@fuzdev/fuz_app 0.67.1 → 0.69.0

package/dist/testing/cross_backend/cell_crud.js

@@ -0,0 +1,168 @@
+import '../assert_dev_env.js';
+/**
+ * Dedicated stateful cell-CRUD parity suite for the cross-backend harness.
+ *
+ * The generic `describe_rpc_round_trip_tests` can't cover cells: the verbs
+ * are stateful (update / delete / get-by-id need a real cell id threaded
+ * from a prior create) and `cell_get`'s input has a top-level `.refine()`.
+ * So cells stay off the standard declared surface (`create_spine_surface_spec`)
+ * — exactly like ws / sse — and this suite plus its sibling
+ * `describe_cell_relations_cross_tests` (grant / field / item / clone / audit)
+ * are the cell validators. This one gates on `capabilities.cell_crud`; it runs
+ * against any backend that live-mounts the cell surface (the TS spine binary,
+ * the in-process Hono app, and the Rust `testing_spine_stub`).
+ *
+ * Drives the full lifecycle (create → get → update → delete → list, threading
+ * the created id) plus the authz matrix the wire contract guarantees. Every
+ * success response is parsed against the verb's declared Zod **output** schema
+ * (`CellCreateOutput` / `CellGetOutput` / …), so a TS↔Rust envelope drift —
+ * not just a `CellJson` field drift — fails the suite:
+ *
+ * - owner does full CRUD; responses match the output schemas exactly;
+ * - anon sees `public` cells only — `private` is 404 (existence not leaked);
+ * - a non-owner non-admin editing / reading / deleting another's private cell
+ *   gets 404 (IDOR mask), never 403;
+ * - admin reaches any cell;
+ * - duplicate active `path` → 409 (`cell_path_taken`);
+ * - `path` write by a non-admin → 403 (`cell_path_admin_only`), on both create
+ *   and update (even by the owner);
+ * - `cell_get` with neither `id` nor `path` → `invalid_params`;
+ * - null-auth `cell_list` with `created_by` → `invalid_params`.
+ *
+ * The visibility-manage-tier 403 (`cell_visibility_manage_only`) needs a
+ * non-owner editor, which only a `cell_grant` can produce, so it lives in
+ * `describe_cell_relations_cross_tests` alongside the grant verbs rather than
+ * here.
+ *
+ * `$lib`-free by contract (relative specifiers only) so the suite can be
+ * imported from the spawnable cross-process test files.
+ *
+ * @module
+ */
+import { describe, assert } from 'vitest';
+import { CellCreateOutput, CellDeleteOutput, CellGetOutput, CellListOutput, CellUpdateOutput, } from '../../auth/cell_action_specs.js';
+import { test_if } from './capabilities.js';
+import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+export const describe_cell_crud_cross_tests = (options) => {
+    const { setup_test, capabilities } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('cell CRUD parity', () => {
+        test_if(capabilities.cell_crud, 'owner lifecycle: create → get → update → delete → list', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_owner' });
+            const t = fixture.fresh_transport();
+            const owner_headers = owner.create_session_headers();
+            // create — default visibility, owner-stamped, no grants
+            const created = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note', label: 'hi' } }, owner_headers), CellCreateOutput);
+            assert.strictEqual(created.cell.visibility, 'private');
+            assert.strictEqual(created.cell.created_by, owner.actor.id);
+            assert.strictEqual(created.cell.updated_by, null);
+            assert.strictEqual(created.cell.grant_count, 0);
+            const cell_id = created.cell.id;
+            // get by id — full CellGetOutput envelope; relations empty in the first cut
+            const got = expect_output(await cross_rpc_call(t, rpc_path, 'cell_get', { id: cell_id }, owner_headers), CellGetOutput);
+            assert.strictEqual(got.cell.id, cell_id);
+            assert.deepStrictEqual(got.fields, []);
+            assert.deepStrictEqual(got.items, []);
+            assert.strictEqual(got.fields_truncated, false);
+            assert.strictEqual(got.items_truncated, false);
+            assert.strictEqual(got.can_edit, true);
+            assert.strictEqual(got.can_grant, true); // owner is manage-tier
+            // update data + flip to public (owner is manage-tier, so visibility write is allowed)
+            const updated = expect_output(await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id, data: { kind: 'note', label: 'hi2' }, visibility: 'public' }, owner_headers), CellUpdateOutput);
+            assert.strictEqual(updated.cell.visibility, 'public');
