@fuzdev/fuz_app 0.67.1 → 0.69.0

package/dist/testing/cross_backend/account_lifecycle.js

@@ -0,0 +1,144 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for the account-lifecycle admin verbs:
+ * `account_delete` (soft), `account_undelete` (reactivation), and
+ * `account_purge` (keeper hard-delete), plus the keeper guard.
+ *
+ * Like the cell suites, these verbs can't ride the generic
+ * `describe_rpc_round_trip_tests`: they're stateful and destructive (a
+ * generic round-trip would tombstone the bootstrapped keeper). They
+ * live-mount on every spine's RPC path but stay off the declared surface,
+ * so this dedicated suite is their cross-impl validator. Every success
+ * `result` is parsed against the verb's declared Zod **output** schema, so
+ * a TS↔Rust envelope drift fails the assertion.
+ *
+ * `$lib`-free by contract (relative specifiers only) so it can be imported
+ * from the spawnable cross-process test files.
+ *
+ * @module
+ */
+import { describe, assert } from 'vitest';
+import { AccountDeleteOutput, AccountUndeleteOutput, AccountPurgeOutput, AdminAccountListOutput, AuditLogListOutput, ERROR_CANNOT_DELETE_KEEPER, } from '../../auth/admin_action_specs.js';
+import { ERROR_ACCOUNT_NOT_FOUND, ERROR_AUTHENTICATION_REQUIRED } from '../../http/error_schemas.js';
+import { test_if } from './capabilities.js';
+import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+export const describe_account_lifecycle_cross_tests = (options) => {
+    const { setup_test, capabilities } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('account lifecycle parity', () => {
+        test_if(capabilities.account_lifecycle, 'soft-delete → undelete round-trip (admin)', async () => {
+            const fixture = await setup_test();
+            const victim = await fixture.create_account({ username: 'lifecycle_victim' });
+            const t = fixture.fresh_transport();
+            // Keeper account holds ROLE_ADMIN — its session is admin-capable.
+            const admin_headers = fixture.create_session_headers();
+            const deleted = expect_output(await cross_rpc_call(t, rpc_path, 'account_delete', { account_id: victim.account.id }, admin_headers), AccountDeleteOutput);
+            assert.strictEqual(deleted.deleted, true);
+            const undeleted = expect_output(await cross_rpc_call(t, rpc_path, 'account_undelete', { account_id: victim.account.id }, admin_headers), AccountUndeleteOutput);
+            assert.strictEqual(undeleted.undeleted, true);
+        });
+        test_if(capabilities.account_lifecycle, 'purge (keeper, confirmed)', async () => {
+            const fixture = await setup_test();
+            const victim = await fixture.create_account({ username: 'lifecycle_purge' });
+            const t = fixture.fresh_transport({ origin: null });
+            // Purge is keeper-gated: daemon-token credential, not a session.
+            const purged = expect_output(await cross_rpc_call(t, rpc_path, 'account_purge', { account_id: victim.account.id, confirm: true }, fixture.create_daemon_token_headers()), AccountPurgeOutput);
+            assert.strictEqual(purged.purged, true);
+        });
+        test_if(capabilities.account_lifecycle, 'keeper guard: delete + purge refuse the keeper account', async () => {
+            const fixture = await setup_test();
+            const t = fixture.fresh_transport();
+            const del = await cross_rpc_call(t, rpc_path, 'account_delete', { account_id: fixture.account.id }, fixture.create_session_headers());
+            assert.strictEqual(del.ok, false, 'delete of keeper account must be refused');
+            assert.strictEqual(error_reason(del), ERROR_CANNOT_DELETE_KEEPER);
+            const tp = fixture.fresh_transport({ origin: null });
+            const purge = await cross_rpc_call(tp, rpc_path, 'account_purge', { account_id: fixture.account.id, confirm: true }, fixture.create_daemon_token_headers());
