@fuzdev/fuz_app 0.65.0 → 0.66.0

package/dist/testing/admin_integration.d.ts

@@ -2,9 +2,9 @@ import './assert_dev_env.js';
 import type { SessionOptions } from '../auth/session_cookie.js';
 import { type RoleSchemaResult } from '../auth/role_schema.js';
 import { type RpcEndpointsSuiteOption } from './rpc_helpers.js';
+import type { AppSurfaceSpec } from '../http/surface.js';
 import type { BackendCapabilities } from './cross_backend/capabilities.js';
 import type { SetupTest } from './cross_backend/setup.js';
-import type { SurfaceSource } from './transports/surface_source.js';
 /**
  * Configuration for `describe_standard_admin_integration_tests`.
  */
@@ -16,11 +16,11 @@ export interface StandardAdminIntegrationTestOptions {
      */
     setup_test: SetupTest;
     /**
-     * Source of the app surface for route iteration and error-coverage
-     * scoping. Currently requires `kind: 'inline'` — the cross-process
-     * snapshot variant lands alongside the spawned-backend transport plumbing.
+     * App surface (with route specs + middleware specs) for route iteration
+     * and error-coverage scoping. Constructed in TS by the consumer (same
+     * shape for in-process and cross-process tests).
      */
-    surface_source: SurfaceSource;
+    surface_source: AppSurfaceSpec;
     /** Backend capability declarations. */
     capabilities: BackendCapabilities;
     /** Session config — needed for cookie_name + factory-form rpc_endpoints resolution. */

package/dist/testing/admin_integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin_integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/admin_integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgC7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAA0B,KAAK,gBAAgB,EAAC,MAAM,wBAAwB,CAAC;AAWtF,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAiB1B,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,0BAA0B,CAAC;AACrE,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,gCAAgC,CAAC;AAElE;;GAEG;AACH,MAAM,WAAW,mCAAmC;IACnD;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC;IAC9B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC,uFAAuF;IACvF,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4GAA4G;IAC5G,KAAK,EAAE,gBAAgB,CAAC;IACxB;;;OAGG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAiBD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,mCAAmC,KAC1C,IAqzBF,CAAC"}
+{"version":3,"file":"admin_integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/admin_integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgC7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAa,KAAK,gBAAgB,EAAC,MAAM,wBAAwB,CAAC;AAUzE,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAkB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,0BAA0B,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,mCAAmC;IACnD;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;OAIG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC,uFAAuF;IACvF,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4GAA4G;IAC5G,KAAK,EAAE,gBAAgB,CAAC;IACxB;;;OAGG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAiBD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,mCAAmC,KAC1C,IAi3BF,CAAC"}

