@fuzdev/fuz_app 0.63.0 → 0.65.0

package/dist/testing/adversarial_headers.d.ts

@@ -15,6 +15,12 @@ export interface AdversarialHeaderCase {
 /**
  * 7 standard adversarial header cases applicable to any middleware stack.
  *
+ * Origin verification is Origin-only — fuz_app's `verify_request_source`
+ * no longer falls back to `Referer` (matches `zzz_server::auth::is_request_origin_allowed`).
+ * Bearer auth still treats a `Referer` header as a browser-context
+ * indicator and silently discards the bearer token — so Referer-bearing
+ * requests reach the route as unauthenticated rather than 403.
+ *
  * @param allowed_origin - an origin that passes the origin check
  */
 export declare const create_standard_adversarial_cases: (allowed_origin: string) => Array<AdversarialHeaderCase>;

package/dist/testing/adversarial_headers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"adversarial_headers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/adversarial_headers.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAY7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAG3B,OAAO,EAGN,KAAK,0BAA0B,EAC/B,MAAM,iBAAiB,CAAC;AAIzB,+DAA+D;AAC/D,MAAM,WAAW,qBAAqB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+GAA+G;IAC/G,qBAAqB,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC;IAClC,qGAAqG;IACrG,oBAAoB,EAAE,QAAQ,GAAG,YAAY,CAAC;CAC9C;AAID;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,GAC7C,gBAAgB,MAAM,KACpB,KAAK,CAAC,qBAAqB,CA+D7B,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qCAAqC,GACjD,YAAY,MAAM,EAClB,SAAS,0BAA0B,EACnC,gBAAgB,MAAM,EACtB,cAAc,KAAK,CAAC,qBAAqB,CAAC,KACxC,IAkCF,CAAC"}
+{"version":3,"file":"adversarial_headers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/adversarial_headers.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAY7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAG3B,OAAO,EAGN,KAAK,0BAA0B,EAC/B,MAAM,iBAAiB,CAAC;AAIzB,+DAA+D;AAC/D,MAAM,WAAW,qBAAqB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+GAA+G;IAC/G,qBAAqB,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC;IAClC,qGAAqG;IACrG,oBAAoB,EAAE,QAAQ,GAAG,YAAY,CAAC;CAC9C;AAID;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iCAAiC,GAC7C,gBAAgB,MAAM,KACpB,KAAK,CAAC,qBAAqB,CAiE7B,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qCAAqC,GACjD,YAAY,MAAM,EAClB,SAAS,0BAA0B,EACnC,gBAAgB,MAAM,EACtB,cAAc,KAAK,CAAC,qBAAqB,CAAC,KACxC,IAkCF,CAAC"}

package/dist/testing/adversarial_headers.js

@@ -8,12 +8,18 @@ import './assert_dev_env.js';
  * @module
  */
 import { test, assert, describe } from 'vitest';
-import { ApiError, ERROR_FORBIDDEN_ORIGIN, ERROR_FORBIDDEN_REFERER } from '../http/error_schemas.js';
+import { ApiError, ERROR_FORBIDDEN_ORIGIN } from '../http/error_schemas.js';
 import { create_test_middleware_stack_app, TEST_MIDDLEWARE_PATH, } from './middleware.js';
 // --- Standard adversarial header cases ---
 /**
  * 7 standard adversarial header cases applicable to any middleware stack.
  *
+ * Origin verification is Origin-only — fuz_app's `verify_request_source`
+ * no longer falls back to `Referer` (matches `zzz_server::auth::is_request_origin_allowed`).
+ * Bearer auth still treats a `Referer` header as a browser-context
+ * indicator and silently discards the bearer token — so Referer-bearing
+ * requests reach the route as unauthenticated rather than 403.