+            assert.strictEqual(purge.ok, false, 'purge of keeper account must be refused');
+            assert.strictEqual(error_reason(purge), ERROR_CANNOT_DELETE_KEEPER);
+        });
+        test_if(capabilities.account_lifecycle, 'fail-closed: a soft-deleted account’s session + bearer credentials no longer authenticate', async () => {
+            const fixture = await setup_test();
+            const victim = await fixture.create_account({ username: 'lifecycle_failclosed' });
+            const admin_headers = fixture.create_session_headers();
+            // Sanity: the victim's session authenticates while active, so the
+            // post-deletion 401 is a real fail-closed transition, not a
+            // never-valid credential passing vacuously.
+            const before = await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'account_verify', undefined, victim.create_session_headers());
+            assert.ok(before.ok, 'victim session authenticates before deletion');
+            const deleted = expect_output(await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'account_delete', { account_id: victim.account.id }, admin_headers), AccountDeleteOutput);
+            assert.strictEqual(deleted.deleted, true);
+            // The tombstone blocks auth resolution (and the soft-delete
+            // revoked sessions/tokens) — the stale session credential must
+            // fail closed with a generic 401, not partially authenticate.
+            const session_probe = await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'account_verify', undefined, victim.create_session_headers());
+            assert.strictEqual(session_probe.ok, false, 'soft-deleted account session must not authenticate');
+            assert.strictEqual(error_reason(session_probe), ERROR_AUTHENTICATION_REQUIRED);
+            // The victim's bearer token must fail closed too.
+            const bearer_probe = await cross_rpc_call(fixture.fresh_transport({ origin: null }), rpc_path, 'account_verify', undefined, victim.create_bearer_headers());
+            assert.strictEqual(bearer_probe.ok, false, 'soft-deleted account bearer token must not authenticate');
+            assert.strictEqual(error_reason(bearer_probe), ERROR_AUTHENTICATION_REQUIRED);
+        });
+        test_if(capabilities.account_lifecycle, 'keeper guard emits a fail-loud failure-audit row (drained, cross-impl)', async () => {
+            const fixture = await setup_test();
+            const t = fixture.fresh_transport();
+            // Refused keeper self-delete — the guard fires before any mutation
+            // and emits a forensic `outcome: failure` audit row.
+            const del = await cross_rpc_call(t, rpc_path, 'account_delete', { account_id: fixture.account.id }, fixture.create_session_headers());
+            assert.strictEqual(error_reason(del), ERROR_CANNOT_DELETE_KEEPER);
+            // Deterministic barrier before reading: await in-flight
+            // fire-and-forget audit writes (the real await on the Rust spine;
+            // satisfied-by-construction on the TS spine via await_pending_effects).
+            const td = fixture.fresh_transport({ origin: null });
+            const drained = await cross_rpc_call(td, rpc_path, '_testing_drain_effects', undefined, fixture.create_daemon_token_headers());
+            assert.ok(drained.ok, `_testing_drain_effects failed: ${JSON.stringify(drained.error)}`);
+            // The failure row is now authoritative on both spines. `_testing_reset`
+            // wiped audit_log at setup, so the refused delete is the only
+            // account_delete event.
+            const listed = expect_output(await cross_rpc_call(t, rpc_path, 'audit_log_list', { event_type: 'account_delete' }, fixture.create_session_headers()), AuditLogListOutput);
