@fuzdev/fuz_app 0.67.1 → 0.69.0

package/dist/testing/CLAUDE.md

@@ -149,7 +149,7 @@ Key module-scope values:
 
 - `stub_password_deps` — `PasswordHashDeps` hashing via `stub_hash_${password}` and verifying by equality. Deterministic, no Argon2 cost — use for every test not specifically exercising password hashing.
 - `TEST_COOKIE_SECRET` — 64-hex-char deterministic cookie secret. Produces a valid `Keyring` via `create_validated_keyring`. Never used in production — the stub guard plus fixed value is the contract.
-- `fallback_pglite_factory` — module-level PGlite factory `create_test_app_server` uses when no `db` is passed. Reuses the WASM cache via `create_pglite_factory`.
+- `fallback_pglite_factory` — module-level auth-only PGlite factory `create_test_app_server` uses when no `db` is passed. Reuses the WASM cache via `create_pglite_factory`. When `migration_namespaces` is supplied, a memoized sibling factory (keyed by namespace set) migrating `[auth_migration_ns, ...migration_namespaces]` is used instead — same shared WASM, extra tables.
 
 Two helpers share the "insert account + actor + roles + API token + session +
 cookie" flow, split by intent:
@@ -167,7 +167,7 @@ pre-keeper, lock unflipped), use `create_test_app_for_bootstrap` — pair with
 Types:
 
 - `TestAppServer extends AppBackend` — adds `account`, `actor`, `api_token`, `session_cookie`, `keyring`, `cleanup()`.
-- `TestAppServerOptions` — `session_options` (required), optional `db`, `db_type`, `password`, `username`, `password_value`, `roles`, `audit_factory`. The optional `audit_factory` defaults to `default_audit_factory` (no-listener `create_audit_emitter` over the test backend's `{db, log}`); pass a custom factory to compose `on_audit_event` / `audit_log_config`, wrap with `emit_decorator` (via `create_emit_ordering_audit_factory`), or otherwise replace the emitter. Mirrors `CreateAppBackendOptions` end-to-end — the previous `on_audit_event` / `audit_log_config` sugar was removed alongside the production rename.
+- `TestAppServerOptions` — `session_options` (required), optional `db`, `db_type`, `migration_namespaces`, `password`, `username`, `password_value`, `roles`, `audit_factory`. `migration_namespaces` runs extra namespaces after auth in the auto-created PGlite (mirrors `create_app_backend`); mutually exclusive with `db` (caller-migrated) — passing both throws. The optional `audit_factory` defaults to `default_audit_factory` (no-listener `create_audit_emitter` over the test backend's `{db, log}`); pass a custom factory to compose `on_audit_event` / `audit_log_config`, wrap with `emit_decorator` (via `create_emit_ordering_audit_factory`), or otherwise replace the emitter. Mirrors `CreateAppBackendOptions` end-to-end — the previous `on_audit_event` / `audit_log_config` sugar was removed alongside the production rename.
 - `CreateTestAppOptions extends TestAppServerOptions` — adds `create_route_specs` (required), `rpc_endpoints?: RpcEndpointsSuiteOption` (top-level only — single source of truth, symmetric with the suite-level option), `bootstrap?: BootstrapServerOptions` (top-level only — same precedent as `rpc_endpoints`), and `app_options?: SuiteAppOptions` (`Partial<AppServerOptions>` excluding the five fields the helper manages: `backend`, `session_options`, `create_route_specs`, `rpc_endpoints`, `bootstrap`).
 - `TestAccount` — `{account, actor, session_cookie, api_token, create_session_headers, create_bearer_headers}`.
 - `TestApp` — `{app, backend, surface_spec, surface, route_specs, create_session_headers, create_bearer_headers, create_daemon_token_headers, create_account, cleanup}`.
@@ -799,7 +799,11 @@ source of truth for wire-shape conformance.
 