+ *
  * @param allowed_origin - an origin that passes the origin check
  */
 export const create_standard_adversarial_cases = (allowed_origin) => [
@@ -61,17 +67,19 @@ export const create_standard_adversarial_cases = (allowed_origin) => [
         validate_expectation: 'called',
     },
     {
-        name: 'bearer token with Referer from untrusted source is rejected',
+        name: 'bearer token with rogue Referer (no Origin) passes origin check, bearer silently discarded (browser-context indicator)',
+        // Origin-only verification ignores Referer entirely. Bearer auth still
+        // treats Referer presence as a browser-context indicator and discards
+        // the token, so the request reaches the route as unauthenticated.
         headers: {
             Authorization: 'Bearer secret_fuz_token_test',
             Referer: 'https://attacker.com/page',
         },
-        expected_status: 403,
-        expected_error: ERROR_FORBIDDEN_REFERER,
+        expected_status: 200,
         validate_expectation: 'not_called',
     },
     {
-        name: 'bearer token with Referer from allowed origin — bearer silently discarded (browser context)',
+        name: 'bearer token with allowed Referer (no Origin) — bearer silently discarded (browser context)',
         headers: {
             Authorization: 'Bearer secret_fuz_token_test',
             Referer: `${allowed_origin}/page`,

package/dist/testing/app_server.d.ts

@@ -18,9 +18,8 @@ import { type Keyring } from '../auth/keyring.js';
 import type { Db, DbType } from '../db/db.js';
 import type { PasswordHashDeps } from '../auth/password.js';
 import { type SessionOptions } from '../auth/session_cookie.js';
-import type { AuditLogConfig, AuditLogEvent } from '../auth/audit_log_schema.js';
-import type { AppBackend } from '../server/app_backend.js';
-import { type AppServerOptions, type AppServerContext } from '../server/app_server.js';
+import { type AppBackend, type AuditFactory } from '../server/app_backend.js';
+import { type AppServerOptions, type AppServerContext, type BootstrapServerOptions, type BootstrapLiveOptions } from '../server/app_server.js';
 import type { AppSurface, AppSurfaceSpec } from '../http/surface.js';
 import type { RouteSpec } from '../http/route_spec.js';
 import type { RpcEndpointsSuiteOption } from './rpc_helpers.js';
@@ -34,9 +33,12 @@ export declare const stub_password_deps: PasswordHashDeps;
 /** 64-hex-char test cookie secret — deterministic, never used in production. */
 export declare const TEST_COOKIE_SECRET: string;
 /**
- * Options for `bootstrap_test_account`.
+ * Options for `bootstrap_test_keeper` and `create_test_account_with_credentials`.
+ *
+ * Same shape for both — the data inserted is identical; the only behavioral
+ * difference is the lock flip on the keeper path.
  */
-export interface BootstrapTestAccountOptions {
+export interface CreateTestAccountWithCredentialsOptions {
     db: Db;
     keyring: Keyring;
     session_options: SessionOptions<string>;
@@ -45,17 +47,48 @@ export interface BootstrapTestAccountOptions {
     password_value?: string;
     roles?: Array<string>;
 }
+/** Alias for the keeper-flavored call site. Same shape. */
+export type BootstrapTestKeeperOptions = CreateTestAccountWithCredentialsOptions;
 /**
- * Bootstrap a test account with credentials.
+ * Create a test account with credentials. Use for additional accounts
+ * minted alongside the keeper (e.g. `TestApp.create_account` for
+ * cross-account / multi-user tests). Does NOT flip `bootstrap_lock` —
+ * non-keeper accounts should not appear to the system as bootstrap
+ * having happened.
  *
  * Creates an account with actor, grants roles, creates an API token,
- * creates a session, and signs a session cookie. Shared by
- * `create_test_app_server` and `TestApp.create_account`.
+ * creates a session, and signs a session cookie.
  *
  * @mutates the underlying `options.db` — inserts rows into `account`, `actor`,
  *   `role_grant` (one per role), `api_token`, and `auth_session`.
  */
-export declare const bootstrap_test_account: (options: BootstrapTestAccountOptions) => Promise<{
+export declare const create_test_account_with_credentials: (options: CreateTestAccountWithCredentialsOptions) => Promise<{
+    account: {
+        id: Uuid;
+        username: string;
+    };
+    actor: {
+        id: Uuid;
+    };
+    api_token: string;
+    session_cookie: string;
+}>;
+/**
+ * Bootstrap the test-DB keeper. Direct-query shortcut for the default
+ * `create_test_app` path — bootstrap is not what most tests exercise, so
+ * we skip the real `bootstrap_account` flow (no audit row, no
+ * `on_bootstrap` callback). Tests that need the full success-path flow
+ * use `create_test_app_for_bootstrap` instead.