+            const failure = listed.events.find((e) => e.outcome === 'failure' &&
+                e.metadata?.reason === ERROR_CANNOT_DELETE_KEEPER);
+            assert.ok(failure, 'keeper-removal guard must emit an account_delete outcome=failure audit row with reason cannot_delete_keeper');
+        });
+        test_if(capabilities.account_lifecycle, 'deterministic: double-undelete → second call is not_found', async () => {
+            const fixture = await setup_test();
+            const victim = await fixture.create_account({ username: 'lifecycle_double' });
+            const t = fixture.fresh_transport();
+            const admin_headers = fixture.create_session_headers();
+            const deleted = expect_output(await cross_rpc_call(t, rpc_path, 'account_delete', { account_id: victim.account.id }, admin_headers), AccountDeleteOutput);
+            assert.strictEqual(deleted.deleted, true);
+            // First undelete clears the tombstone.
+            const undeleted = expect_output(await cross_rpc_call(t, rpc_path, 'account_undelete', { account_id: victim.account.id }, admin_headers), AccountUndeleteOutput);
+            assert.strictEqual(undeleted.undeleted, true);
+            // Second undelete on the now-active account is a deterministic
+            // not_found — the query only matches soft-deleted rows, so the
+            // outcome is the same on both spines (no silent idempotent ok).
+            const again = await cross_rpc_call(t, rpc_path, 'account_undelete', { account_id: victim.account.id }, admin_headers);
+            assert.strictEqual(again.ok, false, 'double-undelete must not silently succeed');
+            assert.strictEqual(error_reason(again), ERROR_ACCOUNT_NOT_FOUND);
+        });
+        // The last-admin guard (`ERROR_CANNOT_DELETE_LAST_ADMIN`) is **not**
+        // cross-process-testable against this fixture: the per-test keeper
+        // permanently holds `ROLE_ADMIN` (bootstrap seeds `[ROLE_KEEPER,
+        // ROLE_ADMIN]` and there is no remove-admin-from-keeper path), so a
+        // non-keeper admin is never the *sole* active admin and the guard
+        // never fires here. Its logic is covered in-process by
+        // `src/test/auth/account_keeper_guard.db.test.ts`.
+        test_if(capabilities.account_lifecycle, 'admin_account_list include_deleted surfaces tombstoned rows with deleted_at set', async () => {
+            const fixture = await setup_test();
+            const victim = await fixture.create_account({ username: 'lifecycle_listed' });
+            const admin_headers = fixture.create_session_headers();
+            const t = fixture.fresh_transport();
+            const deleted = expect_output(await cross_rpc_call(t, rpc_path, 'account_delete', { account_id: victim.account.id }, admin_headers), AccountDeleteOutput);
+            assert.strictEqual(deleted.deleted, true);
+            // Default listing excludes the tombstone.
+            const active_only = expect_output(await cross_rpc_call(t, rpc_path, 'admin_account_list', {}, admin_headers), AdminAccountListOutput);
+            assert.ok(!active_only.accounts.some((a) => a.account.id === victim.account.id), 'default listing excludes the soft-deleted account');
+            // `include_deleted` surfaces it with `deleted_at` populated.
+            const with_deleted = expect_output(await cross_rpc_call(t, rpc_path, 'admin_account_list', { include_deleted: true }, admin_headers), AdminAccountListOutput);
+            const row = with_deleted.accounts.find((a) => a.account.id === victim.account.id);
+            assert.ok(row, 'include_deleted surfaces the tombstoned row');
+            assert.ok(row.account.deleted_at !== null, 'tombstoned row carries a non-null deleted_at on both spines');
+        });
+    });
+};

