null`)
+ * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `default_error_schema_tightness` by default (opt out with `error_schema_tightness: null`)
  * 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
  * 9. Adversarial input — input body and params validation
  * 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas

package/dist/testing/attack_surface.js

@@ -15,7 +15,7 @@ import './assert_dev_env.js';
  * @module
  */
 import { test, assert, describe } from 'vitest';
-import { assert_surface_invariants, assert_surface_security_policy, audit_error_schema_tightness, assert_error_schema_tightness, DEFAULT_ERROR_SCHEMA_TIGHTNESS, FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST, } from './surface_invariants.js';
+import { assert_surface_invariants, assert_surface_security_policy, audit_error_schema_tightness, assert_error_schema_tightness, default_error_schema_tightness, fuz_app_stock_route_tightness_allowlist, } from './surface_invariants.js';
 import { describe_adversarial_input } from './adversarial_input.js';
 import { describe_adversarial_404 } from './adversarial_404.js';
 import { create_test_app_from_specs, create_test_request_context, create_auth_test_apps, select_auth_app, resolve_test_path, } from './auth_apps.js';
@@ -164,7 +164,7 @@ export const describe_adversarial_auth = (options) => {
 // --- Standard attack surface test suite ---
 /**
  * Merge a consumer's `error_schema_tightness` option with
- * `DEFAULT_ERROR_SCHEMA_TIGHTNESS` so `allowlist` and `ignore_statuses` are
+ * `default_error_schema_tightness` so `allowlist` and `ignore_statuses` are
  * additive rather than replacing.
  *
  * - `undefined` → return the default as-is.
@@ -181,11 +181,11 @@ export const resolve_standard_error_schema_tightness = (consumer) => {
     if (consumer === null)
         return null;
     return {
-        ...DEFAULT_ERROR_SCHEMA_TIGHTNESS,
+        ...default_error_schema_tightness,
         ...consumer,
-        allowlist: [...FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST, ...(consumer?.allowlist ?? [])],
+        allowlist: [...fuz_app_stock_route_tightness_allowlist, ...(consumer?.allowlist ?? [])],
         ignore_statuses: [
-            ...(DEFAULT_ERROR_SCHEMA_TIGHTNESS.ignore_statuses ?? []),
+            ...(default_error_schema_tightness.ignore_statuses ?? []),
             ...(consumer?.ignore_statuses ?? []),
         ],
     };
@@ -200,7 +200,7 @@ export const resolve_standard_error_schema_tightness = (consumer) => {
  * 4. Middleware stack — every API route has the full middleware chain
  * 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency)
  * 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
- * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `DEFAULT_ERROR_SCHEMA_TIGHTNESS` by default (opt out with `error_schema_tightness: null`)
+ * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `default_error_schema_tightness` by default (opt out with `error_schema_tightness: null`)
  * 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
  * 9. Adversarial input — input body and params validation
  * 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas

package/dist/testing/audit_completeness.js

@@ -15,9 +15,9 @@ import './assert_dev_env.js';
 import { describe, test, assert } from 'vitest';
 import { ROLE_KEEPER, ROLE_ADMIN } from '../auth/role_schema.js';
 import { AUDIT_EVENT_TYPES } from '../auth/audit_log_schema.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_test_app, } from './app_server.js';
-import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
+import { create_pglite_factory, create_describe_db, auth_integration_truncate_tables, } from './db.js';
 import { find_auth_route } from './integration_helpers.js';
 import { run_migrations } from '../db/migrate.js';
 import { query_accept_offer } from '../auth/role_grant_offer_queries.js';
@@ -75,10 +75,10 @@ export const describe_audit_completeness_tests = (options) => {
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
-    const describe_db = create_describe_db(factories, AUTH_INTEGRATION_TRUNCATE_TABLES);
+    const describe_db = create_describe_db(factories, auth_integration_truncate_tables);
     describe_db('audit_log_completeness', (get_db) => {
         // --- Account routes ---
         describe('account mutation audit events', () => {