 - `testing/cross_backend/setup.ts` — `SetupTest` / `TestFixture` /
   `TestAccountFixture` / `CreateTestAccountOptions` types,
-  `default_in_process_setup(options)` (wraps `create_test_app`), and
+  `default_in_process_setup(options)` (wraps `create_test_app`; pass
+  `migration_namespaces` for suites needing tables beyond the auth-only
+  default — the cell parity suite passes `[CELL_MIGRATION_NS]`, and
+  `create_test_app` provisions a per-test fresh db migrating
+  `[auth_migration_ns, ...migration_namespaces]`), and
   `default_in_process_suite_options(options)` (emits the full Tier 1 suite
   options bag: the `{setup_test, surface_source, capabilities}` triple plus
   `session_options` / `create_route_specs` / `rpc_endpoints` pass-through;
@@ -842,8 +846,16 @@ source of truth for wire-shape conformance.
 
 - `testing/cross_backend/capabilities.ts` — `BackendCapabilities` vocabulary
   (`bearer_auth` / `trusted_proxy` / `login_rate_limit` / `ws` / `sse` /
-  `in_process_only`), `test_if(cond, name, fn)` for capability-gated cases,
-  and `in_process_capabilities` preset.
+  `cell_crud` / `cell_relations` / `account_lifecycle`),
+  `test_if(cond, name, fn)`
+  for capability-gated cases, and `in_process_capabilities` preset. `cell_crud`
+  gates the CRUD parity suite, `cell_relations` the relation / ACL / audit
+  parity suite — both `true` on every backend that live-mounts the full cell
+  surface (TS spine binary, in-process app, Rust stub). A backend mounting only
+  plain CRUD would declare `cell_crud: true, cell_relations: false`.
+  `account_lifecycle` gates `describe_account_lifecycle_cross_tests` (the
+  `account_delete` / `account_undelete` / `account_purge` parity suite) — also
+  off the declared surface like cells, `true` on every spine.
 
 ### `cross_backend/standard.ts` — `describe_standard_cross_process_tests`
 
@@ -873,6 +885,50 @@ consumer needs partial opt-out, add the knob then.
 `bootstrap`, `rate_limiting_app_options`, `bootstrap_token`) — those drive
 the omitted suites.
 
+### `cross_backend/conformance_table.ts` + `conformance_case.ts` + `xfail.ts` — declarative behavioral/security cases
+
+The opinionated behavioral/security layer on top of the spec-derived
+auto-enumeration (`describe_rpc_round_trip_tests` /
+`describe_rpc_attack_surface_tests`). Where those assert wire-shape,
+conformance cases assert _expected behavior_ — the security negatives
+(must be refused / must not leak / found-vs-not-found same shape) a
+wire-shape check passes green on even when behavior is wrong.
+
+- `conformance_case.ts` — `ConformanceCase` Zod schema:
+  `{name, request: {method, params?, as, verb?}, expect: {status,
+error_reason?, fields?}, note?, xfail?}`. A case is **data** — `method`
+  resolves its `input`/`output` from the live registry (RPC) or `RouteSpec`
+  (the 6 REST auth routes), so the case never carries a schema. `as` is the
+  closed `ConformancePrincipal` enum (`keeper` / `daemon` / `token` /
+  `anonymous` / `fresh_non_admin` / `role_holder` / `wrong_role` /
+  `expired_session`) — fixture accessors, never inline credential minting.
+  `expired_session` is the keeper behind an expired server-side session
+  (`fixture.mint_expired_session()`: a backdated `auth_session` row behind a
+  still-valid signed cookie, so the DB-row expiry gate is what refuses it).
+  `error_reason` is the imported
+  `ERROR_*` constant (asserted against the RPC `error.data.reason` or the
+  REST flat-body `error`; the bare `unauthenticated()` 401 carries no
+  reason, so `status` pins that denial class).
+- `conformance_table.ts` — `describe_conformance_table_tests({cases,
+setup_test, surface_source, capabilities, rpc_endpoints, session_options,
+principals?, suite_name?})`. Same `{setup_test, surface_source,
+capabilities}` protocol every Tier 1 suite uses, so **one case array runs
+  both transports** — in-process (`gro test`) and cross-process (the gate,
+  each backend's real auth resolution). `resolve_principal` maps the five
+  always-available principals to fixture accessors; `role_holder` /
+  `wrong_role` read a seeded `extra_accounts` username named via
+  `options.principals`.
+- `xfail.ts` — `xfail_until(tracking_id, reason, name, fn)`, a thin
+  `test.fails` wrapper for deferred-by-design rows (visible + self-cleaning:
+  turns red when the gap closes, forcing marker removal). In-scope gaps fail
+  loud as a normal `test`, not via this marker. Sibling to `test_if` in
+  `capabilities.ts`.
+
+Wire from a `.db.test.ts` (in-process) and a `.cross.test.ts`
+(cross-process) with the same case array — fuz_app's own runner-proof is
+`../../test/cross_backend/conformance.{db,cross}.test.ts` sharing
+`conformance_proof_cases.ts`.
+
 ### `cross_backend/ws_round_trip.ts` — `describe_cross_process_ws_tests`
 