package/dist/testing/admin_integration.js

@@ -26,16 +26,15 @@ import './assert_dev_env.js';
  * @module
  */
 import { describe, test, assert, afterAll } from 'vitest';
-import { ROLE_KEEPER, ROLE_ADMIN } from '../auth/role_schema.js';
+import { ROLE_ADMIN } from '../auth/role_schema.js';
 import { GRANT_PATH_ADMIN } from '../auth/grant_path_schema.js';
-import {} from './app_server.js';
-import { create_test_role_grant_direct } from './db_entities.js';
+import { DEFAULT_TEST_PASSWORD } from './app_server.js';
 import { role_grant_offer_and_accept } from './role_grant_helpers.js';
 import { find_auth_route } from './integration_helpers.js';
 import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERROR_COVERAGE, } from './error_coverage.js';
 import { rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 import { role_grant_offer_create_action_spec, role_grant_revoke_action_spec, } from '../auth/role_grant_offer_action_specs.js';
-import { admin_account_list_action_spec, admin_session_list_action_spec, admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, audit_log_list_action_spec, audit_log_role_grant_history_action_spec, } from '../auth/admin_action_specs.js';
+import { admin_account_list_action_spec, ADMIN_ACCOUNT_LIST_LIMIT_MAX, admin_session_list_action_spec, admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, audit_log_list_action_spec, audit_log_role_grant_history_action_spec, } from '../auth/admin_action_specs.js';
 import { account_token_create_action_spec, account_verify_action_spec, } from '../auth/account_action_specs.js';
 /**
  * Pick a role for admin-grant testing, preferring a non-admin app-defined
@@ -65,11 +64,7 @@ const pick_grantable_role = (role_specs) => {
  *   see a clear setup error rather than `method not found` mid-suite.
  */
 export const describe_standard_admin_integration_tests = (options) => {
-    if (options.surface_source.kind !== 'inline') {
-        throw new Error("describe_standard_admin_integration_tests requires surface_source.kind === 'inline' — " +
-            'the cross-process snapshot variant lands with the spawned-backend transport');
-    }
-    const route_specs = options.surface_source.spec.route_specs;
+    const route_specs = options.surface_source.route_specs;
     // Hard-fail early so consumers see a clear setup error instead of a
     // confusing test failure when `rpc_endpoints` is missing.
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
@@ -122,11 +117,19 @@ export const describe_standard_admin_integration_tests = (options) => {
             test('admin can list all accounts', async () => {
                 const fixture = await options.setup_test();
                 const user_two = await fixture.create_account({ username: 'user_two' });
+                // Request the max page size — cross-process the backend persists
+                // accounts across tests (`globalSetup` bootstraps once), so a
+                // long-running suite accumulates well past the default 50 and
+                // `user_two` (newest, `ORDER BY created_at ASC`) falls off the
+                // first page. The MAX (200) carries this suite as written; once
+                // the suite consistently grows past it, swap to an
+                // account-scoped admin RPC (search-by-id, ORDER BY DESC, etc.)
+                // rather than chase the limit upward.
                 const res = await rpc_call_for_spec({
                     app: { request: fixture.transport },
                     path: rpc_path,
                     spec: admin_account_list_action_spec,
-                    params: {},
+                    params: { limit: ADMIN_ACCOUNT_LIST_LIMIT_MAX },
                     headers: fixture.create_session_headers(),
                 });
                 assert.ok(res.ok, `admin_account_list failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
@@ -139,22 +142,47 @@ export const describe_standard_admin_integration_tests = (options) => {
             });
             test('non-admin cannot list accounts', async () => {
                 const fixture = await options.setup_test();
-                // Default keeper has both ROLE_KEEPER + ROLE_ADMIN; mint a fresh
-                // account with only ROLE_KEEPER (no admin) to probe the 403 path.
-                const keeper_only = await fixture.create_account({
-                    username: 'keeper_only',
-                    roles: [ROLE_KEEPER],
-                });
+                // Mint a fresh no-roles account — fresh signups default to no
+                // roles, so the per-test account is non-admin by construction.
+                const non_admin = await fixture.create_account({ username: 'non_admin_user' });
                 const res = await rpc_call_for_spec({
                     app: { request: fixture.transport },
                     path: rpc_path,
                     spec: admin_account_list_action_spec,
                     params: {},
-                    headers: keeper_only.create_session_headers(),
+                    headers: non_admin.create_session_headers(),
                 });
                 assert.ok(!res.ok, 'Expected admin_account_list to fail for non-admin');
                 assert.strictEqual(res.status, 403);
             });
+            // Probe the keeper-vs-admin separation specifically: a keeper-only
+            // account (no admin role) must still 403 on admin RPCs. ROLE_KEEPER