package/dist/testing/data_exposure.d.ts

@@ -27,9 +27,9 @@ export interface DataExposureTestOptions {
     session_options: SessionOptions<string>;
     /** Route spec factory for runtime tests. */
     create_route_specs: (ctx: AppServerContext) => Array<RouteSpec>;
-    /** Fields that must never appear in any response. Default: `SENSITIVE_FIELD_BLOCKLIST`. */
+    /** Fields that must never appear in any response. Default: `sensitive_field_blocklist`. */
     sensitive_fields?: ReadonlyArray<string>;
-    /** Fields that must not appear in non-admin responses. Default: `ADMIN_ONLY_FIELD_BLOCKLIST`. */
+    /** Fields that must not appear in non-admin responses. Default: `admin_only_field_blocklist`. */
     admin_only_fields?: ReadonlyArray<string>;
     /** Optional overrides for `AppServerOptions`. */
     app_options?: Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>>;

package/dist/testing/data_exposure.js

@@ -16,10 +16,10 @@ import { create_test_app } from './app_server.js';
 import { create_pglite_factory } from './db.js';
 import { resolve_valid_path, generate_valid_body } from './schema_generators.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { is_null_schema, is_strict_object_schema } from '../http/schema_helpers.js';
 import { is_keeper_auth, is_public_auth } from '../http/auth_shape.js';
-import { SENSITIVE_FIELD_BLOCKLIST, ADMIN_ONLY_FIELD_BLOCKLIST, assert_no_sensitive_fields_in_json, pick_auth_headers, } from './integration_helpers.js';
+import { sensitive_field_blocklist, admin_only_field_blocklist, assert_no_sensitive_fields_in_json, pick_auth_headers, } from './integration_helpers.js';
 // --- Schema introspection ---
 /**
  * Recursively collect all property names from a JSON Schema.
@@ -58,7 +58,7 @@ export const collect_json_schema_property_names = (schema) => {
 /**
  * Assert that no output schema in the surface contains sensitive field names.
  */
-export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fields = SENSITIVE_FIELD_BLOCKLIST) => {
+export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fields = sensitive_field_blocklist) => {
     for (const route of surface.routes) {
         if (route.output_schema === null)
             continue;
@@ -71,7 +71,7 @@ export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fie
 /**
  * Assert that non-admin route output schemas don't contain admin-only fields.
  */
-export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST) => {
+export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fields = admin_only_field_blocklist) => {
     const non_admin = surface.routes.filter((r) => !is_keeper_auth(r.auth) && !(r.auth.roles?.includes('admin') ?? false));
     for (const route of non_admin) {
         if (route.output_schema === null)
@@ -92,7 +92,7 @@ export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fie
  *    contain no sensitive fields
  */
 export const describe_data_exposure_tests = (options) => {
-    const { build, sensitive_fields = SENSITIVE_FIELD_BLOCKLIST, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST, } = options;
+    const { build, sensitive_fields = sensitive_field_blocklist, admin_only_fields = admin_only_field_blocklist, } = options;
     describe('data exposure — schema-level', () => {
         const { surface } = build();
         test('no sensitive fields in any output schema', () => {
@@ -118,10 +118,10 @@ export const describe_data_exposure_tests = (options) => {
 };
 // --- Runtime tests ---
 const describe_data_exposure_runtime_tests = (options) => {
-    const { sensitive_fields = SENSITIVE_FIELD_BLOCKLIST, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST, } = options;
+    const { sensitive_fields = sensitive_field_blocklist, admin_only_fields = admin_only_field_blocklist, } = options;
     const skip_set = new Set(options.skip_routes);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
     for (const factory of factories) {