package/dist/testing/cross_backend/actor_lookup.d.ts

@@ -0,0 +1,10 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/**
+ * Options for the actor-lookup parity suite. Shares the shape of the cell /
+ * origin suites (`setup_test` / `capabilities` / `rpc_path`); reuses
+ * `CellCrossTestOptions` rather than minting a structural duplicate.
+ */
+export type ActorLookupCrossTestOptions = CellCrossTestOptions;
+export declare const describe_actor_lookup_cross_tests: (options: ActorLookupCrossTestOptions) => void;
+//# sourceMappingURL=actor_lookup.d.ts.map

package/dist/testing/cross_backend/actor_lookup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor_lookup.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/actor_lookup.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAqC9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE;;;;GAIG;AACH,MAAM,MAAM,2BAA2B,GAAG,oBAAoB,CAAC;AAS/D,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IAkDxF,CAAC"}

package/dist/testing/cross_backend/actor_lookup.js

@@ -0,0 +1,83 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for `actor_lookup`.
+ *
+ * `actor_lookup` is an opt-in batched id → label resolver
+ * (`{ids} → {actors: [{id, username, display_name?}]}`), not folded into the
+ * standard bundle. It's live-mounted on the spine RPC path but kept off the
+ * declared surface (`create_spine_surface_spec`) — like cells / ws / sse — so
+ * the standard cross suite's generic round-trip never drives it; this
+ * dedicated suite is its validator. Three cases over raw transport calls:
+ *
+ * - **anonymous → 401** — the account-grain auth gate refuses an
+ *   unauthenticated caller before the handler runs.
+ * - **keeper resolves own actor → 200** — the populated round trip: the
+ *   returned row carries the keeper's `id` + `username`, and **no**
+ *   `account_id` / `email` / timestamp / role field (the wire shape's
+ *   deliberate info-leak posture). This is the assertion that exercises the
+ *   Rust row→JSON mapping against the TS canonical shape.
+ * - **empty `ids` → 400** — the `min(1)` input bound is enforced on both
+ *   spines (TS Zod, Rust `parse_ids`).
+ *
+ * Runs both legs via the shared `{setup_test}` protocol: the in-process leg
+ * (`auth/actor_lookup_parity.db.test.ts`, plain `gro test`) and the
+ * cross-process leg (`cross_backend/actor_lookup.cross.test.ts`, the TS spine
+ * binaries + Rust `testing_spine_stub` over real HTTP). `actor_lookup` is
+ * mounted on every spine, so the suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only), like the sibling
+ * cross-backend suites.
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { actor_lookup_action_spec } from '../../auth/actor_lookup_action_specs.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** Keys that must never appear on an `actor_lookup` result row. */
+const forbidden_row_keys = ['account_id', 'email', 'created_at', 'updated_at', 'role'];
+/** Build the JSON-RPC envelope body for an `actor_lookup` call. */
+const lookup_envelope = (ids, id) => JSON.stringify({ jsonrpc: '2.0', method: actor_lookup_action_spec.method, params: { ids }, id });
+export const describe_actor_lookup_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('actor_lookup parity', () => {
+        test('anonymous → 401 (account-grain auth gate)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: lookup_envelope([fixture.actor.id], 'anon-lookup'),
+            });
+            assert.strictEqual(res.status, 401, 'unauthenticated actor_lookup must be refused');
+        });
+        test('keeper resolves own actor → 200 with id + username, no control fields', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: lookup_envelope([fixture.actor.id], 'keeper-lookup'),
+            });
+            assert.strictEqual(res.status, 200, 'authenticated actor_lookup must succeed');
+            const body = (await res.json());
+            const actors = body.result?.actors;
+            assert(Array.isArray(actors), 'response carries an actors array');
+            assert.strictEqual(actors.length, 1, 'the keeper actor resolves to exactly one row');
+            const row = actors[0];
+            assert(row !== undefined, 'the resolved row is present');
+            assert.strictEqual(row.id, fixture.actor.id, 'resolved row id matches the requested actor');
+            assert.strictEqual(row.username, fixture.account.username, 'resolved row carries the keeper username');
+            for (const key of forbidden_row_keys) {
+                assert(!(key in row), `actor_lookup row must not leak '${key}'`);
+            }
+        });
+        test('empty ids → 400 (min(1) input bound)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: lookup_envelope([], 'empty-lookup'),
+            });
+            assert.strictEqual(res.status, 400, 'empty ids must fail input validation');
+        });
+    });
+};

package/dist/testing/cross_backend/actor_search.d.ts

@@ -0,0 +1,6 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/** Options for the actor-search parity suite (shares the cell/origin shape). */
+export type ActorSearchCrossTestOptions = CellCrossTestOptions;
+export declare const describe_actor_search_cross_tests: (options: ActorSearchCrossTestOptions) => void;
+//# sourceMappingURL=actor_search.d.ts.map

package/dist/testing/cross_backend/actor_search.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor_search.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/actor_search.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA2C9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE,gFAAgF;AAChF,MAAM,MAAM,2BAA2B,GAAG,oBAAoB,CAAC;AAS/D,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IAyDxF,CAAC"}