+            // is bootstrap-only-grantable, so the only way to seed this account
+            // is via `extra_accounts` at the test-binary bootstrap-equivalent
+            // step. Consumers that want this probe wire
+            // `extra_accounts: [{username: 'non_admin_keeper', roles: [ROLE_KEEPER]}]`
+            // into their `default_*_suite_options(...)` call; otherwise the
+            // test runtime-skips and the looser no-roles probe above carries
+            // the suite's "non-admin gets 403" assertion alone.
+            test('keeper-only account cannot list accounts (keeper ≠ admin)', async (ctx) => {
+                const fixture = await options.setup_test();
+                const non_admin_keeper = fixture.extra_accounts.non_admin_keeper;
+                if (!non_admin_keeper) {
+                    ctx.skip(`no \`extra_accounts['non_admin_keeper']\` declared on the fixture — wire ` +
+                        `\`extra_accounts: [{username: 'non_admin_keeper', roles: [ROLE_KEEPER]}]\` ` +
+                        `in the consumer's suite options to enable the keeper-vs-admin probe.`);
+                    return;
+                }
+                const res = await rpc_call_for_spec({
+                    app: { request: fixture.transport },
+                    path: rpc_path,
+                    spec: admin_account_list_action_spec,
+                    params: {},
+                    headers: non_admin_keeper.create_session_headers(),
+                });
+                assert.ok(!res.ok, 'Expected admin_account_list to fail for keeper-only account');
+                assert.strictEqual(res.status, 403);
+            });
         });
         // --- 2. Role grant create/revoke lifecycle ---
         // Role grant create/revoke are RPC-only (see `role_grant_offer_create` /
@@ -242,9 +270,14 @@ export const describe_standard_admin_integration_tests = (options) => {
             test('admin can revoke all tokens for another account', async () => {
                 const fixture = await options.setup_test();
                 const user_two = await fixture.create_account({ username: 'user_two' });
-                // Verify user_two's bearer token works via `account_verify` RPC
+                // Verify user_two's bearer token works via `account_verify` RPC.
+                // Fresh transport — admin's session cookie in `fixture.transport`'s
+                // jar would otherwise give a false 200 here, masking whether the
+                // bearer credential is the one being validated. `origin: null` so
+                // the transport doesn't auto-add a default Origin (which would
+                // discard the bearer as browser-context cross-process).
                 const before = await rpc_call_for_spec({
-                    app: { request: fixture.transport },
+                    app: { request: fixture.fresh_transport({ origin: null }) },
                     path: rpc_path,
                     spec: account_verify_action_spec,
                     params: undefined,
@@ -263,9 +296,10 @@ export const describe_standard_admin_integration_tests = (options) => {
                 assert.ok(res.ok, `admin_token_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 assert.strictEqual(res.result.ok, true);
                 assert.ok(res.result.count >= 1, 'Expected at least 1 revoked token');
-                // Verify user_two's bearer token no longer works
+                // Verify user_two's bearer token no longer works — fresh transport
+                // same reason as the `before` call above.
                 const after = await rpc_call_for_spec({
-                    app: { request: fixture.transport },
+                    app: { request: fixture.fresh_transport({ origin: null }) },
                     path: rpc_path,
                     spec: account_verify_action_spec,
                     params: undefined,
@@ -341,19 +375,26 @@ export const describe_standard_admin_integration_tests = (options) => {
         describe('admin audit trail', () => {
             test('role_grant revoke creates audit event', async () => {
                 const fixture = await options.setup_test();
-                assert(fixture.in_process, 'direct role_grant seed requires in-process db');
                 const user_two = await fixture.create_account({ username: 'user_two' });
-                const role_grant = await create_test_role_grant_direct(fixture.backend_internals.deps.db, {
-                    actor_id: user_two.actor.id,
+                // Drive the production consent flow so the role_grant exists
+                // via the same code path real users go through. The
+                // audit_log_list filter below pulls only `role_grant_revoke`
+                // events so the extra `role_grant_offer_create` /
+                // `role_grant_offer_accepted` audits emitted upstream don't
+                // affect the assertion.
+                const { role_grant_id } = await role_grant_offer_and_accept({
+                    app: { request: fixture.transport },
+                    rpc_path,
+                    grantor: fixture,
+                    recipient: user_two,
                     role: grantable_role,
-                    granted_by: fixture.actor.id,
                 });
                 // Revoke via RPC
                 const revoke_res = await rpc_call_for_spec({
                     app: { request: fixture.transport },
                     path: rpc_path,