package/dist/testing/db.d.ts

@@ -61,25 +61,25 @@ export declare const create_pg_factory: (init_schema: (db: Db) => Promise<void>,
  *
  * Consumer projects can spread this into their own list and append app-specific tables.
  */
-export declare const AUTH_TRUNCATE_TABLES: string[];
+export declare const auth_truncate_tables: string[];
 /**
  * Auth tables including `audit_log` — for integration tests that exercise
  * the full middleware stack (login, admin, rate limiting).
  *
- * Separate from `AUTH_TRUNCATE_TABLES` because unit-level DB tests that don't
+ * Separate from `auth_truncate_tables` because unit-level DB tests that don't
  * touch audit logging don't need to truncate it.
  */
-export declare const AUTH_INTEGRATION_TRUNCATE_TABLES: string[];
+export declare const auth_integration_truncate_tables: string[];
 /**
  * All auth tables in drop order (children first for FK safety).
  *
- * The full set created by `AUTH_MIGRATIONS` — use for clean-slate
- * test DB initialization. `AUTH_TRUNCATE_TABLES` is the subset for
+ * The full set created by `auth_migrations` — use for clean-slate
+ * test DB initialization. `auth_truncate_tables` is the subset for
  * between-test data cleanup (excludes `audit_log`).
  *
- * When adding tables to `AUTH_MIGRATIONS`, add them here too.
+ * When adding tables to `auth_migrations`, add them here too.
  */
-export declare const AUTH_DROP_TABLES: readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "role_grant", "role_grant_offer", "actor", "account", "bootstrap_lock"];
+export declare const auth_drop_tables: readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "role_grant", "role_grant_offer", "actor", "account", "bootstrap_lock"];
 /**
  * Drop all auth tables and schema version tracking for a clean slate.
  *
@@ -89,7 +89,7 @@ export declare const AUTH_DROP_TABLES: readonly ["app_settings", "invite", "audi
  * Safe on fresh databases (`IF EXISTS` on all statements). No-op effect for
  * PGlite (already fresh), but harmless to call unconditionally.
  *
- * @mutates db - drops every table in `AUTH_DROP_TABLES` plus `schema_version`.
+ * @mutates db - drops every table in `auth_drop_tables` plus `schema_version`.
  */
 export declare const drop_auth_schema: (db: Db) => Promise<void>;
 /**