+            assert.strictEqual(updated.cell.updated_by, owner.actor.id);
+            // list includes it
+            const listed = expect_output(await cross_rpc_call(t, rpc_path, 'cell_list', {}, owner_headers), CellListOutput);
+            assert.ok(listed.cells.some((c) => c.id === cell_id), 'owner cell_list omitted the cell');
+            // delete → subsequent get is 404
+            const deleted = expect_output(await cross_rpc_call(t, rpc_path, 'cell_delete', { cell_id }, owner_headers), CellDeleteOutput);
+            assert.strictEqual(deleted.deleted, true);
+            const gone = await cross_rpc_call(t, rpc_path, 'cell_get', { id: cell_id }, owner_headers);
+            assert.ok(!gone.ok, 'deleted cell still readable');
+            assert.strictEqual(error_reason(gone), 'cell_not_found');
+        });
+        test_if(capabilities.cell_crud, 'anon sees public cells only; private is 404', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_anon_owner' });
+            const owner_headers = owner.create_session_headers();
+            const authed = fixture.fresh_transport();
+            const priv = expect_output(await cross_rpc_call(authed, rpc_path, 'cell_create', { data: { kind: 'note' }, visibility: 'private' }, owner_headers), CellCreateOutput).cell;
+            const pub = expect_output(await cross_rpc_call(authed, rpc_path, 'cell_create', { data: { kind: 'note' }, visibility: 'public' }, owner_headers), CellCreateOutput).cell;
+            const anon = fixture.fresh_transport({ origin: null });
+            const anon_pub = await cross_rpc_call(anon, rpc_path, 'cell_get', { id: pub.id }, {});
+            assert.ok(anon_pub.ok, `anon could not read public cell: ${JSON.stringify(anon_pub.error)}`);
+            const anon_priv = await cross_rpc_call(anon, rpc_path, 'cell_get', { id: priv.id }, {});
+            assert.ok(!anon_priv.ok, 'anon read a private cell');
+            assert.strictEqual(error_reason(anon_priv), 'cell_not_found');
+            const anon_list = expect_output(await cross_rpc_call(anon, rpc_path, 'cell_list', {}, {}), CellListOutput);
+            const anon_ids = anon_list.cells.map((c) => c.id);
+            assert.ok(anon_ids.includes(pub.id), 'anon list missing public cell');
+            assert.ok(!anon_ids.includes(priv.id), 'anon list leaked private cell');
+        });
+        test_if(capabilities.cell_crud, 'non-owner edit/read/delete of a private cell → 404 (IDOR mask)', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_idor_owner' });
+            const other = await fixture.create_account({ username: 'cell_idor_other' });
+            const t = fixture.fresh_transport();
+            const priv = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner.create_session_headers()), CellCreateOutput).cell;
+            const other_headers = other.create_session_headers();
+            const read = await cross_rpc_call(t, rpc_path, 'cell_get', { id: priv.id }, other_headers);
+            assert.strictEqual(error_reason(read), 'cell_not_found');
+            const edit = await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id: priv.id, data: { kind: 'note', label: 'x' } }, other_headers);
+            assert.ok(!edit.ok, 'non-owner edited a private cell');
+            assert.strictEqual(error_reason(edit), 'cell_not_found');
+            const del = await cross_rpc_call(t, rpc_path, 'cell_delete', { cell_id: priv.id }, other_headers);
+            assert.ok(!del.ok, 'non-owner deleted a private cell');
+            assert.strictEqual(error_reason(del), 'cell_not_found');
+        });
+        test_if(capabilities.cell_crud, 'admin (keeper) reaches another actor’s private cell', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_admin_owner' });
+            const t = fixture.fresh_transport();
+            const priv = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner.create_session_headers()), CellCreateOutput).cell;
+            // `fixture` is the bootstrapped keeper (holds ROLE_ADMIN).
+            const admin_read = expect_output(await cross_rpc_call(t, rpc_path, 'cell_get', { id: priv.id }, fixture.create_session_headers()), CellGetOutput);
+            assert.strictEqual(admin_read.cell.id, priv.id);
+        });
+        test_if(capabilities.cell_crud, 'duplicate active path → 409 conflict', async () => {
+            const fixture = await setup_test();
+            const t = fixture.fresh_transport();
+            // `path` writes are admin-only; the keeper is admin.
