@fuzdev/fuz_app 0.62.0 → 0.64.0

package/dist/testing/adversarial_headers.d.ts

@@ -15,6 +15,12 @@ export interface AdversarialHeaderCase {
 /**
  * 7 standard adversarial header cases applicable to any middleware stack.
  *
+ * Origin verification is Origin-only — fuz_app's `verify_request_source`
+ * no longer falls back to `Referer` (matches `zzz_server::auth::is_request_origin_allowed`).
+ * Bearer auth still treats a `Referer` header as a browser-context
+ * indicator and silently discards the bearer token — so Referer-bearing
+ * requests reach the route as unauthenticated rather than 403.
+ *
  * @param allowed_origin - an origin that passes the origin check
  */
 export declare const create_standard_adversarial_cases: (allowed_origin: string) => Array<AdversarialHeaderCase>;

package/dist/testing/adversarial_headers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"adversarial_headers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/adversarial_headers.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAY7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAG3B,OAAO,EAGN,KAAK,0BAA0B,EAC/B,MAAM,iBAAiB,CAAC;AAIzB,+DAA+D;AAC/D,MAAM,WAAW,qBAAqB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+GAA+G;IAC/G,qBAAqB,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC;IAClC,qGAAqG;IACrG,oBAAoB,EAAE,QAAQ,GAAG,YAAY,CAAC;CAC9C;AAID;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,GAC7C,gBAAgB,MAAM,KACpB,KAAK,CAAC,qBAAqB,CA+D7B,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qCAAqC,GACjD,YAAY,MAAM,EAClB,SAAS,0BAA0B,EACnC,gBAAgB,MAAM,EACtB,cAAc,KAAK,CAAC,qBAAqB,CAAC,KACxC,IAkCF,CAAC"}
+{"version":3,"file":"adversarial_headers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/adversarial_headers.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAY7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAG3B,OAAO,EAGN,KAAK,0BAA0B,EAC/B,MAAM,iBAAiB,CAAC;AAIzB,+DAA+D;AAC/D,MAAM,WAAW,qBAAqB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+GAA+G;IAC/G,qBAAqB,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC;IAClC,qGAAqG;IACrG,oBAAoB,EAAE,QAAQ,GAAG,YAAY,CAAC;CAC9C;AAID;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iCAAiC,GAC7C,gBAAgB,MAAM,KACpB,KAAK,CAAC,qBAAqB,CAiE7B,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qCAAqC,GACjD,YAAY,MAAM,EAClB,SAAS,0BAA0B,EACnC,gBAAgB,MAAM,EACtB,cAAc,KAAK,CAAC,qBAAqB,CAAC,KACxC,IAkCF,CAAC"}

package/dist/testing/adversarial_headers.js

@@ -8,12 +8,18 @@ import './assert_dev_env.js';
  * @module
  */
 import { test, assert, describe } from 'vitest';
-import { ApiError, ERROR_FORBIDDEN_ORIGIN, ERROR_FORBIDDEN_REFERER } from '../http/error_schemas.js';
+import { ApiError, ERROR_FORBIDDEN_ORIGIN } from '../http/error_schemas.js';
 import { create_test_middleware_stack_app, TEST_MIDDLEWARE_PATH, } from './middleware.js';
 // --- Standard adversarial header cases ---
 /**
  * 7 standard adversarial header cases applicable to any middleware stack.
  *
+ * Origin verification is Origin-only — fuz_app's `verify_request_source`
+ * no longer falls back to `Referer` (matches `zzz_server::auth::is_request_origin_allowed`).
+ * Bearer auth still treats a `Referer` header as a browser-context
+ * indicator and silently discards the bearer token — so Referer-bearing
+ * requests reach the route as unauthenticated rather than 403.
+ *
  * @param allowed_origin - an origin that passes the origin check
  */
 export const create_standard_adversarial_cases = (allowed_origin) => [
@@ -61,17 +67,19 @@ export const create_standard_adversarial_cases = (allowed_origin) => [
         validate_expectation: 'called',
     },
     {
-        name: 'bearer token with Referer from untrusted source is rejected',
+        name: 'bearer token with rogue Referer (no Origin) passes origin check, bearer silently discarded (browser-context indicator)',
+        // Origin-only verification ignores Referer entirely. Bearer auth still
+        // treats Referer presence as a browser-context indicator and discards
+        // the token, so the request reaches the route as unauthenticated.
         headers: {
             Authorization: 'Bearer secret_fuz_token_test',
             Referer: 'https://attacker.com/page',
         },
-        expected_status: 403,
-        expected_error: ERROR_FORBIDDEN_REFERER,
+        expected_status: 200,
         validate_expectation: 'not_called',
     },
     {
-        name: 'bearer token with Referer from allowed origin — bearer silently discarded (browser context)',
+        name: 'bearer token with allowed Referer (no Origin) — bearer silently discarded (browser context)',
         headers: {
             Authorization: 'Bearer secret_fuz_token_test',
             Referer: `${allowed_origin}/page`,