package/dist/testing/db.js

@@ -10,10 +10,10 @@ import './assert_dev_env.js';
  * ```ts
  * import {create_pglite_factory, create_pg_factory} from '@fuzdev/fuz_app/testing/db.js';
  * import {run_migrations} from '@fuzdev/fuz_app/db/migrate.js';
- * import {AUTH_MIGRATION_NS} from '@fuzdev/fuz_app/auth/migrations.js';
+ * import {auth_migration_ns} from '@fuzdev/fuz_app/auth/migrations.js';
  *
  * const init_schema = async (db) => {
- *   await run_migrations(db, [AUTH_MIGRATION_NS]);
+ *   await run_migrations(db, [auth_migration_ns]);
  * };
  * const pglite_factory = create_pglite_factory(init_schema);
  * const pg_factory = create_pg_factory(init_schema, process.env.TEST_DATABASE_URL);
@@ -160,7 +160,7 @@ export const create_pg_factory = (init_schema, test_url) => {
  *
  * Consumer projects can spread this into their own list and append app-specific tables.
  */
-export const AUTH_TRUNCATE_TABLES = [
+export const auth_truncate_tables = [
     'invite',
     'api_token',
     'auth_session',
@@ -173,20 +173,20 @@ export const AUTH_TRUNCATE_TABLES = [
  * Auth tables including `audit_log` — for integration tests that exercise
  * the full middleware stack (login, admin, rate limiting).
  *
- * Separate from `AUTH_TRUNCATE_TABLES` because unit-level DB tests that don't
+ * Separate from `auth_truncate_tables` because unit-level DB tests that don't
  * touch audit logging don't need to truncate it.
  */
-export const AUTH_INTEGRATION_TRUNCATE_TABLES = [...AUTH_TRUNCATE_TABLES, 'audit_log'];
+export const auth_integration_truncate_tables = [...auth_truncate_tables, 'audit_log'];
 /**
  * All auth tables in drop order (children first for FK safety).
  *
- * The full set created by `AUTH_MIGRATIONS` — use for clean-slate
- * test DB initialization. `AUTH_TRUNCATE_TABLES` is the subset for
+ * The full set created by `auth_migrations` — use for clean-slate
+ * test DB initialization. `auth_truncate_tables` is the subset for
  * between-test data cleanup (excludes `audit_log`).
  *
- * When adding tables to `AUTH_MIGRATIONS`, add them here too.
+ * When adding tables to `auth_migrations`, add them here too.
  */
-export const AUTH_DROP_TABLES = [
+export const auth_drop_tables = [
     'app_settings',
     'invite',
     'audit_log',
@@ -207,10 +207,10 @@ export const AUTH_DROP_TABLES = [
  * Safe on fresh databases (`IF EXISTS` on all statements). No-op effect for
  * PGlite (already fresh), but harmless to call unconditionally.
  *
- * @mutates db - drops every table in `AUTH_DROP_TABLES` plus `schema_version`.
+ * @mutates db - drops every table in `auth_drop_tables` plus `schema_version`.
  */
 export const drop_auth_schema = async (db) => {
-    for (const table of AUTH_DROP_TABLES) {
+    for (const table of auth_drop_tables) {
         await db.query(`DROP TABLE IF EXISTS ${assert_valid_sql_identifier(table)} CASCADE`);
     }
     await db.query('DROP TABLE IF EXISTS schema_version CASCADE');

package/dist/testing/integration.js

@@ -17,9 +17,9 @@ import './assert_dev_env.js';
  * @module
  */
 import { describe, test, assert, beforeAll, afterAll } from 'vitest';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_test_app } from './app_server.js';
-import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
+import { create_pglite_factory, create_describe_db, auth_integration_truncate_tables, } from './db.js';
 import { find_auth_route, assert_response_matches_spec, create_expired_test_cookie, assert_no_error_info_leakage, } from './integration_helpers.js';
 import { find_rpc_action, rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 import { RateLimiter } from '../rate_limiter.js';
@@ -70,10 +70,10 @@ export const describe_standard_integration_tests = (options) => {
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
-    const describe_db = create_describe_db(factories, AUTH_INTEGRATION_TRUNCATE_TABLES);
+    const describe_db = create_describe_db(factories, auth_integration_truncate_tables);
     describe_db('standard_integration', (get_db) => {
         const { cookie_name } = options.session_options;
         // Error coverage tracking across test groups

package/dist/testing/integration_helpers.d.ts

@@ -17,18 +17,18 @@ export declare const find_route_spec: (specs: Array<RouteSpec>, method: string,