+            const admin_headers = fixture.create_session_headers();
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' }, path: 'parity/dup' }, admin_headers), CellCreateOutput);
+            const dup = await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' }, path: 'parity/dup' }, admin_headers);
+            assert.ok(!dup.ok, 'duplicate path was accepted');
+            assert.strictEqual(error_reason(dup), 'cell_path_taken');
+        });
+        test_if(capabilities.cell_crud, 'path write by non-admin → 403 (create and update)', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_path_owner' });
+            const t = fixture.fresh_transport();
+            const owner_headers = owner.create_session_headers();
+            const create_with_path = await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' }, path: 'parity/forbidden' }, owner_headers);
+            assert.ok(!create_with_path.ok, 'non-admin set a path on create');
+            assert.strictEqual(error_reason(create_with_path), 'cell_path_admin_only');
+            // Even owning the cell, a non-admin cannot write `path` on update.
+            const owned = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_headers), CellCreateOutput).cell;
+            const update_path = await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id: owned.id, path: 'parity/owned' }, owner_headers);
+            assert.ok(!update_path.ok, 'non-admin set a path on update');
+            assert.strictEqual(error_reason(update_path), 'cell_path_admin_only');
+        });
+        test_if(capabilities.cell_crud, 'cell_get without id or path → invalid_params', async () => {
+            const fixture = await setup_test();
+            const bad = await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'cell_get', {}, fixture.create_session_headers());
+            assert.ok(!bad.ok, 'cell_get with empty params succeeded');
+            // -32602 invalid_params (refine or handler guard).
+            assert.strictEqual(bad.error?.code, -32602);
+        });
+        test_if(capabilities.cell_crud, 'null-auth cell_list with created_by → invalid_params', async () => {
+            const fixture = await setup_test();
+            const anon = fixture.fresh_transport({ origin: null });
+            const bad = await cross_rpc_call(anon, rpc_path, 'cell_list', { created_by: fixture.actor.id }, {});
+            assert.ok(!bad.ok, 'anon created_by filter accepted');
+            assert.strictEqual(error_reason(bad), 'cell_list_created_by_requires_auth');
+        });
+    });
+};

package/dist/testing/cross_backend/cell_grant_role.d.ts

@@ -0,0 +1,8 @@
+import '../assert_dev_env.js';
+import { type CellCrossTestOptions } from './cell_cross_helpers.js';
+/** App role the holder is seeded with; matches the spine's registered role. */
+export declare const CELL_EDITOR_ROLE = "cell_editor";
+/** Username the fixture seeds (via `extra_accounts`) holding `CELL_EDITOR_ROLE`. */
+export declare const CELL_ROLE_HOLDER_USERNAME = "cell_role_holder";
+export declare const describe_cell_grant_role_cross_tests: (options: CellCrossTestOptions) => void;
+//# sourceMappingURL=cell_grant_role.d.ts.map

package/dist/testing/cross_backend/cell_grant_role.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_grant_role.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_grant_role.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA6C9B,OAAO,EACN,KAAK,oBAAoB,EAIzB,MAAM,yBAAyB,CAAC;AAGjC,+EAA+E;AAC/E,eAAO,MAAM,gBAAgB,gBAAyB,CAAC;AAEvD,oFAAoF;AACpF,eAAO,MAAM,yBAAyB,qBAAqB,CAAC;AAK5D,eAAO,MAAM,oCAAoC,GAAI,SAAS,oBAAoB,KAAG,IAuIpF,CAAC"}

package/dist/testing/cross_backend/cell_grant_role.js

@@ -0,0 +1,102 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for **role-shaped** `cell_grant`s.
+ *
+ * The cell CRUD / relations suites exercise only actor-shaped grant
+ * principals. This suite covers the role-shaped path and its closed-registry
+ * gate — the security-correctness property that the Rust spine previously
+ * lacked (it created inert grant rows for any role string). Both spines now
+ * validate the role against a closed registry at create.
+ *
+ * - **role grant admits a holder; excludes a non-holder** — an owner grants
+ *   `{role}` on a private cell; an account holding that role can `cell_get`
+ *   it (200), an account without it gets the IDOR-mask 404.
+ * - **unknown role rejected at create (security-correctness)** — granting a
+ *   role outside the registry is `invalid_params` / `cell_grant_unknown_role`,
+ *   not a silent inert row.
+ * - **editor-level role grant admits edit** — a holder of an `editor`-level
+ *   role grant can `cell_update` the cell's content.