 Real-upgrade WebSocket coverage of a spawned backend — the cross-process
@@ -921,9 +977,54 @@ _own_ sessions are revoked (`account_session_revoke_all`) so the audit guard
 drops the live stream (asserted via `SseTransport.wait_for_close`). The
 data-frame + close cases gate on `rpc_path` (they drive the standard
 account/admin actions); all cases gate on `capabilities.sse`. Cross-process
-only — wire from a `*.cross.test.ts`. fuz_app's own wiring is
+only — wire from a `*.cross.test.ts`. fuz*app's own wiring is
 `src/test/cross_backend/sse.cross.test.ts`; only the TS spines advertise
 `sse` (they wire `audit_log_sse`), so the Rust `spine_stub` cases `.skip`.
+That file also registers one `xfail_until` (only when `sse: false`) asserting
+the stream \_can't* open on a spine without SSE — a self-cleaning tripwire for
+the spine that should grow it, distinct from the consumer-legit capability
+skip the shared suite emits.
+
+### `cross_backend/cell_crud.ts` + `cell_relations.ts` — cell parity suites
+
+The cell-layer parity coverage is split across two sibling suites. Cells
+can't ride the generic `describe_rpc_round_trip_tests` (stateful verbs need a
+real id threaded across calls; `cell_get` has a top-level `.refine()`), so —
+like ws/sse — the full cell surface **live-mounts** on the spine RPC path but
+stays **off** `create_spine_surface_spec`, and these dedicated suites are the
+cell validators (`describe_standard_cross_process_tests`' generic round-trip
+never sees them). Both parse every success response against the verb's Zod
+**output** schema, so a TS↔Rust envelope drift fails the suite — not just a
+payload-field drift. Call-site primitives (`rpc_call` / `error_reason` /
+`expect_output` + the shared `CellCrossTestOptions`) live in
+`cross_backend/cell_cross_helpers.ts`.
+
+- **`describe_cell_crud_cross_tests`** (gates on `capabilities.cell_crud`) —
+  the create → get → update → delete → list lifecycle threading the id, plus
+  the CRUD authz matrix (owner CRUD; anon-public-only / private-404; non-owner
+  edit/read/delete → 404 IDOR mask; admin reaches any; dup active `path` → 409;
+  `path` write by non-admin → 403 on create + update; `cell_get` with no
+  id/path → `invalid_params`; null-auth `cell_list` `created_by` →
+  `invalid_params`).
+- **`describe_cell_relations_cross_tests`** (gates on
+  `capabilities.cell_relations`) — the verbs beyond CRUD: grant lifecycle
+  (actor-shaped editor grant enables edit, manage-tier `cell_grant_list`,
+  revoke), the now-reachable `cell_visibility_manage_only` 403 (editor-grant
+  holder can't flip visibility), field set / forward+reverse list / idempotent
+  delete, item insert / ordered forward+reverse list / move / idempotent
+  delete, clone shallow (shares edges) vs deep (clones children), and
+  manage-tier `cell_audit_list` (owner reads the timeline; a viewer-grant
+  holder who can `cell_get` still gets the IDOR 404). Only **actor-shaped**
+  grants are exercised — role-shaped principals need a closed role registry the
+  Rust spine deliberately lacks.
+
+Both gate `true` on TS + Rust (cells run on both, no `.skip`). Cross-process
+wiring is `src/test/cross_backend/cell.cross.test.ts` (both suites); the
+in-process legs (plain `gro test`) are `src/test/auth/cell_crud_parity.db.test.ts`
+
+- `cell_relations_parity.db.test.ts`, sharing the full-surface
+  `create_cell_parity_setup` (`cell_parity_helpers.ts`) which mounts every cell
+  verb and registers `cell_audit_events` through the audit factory.
 