package/dist/testing/cross_backend/actor_search.js

@@ -0,0 +1,92 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for `actor_search`.
+ *
+ * `actor_search` is an opt-in case-insensitive prefix search over
+ * `actor.name` (`{query, scope_ids?, limit?} → {actors: [{id, username,
+ * display_name?}]}`), not folded into the standard bundle. Like
+ * `actor_lookup` / cells, it's live-mounted on the spine RPC path but kept
+ * off the declared surface, so this dedicated suite is its validator. The
+ * security property under test is the **empty-`scope_ids` admin gate**:
+ *
+ * - **anonymous → 401** — the account-grain auth gate refuses an
+ *   unauthenticated caller before the handler runs.
+ * - **non-admin + no `scope_ids` → 400** `actor_search_scope_required` — an
+ *   unbounded global search is admin-only; a non-admin must scope the query.
+ *   This is the core security assertion, exercised against each impl's real
+ *   auth resolution.
+ * - **non-admin + `scope_ids` → 200** — passing a scope bypasses the admin
+ *   requirement (results are filtered to actors holding active role_grants on
+ *   those scopes); an unheld scope simply yields an empty result, not a
+ *   rejection — proving the gate keys on `scope_ids` presence, not identity.
+ * - **admin + no `scope_ids` → 200** — the admin path reaches the unbounded
+ *   search.
+ *
+ * Cites `security.md` §Authorization (the `actor_search` scope gate).
+ *
+ * Runs both legs via the shared `{setup_test}` protocol: in-process
+ * (`auth/actor_search_parity.db.test.ts`) + cross-process
+ * (`cross_backend/actor_search.cross.test.ts`, TS spine binaries + Rust
+ * `testing_spine_stub`). Mounted on every spine, so the suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only).
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { actor_search_action_spec, ERROR_ACTOR_SEARCH_SCOPE_REQUIRED, } from '../../auth/actor_search_action_specs.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** Nil UUID — an unheld scope id (no actor holds a role_grant on it). */
+const NIL_UUID = '00000000-0000-0000-0000-000000000000';
+/** Build the JSON-RPC envelope body for an `actor_search` call. */
+const search_envelope = (params, id) => JSON.stringify({ jsonrpc: '2.0', method: actor_search_action_spec.method, params, id });
+export const describe_actor_search_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('actor_search parity', () => {
+        test('anonymous → 401 (account-grain auth gate)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a' }, 'anon-search'),
+            });
+            assert.strictEqual(res.status, 401, 'unauthenticated actor_search must be refused');
+        });
+        test('non-admin + no scope_ids → 400 actor_search_scope_required', async () => {
+            const fixture = await setup_test();
+            const account = await fixture.create_account();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { ...account.create_session_headers(), 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a' }, 'nonadmin-noscope'),
+            });
+            assert.strictEqual(res.status, 400, 'non-admin unbounded search must be rejected');
+            const body = (await res.json());
+            assert.strictEqual(body.error?.data?.reason, ERROR_ACTOR_SEARCH_SCOPE_REQUIRED, 'rejection carries the scope-required reason');
+        });
+        test('non-admin + scope_ids → 200 (scope bypasses admin gate)', async () => {
+            const fixture = await setup_test();
+            const account = await fixture.create_account();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { ...account.create_session_headers(), 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a', scope_ids: [NIL_UUID] }, 'nonadmin-scope'),
+            });
+            assert.strictEqual(res.status, 200, 'non-admin with a scope filter is allowed');
+            const body = (await res.json());
+            assert(Array.isArray(body.result?.actors), 'response carries an actors array');
+        });
+        test('admin + no scope_ids → 200 (admin reaches unbounded search)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a' }, 'admin-noscope'),
+            });
+            assert.strictEqual(res.status, 200, 'admin unbounded search is allowed');
+            const body = (await res.json());
+            assert(Array.isArray(body.result?.actors), 'response carries an actors array');
+        });
+    });
+};

package/dist/testing/cross_backend/app_settings.d.ts

@@ -0,0 +1,6 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/** Options for the app-settings effect suite (shares the cell/origin shape). */
+export type AppSettingsCrossTestOptions = CellCrossTestOptions;
+export declare const describe_app_settings_cross_tests: (options: AppSettingsCrossTestOptions) => void;
+//# sourceMappingURL=app_settings.d.ts.map

package/dist/testing/cross_backend/app_settings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app_settings.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/app_settings.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAsC9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE,gFAAgF;AAChF,MAAM,MAAM,2BAA2B,GAAG,oBAAoB,CAAC;AAiB/D,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IA8DxF,CAAC"}