+ *
+ * Flips `bootstrap_lock.bootstrapped = true` so the post-insert DB state
+ * matches a real bootstrap completion — production code can trust the
+ * lock as the single signal without a belt-and-suspenders
+ * `query_account_has_any` defense.
+ *
+ * @mutates the underlying `options.db` — inserts the account/actor/roles/
+ *   API token/session_cookie rows AND flips `bootstrap_lock.bootstrapped`.
+ */
+export declare const bootstrap_test_keeper: (options: BootstrapTestKeeperOptions) => Promise<{
     account: {
         id: Uuid;
         username: string;
@@ -107,44 +140,22 @@ export interface TestAppServerOptions {
     /** Roles to grant. Default: `[ROLE_KEEPER]`. */
     roles?: Array<string>;
     /**
-     * Backend audit event callback — threaded into `create_audit_emitter` so
-     * it becomes the first listener on `backend.deps.audit.on_event_chain`.
-     * When `audit_log_sse: true` is passed to `create_app_server`, the SSE
-     * listener is appended after this one. Use to wire consumer SSE auth
-     * guards in tests. Default: no-op.
-     */
-    on_audit_event?: (event: AuditLogEvent) => void;
-    /**
-     * Optional audit log config — threaded into `create_audit_emitter` and
-     * captured inside `backend.deps.audit`'s closure.
+     * Build the bound `AuditEmitter` used by the test backend. Defaults to
+     * `default_audit_factory` (a no-listener `create_audit_emitter` over
+     * the test backend's `{db, log}`). Pass a custom factory when a test
+     * needs:
+     * - to capture audit events (compose `on_audit_event` inside the body)
+     * - to register consumer event-type schemas (pass `audit_log_config`)
+     * - to instrument `emit` ordering (`create_emit_ordering_audit_factory`)
+     * - to wrap or replace the emitter for some other reason
      *
-     * Use when the consumer registers extra event types via
-     * `create_audit_log_config({extra_events})` — without this, emits for
-     * those events fall back to `builtin_audit_log_config` and log
-     * "unknown event_type" warnings.
+     * Matches the production shape — `create_app_backend` requires an
+     * `audit_factory` and `create_test_app_server` mirrors that contract
+     * end-to-end. The earlier `on_audit_event` / `audit_log_config` sugar
+     * fields were removed alongside the `CreateAppBackendOptions` rename.
      */
-    audit_log_config?: AuditLogConfig;
+    audit_factory?: AuditFactory;
 }
-/**
- * Create an app server with a bootstrapped account for testing.
- *
- * Sets up:
- * - Auth tables (via cached PGlite factory, or reuses existing `db`)
- * - A keeper account with hashed password
- * - Role role_grants for each role in `options.roles`
- * - An API token for Bearer auth
- * - A session with a signed cookie value
- *
- * Uses `stub_password_deps` by default — deterministic hashing that works
- * correctly for login/logout tests without Argon2 overhead.
- *
- * @param options - session options and optional overrides
- * @returns a `TestAppServer` ready for HTTP testing
- * @mutates the underlying database — when `db` is supplied, resets singleton
- *   state (`bootstrap_lock.bootstrapped`, `app_settings.open_signup`) before
- *   bootstrapping; in either branch inserts an account, actor, role role_grants,
- *   API token, and session row.
- */
 export declare const create_test_app_server: (options: TestAppServerOptions) => Promise<TestAppServer>;
 /**
  * Configuration for `create_test_app`.
