@fuzdev/fuz_app 0.64.0 → 0.66.0

package/dist/testing/audit_completeness.js

@@ -3,8 +3,18 @@ import './assert_dev_env.js';
  * Composable audit log completeness test suite.
  *
  * Verifies that every auth mutation route produces the expected audit log
- * event. Uses the real middleware stack and database — audit events are
- * verified by querying the `audit_log` table after each request.
+ * event. Uses the real middleware stack and database, then **reads back
+ * through the `audit_log_list` RPC** — the production observation path the
+ * admin UI consumes. This is intentional end-to-end coverage: emit →
+ * persist → query → wire response, all in one round-trip.
+ *
+ * The trade is a deliberate transport coupling: a regression in
+ * `audit_log_list_action_spec`'s auth or response shape can surface here as
+ * a secondary failure. `describe_rpc_round_trip_tests` covers that RPC
+ * directly, so primary breakages localize there first. For *unit-level*
+ * "did the handler emit?" assertions without the persistence path, use
+ * `create_recording_audit_emitter` from `audit_drift_guard.ts` — that
+ * captures emits before they hit DB or transport.
  *
  * Bootstrap is excluded because it requires filesystem token state that
  * `create_test_app` does not provide. Bootstrap audit logging is tested
@@ -13,21 +23,48 @@ import './assert_dev_env.js';
  * @module
  */
 import { describe, test, assert } from 'vitest';
-import { ROLE_KEEPER, ROLE_ADMIN } from '../auth/role_schema.js';
-import { AUDIT_EVENT_TYPES } from '../auth/audit_log_schema.js';
-import { auth_migration_ns } from '../auth/migrations.js';
-import { create_test_app, } from './app_server.js';
-import { create_pglite_factory, create_describe_db, auth_integration_truncate_tables, } from './db.js';
+import { ROLE_ADMIN } from '../auth/role_schema.js';
+import { AUDIT_EVENT_TYPES, } from '../auth/audit_log_schema.js';
+import { DEFAULT_TEST_PASSWORD } from './app_server.js';
 import { find_auth_route } from './integration_helpers.js';
-import { run_migrations } from '../db/migrate.js';
-import { query_accept_offer } from '../auth/role_grant_offer_queries.js';
 import { rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
-import { role_grant_offer_create_action_spec, role_grant_revoke_action_spec, } from '../auth/role_grant_offer_action_specs.js';
-import { admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, app_settings_update_action_spec, invite_create_action_spec, invite_delete_action_spec, } from '../auth/admin_action_specs.js';
+import { role_grant_offer_and_accept } from './role_grant_helpers.js';
+import { role_grant_offer_accept_action_spec, role_grant_offer_create_action_spec, role_grant_revoke_action_spec, } from '../auth/role_grant_offer_action_specs.js';
+import { admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, app_settings_update_action_spec, audit_log_list_action_spec, AUDIT_LOG_LIST_LIMIT_MAX, invite_create_action_spec, invite_delete_action_spec, } from '../auth/admin_action_specs.js';
 import { account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
-/** Query audit log events from the database. */
-const query_audit_events = async (db) => {
-    return db.query('SELECT event_type, seq, metadata FROM audit_log ORDER BY seq');
+/**
+ * Mint a dedicated admin account whose sole job is to read the audit log
+ * via RPC. Decoupling the *observer* from the *subject* keeps the helper
+ * shape uniform across every audit-touching test — even ones whose
+ * mutation revokes the bootstrapped admin's credentials (logout,
+ * session_revoke, password_change). The observer has no role-grants the
+ * test exercises and no credentials the test mutates, so it survives
+ * every flow.
+ */
+const create_admin_observer = (fixture) => fixture.create_account({ username: 'audit_observer', roles: [ROLE_ADMIN] });
+/**
+ * List audit log events via the `audit_log_list` RPC. Replaces the previous
+ * raw `SELECT FROM audit_log` query — the RPC is the documented contract and
+ * the same path the admin UI consumes. The RPC orders newest-first
+ * (`ORDER BY seq DESC`); assertions use `.some()` / `.find()` so ordering is
+ * invisible to test logic. Default `limit: AUDIT_LOG_LIST_LIMIT_MAX` (200)
+ * future-proofs against tests with more emissions; per-test
+ * `auth_integration_truncate_tables` keeps the table empty between cases.