                     spec: role_grant_revoke_action_spec,
-                    params: { actor_id: user_two.actor.id, role_grant_id: role_grant.id },
+                    params: { actor_id: user_two.actor.id, role_grant_id },
                     headers: fixture.create_session_headers(),
                 });
                 assert.ok(revoke_res.ok, `role_grant_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
@@ -492,24 +533,36 @@ export const describe_standard_admin_integration_tests = (options) => {
                 if (!login_route || !logout_route || !password_route)
                     return;
                 const user_two = await fixture.create_account({ username: 'audit_user' });
-                // 1. login (user_two logs in)
-                const login_res = await fixture.transport(login_route.path, {
+                // 1. login (user_two logs in) — fresh transport because the per-test
+                // session cookie in `fixture.transport`'s jar would otherwise be sent
+                // alongside this unauthenticated login attempt, and the route can
+                // reject the "already-authed" cookie-collision case with 401.
+                // Read the actual username off the returned account — the fresh-DB
+                // contract makes the supplied literal `'audit_user'` survive
+                // unchanged, but reading from `.account.username` is structurally
+                // robust against any future username-mangling at the mint layer.
+                const login_res = await fixture.fresh_transport()(login_route.path, {
                     method: 'POST',
                     headers: {
                         host: 'localhost',
                         origin: 'http://localhost:5173',
                         'content-type': 'application/json',
                     },
-                    body: JSON.stringify({ username: 'audit_user', password: 'test-password-123' }),
+                    body: JSON.stringify({
+                        username: user_two.account.username,
+                        password: DEFAULT_TEST_PASSWORD,
+                    }),
                 });
                 assert.strictEqual(login_res.status, 200);
                 // extract user_two session cookie for logout
                 const set_cookie = login_res.headers.get('set-cookie');
                 const cookie_match = new RegExp(`${cookie_name}=([^;]+)`).exec(set_cookie ?? '');
                 const user_two_cookie = cookie_match?.[1];
-                // 2. logout (user_two logs out)
+                // 2. logout (user_two logs out) — fresh transport with the explicit
+                // user_two cookie, so the per-test session cookie can't interfere with
+                // the logout target.
                 if (user_two_cookie) {
-                    await fixture.transport(logout_route.path, {
+                    await fixture.fresh_transport()(logout_route.path, {
                         method: 'POST',
                         headers: {
                             host: 'localhost',
@@ -552,7 +605,7 @@ export const describe_standard_admin_integration_tests = (options) => {
                         'content-type': 'application/json',
                     }),
                     body: JSON.stringify({
-                        current_password: 'test-password-123',
+                        current_password: DEFAULT_TEST_PASSWORD,
                         new_password: 'new-audit-password-789',
                     }),
                 });
@@ -617,20 +670,23 @@ export const describe_standard_admin_integration_tests = (options) => {
                     username: 'admin_b_iso',
                     roles: ['admin'],
                 });
-                // Seed an active role_grant directly — the revoke IDOR check is the
-                // subject of this test, not the grant→accept cycle.
-                assert(fixture.in_process, 'direct role_grant seed requires in-process db');
-                const role_grant = await create_test_role_grant_direct(fixture.backend_internals.deps.db, {
-                    actor_id: admin_b.actor.id,
+                // Seed an active role_grant for admin B via the production
+                // consent flow. The revoke IDOR check is the subject of this
+                // test; the grant path is precondition setup, exercised
+                // via the same RPCs production drives.
+                const { role_grant_id } = await role_grant_offer_and_accept({
+                    app: { request: fixture.transport },
+                    rpc_path,
+                    grantor: fixture,
+                    recipient: admin_b,
                     role: grantable_role,
-                    granted_by: fixture.actor.id,
                 });
                 // Admin B revokes their own role_grant via RPC — should succeed
                 const revoke_res = await rpc_call_for_spec({
                     app: { request: fixture.transport },
                     path: rpc_path,
                     spec: role_grant_revoke_action_spec,
-                    params: { actor_id: admin_b.actor.id, role_grant_id: role_grant.id },
+                    params: { actor_id: admin_b.actor.id, role_grant_id },
                     headers: create_headers(admin_b.session_cookie),
                 });
                 assert.ok(revoke_res.ok, `role_grant_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);