@@ -154,27 +165,43 @@ export interface CreateTestAppOptions extends TestAppServerOptions {
     create_route_specs: (context: AppServerContext) => Array<RouteSpec>;
     /**
      * RPC endpoints mounted by `create_app_server` — eager array or
-     * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` factory. Symmetric
-     * with the suite-level `rpc_endpoints` option on
-     * `describe_standard_admin_integration_tests` etc., so callers wiring a
-     * full RPC stack don't have to switch shapes between low-level and
-     * suite-level helpers. Equivalent to `app_options.rpc_endpoints`; when
-     * both are set `app_options` wins and `console.warn` fires.
+     * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` factory. Single
+     * source of truth; the equivalent slot under `app_options` is `Omit`'d
+     * so setup-time path lookup and runtime dispatch read from one place.
+     * Symmetric with the suite-level `rpc_endpoints` option on
+     * `describe_standard_admin_integration_tests` etc.
      */
     rpc_endpoints?: RpcEndpointsSuiteOption;
-    /** Optional overrides for `AppServerOptions` (backend, session_options, and create_route_specs are managed). */
-    app_options?: Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>>;
+    /**
+     * Bootstrap config — symmetric with `AppServerOptions.bootstrap`. Same
+     * single-source-of-truth precedent as `rpc_endpoints`: setup-time surface
+     * generation and runtime dispatch both read this slot, so the equivalent
+     * field under `app_options` is `Omit`'d. Discriminated union over
+     * `{mode: 'disabled' | 'surface_only' | 'live'}`. Omit (or pass
+     * `{mode: 'disabled'}`) for the default — no bootstrap route mounted.
+     *
+     * For tests that exercise the bootstrap success path against a real
+     * token + empty DB, use `create_test_app_for_bootstrap` instead — it
+     * skips the keeper pre-creation that blocks the success branch.
+     */
+    bootstrap?: BootstrapServerOptions;
+    /**
+     * Optional overrides for `AppServerOptions`. Excludes fields
+     * `create_test_app` manages directly: `backend`, `session_options`,
+     * `create_route_specs`, `rpc_endpoints`, `bootstrap` (top-level slots
+     * above).
+     */
+    app_options?: SuiteAppOptions;
 }
 /**
- * `app_options` shape accepted by DB-backed suite helpers
- * (`describe_standard_integration_tests`, `describe_audit_completeness_tests`,
- * etc.). Excludes `rpc_endpoints` on top of the fields `CreateTestAppOptions`
- * excludes — suites require `rpc_endpoints` at the suite level (hard-failed
- * by `require_rpc_endpoint_path`) so setup-time path lookup and runtime
- * dispatch read from one source of truth. Low-level `create_test_app`
- * callers still pass `rpc_endpoints` via `app_options`.
+ * `app_options` shape accepted by `create_test_app` and the DB-backed suite
+ * helpers. Excludes fields the helpers manage directly — `backend` /
+ * `session_options` / `create_route_specs` are constructed by the helper
+ * itself; `rpc_endpoints` and `bootstrap` live on top-level options so
+ * setup-time surface lookup and runtime dispatch read from one source of
+ * truth.
  */
-export type SuiteAppOptions = Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs' | 'rpc_endpoints'>>;
+export type SuiteAppOptions = Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs' | 'rpc_endpoints' | 'bootstrap'>>;
 /**
  * A bootstrapped test account with credentials.
  */
@@ -233,4 +260,65 @@ export interface TestApp {
  * @returns a `TestApp` ready for HTTP testing
  */
 export declare const create_test_app: (options: CreateTestAppOptions) => Promise<TestApp>;
+/**
+ * Configuration for `create_test_app_for_bootstrap`. Like
+ * `CreateTestAppOptions` but the keeper-related fields drop (no
+ * pre-bootstrap keeper) and `bootstrap` is required + narrowed to
+ * `live` mode (the helper exists specifically to drive the success
+ * path).
+ */
+export interface CreateTestAppForBootstrapOptions {
+    session_options: SessionOptions<string>;
+    create_route_specs: (context: AppServerContext) => Array<RouteSpec>;
+    rpc_endpoints?: RpcEndpointsSuiteOption;
+    app_options?: SuiteAppOptions;
+    /** Live bootstrap config — the test drives `POST /bootstrap` against this. */
+    bootstrap: BootstrapLiveOptions;
+    /**
+     * Token contents the stub fs returns when reading `bootstrap.token_path`.