 ### Cross-process plumbing (consumed by `*.cross.test.ts` suites)
 
@@ -1000,6 +1101,41 @@ only — wire from a `*.cross.test.ts`. fuz_app's own wiring is
   `testing_reset_actions.ts` TSDoc for the audit + WS fan-out rationale
   that rejected a `_testing_seed_role_grant` shape.
 
+  Same module also exports `create_testing_drain_effects_action()` — the
+  `_testing_drain_effects` RPC action (daemon-token-gated, like
+  `_testing_reset`). It awaits in-flight fire-and-forget audit writes so a
+  following `audit_log_list` is authoritative — the deterministic barrier a
+  cross-process audit assertion fires before reading (no poll/sleep). On the
+  TS spine it is **satisfied by construction** (the binary runs
+  `await_pending_effects: true`, so each mutation's emits land before its
+  response); the Rust spine does the real await in
+  `AuditEmitter::drain_inflight`. `create_testing_actions` bundles it
+  alongside `_testing_reset`; suites that mount their own endpoint (e.g. the
+  in-process `account_lifecycle_parity.db.test.ts`) add it directly so the
+  shared suite body can call the barrier on every backend uniformly.
+
+  Also bundled: `_testing_mint_session` — mints a backdated-expiry
+  `auth_session` row for an account (via `mint_test_session` in `app_server.ts`)
+  and returns its signed cookie value (future-dated payload). Backs the
+  `expired_session` conformance principal: the backdated DB row + valid cookie
+  payload isolate the authoritative server-side DB-row expiry gate
+  (`query_session_get_valid` — `expires_at > NOW()`), the gate the in-process
+  payload-expiry tests never reached. Daemon-token-gated like its siblings; the
+  Rust mirror is `fuz_testing::create_testing_mint_session_action_spec`.
+
+### Origin verification parity — `cross_backend/origin.ts`
+
+`describe_origin_cross_tests({setup_test, capabilities, rpc_path?})` — the
+imperative Origin-verification suite: disallowed `Origin` → 403 `forbidden_origin` (refused
+before dispatch), absent `Origin` → request passes (non-browser direct access).
+Imperative (not a conformance-table row) because origin rejection is
+middleware-level flat-REST, not the JSON-RPC envelope the table runner expects,
+and absent-Origin needs `fresh_transport({origin: null})`. Runs both legs (the
+in-process `auth/origin_parity.db.test.ts` + the cross-process
+`origin.cross.test.ts`). The promotion surfaced a twin-impl divergence — the
+Rust spine returned a plain-text body — now converged to the canonical TS
+`{error: "forbidden_origin"}` via `fuz_http::forbidden_origin_response()`.
+
 ### Building a TS test-server binary — `testing_server_core.ts` + adapters
 