package/dist/testing/app_server.d.ts

@@ -18,8 +18,7 @@ import { type Keyring } from '../auth/keyring.js';
 import type { Db, DbType } from '../db/db.js';
 import type { PasswordHashDeps } from '../auth/password.js';
 import { type SessionOptions } from '../auth/session_cookie.js';
-import type { AuditLogConfig, AuditLogEvent } from '../auth/audit_log_schema.js';
-import type { AppBackend } from '../server/app_backend.js';
+import { type AppBackend, type AuditFactory } from '../server/app_backend.js';
 import { type AppServerOptions, type AppServerContext } from '../server/app_server.js';
 import type { AppSurface, AppSurfaceSpec } from '../http/surface.js';
 import type { RouteSpec } from '../http/route_spec.js';
@@ -107,23 +106,21 @@ export interface TestAppServerOptions {
     /** Roles to grant. Default: `[ROLE_KEEPER]`. */
     roles?: Array<string>;
     /**
-     * Backend audit event callback — threaded into `create_audit_emitter` so
-     * it becomes the first listener on `backend.deps.audit.on_event_chain`.
-     * When `audit_log_sse: true` is passed to `create_app_server`, the SSE
-     * listener is appended after this one. Use to wire consumer SSE auth
-     * guards in tests. Default: no-op.
-     */
-    on_audit_event?: (event: AuditLogEvent) => void;
-    /**
-     * Optional audit log config — threaded into `create_audit_emitter` and
-     * captured inside `backend.deps.audit`'s closure.
+     * Build the bound `AuditEmitter` used by the test backend. Defaults to
+     * `default_audit_factory` (a no-listener `create_audit_emitter` over
+     * the test backend's `{db, log}`). Pass a custom factory when a test
+     * needs:
+     * - to capture audit events (compose `on_audit_event` inside the body)
+     * - to register consumer event-type schemas (pass `audit_log_config`)
+     * - to instrument `emit` ordering (`create_emit_ordering_audit_factory`)
+     * - to wrap or replace the emitter for some other reason
      *
-     * Use when the consumer registers extra event types via
-     * `create_audit_log_config({extra_events})` — without this, emits for
-     * those events fall back to `builtin_audit_log_config` and log
-     * "unknown event_type" warnings.
+     * Matches the production shape — `create_app_backend` requires an
+     * `audit_factory` and `create_test_app_server` mirrors that contract
+     * end-to-end. The earlier `on_audit_event` / `audit_log_config` sugar
+     * fields were removed alongside the `CreateAppBackendOptions` rename.
      */
-    audit_log_config?: AuditLogConfig;
+    audit_factory?: AuditFactory;
 }
 /**
  * Create an app server with a bootstrapped account for testing.
@@ -154,25 +151,29 @@ export interface CreateTestAppOptions extends TestAppServerOptions {
     create_route_specs: (context: AppServerContext) => Array<RouteSpec>;
     /**
      * RPC endpoints mounted by `create_app_server` — eager array or
-     * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` factory. Symmetric
-     * with the suite-level `rpc_endpoints` option on
-     * `describe_standard_admin_integration_tests` etc., so callers wiring a
-     * full RPC stack don't have to switch shapes between low-level and
-     * suite-level helpers. Equivalent to `app_options.rpc_endpoints`; when
-     * both are set `app_options` wins and `console.warn` fires.
+     * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` factory. Single
+     * source of truth; the equivalent slot under `app_options` is `Omit`'d
+     * so setup-time path lookup and runtime dispatch read from one place.
+     * Symmetric with the suite-level `rpc_endpoints` option on
+     * `describe_standard_admin_integration_tests` etc.
      */
     rpc_endpoints?: RpcEndpointsSuiteOption;
-    /** Optional overrides for `AppServerOptions` (backend, session_options, and create_route_specs are managed). */
-    app_options?: Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>>;
+    /**
+     * Optional overrides for `AppServerOptions`. The four fields
+     * `create_test_app` manages are excluded: `backend`, `session_options`,
+     * `create_route_specs`, and `rpc_endpoints` (see top-level slot above).
+     */
+    app_options?: SuiteAppOptions;
 }
 /**
- * `app_options` shape accepted by DB-backed suite helpers
- * (`describe_standard_integration_tests`, `describe_audit_completeness_tests`,
- * etc.). Excludes `rpc_endpoints` on top of the fields `CreateTestAppOptions`
- * excludes — suites require `rpc_endpoints` at the suite level (hard-failed
- * by `require_rpc_endpoint_path`) so setup-time path lookup and runtime
- * dispatch read from one source of truth. Low-level `create_test_app`
- * callers still pass `rpc_endpoints` via `app_options`.
+ * `app_options` shape accepted by `create_test_app` and the DB-backed suite
+ * helpers (`describe_standard_integration_tests`,
+ * `describe_audit_completeness_tests`, etc.). Excludes the four fields the
+ * helpers manage directly — `backend` / `session_options` /
+ * `create_route_specs` are constructed by the helper itself; `rpc_endpoints`
+ * lives on the top-level option (hard-failed by `require_rpc_endpoint_path`
+ * in the suites) so setup-time path lookup and runtime dispatch read from
+ * one source of truth.
  */
 export type SuiteAppOptions = Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs' | 'rpc_endpoints'>>;
 /**