+     * The test posts a body containing this same value as `token` to satisfy
+     * the timing-safe equality check inside `bootstrap_account`.
+     */
+    bootstrap_token: string;
+    db?: Db;
+    db_type?: DbType;
+    password?: PasswordHashDeps;
+    audit_factory?: AuditFactory;
+}
+/**
+ * A fully assembled test app in the pre-bootstrap state — empty DB,
+ * `bootstrap_lock.bootstrapped = false`, no keeper account. Test drives
+ * `POST /bootstrap` itself.
+ */
+export interface TestAppForBootstrap {
+    app: Hono;
+    backend: AppBackend;
+    surface_spec: AppSurfaceSpec;
+    surface: AppSurface;
+    route_specs: Array<RouteSpec>;
+    /** Build host/origin request headers for the anonymous bootstrap POST. */
+    create_request_headers: (extra?: Record<string, string>) => Record<string, string>;
+    /** Release test resources (no-op when DB is injected or factory-cached). */
+    cleanup: () => Promise<void>;
+}
+/**
+ * Create a test app in the pre-bootstrap state for exercising the
+ * bootstrap success path end-to-end.
+ *
+ * Skips the keeper pre-creation `create_test_app` does by default —
+ * `bootstrap_lock.bootstrapped` stays at `false` and the DB has no
+ * accounts. The fs stubs return `options.bootstrap_token` when the
+ * bootstrap handler reads `bootstrap.token_path`, so a `POST /bootstrap`
+ * with `{token: bootstrap_token, username, password}` reaches the
+ * success branch.
+ *
+ * Pair with `describe_bootstrap_success_tests` for the consumer-runnable
+ * suite that drives the full happy path + adjacent assertions on
+ * observable state (account exists, audit row emitted, on_bootstrap
+ * callback fired).
+ *
+ * @param options - bootstrap config + factory inputs
+ * @returns a `TestAppForBootstrap` ready for the test to drive bootstrap
+ */
+export declare const create_test_app_for_bootstrap: (options: CreateTestAppForBootstrapOptions) => Promise<TestAppForBootstrap>;
 //# sourceMappingURL=app_server.d.ts.map

package/dist/testing/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAE/E,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAI9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;;;OAQG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAKD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA+FvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;;OAQG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,gHAAgH;IAChH,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,CAAC,CAC9F,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAyGpF,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;;;;GAKG;AACH,MAAM,WAAW,uCAAuC;IACvD,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,MAAM,0BAA0B,GAAG,uCAAuC,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,uCAAuC,KAC9C,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,0BAA0B,KACjC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAQA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AA4HD,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA2BvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CACH,gBAAgB,EAChB,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,GAAG,WAAW,CACpF,CACD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAoGpF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,WAAW,gCAAgC;IAChD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,8EAA8E;IAC9E,SAAS,EAAE,oBAAoB,CAAC;IAChC;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,UAAU,CAAC;IACpB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,0EAA0E;IAC1E,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,mBAAmB,CAuE7B,CAAC"}

package/dist/testing/app_server.js

@@ -11,11 +11,10 @@ import { query_create_api_token } from '../auth/api_token_queries.js';
 import { create_session_cookie_value } from '../auth/session_cookie.js';
 import { run_migrations } from '../db/migrate.js';
 import { auth_migration_ns } from '../auth/migrations.js';
-import { create_audit_emitter } from '../auth/audit_emitter.js';
+import { default_audit_factory } from '../server/app_backend.js';
 import { create_app_server, } from '../server/app_server.js';
 import { generate_daemon_token, DAEMON_TOKEN_HEADER, } from '../auth/daemon_token.js';
 import { create_pglite_factory } from './db.js';
-/* eslint-disable @typescript-eslint/require-await */
 /**
  * Fast password stub for tests that don't exercise login/password flows.
  *
@@ -36,16 +35,19 @@ const fallback_pglite_factory = create_pglite_factory(async (db) => {
     await run_migrations(db, [auth_migration_ns]);
 });
 /**
- * Bootstrap a test account with credentials.