 The reusable shape for standing up a **spawnable TS** cross-process test

package/dist/testing/app_server.d.ts

@@ -18,6 +18,7 @@ import { type Keyring } from '../auth/keyring.js';
 import type { Db, DbType } from '../db/db.js';
 import type { PasswordHashDeps } from '../auth/password.js';
 import { type SessionOptions } from '../auth/session_cookie.js';
+import { type MigrationNamespace } from '../db/migrate.js';
 import { type AppBackend, type AuditFactory } from '../server/app_backend.js';
 import { type AppServerOptions, type AppServerContext, type BootstrapServerOptions, type BootstrapLiveOptions } from '../server/app_server.js';
 import type { AppSurface, AppSurfaceSpec } from '../http/surface.js';
@@ -88,6 +89,40 @@ export declare const create_test_account_with_credentials: (options: CreateTestA
     api_token: string;
     session_cookie: string;
 }>;
+/** Options for `mint_test_session`. */
+export interface MintTestSessionOptions {
+    db: Db;
+    keyring: Keyring;
+    session_options: SessionOptions<string>;
+    /** Account the minted session belongs to. */
+    account_id: string;
+    /**
+     * Session lifetime offset in seconds applied to `NOW()` for the
+     * `auth_session.expires_at` row. A negative value backdates the row so
+     * the authoritative DB-row expiry gate (`query_session_get_valid` —
+     * `WHERE expires_at > NOW()`) rejects it, while the returned cookie's
+     * own signed payload stays valid (future). Resolution therefore passes
+     * the cookie-payload check in `parse_session` and is refused at the
+     * DB-row gate — the gate the in-process payload-expiry tests never
+     * reach and the one that structurally needs a server-side mint.
+     */
+    expires_in_seconds: number;
+}
+/**
+ * Mint a real `auth_session` row for an existing account and return a
+ * validly-signed session cookie value referencing it. Test-only — the
+ * forge behind the cross-backend expiry conformance cases (the
+ * `expired_session` principal): pass a negative `expires_in_seconds` to
+ * produce an *expired server-side session* whose signed cookie envelope is
+ * still well-formed. Both the TS `_testing_mint_session` action and the
+ * in-process `fixture.mint_expired_session()` seam call this so the write
+ * semantics match across transports.
+ *
+ * @mutates `options.db` — inserts one `auth_session` row.
+ */
+export declare const mint_test_session: (options: MintTestSessionOptions) => Promise<{
+    session_cookie: string;
+}>;
 /**
  * Bootstrap the test-DB keeper. Direct-query shortcut for the default
  * `create_test_app` path — bootstrap is not what most tests exercise, so
@@ -146,6 +181,17 @@ export interface TestAppServerOptions {
     db?: Db;
     /** Database driver type — only used when `db` is provided. Default: `'pglite-memory'`. */
     db_type?: DbType;
+    /**
+     * Extra migration namespaces run after the builtin auth namespace in the
+     * auto-created in-memory PGlite, mirroring `create_app_backend`'s
+     * `migration_namespaces`. For suites whose backend needs tables beyond
+     * auth — the cell parity suite passes `[CELL_MIGRATION_NS]`. The harness
+     * builds + caches a fresh-per-test factory migrating
+     * `[auth_migration_ns, ...migration_namespaces]`; the reset-on-`create`
+     * gives the same fresh-db isolation as the auth-only default. Mutually
+     * exclusive with `db` (which assumes the caller already migrated).
+     */
+    migration_namespaces?: ReadonlyArray<MigrationNamespace>;
     /** Password implementation. Default: `stub_password_deps`. Pass `argon2_password_deps` for tests that exercise login. */
     password?: PasswordHashDeps;
     /** Username for the bootstrapped account. Default: `'keeper'`. */

package/dist/testing/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AASzD;;;;;GAKG;AACH,MAAM,WAAW,uCAAuC;IACvD,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,MAAM,0BAA0B,GAAG,uCAAuC,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,uCAAuC,KAC9C,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,0BAA0B,KACjC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAQA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AA4HD,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA2BvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CACH,gBAAgB,EAChB,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,GAAG,WAAW,CACpF,CACD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAoGpF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,WAAW,gCAAgC;IAChD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,8EAA8E;IAC9E,SAAS,EAAE,oBAAoB,CAAC;IAChC;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,UAAU,CAAC;IACpB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,0EAA0E;IAC1E,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,mBAAmB,CAuE7B,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC3F,OAAO,EAAiB,KAAK,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AAEzE,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AA0CzD;;;;;GAKG;AACH,MAAM,WAAW,uCAAuC;IACvD,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,MAAM,0BAA0B,GAAG,uCAAuC,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,uCAAuC,KAC9C,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CA4CA,CAAC;AAEF,uCAAuC;AACvC,MAAM,WAAW,sBAAsB;IACtC,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB;;;;;;;;;OASG;IACH,kBAAkB,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iBAAiB,GAC7B,SAAS,sBAAsB,KAC7B,OAAO,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAC,CAQlC,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,0BAA0B,KACjC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAQA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;OASG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;IACzD,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAuID,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA2BvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CACH,gBAAgB,EAChB,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,GAAG,WAAW,CACpF,CACD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAoGpF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,WAAW,gCAAgC;IAChD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,8EAA8E;IAC9E,SAAS,EAAE,oBAAoB,CAAC;IAChC;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,UAAU,CAAC;IACpB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,0EAA0E;IAC1E,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,mBAAmB,CAuE7B,CAAC"}