package/dist/testing/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAE/E,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAI9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;;;OAQG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAKD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA+FvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;;OAQG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,gHAAgH;IAChH,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,CAAC,CAC9F,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAyGpF,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAI9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAKD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CAyFvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;OAIG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;;;GASG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,CAAC,CAC9F,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAmGpF,CAAC"}

package/dist/testing/app_server.js

@@ -11,7 +11,7 @@ import { query_create_api_token } from '../auth/api_token_queries.js';
 import { create_session_cookie_value } from '../auth/session_cookie.js';
 import { run_migrations } from '../db/migrate.js';
 import { auth_migration_ns } from '../auth/migrations.js';
-import { create_audit_emitter } from '../auth/audit_emitter.js';
+import { default_audit_factory } from '../server/app_backend.js';
 import { create_app_server, } from '../server/app_server.js';
 import { generate_daemon_token, DAEMON_TOKEN_HEADER, } from '../auth/daemon_token.js';
 import { create_pglite_factory } from './db.js';
@@ -96,8 +96,7 @@ const test_log = new Logger('test', { level: 'off' });
  *   API token, and session row.
  */
 export const create_test_app_server = async (options) => {
-    const { session_options, db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], on_audit_event = () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
-    audit_log_config, } = options;
+    const { session_options, db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], audit_factory = default_audit_factory, } = options;
     // Keyring from test secret
     const keyring_result = create_validated_keyring(TEST_COOKIE_SECRET);
     if (!keyring_result.ok) {
@@ -116,12 +115,7 @@ export const create_test_app_server = async (options) => {
         await existing_db.query('UPDATE app_settings SET open_signup = false, updated_at = NULL, updated_by = NULL WHERE open_signup = true OR updated_at IS NOT NULL');
         // Use the caller's database — tables already created by the factory's init_schema.
         // Caller owns the DB lifecycle — close is a no-op.
-        const audit = create_audit_emitter({
-            db: existing_db,
-            log: test_log,
-            on_audit_event,
-            audit_log_config,
-        });
+        const audit = audit_factory({ db: existing_db, log: test_log });
         backend = {
             db_type,
             db_name: 'test',
@@ -142,7 +136,7 @@ export const create_test_app_server = async (options) => {
         // instead of creating a new PGlite each time. Schema is reset and migrations re-run
         // on each call, but the expensive WASM cold start only happens once per worker thread.
         const db = await fallback_pglite_factory.create();
-        const audit = create_audit_emitter({ db, log: test_log, on_audit_event, audit_log_config });
+        const audit = audit_factory({ db, log: test_log });
         backend = {
             db_type: 'pglite-memory',
             db_name: '(memory)',
@@ -198,9 +192,6 @@ export const create_test_app = async (options) => {
         rotated_at: new Date(),
         keeper_account_id: test_server.account.id,
     };
-    if (options.rpc_endpoints !== undefined && options.app_options?.rpc_endpoints !== undefined) {
-        console.warn('create_test_app: both top-level `rpc_endpoints` and `app_options.rpc_endpoints` are set; preferring `app_options.rpc_endpoints` (back-compat).');
-    }
     const result = await create_app_server({
         backend: test_server,
         session_options: options.session_options,