package/dist/testing/app_server.d.ts

@@ -32,6 +32,21 @@ import type { RpcEndpointsSuiteOption } from './rpc_helpers.js';
 export declare const stub_password_deps: PasswordHashDeps;
 /** 64-hex-char test cookie secret — deterministic, never used in production. */
 export declare const TEST_COOKIE_SECRET: string;
+/**
+ * Default password for bootstrapped test accounts. Shared between the
+ * in-process keeper bootstrap (`bootstrap_test_keeper`,
+ * `create_test_account_with_credentials`, `create_test_app_server`,
+ * `TestApp.create_account`) and the cross-process bootstrap
+ * (`cross_backend/setup.ts`). The two paths MUST agree — when they
+ * diverged during the 3d cross-process lift, ~20 login tests 401'd
+ * silently against the cross-process backend because the per-test
+ * fixture minted accounts under a different default than the
+ * integration suite's hardcoded login bodies expected. Consumers
+ * hardcoding the literal string in test bodies should import this
+ * constant instead so a future divergence becomes a typecheck miss
+ * rather than a runtime password mismatch.
+ */
+export declare const DEFAULT_TEST_PASSWORD = "test-password-123";
 /**
  * Options for `bootstrap_test_keeper` and `create_test_account_with_credentials`.
  *
@@ -135,7 +150,7 @@ export interface TestAppServerOptions {
     password?: PasswordHashDeps;
     /** Username for the bootstrapped account. Default: `'keeper'`. */
     username?: string;
-    /** Password for the bootstrapped account. Default: `'test-password-123'`. */
+    /** Password for the bootstrapped account. Default: `DEFAULT_TEST_PASSWORD`. */
     password_value?: string;
     /** Roles to grant. Default: `[ROLE_KEEPER]`. */
     roles?: Array<string>;

package/dist/testing/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;;;;GAKG;AACH,MAAM,WAAW,uCAAuC;IACvD,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,MAAM,0BAA0B,GAAG,uCAAuC,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,uCAAuC,KAC9C,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,0BAA0B,KACjC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAQA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AA4HD,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA2BvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CACH,gBAAgB,EAChB,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,GAAG,WAAW,CACpF,CACD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAoGpF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,WAAW,gCAAgC;IAChD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,8EAA8E;IAC9E,SAAS,EAAE,oBAAoB,CAAC;IAChC;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,UAAU,CAAC;IACpB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,0EAA0E;IAC1E,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,mBAAmB,CAuE7B,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AASzD;;;;;GAKG;AACH,MAAM,WAAW,uCAAuC;IACvD,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,MAAM,0BAA0B,GAAG,uCAAuC,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,uCAAuC,KAC9C,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,0BAA0B,KACjC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAQA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AA4HD,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA2BvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CACH,gBAAgB,EAChB,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,GAAG,WAAW,CACpF,CACD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAoGpF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,WAAW,gCAAgC;IAChD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,8EAA8E;IAC9E,SAAS,EAAE,oBAAoB,CAAC;IAChC;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,UAAU,CAAC;IACpB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,0EAA0E;IAC1E,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,mBAAmB,CAuE7B,CAAC"}

package/dist/testing/app_server.js

@@ -28,6 +28,21 @@ export const stub_password_deps = {
 };
 /** 64-hex-char test cookie secret — deterministic, never used in production. */
 export const TEST_COOKIE_SECRET = 'a'.repeat(64);
+/**
+ * Default password for bootstrapped test accounts. Shared between the
+ * in-process keeper bootstrap (`bootstrap_test_keeper`,
+ * `create_test_account_with_credentials`, `create_test_app_server`,
+ * `TestApp.create_account`) and the cross-process bootstrap
+ * (`cross_backend/setup.ts`). The two paths MUST agree — when they
+ * diverged during the 3d cross-process lift, ~20 login tests 401'd
+ * silently against the cross-process backend because the per-test
+ * fixture minted accounts under a different default than the
+ * integration suite's hardcoded login bodies expected. Consumers
+ * hardcoding the literal string in test bodies should import this
+ * constant instead so a future divergence becomes a typecheck miss
+ * rather than a runtime password mismatch.
+ */
+export const DEFAULT_TEST_PASSWORD = 'test-password-123';
 // Module-level PGlite factory for create_test_app_server when no db is provided.
 // Shares the WASM instance cache from test_db.ts, avoiding redundant cold starts
 // within the same vitest worker thread. Schema is reset on each create() call.
@@ -48,7 +63,7 @@ const fallback_pglite_factory = create_pglite_factory(async (db) => {
  *   `role_grant` (one per role), `api_token`, and `auth_session`.
  */
 export const create_test_account_with_credentials = async (options) => {
-    const { db, keyring, session_options, password, username = 'keeper', password_value = 'test-password-123', roles = [], } = options;
+    const { db, keyring, session_options, password, username = 'keeper', password_value = DEFAULT_TEST_PASSWORD, roles = [], } = options;
     const deps = { db };
     const password_hash = await password.hash_password(password_value);
     const { account, actor } = await query_create_account_with_actor(deps, {
@@ -166,7 +181,7 @@ const _build_test_backend = async (options) => {
     return { backend, keyring: keyring_result.keyring };
 };
 export const create_test_app_server = async (options) => {
-    const { session_options, password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], } = options;
+    const { session_options, password = stub_password_deps, username = 'keeper', password_value = DEFAULT_TEST_PASSWORD, roles = [ROLE_KEEPER], } = options;
     const { backend, keyring } = await _build_test_backend(options);
     const bootstrapped = await bootstrap_test_keeper({
         db: backend.deps.db,
@@ -253,7 +268,7 @@ export const create_test_app = async (options) => {
             session_options: options.session_options,
             password,
             username: account_options?.username ?? `test_user_${account_counter}`,
-            password_value: account_options?.password_value ?? 'test-password-123',
+            password_value: account_options?.password_value ?? DEFAULT_TEST_PASSWORD,
             roles: account_options?.roles ?? [],
         });
         return {