package/dist/testing/app_server.js

@@ -49,6 +49,35 @@ export const DEFAULT_TEST_PASSWORD = 'test-password-123';
 const fallback_pglite_factory = create_pglite_factory(async (db) => {
     await run_migrations(db, [auth_migration_ns]);
 });
+// Auto-created PGlite factories keyed by extra-namespace identity. Suites
+// whose backend needs tables beyond auth (e.g. the cell layer) share one
+// factory per distinct namespace set — and the worker-cached WASM instance —
+// rather than each hand-building its own. The cell parity suite is the first
+// user.
+const fallback_factories_by_namespaces = new Map();
+/**
+ * Resolve the no-`db` PGlite factory for the requested extra migration
+ * namespaces. Empty / omitted → the shared auth-only `fallback_pglite_factory`;
+ * otherwise a memoized factory whose `init` runs
+ * `[auth_migration_ns, ...migration_namespaces]` on each reset. The
+ * reset-on-`create` gives the same fresh-db-per-test isolation as the
+ * auth-only default. Mirrors `create_app_backend`'s `migration_namespaces`
+ * seam at the test layer.
+ */
+const resolve_fallback_factory = (migration_namespaces) => {
+    if (!migration_namespaces || migration_namespaces.length === 0) {
+        return fallback_pglite_factory;
+    }
+    const key = migration_namespaces.map((ns) => ns.namespace).join(',');
+    let factory = fallback_factories_by_namespaces.get(key);
+    if (!factory) {
+        factory = create_pglite_factory(async (db) => {
+            await run_migrations(db, [auth_migration_ns, ...migration_namespaces]);
+        });
+        fallback_factories_by_namespaces.set(key, factory);
+    }
+    return factory;
+};
 /**
  * Create a test account with credentials. Use for additional accounts
  * minted alongside the keeper (e.g. `TestApp.create_account` for
@@ -77,12 +106,16 @@ export const create_test_account_with_credentials = async (options) => {
     // Create API token (account-scoped — acting actor is per-request)
     const { token: api_token, id: token_id, token_hash } = generate_api_token();
     await query_create_api_token(deps, token_id, account.id, 'test-cli', token_hash);
-    // Create session (account-scoped — acting actor is per-request)
-    const session_token = generate_session_token();
-    const session_hash = hash_session_token(session_token);
-    const expires_at = new Date(Date.now() + AUTH_SESSION_LIFETIME_MS);
-    await query_create_session(deps, session_hash, account.id, expires_at);
-    const session_cookie = await create_session_cookie_value(keyring, session_token, session_options);
+    // Create session (account-scoped — acting actor is per-request).
+    // Shares the mint primitive with `mint_test_session` / the
+    // `_testing_mint_session` action; here with the standard 30-day lifetime.
+    const { session_cookie } = await mint_test_session({
+        db,
+        keyring,
+        session_options,
+        account_id: account.id,
+        expires_in_seconds: AUTH_SESSION_LIFETIME_MS / 1000,
+    });
     return {
         account: { id: account.id, username: account.username },
         actor: { id: actor.id },
@@ -90,6 +123,27 @@ export const create_test_account_with_credentials = async (options) => {
         session_cookie,
     };
 };
+/**
+ * Mint a real `auth_session` row for an existing account and return a
+ * validly-signed session cookie value referencing it. Test-only — the
+ * forge behind the cross-backend expiry conformance cases (the
+ * `expired_session` principal): pass a negative `expires_in_seconds` to
+ * produce an *expired server-side session* whose signed cookie envelope is
+ * still well-formed. Both the TS `_testing_mint_session` action and the
+ * in-process `fixture.mint_expired_session()` seam call this so the write
+ * semantics match across transports.
+ *
+ * @mutates `options.db` — inserts one `auth_session` row.
+ */
+export const mint_test_session = async (options) => {
+    const { db, keyring, session_options, account_id, expires_in_seconds } = options;
+    const session_token = generate_session_token();
+    const session_hash = hash_session_token(session_token);
+    const expires_at = new Date(Date.now() + expires_in_seconds * 1000);
+    await query_create_session({ db }, session_hash, account_id, expires_at);
+    const session_cookie = await create_session_cookie_value(keyring, session_token, session_options);
+    return { session_cookie };
+};
 /**
  * Bootstrap the test-DB keeper. Direct-query shortcut for the default
  * `create_test_app` path — bootstrap is not what most tests exercise, so
@@ -132,7 +186,11 @@ const default_test_fs_stubs = {
  * resets it to false before this runs).
  */
 const _build_test_backend = async (options) => {
-    const { db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, audit_factory = default_audit_factory, fs_stubs = default_test_fs_stubs, } = options;
+    const { db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, audit_factory = default_audit_factory, fs_stubs = default_test_fs_stubs, migration_namespaces, } = options;
+    if (existing_db && migration_namespaces && migration_namespaces.length > 0) {
+        throw new Error('test app setup: pass either `db` (caller owns migrations) or `migration_namespaces` ' +
+            '(harness migrates), not both');
+    }
     const keyring_result = create_validated_keyring(TEST_COOKIE_SECRET);
     if (!keyring_result.ok) {
         throw new Error(`Test keyring failed: ${keyring_result.errors.join(', ')}`);
@@ -161,7 +219,8 @@ const _build_test_backend = async (options) => {
         // In-memory PGlite via cached factory — reuses the WASM instance from test_db.ts
         // instead of creating a new PGlite each time. Schema is reset and migrations re-run
         // on each call, but the expensive WASM cold start only happens once per worker thread.
-        const db = await fallback_pglite_factory.create();
+        // `migration_namespaces` selects an auth+extras factory; auth-only is the default.
+        const db = await resolve_fallback_factory(migration_namespaces).create();
         const audit = audit_factory({ db, log: test_log });
         backend = {
             db_type: 'pglite-memory',