package/dist/testing/attack_surface.d.ts

@@ -67,17 +67,18 @@ export interface StandardAttackSurfaceOptions {
 /**
  * Run the standard attack surface test suite.
  *
- * Generates 10 test groups:
+ * Test groups:
  * 1. Snapshot — live surface matches committed JSON
  * 2. Determinism — building twice yields identical results
  * 3. Public routes — bidirectional check (no unexpected, no missing)
  * 4. Middleware stack — every API route has the full middleware chain
- * 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency)
- * 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
- * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `default_error_schema_tightness` by default (opt out with `error_schema_tightness: null`)
- * 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
- * 9. Adversarial input — input body and params validation
- * 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas
+ * 5. Surface invariants — structural assertions over `surface.routes` (error schemas, descriptions, duplicates, consistency)
+ * 6. RPC/WS surface invariants — structural assertions over `surface.rpc_endpoints` + `surface.ws_endpoints` (descriptions, protocol-action spread, kind ⇔ auth)
+ * 7. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
+ * 8. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `default_error_schema_tightness` by default (opt out with `error_schema_tightness: null`)
+ * 9. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
+ * 10. Adversarial input — input body and params validation
+ * 11. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas
  *
  * Consumer test files call this with project-specific options, then add
  * any project-specific assertions in additional `describe` blocks.

package/dist/testing/attack_surface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,EAON,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,MAAM,yBAAyB,CAAC;AAoBjC,OAAO,EAA4B,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAsClF,oFAAoF;AACpF,MAAM,WAAW,sBAAsB;IACtC,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,sBAAsB,KAAG,IA4H3E,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,uCAAuC,GACnD,UAAU,2BAA2B,GAAG,IAAI,GAAG,SAAS,KACtD,2BAA2B,GAAG,IAWhC,CAAC;AAEF,0DAA0D;AAC1D,MAAM,WAAW,4BAA4B;IAC5C,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,gHAAgH;IAChH,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,eAAe,CAAC,EAAE,4BAA4B,CAAC;IAC/C;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC;CAC5D;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,sCAAsC,GAClD,SAAS,4BAA4B,KACnC,IAuEF,CAAC"}
+{"version":3,"file":"attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,EAQN,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,MAAM,yBAAyB,CAAC;AAoBjC,OAAO,EAA4B,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAsClF,oFAAoF;AACpF,MAAM,WAAW,sBAAsB;IACtC,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,sBAAsB,KAAG,IA4H3E,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,uCAAuC,GACnD,UAAU,2BAA2B,GAAG,IAAI,GAAG,SAAS,KACtD,2BAA2B,GAAG,IAWhC,CAAC;AAEF,0DAA0D;AAC1D,MAAM,WAAW,4BAA4B;IAC5C,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,gHAAgH;IAChH,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,eAAe,CAAC,EAAE,4BAA4B,CAAC;IAC/C;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC;CAC5D;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,sCAAsC,GAClD,SAAS,4BAA4B,KACnC,IA2EF,CAAC"}