+ *
+ * The holder is seeded via `extra_accounts` under `CELL_ROLE_HOLDER_USERNAME`
+ * holding `CELL_EDITOR_ROLE` (the role has no grant path, so it can't be
+ * offered — the bootstrap-cradle seed is the only path). Both legs configure
+ * that seed and register `CELL_EDITOR_ROLE` in their role registry; the Rust
+ * `testing_spine_stub` mirrors the same membership in its `known_roles`.
+ *
+ * Cites `security.md` §Authorization (role-shaped cell-grant validation).
+ * Runs both legs via the shared `{setup_test}` protocol: in-process
+ * (`auth/cell_grant_role_parity.db.test.ts`) + cross-process
+ * (`cross_backend/cell_grant_role.cross.test.ts`). Gated on
+ * `capabilities.cell_relations` (true on every spine, so it never skips).
+ *
+ * `$lib`-free by contract (relative specifiers only).
+ *
+ * @module
+ */
+import { describe, assert } from 'vitest';
+import { CellCreateOutput, CellGetOutput, CellUpdateOutput } from '../../auth/cell_action_specs.js';
+import { CellGrantCreateOutput, ERROR_CELL_GRANT_UNKNOWN_ROLE, } from '../../auth/cell_grant_action_specs.js';
+import { test_if } from './capabilities.js';
+import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
+import { SPINE_CELL_EDITOR_ROLE, SPINE_RPC_PATH } from './default_spine_surface.js';
+/** App role the holder is seeded with; matches the spine's registered role. */
+export const CELL_EDITOR_ROLE = SPINE_CELL_EDITOR_ROLE;
+/** Username the fixture seeds (via `extra_accounts`) holding `CELL_EDITOR_ROLE`. */
+export const CELL_ROLE_HOLDER_USERNAME = 'cell_role_holder';
+/** A role string deliberately absent from the registry. */
+const UNREGISTERED_ROLE = 'not_a_registered_role';
+export const describe_cell_grant_role_cross_tests = (options) => {
+    const { setup_test, capabilities } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('cell_grant role-shaped parity', () => {
+        test_if(capabilities.cell_relations, 'role grant admits a holder of the role and excludes a non-holder', async () => {
+            const fixture = await setup_test();
+            const t = fixture.transport;
+            const owner = await fixture.create_account({ username: 'cell_role_owner' });
+            const owner_h = owner.create_session_headers();
+            const holder = fixture.extra_accounts[CELL_ROLE_HOLDER_USERNAME];
+            assert.ok(holder, `fixture must seed the ${CELL_ROLE_HOLDER_USERNAME} extra account`);
+            const stranger = await fixture.create_account({ username: 'cell_role_stranger' });
+            // Owner creates a private cell (default visibility) and grants
+            // view access to anyone holding CELL_EDITOR_ROLE.
+            const created = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_h), CellCreateOutput);
+            const cell_id = created.cell.id;
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_grant_create', { cell_id, level: 'viewer', principal: { kind: 'role', role: CELL_EDITOR_ROLE } }, owner_h), CellGrantCreateOutput);
+            // Holder of the role is admitted through the role-shaped grant.
+            const holder_view = expect_output(await cross_rpc_call(t, rpc_path, 'cell_get', { id: cell_id }, holder.create_session_headers()), CellGetOutput);
+            assert.strictEqual(holder_view.cell.id, cell_id, 'holder sees the granted cell');
+            // A non-holder sees the IDOR-mask 404 — the grant keys on the role,
+            // not mere authentication.