package/dist/testing/audit_completeness.d.ts

@@ -1,9 +1,9 @@
 import './assert_dev_env.js';
 import type { SessionOptions } from '../auth/session_cookie.js';
 import { type RpcEndpointsSuiteOption } from './rpc_helpers.js';
+import type { AppSurfaceSpec } from '../http/surface.js';
 import type { BackendCapabilities } from './cross_backend/capabilities.js';
 import type { SetupTest } from './cross_backend/setup.js';
-import type { SurfaceSource } from './transports/surface_source.js';
 /**
  * Configuration for `describe_audit_completeness_tests`.
  */
@@ -16,11 +16,13 @@ export interface AuditCompletenessTestOptions {
      */
     setup_test: SetupTest;
     /**
-     * Source of the app surface. Currently requires `kind: 'inline'` —
-     * the cross-process snapshot variant lands alongside the spawned-backend
-     * transport plumbing.
+     * App surface (with route specs). Constructed in TS by the consumer;
+     * same shape for in-process and cross-process tests. The audit suite is
+     * Tier 2 today (stays in-process per the cross-backend-integration
+     * design), but takes the same surface shape as Tier 1 suites for
+     * options uniformity.
      */
-    surface_source: SurfaceSource;
+    surface_source: AppSurfaceSpec;
     /** Backend capability declarations. */
     capabilities: BackendCapabilities;
     /** Session config — needed for factory-form rpc_endpoints resolution. */

package/dist/testing/audit_completeness.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA4B7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAS9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAwB1B,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,0BAA0B,CAAC;AACrE,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,gCAAgC,CAAC;AAElE;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC;IAC9B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC,yEAAyE;IACzE,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;OAGG;IACH,aAAa,EAAE,uBAAuB,CAAC;CACvC;AA8FD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IA6hBzF,CAAC"}
+{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA4B7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAS9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAwB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,0BAA0B,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC,yEAAyE;IACzE,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;OAGG;IACH,aAAa,EAAE,uBAAuB,CAAC;CACvC;AA8FD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAuhBzF,CAAC"}

package/dist/testing/audit_completeness.js

@@ -25,7 +25,7 @@ import './assert_dev_env.js';
 import { describe, test, assert } from 'vitest';
 import { ROLE_ADMIN } from '../auth/role_schema.js';
 import { AUDIT_EVENT_TYPES, } from '../auth/audit_log_schema.js';
-import {} from './app_server.js';
+import { DEFAULT_TEST_PASSWORD } from './app_server.js';
 import { find_auth_route } from './integration_helpers.js';
 import { rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 import { role_grant_offer_and_accept } from './role_grant_helpers.js';
@@ -106,11 +106,7 @@ const json_session_headers = (fixture, extra) => fixture.create_session_headers(
  *   `require_rpc_endpoint_path`.
  */
 export const describe_audit_completeness_tests = (options) => {
-    if (options.surface_source.kind !== 'inline') {
-        throw new Error("describe_audit_completeness_tests requires surface_source.kind === 'inline' — " +
-            'the cross-process snapshot variant lands with the spawned-backend transport');
-    }
-    const route_specs = options.surface_source.spec.route_specs;
+    const route_specs = options.surface_source.route_specs;
     // Hard-fail early so consumers see a clear setup error instead of a
     // confusing test failure when `rpc_endpoints` is missing.
     const rpc_endpoints_for_setup = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
@@ -129,7 +125,7 @@ export const describe_audit_completeness_tests = (options) => {
                     headers: UNAUTHENTICATED_JSON_HEADERS,
                     body: JSON.stringify({
                         username: fixture.account.username,
-                        password: 'test-password-123',
+                        password: DEFAULT_TEST_PASSWORD,
                     }),
                 });
                 assert.strictEqual(res.status, 200);
@@ -218,7 +214,7 @@ export const describe_audit_completeness_tests = (options) => {
                     headers: UNAUTHENTICATED_JSON_HEADERS,
                     body: JSON.stringify({
                         username: fixture.account.username,
-                        password: 'test-password-123',
+                        password: DEFAULT_TEST_PASSWORD,
                     }),
                 });
                 // get session IDs (newest first — `account_session_list` orders DESC
@@ -271,7 +267,7 @@ export const describe_audit_completeness_tests = (options) => {
                     method: 'POST',
                     headers: json_session_headers(fixture),
                     body: JSON.stringify({
-                        current_password: 'test-password-123',
+                        current_password: DEFAULT_TEST_PASSWORD,
                         new_password: 'new-password-456',
                     }),
                 });