package/dist/testing/cross_backend/app_settings.js

@@ -0,0 +1,95 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend effect suite for the `open_signup` app setting.
+ *
+ * The declarative conformance table pins the admin gate on
+ * `app_settings_get` / `app_settings_update` (401 / 403 / 200). This suite
+ * pins the **behavioral effect** of the toggle end to end: an admin flips
+ * `open_signup` via `app_settings_update`, and a subsequent anonymous
+ * `POST /signup` observes the new value.
+ *
+ * - **toggle on → anonymous signup without an invite succeeds (200)** — with
+ *   `open_signup: true`, the invite gate is skipped.
+ * - **toggle off → anonymous signup is refused (403 `no_matching_invite`)** —
+ *   flipping it back restores the invite requirement, proving the gate keys
+ *   on the live value rather than a one-time read.
+ *
+ * The signup handler reads the toggle fresh from the database on every
+ * request, so the admin's write is visible to the next signup. This suite
+ * runs in a single process, so it validates the read-through *mechanism* —
+ * not multi-process consistency (which the fresh-read shape provides by
+ * construction but no single-binary test can observe).
+ *
+ * Cites `security.md` §Signup. Runs both legs via the shared `{setup_test}`
+ * protocol: in-process (`auth/app_settings_parity.db.test.ts`) +
+ * cross-process (`cross_backend/app_settings.cross.test.ts`, TS spine
+ * binaries + Rust `testing_spine_stub`). Mounted on every spine, so the
+ * suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only).
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { app_settings_update_action_spec } from '../../auth/admin_action_specs.js';
+import { ERROR_NO_MATCHING_INVITE } from '../../http/error_schemas.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** REST signup path on the spine surface (`/api/account` prefix + `/signup`). */
+const SIGNUP_PATH = '/api/account/signup';
+/** A password that satisfies the creation-strength schema (min 12). */
+const SIGNUP_PASSWORD = 'securepassword123';
+/** Build the JSON-RPC envelope for an `app_settings_update` call. */
+const update_envelope = (open_signup, id) => JSON.stringify({
+    jsonrpc: '2.0',
+    method: app_settings_update_action_spec.method,
+    params: { open_signup },
+    id,
+});
+export const describe_app_settings_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('app_settings open_signup effect', () => {
+        test('admin enables open_signup → anonymous signup without invite succeeds', async () => {
+            const fixture = await setup_test();
+            const enable = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: update_envelope(true, 'enable-open-signup'),
+            });
+            assert.strictEqual(enable.status, 200, 'admin app_settings_update must succeed');
+            const res = await fixture.fresh_transport()(SIGNUP_PATH, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ username: 'open_signup_user', password: SIGNUP_PASSWORD }),
+            });
+            assert.strictEqual(res.status, 200, 'open signup must admit an anonymous account');
+            const body = (await res.json());
+            assert.strictEqual(body.ok, true, 'signup response reports success');
+        });
+        test('admin disables open_signup → anonymous signup is refused (no_matching_invite)', async () => {
+            const fixture = await setup_test();
+            // Enable then disable so the assertion proves the *flip back* takes
+            // effect, not merely the closed default.
+            const enable = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: update_envelope(true, 'enable-before-disable'),
+            });
+            assert.strictEqual(enable.status, 200, 'admin app_settings_update (enable) must succeed');
+            const disable = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: update_envelope(false, 'disable-open-signup'),
+            });
+            assert.strictEqual(disable.status, 200, 'admin app_settings_update (disable) must succeed');
+            const res = await fixture.fresh_transport()(SIGNUP_PATH, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ username: 'closed_signup_user', password: SIGNUP_PASSWORD }),
+            });
+            assert.strictEqual(res.status, 403, 'closed signup must refuse a no-invite anonymous account');
+            const body = (await res.json());
+            assert.strictEqual(body.error, ERROR_NO_MATCHING_INVITE, 'rejection carries the no-matching-invite reason');
+        });
+    });
+};

package/dist/testing/cross_backend/backend_config.d.ts

@@ -106,7 +106,7 @@ export interface BackendConfig {
     /**
      * Capabilities this backend supports — drives `test_if(capabilities.X, ...)`
      * gating in suite bodies. See `capabilities.ts` for the vocabulary and
-     * existing flags. Cross-process backends set `in_process_only: false`.
+     * existing flags.
      */
     readonly capabilities: BackendCapabilities;
 }