package/dist/testing/attack_surface.js

@@ -15,7 +15,7 @@ import './assert_dev_env.js';
  * @module
  */
 import { test, assert, describe } from 'vitest';
-import { assert_surface_invariants, assert_surface_security_policy, audit_error_schema_tightness, assert_error_schema_tightness, default_error_schema_tightness, fuz_app_stock_route_tightness_allowlist, } from './surface_invariants.js';
+import { assert_surface_invariants, assert_rpc_ws_surface_invariants, assert_surface_security_policy, audit_error_schema_tightness, assert_error_schema_tightness, default_error_schema_tightness, fuz_app_stock_route_tightness_allowlist, } from './surface_invariants.js';
 import { describe_adversarial_input } from './adversarial_input.js';
 import { describe_adversarial_404 } from './adversarial_404.js';
 import { create_test_app_from_specs, create_test_request_context, create_auth_test_apps, select_auth_app, resolve_test_path, } from './auth_apps.js';
@@ -193,17 +193,18 @@ export const resolve_standard_error_schema_tightness = (consumer) => {
 /**
  * Run the standard attack surface test suite.
  *
- * Generates 10 test groups:
+ * Test groups:
  * 1. Snapshot — live surface matches committed JSON
  * 2. Determinism — building twice yields identical results
  * 3. Public routes — bidirectional check (no unexpected, no missing)
  * 4. Middleware stack — every API route has the full middleware chain
- * 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency)
- * 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
- * 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `default_error_schema_tightness` by default (opt out with `error_schema_tightness: null`)
- * 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
- * 9. Adversarial input — input body and params validation
- * 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas
+ * 5. Surface invariants — structural assertions over `surface.routes` (error schemas, descriptions, duplicates, consistency)
+ * 6. RPC/WS surface invariants — structural assertions over `surface.rpc_endpoints` + `surface.ws_endpoints` (descriptions, protocol-action spread, kind ⇔ auth)
+ * 7. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
+ * 8. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against `default_error_schema_tightness` by default (opt out with `error_schema_tightness: null`)
+ * 9. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
+ * 10. Adversarial input — input body and params validation
+ * 11. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas
  *
  * Consumer test files call this with project-specific options, then add
  * any project-specific assertions in additional `describe` blocks.
@@ -231,6 +232,9 @@ export const describe_standard_attack_surface_tests = (options) => {
         test('surface invariants', () => {
             assert_surface_invariants(surface);
         });
+        test('rpc/ws surface invariants', () => {
+            assert_rpc_ws_surface_invariants(surface);
+        });
         test('security policy', () => {
             assert_surface_security_policy(surface, security_policy);
         });

package/dist/testing/audit_completeness.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD,OAAO,EAGN,KAAK,eAAe,EAEpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAoDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAkgBzF,CAAC"}
+{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD,OAAO,EAGN,KAAK,eAAe,EAEpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAyED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAihBzF,CAAC"}

package/dist/testing/audit_completeness.js

@@ -27,22 +27,31 @@ import { admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spe
 import { account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 /** Query audit log events from the database. */
 const query_audit_events = async (db) => {
-    return db.query('SELECT event_type, seq FROM audit_log ORDER BY seq');
+    return db.query('SELECT event_type, seq, metadata FROM audit_log ORDER BY seq');
 };
 /** Assert that audit events contain the expected event type. */
 const assert_has_event = (events, expected, context) => {
     assert.ok(events.some((e) => e.event_type === expected), `Expected '${expected}' audit event after ${context}`);
 };
+/**
+ * Assert that an event type was emitted with the expected `credential_type`
+ * recorded in metadata — defense-in-depth coverage for the spec gate
+ * documented in `docs/security.md` §Credential-channel gating.
+ */
+const assert_event_credential_type = (events, expected, credential_type, context) => {
+    const match = events.find((e) => e.event_type === expected);
+    assert.ok(match, `Expected '${expected}' audit event after ${context}`);
+    const recorded = (match.metadata ?? {}).credential_type;
+    assert.strictEqual(recorded, credential_type, `Expected '${expected}' audit metadata.credential_type === '${credential_type}' after ${context} (got ${JSON.stringify(recorded)})`);
+};
 /** Build CreateTestAppOptions with admin+keeper roles. */
 const build_options = (options, db) => ({
     session_options: options.session_options,
     create_route_specs: options.create_route_specs,
     db,
     roles: [ROLE_KEEPER, ROLE_ADMIN],
-    app_options: {
-        ...options.app_options,
-        rpc_endpoints: options.rpc_endpoints,
-    },
+    rpc_endpoints: options.rpc_endpoints,
+    app_options: options.app_options,
 });
 /** Headers for unauthenticated JSON requests (login, signup). */
 const UNAUTHENTICATED_JSON_HEADERS = {
@@ -71,7 +80,7 @@ export const describe_audit_completeness_tests = (options) => {
     // Hard-fail early so consumers see a clear setup error instead of a
     // confusing test failure when `rpc_endpoints` is missing. Factory-form
     // callers are resolved with a stub ctx purely to extract the endpoint
-    // path; real handlers run per-test via `app_options.rpc_endpoints`.
+    // path; real handlers run per-test via the top-level `rpc_endpoints` slot on `CreateTestAppOptions`.
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
     const init_schema = async (db) => {
@@ -138,6 +147,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_token_create failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'token_create', 'account_token_create RPC');
+                assert_event_credential_type(events, 'token_create', 'session', 'account_token_create RPC');
             });
             test('token revoke produces token_revoke event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -162,6 +172,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_token_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'token_revoke', 'account_token_revoke RPC');
+                assert_event_credential_type(events, 'token_revoke', 'session', 'account_token_revoke RPC');
             });
             test('session revoke produces session_revoke event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -198,6 +209,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_session_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'session_revoke', 'account_session_revoke RPC');
+                assert_event_credential_type(events, 'session_revoke', 'session', 'account_session_revoke RPC');
             });
             test('session revoke-all produces session_revoke_all event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -211,6 +223,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'session_revoke_all', 'account_session_revoke_all RPC');
+                assert_event_credential_type(events, 'session_revoke_all', 'session', 'account_session_revoke_all RPC');
             });
             test('password change produces password_change event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -227,6 +240,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.strictEqual(res.status, 200);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'password_change', 'POST /password');
+                assert_event_credential_type(events, 'password_change', 'session', 'POST /password');
             });
         });
         // --- Admin routes ---