  * session/token CRUD, admin operations, and role_grant flows live on the RPC
  * surface and should be reached via `rpc_call`.
  */
-export declare const REST_AUTH_ROUTE_SUFFIXES: readonly ["/login", "/logout", "/password", "/verify", "/signup", "/bootstrap"];
-export type RestAuthRouteSuffix = (typeof REST_AUTH_ROUTE_SUFFIXES)[number];
+export declare const rest_auth_route_suffixes: readonly ["/login", "/logout", "/password", "/verify", "/signup", "/bootstrap"];
+export type RestAuthRouteSuffix = (typeof rest_auth_route_suffixes)[number];
 /**
  * Find a REST auth route by suffix and method.
  *
  * Decouples tests from consumer route prefix (`/api/account/login`,
  * `/api/auth/login`, etc.). `suffix` must be one of
- * `REST_AUTH_ROUTE_SUFFIXES` — throws otherwise so a post-migration RPC
+ * `rest_auth_route_suffixes` — throws otherwise so a post-migration RPC
  * method name (e.g. `/sessions/revoke-all`) fails loudly at the call site
  * instead of silently returning `undefined`.
  *
- * @throws Error if `suffix` is not in `REST_AUTH_ROUTE_SUFFIXES`.
+ * @throws Error if `suffix` is not in `rest_auth_route_suffixes`.
  */
 export declare const find_auth_route: (specs: Array<RouteSpec>, suffix: RestAuthRouteSuffix, method: RouteMethod) => RouteSpec | undefined;
 /**
@@ -74,9 +74,9 @@ export declare const assert_rate_limit_retry_after_header: (response: Response,
     retry_after: number;
 }) => void;
 /** Field names that must never appear in any HTTP response body. */
-export declare const SENSITIVE_FIELD_BLOCKLIST: ReadonlyArray<string>;
+export declare const sensitive_field_blocklist: ReadonlyArray<string>;
 /** Field names that must not appear in non-admin HTTP response bodies. */
-export declare const ADMIN_ONLY_FIELD_BLOCKLIST: ReadonlyArray<string>;
+export declare const admin_only_field_blocklist: ReadonlyArray<string>;
 /**
  * Recursively collect all key names from a parsed JSON value.
  *

package/dist/testing/integration_helpers.js

@@ -38,7 +38,7 @@ export const find_route_spec = (specs, method, path) => {
  * session/token CRUD, admin operations, and role_grant flows live on the RPC
  * surface and should be reached via `rpc_call`.
  */
-export const REST_AUTH_ROUTE_SUFFIXES = [
+export const rest_auth_route_suffixes = [
     '/login',
     '/logout',
     '/password',
@@ -51,15 +51,15 @@ export const REST_AUTH_ROUTE_SUFFIXES = [
  *
  * Decouples tests from consumer route prefix (`/api/account/login`,
  * `/api/auth/login`, etc.). `suffix` must be one of
- * `REST_AUTH_ROUTE_SUFFIXES` — throws otherwise so a post-migration RPC
+ * `rest_auth_route_suffixes` — throws otherwise so a post-migration RPC
  * method name (e.g. `/sessions/revoke-all`) fails loudly at the call site
  * instead of silently returning `undefined`.
  *
- * @throws Error if `suffix` is not in `REST_AUTH_ROUTE_SUFFIXES`.
+ * @throws Error if `suffix` is not in `rest_auth_route_suffixes`.
  */
 export const find_auth_route = (specs, suffix, method) => {
-    if (!REST_AUTH_ROUTE_SUFFIXES.includes(suffix)) {
-        throw new Error(`find_auth_route: unknown suffix ${JSON.stringify(suffix)} — expected one of ${REST_AUTH_ROUTE_SUFFIXES.join(', ')}. Use rpc_call for RPC methods.`);
+    if (!rest_auth_route_suffixes.includes(suffix)) {
+        throw new Error(`find_auth_route: unknown suffix ${JSON.stringify(suffix)} — expected one of ${rest_auth_route_suffixes.join(', ')}. Use rpc_call for RPC methods.`);
     }
     return specs.find((s) => s.method === method && s.path.endsWith(suffix));
 };
@@ -207,9 +207,9 @@ export const assert_rate_limit_retry_after_header = (response, body) => {
 };
 // --- Data exposure helpers ---
 /** Field names that must never appear in any HTTP response body. */
-export const SENSITIVE_FIELD_BLOCKLIST = ['password_hash', 'token_hash'];
+export const sensitive_field_blocklist = ['password_hash', 'token_hash'];
 /** Field names that must not appear in non-admin HTTP response bodies. */
-export const ADMIN_ONLY_FIELD_BLOCKLIST = ['updated_by', 'created_by'];
+export const admin_only_field_blocklist = ['updated_by', 'created_by'];
 /**
  * Recursively collect all key names from a parsed JSON value.
  *

package/dist/testing/rate_limiting.js

@@ -14,9 +14,9 @@ import './assert_dev_env.js';
 import { describe, test, assert } from 'vitest';