+            const stranger_view = await cross_rpc_call(t, rpc_path, 'cell_get', { id: cell_id }, stranger.create_session_headers());
+            assert.ok(!stranger_view.ok, 'non-holder must not see the cell');
+            assert.strictEqual(error_reason(stranger_view), 'cell_not_found');
+        });
+        test_if(capabilities.cell_relations, 'role-shaped grant for an unregistered role is rejected at create', async () => {
+            const fixture = await setup_test();
+            const t = fixture.transport;
+            const owner = await fixture.create_account({ username: 'cell_unknown_role_owner' });
+            const owner_h = owner.create_session_headers();
+            const created = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_h), CellCreateOutput);
+            const denied = await cross_rpc_call(t, rpc_path, 'cell_grant_create', {
+                cell_id: created.cell.id,
+                level: 'viewer',
+                principal: { kind: 'role', role: UNREGISTERED_ROLE },
+            }, owner_h);
+            assert.ok(!denied.ok, 'granting an unregistered role must fail');
+            assert.strictEqual(error_reason(denied), ERROR_CELL_GRANT_UNKNOWN_ROLE);
+        });
+        test_if(capabilities.cell_relations, 'editor-level role grant admits content edit', async () => {
+            const fixture = await setup_test();
+            const t = fixture.transport;
+            const owner = await fixture.create_account({ username: 'cell_role_edit_owner' });
+            const owner_h = owner.create_session_headers();
+            const holder = fixture.extra_accounts[CELL_ROLE_HOLDER_USERNAME];
+            assert.ok(holder, `fixture must seed the ${CELL_ROLE_HOLDER_USERNAME} extra account`);
+            const created = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_h), CellCreateOutput);
+            const cell_id = created.cell.id;
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_grant_create', { cell_id, level: 'editor', principal: { kind: 'role', role: CELL_EDITOR_ROLE } }, owner_h), CellGrantCreateOutput);
+            const edited = expect_output(await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id, data: { kind: 'note', label: 'by role editor' } }, holder.create_session_headers()), CellUpdateOutput);
+            assert.strictEqual(edited.cell.updated_by, holder.actor.id, 'edit attributed to the holder');
+        });
+    });
+};

package/dist/testing/cross_backend/cell_relations.d.ts

@@ -0,0 +1,4 @@
+import '../assert_dev_env.js';
+import { type CellCrossTestOptions } from './cell_cross_helpers.js';
+export declare const describe_cell_relations_cross_tests: (options: CellCrossTestOptions) => void;
+//# sourceMappingURL=cell_relations.d.ts.map

package/dist/testing/cross_backend/cell_relations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_relations.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_relations.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAkE9B,OAAO,EAIN,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AAGjC,eAAO,MAAM,mCAAmC,GAAI,SAAS,oBAAoB,KAAG,IAsfnF,CAAC"}

package/dist/testing/cross_backend/cell_relations.js

@@ -0,0 +1,229 @@
+import '../assert_dev_env.js';
+/**
+ * Dedicated cell relation / ACL / audit parity suite for the cross-backend
+ * harness — the sibling of `describe_cell_crud_cross_tests` covering every
+ * cell verb beyond plain CRUD: `cell_grant_*`, `cell_field_*`,
+ * `cell_item_*`, `cell_clone`, and `cell_audit_list`.
+ *
+ * Like the CRUD suite (and ws / sse), these verbs are live-mounted on the
+ * spine RPC path but stay off the standard declared surface, so the generic
+ * `describe_rpc_round_trip_tests` never drives them. Every success response
+ * is parsed against the verb's declared Zod **output** schema, so a TS↔Rust
+ * envelope drift fails the suite — not just a payload-field drift.
+ *
+ * Coverage (gated on `capabilities.cell_relations`):
+ *
+ * - **grant lifecycle** — owner grants an actor-shaped editor; the grantee
+ *   gains edit (was 404 before the grant); `cell_grant_list` is manage-tier
+ *   (owner sees it, the editor gets the IDOR 404); revoke drops the edit path.
+ * - **`cell_visibility_manage_only`** — the editor-grant holder can edit
+ *   content but flipping `visibility` is 403 (the case the 5-verb CRUD cut
+ *   couldn't reach without a grant principal).
+ * - **fields** — `cell_field_set` UPSERT, forward + reverse `cell_field_list`,
+ *   idempotent `cell_field_delete`.
+ * - **items** — `cell_item_insert` at fractional-index positions, forward
+ *   (lex-ordered) + reverse `cell_item_list`, `cell_item_move`, idempotent
+ *   `cell_item_delete`.
+ * - **clone** — shallow copies item / field *edges* (shared `child_id` /
+ *   `target_id`); deep clones each viewable child into a fresh cell at the
+ *   same position. Both null `path` and stamp the caller as owner.
+ * - **audit** — `cell_audit_list` is manage-tier: the owner reads the cell's
+ *   timeline; a viewer-grant holder who can `cell_get` the cell still gets the
+ *   IDOR 404 on the timeline (D14).
+ *
+ * Only **actor-shaped** grants are exercised — role-shaped principals need a
+ * closed role registry the Rust spine deliberately lacks, so role-grant
+ * parity is out of scope here (the TS impl covers it in-process).
+ *
+ * `$lib`-free by contract (relative specifiers only) so the suite can be
+ * imported from the spawnable cross-process test files.