package/dist/testing/audit_completeness.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA4B7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAS9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAwB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,0BAA0B,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC,yEAAyE;IACzE,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;OAGG;IACH,aAAa,EAAE,uBAAuB,CAAC;CACvC;AA8FD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAuhBzF,CAAC"}
+{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA4B7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAS9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AA2B1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,0BAA0B,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC,yEAAyE;IACzE,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;OAGG;IACH,aAAa,EAAE,uBAAuB,CAAC;CACvC;AA8FD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAomBzF,CAAC"}

package/dist/testing/audit_completeness.js

@@ -30,7 +30,7 @@ import { find_auth_route } from './integration_helpers.js';
 import { rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 import { role_grant_offer_and_accept } from './role_grant_helpers.js';
 import { role_grant_offer_accept_action_spec, role_grant_offer_create_action_spec, role_grant_revoke_action_spec, } from '../auth/role_grant_offer_action_specs.js';
-import { admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, app_settings_update_action_spec, audit_log_list_action_spec, AUDIT_LOG_LIST_LIMIT_MAX, invite_create_action_spec, invite_delete_action_spec, } from '../auth/admin_action_specs.js';
+import { account_delete_action_spec, account_purge_action_spec, account_undelete_action_spec, admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, app_settings_update_action_spec, audit_log_list_action_spec, AUDIT_LOG_LIST_LIMIT_MAX, invite_create_action_spec, invite_delete_action_spec, } from '../auth/admin_action_specs.js';
 import { account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 /**
  * Mint a dedicated admin account whose sole job is to read the audit log
@@ -418,6 +418,66 @@ export const describe_audit_completeness_tests = (options) => {
                 assert_has_event(events, 'app_settings_update', 'app_settings_update RPC');
             });
         });
+        // --- Account deletion RPC actions ---
+        describe('account deletion audit events', () => {
+            test('account_delete (admin) produces account_delete + actor_delete events', async () => {
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const target = await fixture.create_account({ username: 'audit_delete_target' });
+                const res = await rpc_call_for_spec({
+                    app: { request: fixture.transport },
+                    path: rpc_path,
+                    spec: account_delete_action_spec,
+                    params: { account_id: target.account.id },
+                    headers: fixture.create_session_headers(),
+                });
+                assert.ok(res.ok, `account_delete failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
+                assert_has_event(events, 'account_delete', 'account_delete RPC');
+                assert_has_event(events, 'actor_delete', 'account_delete RPC (per-actor cascade)');
+            });
+            test('account_purge (keeper) produces account_purge + actor_purge events', async () => {
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const target = await fixture.create_account({ username: 'audit_purge_target' });
+                const res = await rpc_call_for_spec({
+                    app: { request: fixture.transport },
+                    path: rpc_path,
+                    spec: account_purge_action_spec,
+                    params: { account_id: target.account.id, confirm: true },