 import { RateLimiter } from '../rate_limiter.js';
 import { RateLimitError } from '../http/error_schemas.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_test_app } from './app_server.js';
-import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
+import { create_pglite_factory, create_describe_db, auth_integration_truncate_tables, } from './db.js';
 import { find_auth_route, assert_rate_limit_retry_after_header } from './integration_helpers.js';
 import { rpc_call_non_browser, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 import { run_migrations } from '../db/migrate.js';
@@ -48,10 +48,10 @@ export const describe_rate_limiting_tests = (options) => {
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
-    const describe_db = create_describe_db(factories, AUTH_INTEGRATION_TRUNCATE_TABLES);
+    const describe_db = create_describe_db(factories, auth_integration_truncate_tables);
     /** Create a tight rate limiter for testing — low attempt count, long window. */
     const create_test_rate_limiter = () => new RateLimiter({ max_attempts, window_ms: 60_000, cleanup_interval_ms: 0 });
     describe_db('rate_limiting', (get_db) => {

package/dist/testing/round_trip.js

@@ -15,7 +15,7 @@ import { create_pglite_factory } from './db.js';
 import { assert_response_matches_spec, pick_auth_headers } from './integration_helpers.js';
 import { resolve_valid_path, generate_valid_body } from './schema_generators.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { create_stub_app_server_context } from './stubs.js';
 /**
  * Run schema-driven round-trip validation tests.
@@ -33,7 +33,7 @@ import { create_stub_app_server_context } from './stubs.js';
 export const describe_round_trip_validation = (options) => {
     const skip_set = new Set(options.skip_routes);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
     // Pre-compute route specs at describe time so test.each can register one

package/dist/testing/rpc_round_trip.js

@@ -15,7 +15,7 @@ import { create_test_app, } from './app_server.js';
 import { create_pglite_factory } from './db.js';
 import { generate_valid_body } from './schema_generators.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { auth_migration_ns } from '../auth/migrations.js';
 import { is_public_auth } from '../http/auth_shape.js';
 import { create_rpc_post_init, create_rpc_get_url, assert_jsonrpc_error_response, assert_jsonrpc_success_response, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 /**
@@ -60,7 +60,7 @@ export const describe_rpc_round_trip_tests = (options) => {
     // what the live dispatcher serves.
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const init_schema = async (db) => {
-        await run_migrations(db, [AUTH_MIGRATION_NS]);
+        await run_migrations(db, [auth_migration_ns]);
     };
     const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
     for (const factory of factories) {

package/dist/testing/schema_generators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema_generators.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/schema_generators.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAKN,KAAK,YAAY,EACjB,MAAM,yBAAyB,CAAC;AAIjC;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAI,cAAc,CAAC,CAAC,OAAO,KAAG,MAAM,GAAG,IAkBhE,CAAC;AA+FF,qEAAqE;AACrE,eAAO,MAAM,oBAAoB,GAAI,OAAO,YAAY,EAAE,cAAc,CAAC,CAAC,OAAO,KAAG,OA+EnF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,GAAI,MAAM,MAAM,EAAE,gBAAgB,CAAC,CAAC,SAAS,KAAG,MAa9E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,GAC/B,cAAc,CAAC,CAAC,OAAO,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SA6B5B,CAAC"}
+{"version":3,"file":"schema_generators.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/schema_generators.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAKN,KAAK,YAAY,EACjB,MAAM,yBAAyB,CAAC;AAIjC;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAI,cAAc,CAAC,CAAC,OAAO,KAAG,MAAM,GAAG,IAkBhE,CAAC;AA+FF,qEAAqE;AACrE,eAAO,MAAM,oBAAoB,GAAI,OAAO,YAAY,EAAE,cAAc,CAAC,CAAC,OAAO,KAAG,OAgGnF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,GAAI,MAAM,MAAM,EAAE,gBAAgB,CAAC,CAAC,SAAS,KAAG,MAa9E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,GAC/B,cAAc,CAAC,CAAC,OAAO,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SA6B5B,CAAC"}