+ *
+ * `observer` is a dedicated admin account (see {@link create_admin_observer})
+ * — its credentials are never the subject of the mutation under test, so the
+ * read works uniformly across every flow including session-revoking ones.
+ */
+const list_audit_events = async (app, rpc_path, observer, params = {}) => {
+    const res = await rpc_call_for_spec({
+        app,
+        path: rpc_path,
+        spec: audit_log_list_action_spec,
+        params: { limit: AUDIT_LOG_LIST_LIMIT_MAX, ...params },
+        headers: observer.create_session_headers(),
+    });
+    assert.ok(res.ok, `audit_log_list failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+    return res.result.events;
 };
 /** Assert that audit events contain the expected event type. */
 const assert_has_event = (events, expected, context) => {
@@ -44,15 +81,6 @@ const assert_event_credential_type = (events, expected, credential_type, context
     const recorded = (match.metadata ?? {}).credential_type;
     assert.strictEqual(recorded, credential_type, `Expected '${expected}' audit metadata.credential_type === '${credential_type}' after ${context} (got ${JSON.stringify(recorded)})`);
 };
-/** Build CreateTestAppOptions with admin+keeper roles. */
-const build_options = (options, db) => ({
-    session_options: options.session_options,
-    create_route_specs: options.create_route_specs,
-    db,
-    roles: [ROLE_KEEPER, ROLE_ADMIN],
-    rpc_endpoints: options.rpc_endpoints,
-    app_options: options.app_options,
-});
 /** Headers for unauthenticated JSON requests (login, signup). */
 const UNAUTHENTICATED_JSON_HEADERS = {
     host: 'localhost',
@@ -60,7 +88,7 @@ const UNAUTHENTICATED_JSON_HEADERS = {
     'content-type': 'application/json',
 };
 /** Standard request headers for session-authenticated JSON requests. */
-const json_session_headers = (test_app, extra) => test_app.create_session_headers({
+const json_session_headers = (fixture, extra) => fixture.create_session_headers({
     'content-type': 'application/json',
     ...extra,
 });
@@ -69,7 +97,8 @@ const json_session_headers = (test_app, extra) => test_app.create_session_header
  *
  * Verifies that every auth mutation route produces the correct audit log
  * event type. Exercises routes via HTTP requests against a real PGlite
- * database, then queries the `audit_log` table to verify events.
+ * database, then reads events back through the `audit_log_list` RPC
+ * (the production observation path the admin UI consumes).
  *
  * @throws Error at setup time when `options.rpc_endpoints` is empty — the
  *   mutation-audit tests drive role_grant flow, session/token revoke-all, and
@@ -77,294 +106,297 @@ const json_session_headers = (test_app, extra) => test_app.create_session_header
  *   `require_rpc_endpoint_path`.
  */
 export const describe_audit_completeness_tests = (options) => {
+    const route_specs = options.surface_source.route_specs;
     // Hard-fail early so consumers see a clear setup error instead of a
-    // confusing test failure when `rpc_endpoints` is missing. Factory-form
-    // callers are resolved with a stub ctx purely to extract the endpoint
-    // path; real handlers run per-test via the top-level `rpc_endpoints` slot on `CreateTestAppOptions`.
+    // confusing test failure when `rpc_endpoints` is missing.