+ *
+ * @module
+ */
+import { describe, assert } from 'vitest';
+import { fractional_index_between } from '@fuzdev/fuz_util/fractional_index.js';
+import { CellCreateOutput, CellUpdateOutput, CellCloneOutput } from '../../auth/cell_action_specs.js';
+import { CellGrantCreateOutput, CellGrantListOutput, CellGrantRevokeOutput, } from '../../auth/cell_grant_action_specs.js';
+import { CellFieldDeleteOutput, CellFieldListOutput, CellFieldSetOutput, } from '../../auth/cell_field_action_specs.js';
+import { CellItemDeleteOutput, CellItemInsertOutput, CellItemListOutput, CellItemMoveOutput, } from '../../auth/cell_item_action_specs.js';
+import { CellAuditListOutput } from '../../auth/cell_audit_action_specs.js';
+import { test_if } from './capabilities.js';
+import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+export const describe_cell_relations_cross_tests = (options) => {
+    const { setup_test, capabilities } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('cell relations parity', () => {
+        test_if(capabilities.cell_relations, 'grant lifecycle: editor grant enables edit; grant_list is manage-tier; revoke drops it', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_grant_owner' });
+            const editor = await fixture.create_account({ username: 'cell_grant_editor' });
+            const t = fixture.fresh_transport();
+            const owner_h = owner.create_session_headers();
+            const editor_h = editor.create_session_headers();
+            const cell = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_h), CellCreateOutput).cell;
+            // Before the grant the editor can't even see the private cell.
+            const pre = await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id: cell.id, data: { kind: 'note', label: 'x' } }, editor_h);
+            assert.ok(!pre.ok, 'non-grantee edited a private cell');
+            assert.strictEqual(error_reason(pre), 'cell_not_found');
+            // Owner (manage-tier) grants the editor an actor-shaped editor grant.
+            const grant = expect_output(await cross_rpc_call(t, rpc_path, 'cell_grant_create', {
+                cell_id: cell.id,
+                level: 'editor',
+                principal: { kind: 'actor', actor_id: editor.actor.id },
+            }, owner_h), CellGrantCreateOutput).grant;
+            assert.strictEqual(grant.level, 'editor');
+            assert.strictEqual(grant.actor_id, editor.actor.id);
+            assert.strictEqual(grant.role, null);
+            // The editor can now edit content.
+            const edited = expect_output(await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id: cell.id, data: { kind: 'note', label: 'by editor' } }, editor_h), CellUpdateOutput);
+            assert.strictEqual(edited.cell.updated_by, editor.actor.id);
+            // grant_list is manage-tier: owner sees the grant.
+            const owner_grants = expect_output(await cross_rpc_call(t, rpc_path, 'cell_grant_list', { cell_id: cell.id }, owner_h), CellGrantListOutput);
+            assert.ok(owner_grants.grants.some((g) => g.id === grant.id), 'owner grant_list omitted the grant');
+            // The editor (non-manage) gets the IDOR 404 on grant_list.
+            const editor_grants = await cross_rpc_call(t, rpc_path, 'cell_grant_list', { cell_id: cell.id }, editor_h);
+            assert.ok(!editor_grants.ok, 'editor read the grant list');
+            assert.strictEqual(error_reason(editor_grants), 'cell_not_found');
+            // Revoke and confirm the edit path is gone.
+            const revoked = expect_output(await cross_rpc_call(t, rpc_path, 'cell_grant_revoke', { grant_id: grant.id }, owner_h), CellGrantRevokeOutput);
+            assert.strictEqual(revoked.ok, true);
+            const post = await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id: cell.id, data: { kind: 'note', label: 'y' } }, editor_h);
+            assert.ok(!post.ok, 'revoked editor still edited');
+            assert.strictEqual(error_reason(post), 'cell_not_found');
+        });
+        test_if(capabilities.cell_relations, 'editor-grant holder cannot flip visibility → cell_visibility_manage_only', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_vis_owner' });
+            const editor = await fixture.create_account({ username: 'cell_vis_editor' });
+            const t = fixture.fresh_transport();
+            const owner_h = owner.create_session_headers();
+            const editor_h = editor.create_session_headers();
+            const cell = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_h), CellCreateOutput).cell;
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_grant_create', {
+                cell_id: cell.id,
+                level: 'editor',
+                principal: { kind: 'actor', actor_id: editor.actor.id },
+            }, owner_h), CellGrantCreateOutput);
+            // Content edits pass (editor tier); a visibility write is manage-tier.