package/dist/testing/cross_backend/capabilities.d.ts

@@ -36,14 +36,36 @@ export interface BackendCapabilities {
      */
     readonly sse: boolean;
     /**
-     * Test has direct access to backend-internal state (keyring for
-     * signing cookies, DB pool for FK-structural raw queries). Always
-     * `true` for in-process Hono via `default_in_process_setup`; always
-     * `false` cross-process. Gates the 3 keyring reads in
-     * `describe_standard_integration_tests` (expired-cookie generation)
-     * and the FK-structural raw query in `describe_audit_completeness_tests`.
+     * Cell CRUD verbs (`cell_create` / `cell_get` / `cell_update` /
+     * `cell_delete` / `cell_list`) are live-mounted on the backend's RPC
+     * path and its DB carries the `fuz_cell` migration namespace. Gates the
+     * dedicated `describe_cell_crud_cross_tests` suite. Like `ws` / `sse`,
+     * cells stay off the standard declared surface — only this flag opts a
+     * backend into the cell parity coverage.
      */
-    readonly in_process_only: boolean;
+    readonly cell_crud: boolean;
+    /**
+     * The relation / ACL / audit cell verbs beyond plain CRUD
+     * (`cell_grant_*` / `cell_field_*` / `cell_item_*` / `cell_clone` /
+     * `cell_audit_list`) are live-mounted on the backend's RPC path. Gates
+     * the dedicated `describe_cell_relations_cross_tests` suite — grant
+     * lifecycle, field / item bidirectional relations, clone shallow + deep,
+     * manage-tier audit gating, and the now-reachable
+     * `cell_visibility_manage_only` 403 (editor-grant principal). Like
+     * `cell_crud`, these stay off the standard declared surface; a backend
+     * mounting only plain CRUD declares `cell_crud: true, cell_relations: false`.
+     */
+    readonly cell_relations: boolean;
+    /**
+     * The account-lifecycle admin verbs (`account_delete` soft-delete,
+     * `account_undelete` reactivation, `account_purge` keeper hard-delete)
+     * are live-mounted on the backend's RPC path. Gates the dedicated
+     * `describe_account_lifecycle_cross_tests` suite. Like cells, these
+     * destructive/stateful verbs stay off the standard declared surface (the
+     * generic round-trip can't drive them — they delete the subject), so
+     * this flag opts a backend into the lifecycle parity coverage.
+     */
+    readonly account_lifecycle: boolean;
 }
 /**
  * Capability declarations for the in-process Hono transport. Every flag

package/dist/testing/cross_backend/capabilities.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC;CAClC;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAOpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;CACpC;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBASpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}

package/dist/testing/cross_backend/capabilities.js

@@ -26,7 +26,9 @@ export const in_process_capabilities = Object.freeze({
     login_rate_limit: true,
     ws: true,
     sse: true,
-    in_process_only: true,
+    cell_crud: true,
+    cell_relations: true,
+    account_lifecycle: true,
 });
 /**
  * Conditional `test()` wrapper — registers a vitest case only when

package/dist/testing/cross_backend/cell_cross_helpers.d.ts

@@ -0,0 +1,39 @@
+import '../assert_dev_env.js';
+import type { z } from 'zod';
+import type { FetchTransport } from '../transports/fetch_transport.js';
+import type { BackendCapabilities } from './capabilities.js';
+import type { SetupTest } from './setup.js';
+/** Shared options for the cell cross-backend parity suites. */
+export interface CellCrossTestOptions {
+    /** Per-test fixture-producing function (fresh keeper + db per call). */
+    readonly setup_test: SetupTest;
+    /** Backend capability declarations — each suite gates on its own flag. */
+    readonly capabilities: BackendCapabilities;
+    /** RPC endpoint path the cell verbs are mounted on. Default `/api/rpc`. */
+    readonly rpc_path?: string;
+}
+/** Minimal JSON-RPC envelope shape the suites read off responses. */
+export interface RpcResult {
+    readonly ok: boolean;
+    readonly result?: unknown;
+    readonly error?: {
+        readonly code: number;
+        readonly message: string;
+        readonly data?: unknown;
+    };
+}
+/**
+ * POST a JSON-RPC call over a cross-process `FetchTransport` with the given
+ * auth headers. Distinct from `rpc_helpers.ts`'s `app`-based `rpc_call`: this
+ * variant drives the cookie-jar `FetchTransport` the cross-backend harness
+ * spawns against, and returns the slim `RpcResult` the cell suites read.
+ */
+export declare const cross_rpc_call: (transport: FetchTransport, path: string, method: string, params: unknown, headers: Record<string, string>) => Promise<RpcResult>;
+/** Pull `error.data.reason` off an RPC error envelope (undefined if absent). */
+export declare const error_reason: (r: RpcResult) => unknown;
+/**
+ * Assert the call succeeded and the `result` matches the verb's declared
+ * output schema — the wire-shape parity gate. Returns the parsed output.
+ */
+export declare const expect_output: <T>(r: RpcResult, schema: z.ZodType<T>) => T;
+//# sourceMappingURL=cell_cross_helpers.d.ts.map