package/dist/testing/bootstrap_success.js

@@ -7,8 +7,8 @@ import './assert_dev_env.js';
  * observable state — account exists, `bootstrap_lock.bootstrapped` is
  * true, audit row emitted, response body shape — rather than
  * `on_bootstrap` callback invocation, so the suite stays cross-impl
- * friendly when Phase 3 cross-process testing wires it against a
- * spawned Rust backend.
+ * friendly when cross-process testing wires it against a spawned
+ * Rust backend.
  *
  * Folded into `describe_standard_tests` with a `bootstrap.mode === 'live'`
  * silent-skip gate; consumers wiring live bootstrap pick up success-path

package/dist/testing/cross_backend/backend_config.d.ts

@@ -0,0 +1,113 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-process backend configuration.
+ *
+ * `BackendConfig` describes a spawnable test binary — argv, mount paths,
+ * env vars, bootstrap credentials, daemon-token discovery path, declared
+ * capabilities. Consumer projects ship per-backend factories
+ * (`deno_backend_config()`, `rust_backend_config()`,
+ * `spine_stub_backend_config()`) that produce this shape; `spawn_backend`
+ * consumes it.
+ *
+ * fuz_app ships `spine_stub_backend_config()` as a convenience preset
+ * (operational dep on `testing_spine_stub` — path-based discovery, no
+ * `package.json` coupling to the stub's source package). Otherwise backend-specific
+ * knowledge (binary paths, port choices, env vars) is a consumer
+ * concern; fuz_app's testing library knows nothing about Deno, Cargo, or
+ * any specific runtime beyond that preset.
+ *
+ * @module
+ */
+import type { BackendCapabilities } from './capabilities.js';
+/**
+ * Auth-bootstrap configuration for a spawnable test binary. The runner
+ * writes `token` to `token_path` before launching the child, then POSTs
+ * `bootstrap_path` (default `/api/account/bootstrap`) with the token plus
+ * the `username` / `password` to mint the keeper account and capture the
+ * session cookie. After health-probe, the runner reads
+ * `daemon_token_path` to load the binary's deterministic daemon token,
+ * which `default_cross_process_setup` threads onto the per-test
+ * `TestFixture` for `_testing_reset` calls and other keeper-credential
+ * operations.
+ */
+export interface BackendBootstrapConfig {
+    /** Path the binary reads for the bootstrap token (env: `*_BOOTSTRAP_TOKEN_PATH`). */
+    readonly token_path: string;
+    /** Token text written to `token_path` before spawn. */
+    readonly token: string;
+    /** Username for the bootstrapped keeper. */
+    readonly username: string;
+    /** Password for the bootstrapped keeper. */
+    readonly password: string;
+    /**
+     * Path the test binary writes its daemon-token JSON to on boot
+     * (env: `*_DAEMON_TOKEN_PATH`). `spawn_backend` reads this file once
+     * after the health probe succeeds and threads the token onto
+     * `BackendHandle.daemon_token` for `_testing_reset` calls plus any
+     * other admin/keeper-gated cross-process tests.
+     */
+    readonly daemon_token_path: string;
+}
+/**
+ * Configuration for one spawnable test backend. Consumer factories
+ * (`deno_backend_config()`, `rust_backend_config()`) produce these and
+ * the runner consumes them through `spawn_backend`.
+ *
+ * Path defaults match the standard fuz_app surface — Deno + Rust spine
+ * (`zzz_server`, `fuz_forge_server`, `testing_spine_stub`) all converge on
+ * `/api/account/{bootstrap,login,logout,password}`,
+ * `/api/rpc`, `/api/ws`, `/health`. Override only when a backend
+ * deliberately diverges (which it shouldn't, per the contract).
+ */
+export interface BackendConfig {
+    /** Diagnostic label (`"deno"`, `"rust"`, `"spine_stub"`). Surfaces in test output. */
+    readonly name: string;
+    /** argv passed to the spawn. The first entry is the binary path. */
+    readonly start_command: ReadonlyArray<string>;