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
     const rpc_path = require_rpc_endpoint_path(rpc_endpoints_for_setup);
-    const init_schema = async (db) => {
-        await run_migrations(db, [auth_migration_ns]);
-    };
-    const factories = options.db_factories ?? [create_pglite_factory(init_schema)];
-    const describe_db = create_describe_db(factories, auth_integration_truncate_tables);
-    describe_db('audit_log_completeness', (get_db) => {
+    void options.capabilities;
+    describe('audit_log_completeness', () => {
         // --- Account routes ---
         describe('account mutation audit events', () => {
             test('login success produces login event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
-                const login_route = find_auth_route(test_app.route_specs, '/login', 'POST');
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const login_route = find_auth_route(route_specs, '/login', 'POST');
                 assert.ok(login_route, 'Expected POST /login route');
-                const res = await test_app.app.request(login_route.path, {
+                const res = await fixture.transport(login_route.path, {
                     method: 'POST',
                     headers: UNAUTHENTICATED_JSON_HEADERS,
                     body: JSON.stringify({
-                        username: test_app.backend.account.username,
-                        password: 'test-password-123',
+                        username: fixture.account.username,
+                        password: DEFAULT_TEST_PASSWORD,
                     }),
                 });
                 assert.strictEqual(res.status, 200);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'login', 'POST /login (success)');
             });
             test('login failure produces login event with failure outcome', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
-                const login_route = find_auth_route(test_app.route_specs, '/login', 'POST');
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const login_route = find_auth_route(route_specs, '/login', 'POST');
                 assert.ok(login_route, 'Expected POST /login route');
-                const res = await test_app.app.request(login_route.path, {
+                const res = await fixture.transport(login_route.path, {
                     method: 'POST',
                     headers: UNAUTHENTICATED_JSON_HEADERS,
                     body: JSON.stringify({
-                        username: test_app.backend.account.username,
+                        username: fixture.account.username,
                         password: 'wrong-password',
                     }),
                 });
                 assert.strictEqual(res.status, 401);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'login', 'POST /login (failure)');
             });
             test('logout produces logout event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
-                const logout_route = find_auth_route(test_app.route_specs, '/logout', 'POST');
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const logout_route = find_auth_route(route_specs, '/logout', 'POST');
                 assert.ok(logout_route, 'Expected POST /logout route');
-                const res = await test_app.app.request(logout_route.path, {
+                const res = await fixture.transport(logout_route.path, {
                     method: 'POST',
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.strictEqual(res.status, 200);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'logout', 'POST /logout');
             });
             test('token create produces token_create event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
                 const res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: account_token_create_action_spec,
                     params: { name: 'audit-test' },
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(res.ok, `account_token_create failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'token_create', 'account_token_create RPC');
                 assert_event_credential_type(events, 'token_create', 'session', 'account_token_create RPC');
             });
             test('token revoke produces token_revoke event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
                 // get a token ID to revoke
                 const list_res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: account_token_list_action_spec,
                     params: undefined,
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(list_res.ok, 'account_token_list should succeed');
                 const { tokens } = list_res.result;
                 assert.ok(tokens.length > 0, 'Expected at least one token');
                 const res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: account_token_revoke_action_spec,
                     params: { token_id: tokens[0].id },
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(res.ok, `account_token_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'token_revoke', 'account_token_revoke RPC');
                 assert_event_credential_type(events, 'token_revoke', 'session', 'account_token_revoke RPC');
             });
             test('session revoke produces session_revoke event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
                 // login to create a second session we can revoke
-                const login_route = find_auth_route(test_app.route_specs, '/login', 'POST');
+                const login_route = find_auth_route(route_specs, '/login', 'POST');
                 assert.ok(login_route, 'Expected POST /login route');
-                await test_app.app.request(login_route.path, {
+                await fixture.transport(login_route.path, {
                     method: 'POST',
                     headers: UNAUTHENTICATED_JSON_HEADERS,
                     body: JSON.stringify({
-                        username: test_app.backend.account.username,
-                        password: 'test-password-123',
+                        username: fixture.account.username,
+                        password: DEFAULT_TEST_PASSWORD,
                     }),
                 });
-                // get session IDs (newest first)
+                // get session IDs (newest first — `account_session_list` orders DESC
+                // by `created_at`, so [0] is the just-logged-in session and [1] is
+                // the bootstrap session driving the RPC call).
                 const list_res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: account_session_list_action_spec,
                     params: undefined,
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(list_res.ok, 'account_session_list should succeed');
                 const { sessions } = list_res.result;
                 assert.ok(sessions.length >= 2, 'Expected at least 2 sessions');
-                // revoke the second session (not the one used for auth)
+                // revoke the newest session — not the bootstrap one driving auth.