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id: cell.id, data: { kind: 'note', label: 'ok' } }, editor_h), CellUpdateOutput);
+            const vis = await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id: cell.id, visibility: 'public' }, editor_h);
+            assert.ok(!vis.ok, 'editor flipped visibility');
+            assert.strictEqual(error_reason(vis), 'cell_visibility_manage_only');
+        });
+        test_if(capabilities.cell_relations, 'field set → forward + reverse list → idempotent delete', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_field_owner' });
+            const t = fixture.fresh_transport();
+            const h = owner.create_session_headers();
+            const source = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, h), CellCreateOutput).cell;
+            const target = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, h), CellCreateOutput).cell;
+            const set = expect_output(await cross_rpc_call(t, rpc_path, 'cell_field_set', { source_id: source.id, name: 'cover', target_id: target.id }, h), CellFieldSetOutput);
+            assert.strictEqual(set.field.name, 'cover');
+            assert.strictEqual(set.field.source_id, source.id);
+            assert.strictEqual(set.field.target_id, target.id);
+            const forward = expect_output(await cross_rpc_call(t, rpc_path, 'cell_field_list', { source_id: source.id }, h), CellFieldListOutput);
+            assert.ok(forward.fields.some((f) => f.name === 'cover' && f.target_id === target.id), 'forward field_list missing the field');
+            const reverse = expect_output(await cross_rpc_call(t, rpc_path, 'cell_field_list', { target_id: target.id }, h), CellFieldListOutput);
+            assert.ok(reverse.fields.some((f) => f.source_id === source.id), 'reverse field_list missing the upfield');
+            const del = expect_output(await cross_rpc_call(t, rpc_path, 'cell_field_delete', { source_id: source.id, name: 'cover' }, h), CellFieldDeleteOutput);
+            assert.strictEqual(del.deleted, true);
+            const del2 = expect_output(await cross_rpc_call(t, rpc_path, 'cell_field_delete', { source_id: source.id, name: 'cover' }, h), CellFieldDeleteOutput);
+            assert.strictEqual(del2.deleted, false);
+        });
+        test_if(capabilities.cell_relations, 'item insert → ordered forward + reverse list → move → idempotent delete', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_item_owner' });
+            const t = fixture.fresh_transport();
+            const h = owner.create_session_headers();
+            const make = async () => expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, h), CellCreateOutput).cell.id;
+            const parent = await make();
+            const child_a = await make();
+            const child_b = await make();
+            const pos_a = fractional_index_between(null, null);
+            const ins_a = expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_insert', { parent_id: parent, child_id: child_a, position: pos_a }, h), CellItemInsertOutput);
+            assert.strictEqual(ins_a.item.child_id, child_a);
+            const pos_b = fractional_index_between(pos_a, null);
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_insert', { parent_id: parent, child_id: child_b, position: pos_b }, h), CellItemInsertOutput);
+            // Forward list is lex-ordered by position; child_a (pos_a < pos_b) first.
+            const forward = expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_list', { parent_id: parent }, h), CellItemListOutput);
+            assert.strictEqual(forward.items.length, 2);
+            assert.strictEqual(forward.items[0].child_id, child_a);
+            assert.strictEqual(forward.items[1].child_id, child_b);
+            // Reverse list — which parents contain child_a.
+            const reverse = expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_list', { child_id: child_a }, h), CellItemListOutput);
+            assert.ok(reverse.items.some((i) => i.parent_id === parent), 'reverse item_list missing the parent');
+            // Move child_b ahead of child_a.
+            const new_pos = fractional_index_between(null, pos_a);
+            const moved = expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_move', { parent_id: parent, position: pos_b, new_position: new_pos }, h), CellItemMoveOutput);
+            assert.strictEqual(moved.item.position, new_pos);
+            assert.strictEqual(moved.item.child_id, child_b);
+            // Idempotent delete on the slot key.