+ * Create a test account with credentials. Use for additional accounts
+ * minted alongside the keeper (e.g. `TestApp.create_account` for
+ * cross-account / multi-user tests). Does NOT flip `bootstrap_lock` —
+ * non-keeper accounts should not appear to the system as bootstrap
+ * having happened.
  *
  * Creates an account with actor, grants roles, creates an API token,
- * creates a session, and signs a session cookie. Shared by
- * `create_test_app_server` and `TestApp.create_account`.
+ * creates a session, and signs a session cookie.
  *
  * @mutates the underlying `options.db` — inserts rows into `account`, `actor`,
  *   `role_grant` (one per role), `api_token`, and `auth_session`.
  */
-export const bootstrap_test_account = async (options) => {
+export const create_test_account_with_credentials = async (options) => {
     const { db, keyring, session_options, password, username = 'keeper', password_value = 'test-password-123', roles = [], } = options;
     const deps = { db };
     const password_hash = await password.hash_password(password_value);
@@ -73,60 +75,63 @@ export const bootstrap_test_account = async (options) => {
         session_cookie,
     };
 };
-/** Silent logger for tests — suppresses all output. */
-const test_log = new Logger('test', { level: 'off' });
 /**
- * Create an app server with a bootstrapped account for testing.
+ * Bootstrap the test-DB keeper. Direct-query shortcut for the default
+ * `create_test_app` path — bootstrap is not what most tests exercise, so
+ * we skip the real `bootstrap_account` flow (no audit row, no
+ * `on_bootstrap` callback). Tests that need the full success-path flow
+ * use `create_test_app_for_bootstrap` instead.
  *
- * Sets up:
- * - Auth tables (via cached PGlite factory, or reuses existing `db`)
- * - A keeper account with hashed password
- * - Role role_grants for each role in `options.roles`
- * - An API token for Bearer auth
- * - A session with a signed cookie value
+ * Flips `bootstrap_lock.bootstrapped = true` so the post-insert DB state
+ * matches a real bootstrap completion — production code can trust the
+ * lock as the single signal without a belt-and-suspenders
+ * `query_account_has_any` defense.
  *
- * Uses `stub_password_deps` by default — deterministic hashing that works
- * correctly for login/logout tests without Argon2 overhead.
+ * @mutates the underlying `options.db` — inserts the account/actor/roles/
+ *   API token/session_cookie rows AND flips `bootstrap_lock.bootstrapped`.
+ */
+export const bootstrap_test_keeper = async (options) => {
+    const result = await create_test_account_with_credentials(options);
+    // Lock flip — mirrors production `bootstrap_account` so test/prod write
+    // semantics stay in parity.
+    await options.db.query('UPDATE bootstrap_lock SET bootstrapped = true WHERE id = 1 AND bootstrapped = false');
+    return result;
+};
+/** Silent logger for tests — suppresses all output. */
+const test_log = new Logger('test', { level: 'off' });
+const default_test_fs_stubs = {
+    stat: async () => null,
+    read_text_file: async () => '',
+    delete_file: async () => { },
+};
+/**
+ * Shared backend-assembly path for `create_test_app_server` and
+ * `create_test_app_for_bootstrap`. Returns the raw `AppBackend` + the
+ * keyring used to sign session cookies; callers wrap with their own
+ * concerns (keeper pre-creation vs. pre-bootstrap state).
  *
- * @param options - session options and optional overrides
- * @returns a `TestAppServer` ready for HTTP testing
- * @mutates the underlying database — when `db` is supplied, resets singleton
- *   state (`bootstrap_lock.bootstrapped`, `app_settings.open_signup`) before
- *   bootstrapping; in either branch inserts an account, actor, role role_grants,
- *   API token, and session row.
+ * Resets `app_settings` singleton row for caller-supplied DBs so prior
+ * tests don't leak `open_signup`. Does NOT reset `bootstrap_lock` —
+ * callers own that policy (`create_test_app_server` lets
+ * `bootstrap_test_keeper` flip it; `create_test_app_for_bootstrap`
+ * resets it to false before this runs).