+    /** Base URL for HTTP requests, including port (e.g. `http://localhost:8788`). */
+    readonly base_url: string;
+    /** JSON-RPC endpoint mount point. Default `/api/rpc`. */
+    readonly rpc_path: string;
+    /** WebSocket endpoint mount point. Default `/api/ws`. */
+    readonly ws_path: string;
+    /**
+     * SSE stream mount point — drives the cross-process SSE suite's stream
+     * path. Optional: only backends advertising `capabilities.sse` serve a
+     * stream, and the suite defaults to `/api/admin/audit/stream` (the
+     * standard fuz_app audit-log stream) when omitted. Set it only when a
+     * backend mounts its stream elsewhere.
+     */
+    readonly sse_path?: string;
+    /** Readiness probe path. Default `/health`. */
+    readonly health_path: string;
+    /** Bootstrap POST path. Default `/api/account/bootstrap`. */
+    readonly bootstrap_path: string;
+    /**
+     * Session cookie name the backend issues. Default `fuz_session` per
+     * the ecosystem convergence; consumers using a custom session name
+     * (legacy `zzz_session`, etc.) override. `default_cross_process_setup`
+     * extracts the per-account session value from the transport jar by
+     * this name so the cross-process `TestAccount.session_cookie` matches
+     * the in-process shape.
+     */
+    readonly cookie_name: string;
+    /** How long to wait for the health probe (ms) before giving up. */
+    readonly startup_timeout_ms: number;
+    /**
+     * Env vars merged into the child process. Must include the binary's
+     * `*_BOOTSTRAP_TOKEN_PATH` + `*_DAEMON_TOKEN_PATH` env var names so
+     * the binary reads/writes the right files. Also must include the
+     * binary's `*_ALLOWED_ORIGINS` (typically
+     * `'http://localhost:*'` for cross-process tests).
+     */
+    readonly env: Readonly<Record<string, string>>;
+    /** Auth bootstrap details — see `BackendBootstrapConfig`. */
+    readonly bootstrap: BackendBootstrapConfig;
+    /**
+     * Capabilities this backend supports — drives `test_if(capabilities.X, ...)`
+     * gating in suite bodies. See `capabilities.ts` for the vocabulary and
+     * existing flags. Cross-process backends set `in_process_only: false`.
+     */
+    readonly capabilities: BackendCapabilities;
+}
+//# sourceMappingURL=backend_config.d.ts.map

package/dist/testing/cross_backend/backend_config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"backend_config.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/backend_config.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAE3D;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACtC,qFAAqF;IACrF,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,uDAAuD;IACvD,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,4CAA4C;IAC5C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,4CAA4C;IAC5C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;;;;;;OAMG;IACH,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;CACnC;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,aAAa;IAC7B,sFAAsF;IACtF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,oEAAoE;IACpE,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,iFAAiF;IACjF,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,yDAAyD;IACzD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,yDAAyD;IACzD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,+CAA+C;IAC/C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,6DAA6D;IAC7D,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC;;;;;;;OAOG;IACH,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,mEAAmE;IACnE,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC;;;;;;OAMG;IACH,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/C,6DAA6D;IAC7D,QAAQ,CAAC,SAAS,EAAE,sBAAsB,CAAC;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;CAC3C"}

package/dist/testing/cross_backend/backend_config.js

@@ -0,0 +1 @@
+import '../assert_dev_env.js';