                 const res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: account_session_revoke_action_spec,
-                    params: { session_id: sessions[1].id },
-                    headers: test_app.create_session_headers(),
+                    params: { session_id: sessions[0].id },
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(res.ok, `account_session_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'session_revoke', 'account_session_revoke RPC');
                 assert_event_credential_type(events, 'session_revoke', 'session', 'account_session_revoke RPC');
             });
             test('session revoke-all produces session_revoke_all event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
                 const res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: account_session_revoke_all_action_spec,
                     params: undefined,
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(res.ok, `account_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'session_revoke_all', 'account_session_revoke_all RPC');
                 assert_event_credential_type(events, 'session_revoke_all', 'session', 'account_session_revoke_all RPC');
             });
             test('password change produces password_change event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
-                const route = find_auth_route(test_app.route_specs, '/password', 'POST');
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const route = find_auth_route(route_specs, '/password', 'POST');
                 assert.ok(route, 'Expected POST /password route');
-                const res = await test_app.app.request(route.path, {
+                const res = await fixture.transport(route.path, {
                     method: 'POST',
-                    headers: json_session_headers(test_app),
+                    headers: json_session_headers(fixture),
                     body: JSON.stringify({
-                        current_password: 'test-password-123',
+                        current_password: DEFAULT_TEST_PASSWORD,
                         new_password: 'new-password-456',
                     }),
                 });
                 assert.strictEqual(res.status, 200);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'password_change', 'POST /password');
                 assert_event_credential_type(events, 'password_change', 'session', 'POST /password');
             });
         });
         // --- Admin routes ---
         describe('admin mutation audit events', () => {
-            test('admin offer (RPC) + accept produces role_grant_offer_create and role_grant_create events', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
-                const target = await test_app.create_account({ username: 'audit_target' });
+            test('admin offer (RPC) + accept (RPC) produces role_grant_offer_create, role_grant_offer_accept, and role_grant_create events', async () => {
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const target = await fixture.create_account({ username: 'audit_target' });
                 const offer_res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: role_grant_offer_create_action_spec,
                     params: { to_account_id: target.account.id, role: ROLE_ADMIN },
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(offer_res.ok, `role_grant_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
                 const { offer } = offer_res.result;
                 // Admin offer emits `role_grant_offer_create` only — the role_grant doesn't
-                // exist yet. Drive the accept to confirm `role_grant_create` fires on the
-                // downstream consent transition.
-                const events_after_offer = await query_audit_events(test_app.backend.deps.db);
+                // exist yet. Drive the accept to confirm `role_grant_offer_accept` and
+                // `role_grant_create` both fire on the downstream consent transition.
+                const events_after_offer = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events_after_offer, 'role_grant_offer_create', 'role_grant_offer_create RPC');
-                await get_db().transaction(async (tx) => {
-                    await query_accept_offer({ db: tx }, {
-                        offer_id: offer.id,
-                        to_account_id: target.account.id,
-                        actor_id: target.actor.id,
-                        ip: null,
-                    });
+                const accept_res = await rpc_call_for_spec({
+                    app: { request: fixture.transport },
+                    path: rpc_path,
+                    spec: role_grant_offer_accept_action_spec,
+                    params: { offer_id: offer.id },
+                    headers: target.create_session_headers(),
                 });
-                const events_after_accept = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events_after_accept, 'role_grant_create', 'offer accept');
+                assert.ok(accept_res.ok, `role_grant_offer_accept failed: ${accept_res.ok ? '' : JSON.stringify(accept_res.error)}`);
+                const events_after_accept = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
+                assert_has_event(events_after_accept, 'role_grant_offer_accept', 'offer accept RPC');
+                assert_has_event(events_after_accept, 'role_grant_create', 'offer accept RPC');
             });
             test('role_grant revoke (RPC) produces role_grant_revoke event with both target columns', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
-                const target = await test_app.create_account({ username: 'audit_revoke_target' });
-                // Offer + accept to materialize a role_grant we can revoke.
