@fuzdev/fuz_app 0.67.1 → 0.69.0

package/dist/testing/cross_backend/conformance_case.d.ts

@@ -0,0 +1,144 @@
+import '../assert_dev_env.js';
+/**
+ * Declarative conformance-case schema for the cross-backend behavioral +
+ * security suite.
+ *
+ * A conformance case is a single request → expected-response assertion,
+ * carried as **data**. The case references a `method` (an RPC method name
+ * or a REST auth-route suffix); the runner
+ * (`describe_conformance_table_tests`) resolves the `input` / `output`
+ * Zod schemas from the live action-spec registry / `RouteSpec` — the case
+ * never carries a schema. This is the opinionated behavioral/security
+ * layer on top of the spec-derived auto-enumeration
+ * (`describe_rpc_round_trip_tests` / `describe_rpc_attack_surface_tests`):
+ * the same case definition runs in-process (fast, every `gro test`) and
+ * cross-process (the conformance gate) against each impl's real auth
+ * resolution.
+ *
+ * The table is for single-request matrices (credential-type ceiling,
+ * privilege gates, IDOR masks, enumeration-equivalence, validation).
+ * Multi-step flows stay imperative in their own `describe_*` suites,
+ * sharing assertion primitives — there is deliberately no declarative
+ * setup DSL.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Closed enum of fixture-provisioned principals a case runs `as`. Each
+ * value maps to a `TestFixture` accessor (or a seeded `extra_accounts`
+ * entry) in the runner's `resolve_principal` — there is **no** inline
+ * credential minting in a case (that would be the setup-DSL trap).
+ *
+ * - `keeper` — the per-test bootstrapped keeper (holds `ROLE_KEEPER` +
+ *   `ROLE_ADMIN`), session credential.
+ * - `daemon` — the keeper authenticated via the daemon-token header.
+ * - `token` — the keeper authenticated via a bearer api-token (non-browser
+ *   context; the runner suppresses `Origin` so the token isn't discarded).
+ * - `anonymous` — no credential, fresh cookie jar.
+ * - `fresh_non_admin` — a freshly minted account with no roles, session
+ *   credential (via the production invite → signup → login flow).
+ * - `role_holder` — a seeded `extra_accounts` principal holding a specific
+ *   role; the runner reads it by the username named in
+ *   `ConformanceTableOptions.principals.role_holder`.
+ * - `wrong_role` — a seeded `extra_accounts` principal holding a role
+ *   other than the one a route requires; named via
+ *   `ConformanceTableOptions.principals.wrong_role`.
+ * - `expired_session` — the keeper account presented via an *expired
+ *   server-side session* cookie (minted by `fixture.mint_expired_session()`:
+ *   a backdated `auth_session` row behind a still-valid signed cookie
+ *   payload, so the authoritative DB-row expiry gate is what refuses it).
+ */
+export declare const ConformancePrincipal: z.ZodEnum<{
+    keeper: "keeper";
+    token: "token";
+    daemon: "daemon";
+    anonymous: "anonymous";
+    fresh_non_admin: "fresh_non_admin";
+    role_holder: "role_holder";
+    wrong_role: "wrong_role";
+    expired_session: "expired_session";
+}>;
+export type ConformancePrincipal = z.infer<typeof ConformancePrincipal>;
+/** The request a conformance case issues. */
+export declare const ConformanceCaseRequest: z.ZodObject<{
+    method: z.ZodString;
+    params: z.ZodOptional<z.ZodUnknown>;
+    as: z.ZodEnum<{
+        keeper: "keeper";
+        token: "token";
+        daemon: "daemon";
+        anonymous: "anonymous";
+        fresh_non_admin: "fresh_non_admin";
+        role_holder: "role_holder";
+        wrong_role: "wrong_role";
+        expired_session: "expired_session";
+    }>;
+    verb: z.ZodOptional<z.ZodEnum<{
+        GET: "GET";
+        POST: "POST";
+    }>>;
+}, z.core.$strict>;
+export type ConformanceCaseRequest = z.infer<typeof ConformanceCaseRequest>;
+/** The expected response shape a conformance case asserts. */
+export declare const ConformanceCaseExpectation: z.ZodObject<{
+    status: z.ZodNumber;
+    error_reason: z.ZodOptional<z.ZodString>;
+    fields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strict>;
+export type ConformanceCaseExpectation = z.infer<typeof ConformanceCaseExpectation>;
+/**
+ * Marks a case as a deferred-by-design gap. The runner routes it through
+ * `xfail_until` instead of a normal `test` — visible (distinct from pass)
+ * and self-cleaning (flips red when the impl starts passing, forcing the
+ * marker's removal). Use for declared gaps (e.g. facts), never for
+ * in-scope gaps (those fail loud as a red `test`).
+ */
+export declare const ConformanceCaseXfail: z.ZodObject<{
+    tracking_id: z.ZodString;
+    reason: z.ZodString;
+}, z.core.$strict>;
+export type ConformanceCaseXfail = z.infer<typeof ConformanceCaseXfail>;
+/**
+ * A single conformance case. `name` is the assertion; the optional
+ * free-text `note` is printed in the test label / failure output. A
+ * security case's `note` should reference a **public** fuz_app doc
+ * property (`security.md` / `architecture.md` / module TSDoc), since the
+ * table ships in a public package — not an internal planning doc. The note
+ * is documentation, not a gate: it stays free-text by design because a
+ * non-empty-string check never catches a *wrong* citation — the citation
+ * is verified in review.
+ */
+export declare const ConformanceCase: z.ZodObject<{
+    name: z.ZodString;
+    request: z.ZodObject<{
+        method: z.ZodString;
+        params: z.ZodOptional<z.ZodUnknown>;
+        as: z.ZodEnum<{
+            keeper: "keeper";
+            token: "token";
+            daemon: "daemon";
+            anonymous: "anonymous";
+            fresh_non_admin: "fresh_non_admin";
+            role_holder: "role_holder";
+            wrong_role: "wrong_role";
+            expired_session: "expired_session";
+        }>;
+        verb: z.ZodOptional<z.ZodEnum<{
+            GET: "GET";
+            POST: "POST";
+        }>>;
+    }, z.core.$strict>;
+    expect: z.ZodObject<{
+        status: z.ZodNumber;
+        error_reason: z.ZodOptional<z.ZodString>;
+        fields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strict>;
+    note: z.ZodOptional<z.ZodString>;
+    xfail: z.ZodOptional<z.ZodObject<{
+        tracking_id: z.ZodString;
+        reason: z.ZodString;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type ConformanceCase = z.infer<typeof ConformanceCase>;
+//# sourceMappingURL=conformance_case.d.ts.map