package/dist/testing/audit_drift_guard.d.ts

@@ -0,0 +1,116 @@
+import './assert_dev_env.js';
+import { type AuditEmitter, type CreateAuditEmitterOptions } from '../auth/audit_emitter.js';
+import type { AuditLogInput } from '../auth/audit_log_schema.js';
+import type { AuditFactory } from '../server/app_backend.js';
+/**
+ * Register per-test `beforeEach` + `afterEach` hooks that catch any audit
+ * emission with a metadata shape that fails its `audit_metadata_schemas`
+ * entry, or an `event_type` not present in the active `AuditLogConfig`.
+ *
+ * The production validation in `query_audit_log` is fail-open — it bumps
+ * process-wide counters and proceeds, so a regression that emits an
+ * undeclared metadata field or a typo'd event-type lands a row that
+ * passes downstream queries but breaks forensics. Tests that exercise
+ * audit emits should fail loudly when this happens.
+ *
+ * Call at the top of every `describe` / `describe_db` block that fires
+ * audit writes through `deps.audit.emit`. Resets counters before each
+ * test and asserts zero on completion.
+ *
+ * Pair with `await_pending_effects: true` (the default for
+ * `create_test_app`) so fire-and-forget audit writes have completed by
+ * the time the after-each check observes counter state.
+ */
+export declare const install_audit_drift_guard: () => void;
+/**
+ * Marker pushed into a shared sequence array by an emit-recording
+ * `audit_factory`. Pair with `RecordedClose` from
+ * `connection_closer_helpers.ts` to test close-vs-emit ordering at
+ * handler call sites — see `create_emit_ordering_audit_factory` below.
+ */
+export interface AuditEmitMarker {
+    kind: 'emit';
+    at: number;
+}
+/**
+ * Pair returned by {@link create_recording_audit_emitter} — the
+ * `AuditEmitter` to inject as `deps.audit`, plus the shared `calls`
+ * array that records every captured emission. Both fields are live —
+ * callers read `calls` after exercising the handler to assert on the
+ * audit metadata shape.
+ */
+export interface RecordingAuditEmitter {
+    emitter: AuditEmitter;
+    calls: Array<AuditLogInput>;
+}
+/**
+ * Build a no-op `AuditEmitter` that records every `emit`, `emit_pool`, and
+ * `emit_role_grant_target` call into `calls` as an `AuditLogInput`. Use to
+ * capture audit metadata shapes in unit tests (e.g. password change failure
+ * outcome, role-grant create denial) without standing up the full PGlite +
+ * `query_audit_log` pipeline.
+ *
+ * **Capture scope — all four production fan-out shapes.**
+ * `emit_role_grant_target` mirrors `create_audit_emitter`'s lift logic in
+ * place — `actor_id` / `account_id` / `ip` are populated from `auth` + `ctx`
+ * and the `event_type` / `outcome` / `target_*_id` / `metadata` fields
+ * forward from the input envelope. Tests asserting on role-grant-shape
+ * emissions read out of the same homogeneous `calls` array.
+ * `notify` is a no-op; `on_event_chain` is an empty array.
+ *
+ * `emit` AND `emit_pool` both append to `calls` so cleanup-sweep tests
+ * (which use `emit_pool` exclusively — see `auth/cleanup.ts`) can also
+ * read assertions off the same array.
+ *
+ * Pass `calls_ref` to write into a caller-owned array (callers that
+ * declared `const events: Array<AuditLogInput> = []` and want to keep
+ * the reference). Omit to let the helper allocate a fresh array and
+ * return it on the `calls` field of the result.
+ *
+ * The returned emitter is deliberately NOT frozen — slots stay mutable