+            const del = expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_delete', { parent_id: parent, position: pos_a }, h), CellItemDeleteOutput);
+            assert.strictEqual(del.deleted, true);
+            const del2 = expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_delete', { parent_id: parent, position: pos_a }, h), CellItemDeleteOutput);
+            assert.strictEqual(del2.deleted, false);
+        });
+        test_if(capabilities.cell_relations, 'clone: shallow shares edges; deep clones children', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_clone_owner' });
+            const t = fixture.fresh_transport();
+            const h = owner.create_session_headers();
+            const make = async (label) => expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note', ...(label === undefined ? {} : { label }) } }, h), CellCreateOutput).cell.id;
+            const source = await make('orig');
+            const child = await make('child');
+            const field_target = await make('target');
+            const child_pos = fractional_index_between(null, null);
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_insert', { parent_id: source, child_id: child, position: child_pos }, h), CellItemInsertOutput);
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_field_set', { source_id: source, name: 'link', target_id: field_target }, h), CellFieldSetOutput);
+            // Shallow clone: new owned cell, path nulled, item edge shares the
+            // same child_id, field edge shares the same target_id.
+            const shallow = expect_output(await cross_rpc_call(t, rpc_path, 'cell_clone', { source_id: source }, h), CellCloneOutput).cell;
+            assert.notStrictEqual(shallow.id, source);
+            assert.strictEqual(shallow.created_by, owner.actor.id);
+            assert.strictEqual(shallow.path, null);
+            const shallow_items = expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_list', { parent_id: shallow.id }, h), CellItemListOutput);
+            assert.strictEqual(shallow_items.items.length, 1);
+            assert.strictEqual(shallow_items.items[0].child_id, child, 'shallow clone re-pointed the child');
+            const shallow_fields = expect_output(await cross_rpc_call(t, rpc_path, 'cell_field_list', { source_id: shallow.id }, h), CellFieldListOutput);
+            assert.strictEqual(shallow_fields.fields.length, 1);
+            assert.strictEqual(shallow_fields.fields[0].target_id, field_target);
+            // Deep clone: the child edge points at a NEW cloned cell, not the
+            // original child; the field edge still shares the target.
+            const deep = expect_output(await cross_rpc_call(t, rpc_path, 'cell_clone', { source_id: source, deep: true }, h), CellCloneOutput).cell;
+            const deep_items = expect_output(await cross_rpc_call(t, rpc_path, 'cell_item_list', { parent_id: deep.id }, h), CellItemListOutput);
+            assert.strictEqual(deep_items.items.length, 1);
+            assert.notStrictEqual(deep_items.items[0].child_id, child, 'deep clone reused the original child');
+            const deep_fields = expect_output(await cross_rpc_call(t, rpc_path, 'cell_field_list', { source_id: deep.id }, h), CellFieldListOutput);
+            assert.strictEqual(deep_fields.fields.length, 1);
+            assert.strictEqual(deep_fields.fields[0].target_id, field_target);
+        });
+        test_if(capabilities.cell_relations, 'audit_list is manage-tier: owner reads the timeline; viewer-grant gets 404', async () => {
+            const fixture = await setup_test();
+            const owner = await fixture.create_account({ username: 'cell_audit_owner' });
+            const viewer = await fixture.create_account({ username: 'cell_audit_viewer' });
+            const t = fixture.fresh_transport();
+            const owner_h = owner.create_session_headers();
+            const viewer_h = viewer.create_session_headers();
+            const cell = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_h), CellCreateOutput).cell;
+            // A mutation so the timeline has at least the create + update events.
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id: cell.id, data: { kind: 'note', label: 'v2' } }, owner_h), CellUpdateOutput);
+            // Owner (manage-tier) reads the timeline.
+            const timeline = expect_output(await cross_rpc_call(t, rpc_path, 'cell_audit_list', { cell_id: cell.id }, owner_h), CellAuditListOutput);
+            assert.ok(timeline.events.length > 0, 'owner audit timeline empty');
+            assert.ok(timeline.events.some((e) => e.event_type === 'cell_create'), 'audit timeline missing the create event');
+            // Grant the viewer a view-only grant: they can read the cell …
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_grant_create', {
+                cell_id: cell.id,
+                level: 'viewer',
+                principal: { kind: 'actor', actor_id: viewer.actor.id },
+            }, owner_h), CellGrantCreateOutput);
+            const can_read = await cross_rpc_call(t, rpc_path, 'cell_get', { id: cell.id }, viewer_h);
+            assert.ok(can_read.ok, 'viewer-grant holder could not read the cell');
+            // … but the timeline is manage-tier, so they get the IDOR 404.
+            const denied = await cross_rpc_call(t, rpc_path, 'cell_audit_list', { cell_id: cell.id }, viewer_h);
+            assert.ok(!denied.ok, 'viewer read the audit timeline');
+            assert.strictEqual(error_reason(denied), 'cell_not_found');
+        });
+    });
+};