  */
-export const create_test_app_server = async (options) => {
-    const { session_options, db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], on_audit_event = () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
-    audit_log_config, } = options;
-    // Keyring from test secret
+const _build_test_backend = async (options) => {
+    const { db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, audit_factory = default_audit_factory, fs_stubs = default_test_fs_stubs, } = options;
     const keyring_result = create_validated_keyring(TEST_COOKIE_SECRET);
     if (!keyring_result.ok) {
         throw new Error(`Test keyring failed: ${keyring_result.errors.join(', ')}`);
     }
-    const fs_stubs = {
-        stat: async () => null,
-        read_text_file: async () => '',
-        delete_file: async (_path) => { }, // eslint-disable-line @typescript-eslint/no-empty-function
-    };
     let backend;
     if (existing_db) {
-        // Reset singleton config rows that may retain state from a previous test.
-        // Harmless for fresh pglite (these are already at defaults).
-        await existing_db.query('UPDATE bootstrap_lock SET bootstrapped = false WHERE bootstrapped = true');
+        // Reset singleton config row from a previous test (harmless on fresh pglite).
         await existing_db.query('UPDATE app_settings SET open_signup = false, updated_at = NULL, updated_by = NULL WHERE open_signup = true OR updated_at IS NOT NULL');
-        // Use the caller's database — tables already created by the factory's init_schema.
-        // Caller owns the DB lifecycle — close is a no-op.
-        const audit = create_audit_emitter({
-            db: existing_db,
-            log: test_log,
-            on_audit_event,
-            audit_log_config,
-        });
+        const audit = audit_factory({ db: existing_db, log: test_log });
         backend = {
             db_type,
             db_name: 'test',
-            migration_results: [], // migrations ran in the factory's init_schema, results not captured
-            close: async () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+            migration_results: [], // migrations ran in the factory's init_schema
+            close: async () => { },
             deps: {
                 keyring: keyring_result.keyring,
                 password,
@@ -142,12 +147,12 @@ export const create_test_app_server = async (options) => {
         // instead of creating a new PGlite each time. Schema is reset and migrations re-run
         // on each call, but the expensive WASM cold start only happens once per worker thread.
         const db = await fallback_pglite_factory.create();
-        const audit = create_audit_emitter({ db, log: test_log, on_audit_event, audit_log_config });
+        const audit = audit_factory({ db, log: test_log });
         backend = {
             db_type: 'pglite-memory',
             db_name: '(memory)',
             migration_results: [],
-            close: async () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+            close: async () => { },
             deps: {
                 keyring: keyring_result.keyring,
                 password,
@@ -158,9 +163,14 @@ export const create_test_app_server = async (options) => {
             },
         };
     }
-    const bootstrapped = await bootstrap_test_account({
+    return { backend, keyring: keyring_result.keyring };
+};
+export const create_test_app_server = async (options) => {
+    const { session_options, password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], } = options;
+    const { backend, keyring } = await _build_test_backend(options);
+    const bootstrapped = await bootstrap_test_keeper({
         db: backend.deps.db,
-        keyring: keyring_result.keyring,
+        keyring,
         session_options,
         password,
         username,
@@ -170,7 +180,7 @@ export const create_test_app_server = async (options) => {
     return {
         ...backend,
         ...bootstrapped,
-        keyring: keyring_result.keyring,
+        keyring,
         cleanup: () => backend.close(),
     };
 };
@@ -198,9 +208,6 @@ export const create_test_app = async (options) => {
         rotated_at: new Date(),
         keeper_account_id: test_server.account.id,
     };
-    if (options.rpc_endpoints !== undefined && options.app_options?.rpc_endpoints !== undefined) {
-        console.warn('create_test_app: both top-level `rpc_endpoints` and `app_options.rpc_endpoints` are set; preferring `app_options.rpc_endpoints` (back-compat).');
-    }
     const result = await create_app_server({
         backend: test_server,
         session_options: options.session_options,
@@ -214,6 +221,7 @@ export const create_test_app = async (options) => {
         await_pending_effects: true,
         daemon_token_state,
         rpc_endpoints: options.rpc_endpoints,
+        bootstrap: options.bootstrap,
         ...options.app_options,
         create_route_specs: options.create_route_specs,
     });
@@ -239,7 +247,7 @@ export const create_test_app = async (options) => {
     let account_counter = 0;
     const create_account = async (account_options) => {
         account_counter++;
-        const bootstrapped = await bootstrap_test_account({
+        const bootstrapped = await create_test_account_with_credentials({
             db: test_server.deps.db,
             keyring: test_server.keyring,
             session_options: options.session_options,
@@ -276,3 +284,84 @@ export const create_test_app = async (options) => {
         cleanup: () => test_server.cleanup(),
     };
 };
+/**
+ * Create a test app in the pre-bootstrap state for exercising the
+ * bootstrap success path end-to-end.