+                    // Keeper-gated: daemon-token credential, not a session.
+                    headers: fixture.create_daemon_token_headers(),
+                });
+                assert.ok(res.ok, `account_purge failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
+                assert_has_event(events, 'account_purge', 'account_purge RPC');
+                assert_has_event(events, 'actor_purge', 'account_purge RPC (per-actor cascade)');
+            });
+            test('account_undelete (admin) produces account_undelete + actor_undelete events', async () => {
+                const fixture = await options.setup_test();
+                const observer = await create_admin_observer(fixture);
+                const target = await fixture.create_account({ username: 'audit_undelete_target' });
+                const del = await rpc_call_for_spec({
+                    app: { request: fixture.transport },
+                    path: rpc_path,
+                    spec: account_delete_action_spec,
+                    params: { account_id: target.account.id },
+                    headers: fixture.create_session_headers(),
+                });
+                assert.ok(del.ok, `account_delete failed: ${del.ok ? '' : JSON.stringify(del.error)}`);
+                const res = await rpc_call_for_spec({
+                    app: { request: fixture.transport },
+                    path: rpc_path,
+                    spec: account_undelete_action_spec,
+                    params: { account_id: target.account.id },
+                    headers: fixture.create_session_headers(),
+                });
+                assert.ok(res.ok, `account_undelete failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
+                const events = await list_audit_events({ request: fixture.transport }, rpc_path, observer);
+                assert_has_event(events, 'account_undelete', 'account_undelete RPC');
+                assert_has_event(events, 'actor_undelete', 'account_undelete RPC (per-actor cascade)');
+            });
+        });
         // --- Signup route ---
         describe('signup audit events', () => {
             test('signup produces signup event', async () => {
@@ -474,6 +534,12 @@ export const describe_audit_completeness_tests = (options) => {
                 'role_grant_revoke',
                 'invite_create',
                 'invite_delete',
+                'account_delete',
+                'account_purge',
+                'account_undelete',
+                'actor_delete',
+                'actor_purge',
+                'actor_undelete',
                 'app_settings_update',
             ]);
             /** Event types excluded with justification. */

package/dist/testing/cross_backend/account_lifecycle.d.ts

@@ -0,0 +1,10 @@
+import '../assert_dev_env.js';
+import { type CellCrossTestOptions } from './cell_cross_helpers.js';
+/**
+ * Options for the account-lifecycle parity suite. Shares the shape of the
+ * cell suites (`setup_test` / `capabilities` / `rpc_path`); reuses
+ * `CellCrossTestOptions` rather than minting a structural duplicate.
+ */
+export type AccountLifecycleCrossTestOptions = CellCrossTestOptions;
+export declare const describe_account_lifecycle_cross_tests: (options: AccountLifecycleCrossTestOptions) => void;
+//# sourceMappingURL=account_lifecycle.d.ts.map

package/dist/testing/cross_backend/account_lifecycle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account_lifecycle.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/account_lifecycle.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAiC9B,OAAO,EAIN,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AAGjC;;;;GAIG;AACH,MAAM,MAAM,gCAAgC,GAAG,oBAAoB,CAAC;AAEpE,eAAO,MAAM,sCAAsC,GAClD,SAAS,gCAAgC,KACvC,IA+TF,CAAC"}