-                const offer_res = await rpc_call_for_spec({
-                    app: test_app.app,
-                    path: rpc_path,
-                    spec: role_grant_offer_create_action_spec,
-                    params: { to_account_id: target.account.id, role: ROLE_ADMIN },
-                    headers: test_app.create_session_headers(),
-                });
-                assert.ok(offer_res.ok, `role_grant_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
-                const { offer } = offer_res.result;
-                const accept_result = await get_db().transaction(async (tx) => {
-                    return query_accept_offer({ db: tx }, {
-                        offer_id: offer.id,
-                        to_account_id: target.account.id,
-                        actor_id: target.actor.id,
-                        ip: null,
-                    });
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const target = await fixture.create_account({ username: 'audit_revoke_target' });
+                // Offer + accept to materialize a role_grant we can revoke. The
+                // consent path itself is covered by the `offer + accept` test above;
+                // here we only need the role_grant to exist.
+                const { role_grant_id } = await role_grant_offer_and_accept({
+                    app: { request: fixture.transport },
+                    rpc_path,
+                    grantor: fixture,
+                    recipient: target,
+                    role: ROLE_ADMIN,
                 });
                 // Revoke via RPC.
                 const revoke_res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: role_grant_revoke_action_spec,
-                    params: { actor_id: target.actor.id, role_grant_id: accept_result.role_grant.id },
-                    headers: test_app.create_session_headers(),
+                    params: { actor_id: target.actor.id, role_grant_id },
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(revoke_res.ok, `role_grant_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'role_grant_revoke', 'role_grant_revoke RPC');
                 // Audit envelope must populate both target columns —
                 // `role_grant_revoke` is the canonical actor-bound-subject event.
-                const revoke_rows = await test_app.backend.deps.db.query(`SELECT target_account_id, target_actor_id FROM audit_log
-					 WHERE event_type = 'role_grant_revoke' ORDER BY seq DESC LIMIT 1`);
-                const row = revoke_rows[0];
-                assert.strictEqual(row.target_account_id, target.account.id);
-                assert.strictEqual(row.target_actor_id, target.actor.id);
+                // RPC orders newest-first, so `.find` picks up the just-emitted row.
+                const revoke = events.find((e) => e.event_type === 'role_grant_revoke');
+                assert.ok(revoke, 'Expected role_grant_revoke audit event');
+                assert.strictEqual(revoke.target_account_id, target.account.id);
+                assert.strictEqual(revoke.target_actor_id, target.actor.id);
             });
             test('admin session revoke-all produces session_revoke_all event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
-                const target = await test_app.create_account({ username: 'audit_sessions_target' });
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const target = await fixture.create_account({ username: 'audit_sessions_target' });
                 const res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: admin_session_revoke_all_action_spec,
                     params: { account_id: target.account.id },
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(res.ok, `admin_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 // admin session revoke-all also produces session_revoke_all
                 assert_has_event(events, 'session_revoke_all', 'admin_session_revoke_all RPC');
             });
             test('admin token revoke-all produces token_revoke_all event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
-                const target = await test_app.create_account({ username: 'audit_tokens_target' });
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const target = await fixture.create_account({ username: 'audit_tokens_target' });
                 const res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: admin_token_revoke_all_action_spec,
                     params: { account_id: target.account.id },
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(res.ok, `admin_token_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'token_revoke_all', 'admin_token_revoke_all RPC');
             });
         });
         // --- Invite RPC actions ---
         describe('invite mutation audit events', () => {
             test('invite create and delete produce audit events', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
                 const create_res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: invite_create_action_spec,
                     params: { username: 'invited_user' },
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(create_res.ok, `invite_create failed: ${create_res.ok ? '' : JSON.stringify(create_res.error)}`);
                 const { invite } = create_res.result;
                 const delete_res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: invite_delete_action_spec,
                     params: { invite_id: invite.id },
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(delete_res.ok, `invite_delete failed: ${delete_res.ok ? '' : JSON.stringify(delete_res.error)}`);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'invite_create', 'invite_create RPC');
                 assert_has_event(events, 'invite_delete', 'invite_delete RPC');
             });
@@ -372,36 +404,42 @@ export const describe_audit_completeness_tests = (options) => {
         // --- App settings RPC action ---
         describe('app settings mutation audit events', () => {
             test('settings update produces app_settings_update event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
                 const res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: app_settings_update_action_spec,
                     params: { open_signup: true },
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(res.ok, `app_settings_update failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'app_settings_update', 'app_settings_update RPC');
             });
         });
         // --- Signup route ---
         describe('signup audit events', () => {
             test('signup produces signup event', async () => {
-                const test_app = await create_test_app(build_options(options, get_db()));
+                const fixture = await options.setup_test();
+                // signup is optional — consumers that don't wire `POST /signup` (e.g.