+ *
+ * Skips the keeper pre-creation `create_test_app` does by default —
+ * `bootstrap_lock.bootstrapped` stays at `false` and the DB has no
+ * accounts. The fs stubs return `options.bootstrap_token` when the
+ * bootstrap handler reads `bootstrap.token_path`, so a `POST /bootstrap`
+ * with `{token: bootstrap_token, username, password}` reaches the
+ * success branch.
+ *
+ * Pair with `describe_bootstrap_success_tests` for the consumer-runnable
+ * suite that drives the full happy path + adjacent assertions on
+ * observable state (account exists, audit row emitted, on_bootstrap
+ * callback fired).
+ *
+ * @param options - bootstrap config + factory inputs
+ * @returns a `TestAppForBootstrap` ready for the test to drive bootstrap
+ */
+export const create_test_app_for_bootstrap = async (options) => {
+    const { session_options, bootstrap, bootstrap_token } = options;
+    // Caller-supplied DB may carry lock state from a prior test — reset to false
+    // before `_build_test_backend` runs (which doesn't touch the lock itself).
+    // Fresh pglite already starts at false (factory init).
+    if (options.db) {
+        await options.db.query('UPDATE bootstrap_lock SET bootstrapped = false WHERE bootstrapped = true');
+    }
+    // Token-aware fs stubs: the bootstrap route's filesystem operations resolve
+    // against the configured token_path; everything else returns no-op defaults.
+    let token_file_deleted = false;
+    const fs_stubs = {
+        stat: async (path) => path === bootstrap.token_path && !token_file_deleted
+            ? { is_file: true, is_directory: false }
+            : null,
+        read_text_file: async (path) => path === bootstrap.token_path && !token_file_deleted ? bootstrap_token : '',
+        delete_file: async (path) => {
+            if (path === bootstrap.token_path)
+                token_file_deleted = true;
+        },
+    };
+    const { backend } = await _build_test_backend({ ...options, fs_stubs });
+    // Daemon token state isn't reachable pre-bootstrap (no keeper account)
+    // but the field is required by AppServerOptions; pass a placeholder.
+    const daemon_token_state = {
+        current_token: generate_daemon_token(),
+        previous_token: null,
+        rotated_at: new Date(),
+        keeper_account_id: null,
+    };
+    const result = await create_app_server({
+        backend,
+        session_options,
+        allowed_origins: [/^http:\/\/localhost/],
+        proxy: { trusted_proxies: ['127.0.0.1'], get_connection_ip: () => '127.0.0.1' },
+        env_schema: z.object({}),
+        ip_rate_limiter: null,
+        login_account_rate_limiter: null,
+        signup_account_rate_limiter: null,
+        bearer_ip_rate_limiter: null,
+        await_pending_effects: true,
+        daemon_token_state,
+        rpc_endpoints: options.rpc_endpoints,
+        bootstrap,
+        ...options.app_options,
+        create_route_specs: options.create_route_specs,
+    });
+    const create_request_headers = (extra) => ({
+        host: 'localhost',
+        origin: 'http://localhost:5173',
+        ...extra,
+    });
+    return {
+        app: result.app,
+        backend,
+        surface_spec: result.surface_spec,
+        surface: result.surface_spec.surface,
+        route_specs: result.surface_spec.route_specs,
+        create_request_headers,
+        cleanup: () => backend.close(),
+    };
+};