+ * so a test can override one when it needs bespoke shape (e.g. an
+ * `emit_pool` that throws on the first call). The production
+ * `create_audit_emitter` freeze invariant exists to catch the
+ * `patch_audit_emit_capture` hot-patch footgun against the
+ * closure-captured `emit`; the recording emitter has no inner closure,
+ * so the freeze isn't load-bearing here.
+ */
+export declare const create_recording_audit_emitter: (calls_ref?: Array<AuditLogInput>) => RecordingAuditEmitter;
+/**
+ * Build an `audit_factory` that produces a real `create_audit_emitter`
+ * with its `emit` decorated to push a `{kind: 'emit', at: seq.value++}`
+ * marker into a shared sequence + events array. Used by the close-vs-emit
+ * ordering test to compose against a shared sequence counter (typically
+ * `create_recording_closer(seq_ref)` capturing eager-close calls).
+ *
+ * Pass the returned factory through `create_test_app({audit_factory: …})`
+ * — the test backend invokes it with its constructed `{db, log}` and
+ * lands the decorated emitter on `backend.deps.audit`. Production
+ * handlers dereference `deps.audit.emit` at call time, so the decorator
+ * sees every subsequent handler invocation. The underlying `emit` still
+ * runs — the decorator records the call, it does not suppress side
+ * effects.
+ *
+ * **Scope — both `emit` and `emit_role_grant_target`.** The decorator
+ * is captured by `emit_role_grant_target`'s closure inside
+ * `create_audit_emitter` (and re-exposed as the outer `emit` slot), so
+ * role-grant-shape emissions land in `events_ref` alongside bare `emit`
+ * calls. `emit_pool` and `notify` are not decorated — they take
+ * `AuditLogInput` / `AuditLogEvent` directly without going through
+ * `emit`, so handler-side `emit_pool` writes (today only
+ * `auth/cleanup.ts`) skip capture. Close-firing handlers all reach for
+ * `emit` or `emit_role_grant_target`, so the ordering test sees them
+ * regardless of which entry point a future refactor picks.
+ *
+ * Optionally accept `extra_options` to thread `on_audit_event` /
+ * `audit_log_config` into the inner emitter — useful when a test wants
+ * both ordering capture and a real SSE/WS guard wired into the same
+ * emitter chain.
+ */
+export declare const create_emit_ordering_audit_factory: <E extends {
+    kind: string;
+    at: number;
+}>(seq_ref: {
+    value: number;
+}, events_ref: Array<AuditEmitMarker | E>, extra_options?: Omit<CreateAuditEmitterOptions, "db" | "log" | "emit_decorator">) => AuditFactory;
+//# sourceMappingURL=audit_drift_guard.d.ts.map

package/dist/testing/audit_drift_guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit_drift_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_drift_guard.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAU7B,OAAO,EAEN,KAAK,YAAY,EACjB,KAAK,yBAAyB,EAC9B,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,0BAA0B,CAAC;AAE3D;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,yBAAyB,QAAO,IAiB5C,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACX;AAED;;;;;;GAMG;AACH,MAAM,WAAW,qBAAqB;IACrC,OAAO,EAAE,YAAY,CAAC;IACtB,KAAK,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,eAAO,MAAM,8BAA8B,GAC1C,YAAY,KAAK,CAAC,aAAa,CAAC,KAC9B,qBA0BF,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,kCAAkC,GAAI,CAAC,SAAS;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAC,EACtF,SAAS;IAAC,KAAK,EAAE,MAAM,CAAA;CAAC,EACxB,YAAY,KAAK,CAAC,eAAe,GAAG,CAAC,CAAC,EACtC,gBAAgB,IAAI,CAAC,yBAAyB,EAAE,IAAI,GAAG,KAAK,GAAG,gBAAgB,CAAC,KAC9E,YAWF,CAAC"}