+                // admin-only apps) skip this audit check; signup completeness for
+                // surfaces that DO wire it is still asserted by COVERED_EVENT_TYPES
+                // below. Mirrors `integration.ts`'s signup-block presence-gate.
+                const signup_route = find_auth_route(route_specs, '/signup', 'POST');
+                if (!signup_route)
+                    return;
+                const observer = await create_admin_observer(fixture);
                 // enable open signup via RPC
                 const settings_res = await rpc_call_for_spec({
-                    app: test_app.app,
+                    app: { request: fixture.transport },
                     path: rpc_path,
                     spec: app_settings_update_action_spec,
                     params: { open_signup: true },
-                    headers: test_app.create_session_headers(),
+                    headers: fixture.create_session_headers(),
                 });
                 assert.ok(settings_res.ok, `app_settings_update failed: ${settings_res.ok ? '' : JSON.stringify(settings_res.error)}`);
-                // signup
-                const signup_route = find_auth_route(test_app.route_specs, '/signup', 'POST');
-                assert.ok(signup_route, 'Expected POST /signup route');
-                const res = await test_app.app.request(signup_route.path, {
+                const res = await fixture.transport(signup_route.path, {
                     method: 'POST',
                     headers: UNAUTHENTICATED_JSON_HEADERS,
                     body: JSON.stringify({
@@ -410,7 +448,7 @@ export const describe_audit_completeness_tests = (options) => {
                     }),
                 });
                 assert.strictEqual(res.status, 200);
-                const events = await query_audit_events(test_app.backend.deps.db);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
                 assert_has_event(events, 'signup', 'POST /signup');
             });
         });
@@ -431,6 +469,7 @@ export const describe_audit_completeness_tests = (options) => {
                 'token_revoke',
                 'token_revoke_all',
                 'role_grant_offer_create',
+                'role_grant_offer_accept',
                 'role_grant_create',
                 'role_grant_revoke',
                 'invite_create',
@@ -440,8 +479,9 @@ export const describe_audit_completeness_tests = (options) => {
             /** Event types excluded with justification. */
             const EXCLUDED_EVENT_TYPES = new Set([
                 'bootstrap', // requires filesystem token — tested in bootstrap_account.db.test.ts
-                // The remaining `role_grant_offer_*` events fire only via the RPC
-                // endpoint or via downstream effects of `role_grant_revoke`. Direct
+                // The remaining `role_grant_offer_*` events fire only via terminal
+                // transitions (decline, retract) or downstream effects (supersede on
+                // accept of a sibling, or as a fan-out of `role_grant_revoke`). Direct
                 // coverage lives in `role_grant_offer_queries.db.test.ts`,
                 // `role_grant_offer_actions.db.test.ts`,
                 // `role_grant_offer_actions.notifications.db.test.ts`, and
@@ -449,7 +489,6 @@ export const describe_audit_completeness_tests = (options) => {
                 // `role_grant_offer_expire` fires from the cleanup sweep
                 // (`cleanup_expired_role_grant_offers` in `auth/cleanup.ts`) —
                 // covered in `cleanup.db.test.ts`.
-                'role_grant_offer_accept',
                 'role_grant_offer_decline',
                 'role_grant_offer_retract',
                 'role_grant_offer_expire',