package/dist/testing/cross_backend/cell_cross_helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_cross_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_cross_helpers.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAG3B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,kCAAkC,CAAC;AACrE,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AAE1C,+DAA+D;AAC/D,MAAM,WAAW,oBAAoB;IACpC,wEAAwE;IACxE,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,0EAA0E;IAC1E,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;IAC3C,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qEAAqE;AACrE,MAAM,WAAW,SAAS;IACzB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,CAAC,EAAE;QAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAA;KAAC,CAAC;CAC5F;AAED;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAC1B,WAAW,cAAc,EACzB,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,QAAQ,OAAO,EACf,SAAS,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAC7B,OAAO,CAAC,SAAS,CAMnB,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,YAAY,GAAI,GAAG,SAAS,KAAG,OAG/B,CAAC;AAEd;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAI,CAAC,EAAE,GAAG,SAAS,EAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAG,CAQrE,CAAC"}

package/dist/testing/cross_backend/cell_cross_helpers.js

@@ -0,0 +1,45 @@
+import '../assert_dev_env.js';
+/**
+ * Shared call-site primitives for the cell cross-backend parity suites
+ * (`cell_crud.ts` + `cell_relations.ts`).
+ *
+ * The cell verbs are stateful and authz-shaped, so both suites POST raw
+ * JSON-RPC envelopes (threading ids + auth headers across calls) and parse
+ * every success `result` against the verb's declared Zod **output** schema —
+ * the wire-shape parity gate. A TS↔Rust envelope drift, not just a payload
+ * field drift, fails the assertion.
+ *
+ * `$lib`-free by contract (relative specifiers only) so the suites can be
+ * imported from the spawnable cross-process test files.
+ *
+ * @module
+ */
+import { assert } from 'vitest';
+import { create_rpc_post_init } from '../rpc_helpers.js';
+/**
+ * POST a JSON-RPC call over a cross-process `FetchTransport` with the given
+ * auth headers. Distinct from `rpc_helpers.ts`'s `app`-based `rpc_call`: this
+ * variant drives the cookie-jar `FetchTransport` the cross-backend harness
+ * spawns against, and returns the slim `RpcResult` the cell suites read.
+ */
+export const cross_rpc_call = async (transport, path, method, params, headers) => {
+    const init = create_rpc_post_init(method, params);
+    Object.assign(init.headers, headers);
+    const res = await transport(path, init);
+    const body = (await res.json());
+    return { ok: res.ok, result: body.result, error: body.error };
+};
+/** Pull `error.data.reason` off an RPC error envelope (undefined if absent). */
+export const error_reason = (r) => r.error && typeof r.error.data === 'object' && r.error.data !== null
+    ? r.error.data.reason
+    : undefined;
+/**
+ * Assert the call succeeded and the `result` matches the verb's declared
+ * output schema — the wire-shape parity gate. Returns the parsed output.
+ */
+export const expect_output = (r, schema) => {
+    assert.ok(r.ok, `expected success, got ${JSON.stringify(r.error)}`);
+    const parsed = schema.safeParse(r.result);
+    assert.ok(parsed.success, `result does not match output schema: ${parsed.success ? '' : JSON.stringify(parsed.error.issues)} (got ${JSON.stringify(r.result)})`);
+    return parsed.data;
+};

package/dist/testing/cross_backend/cell_crud.d.ts

@@ -0,0 +1,4 @@
+import '../assert_dev_env.js';
+import { type CellCrossTestOptions } from './cell_cross_helpers.js';
+export declare const describe_cell_crud_cross_tests: (options: CellCrossTestOptions) => void;
+//# sourceMappingURL=cell_crud.d.ts.map

package/dist/testing/cross_backend/cell_crud.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_crud.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_crud.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAqD9B,OAAO,EAIN,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AAGjC,eAAO,MAAM,8BAA8B,GAAI,SAAS,oBAAoB,KAAG,IAwS9E,CAAC"}