package/dist/testing/cross_backend/conformance_case.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"conformance_case.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/conformance_case.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;EAS/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,6CAA6C;AAC7C,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;kBAgBjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,8DAA8D;AAC9D,eAAO,MAAM,0BAA0B;;;;kBAqBrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB;;;kBAK/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;GASG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAS1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC"}

package/dist/testing/cross_backend/conformance_case.js

@@ -0,0 +1,132 @@
+import '../assert_dev_env.js';
+/**
+ * Declarative conformance-case schema for the cross-backend behavioral +
+ * security suite.
+ *
+ * A conformance case is a single request → expected-response assertion,
+ * carried as **data**. The case references a `method` (an RPC method name
+ * or a REST auth-route suffix); the runner
+ * (`describe_conformance_table_tests`) resolves the `input` / `output`
+ * Zod schemas from the live action-spec registry / `RouteSpec` — the case
+ * never carries a schema. This is the opinionated behavioral/security
+ * layer on top of the spec-derived auto-enumeration
+ * (`describe_rpc_round_trip_tests` / `describe_rpc_attack_surface_tests`):
+ * the same case definition runs in-process (fast, every `gro test`) and
+ * cross-process (the conformance gate) against each impl's real auth
+ * resolution.
+ *
+ * The table is for single-request matrices (credential-type ceiling,
+ * privilege gates, IDOR masks, enumeration-equivalence, validation).
+ * Multi-step flows stay imperative in their own `describe_*` suites,
+ * sharing assertion primitives — there is deliberately no declarative
+ * setup DSL.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Closed enum of fixture-provisioned principals a case runs `as`. Each
+ * value maps to a `TestFixture` accessor (or a seeded `extra_accounts`
+ * entry) in the runner's `resolve_principal` — there is **no** inline
+ * credential minting in a case (that would be the setup-DSL trap).
+ *
+ * - `keeper` — the per-test bootstrapped keeper (holds `ROLE_KEEPER` +
+ *   `ROLE_ADMIN`), session credential.
+ * - `daemon` — the keeper authenticated via the daemon-token header.
+ * - `token` — the keeper authenticated via a bearer api-token (non-browser
+ *   context; the runner suppresses `Origin` so the token isn't discarded).
+ * - `anonymous` — no credential, fresh cookie jar.
+ * - `fresh_non_admin` — a freshly minted account with no roles, session
+ *   credential (via the production invite → signup → login flow).
+ * - `role_holder` — a seeded `extra_accounts` principal holding a specific
+ *   role; the runner reads it by the username named in
+ *   `ConformanceTableOptions.principals.role_holder`.
+ * - `wrong_role` — a seeded `extra_accounts` principal holding a role
+ *   other than the one a route requires; named via
+ *   `ConformanceTableOptions.principals.wrong_role`.
+ * - `expired_session` — the keeper account presented via an *expired
+ *   server-side session* cookie (minted by `fixture.mint_expired_session()`:
+ *   a backdated `auth_session` row behind a still-valid signed cookie
+ *   payload, so the authoritative DB-row expiry gate is what refuses it).
+ */
+export const ConformancePrincipal = z.enum([
+    'keeper',
+    'daemon',
+    'token',
+    'anonymous',
+    'fresh_non_admin',
+    'role_holder',
+    'wrong_role',
+    'expired_session',
+]);
+/** The request a conformance case issues. */
+export const ConformanceCaseRequest = z.strictObject({
+    method: z.string().meta({
+        description: 'RPC method name (e.g. `admin_account_list`) or a REST auth-route suffix ' +
+            '(e.g. `/login`). A leading `/` selects the REST branch; otherwise the ' +
+            'runner resolves the RPC action from the spec registry.',
+    }),
+    params: z
+        .unknown()
+        .optional()
+        .meta({ description: 'Request params / body. Omit for nullary methods.' }),
+    as: ConformancePrincipal,
+    verb: z
+        .enum(['POST', 'GET'])
+        .optional()
+        .meta({ description: 'HTTP verb. Defaults to POST; use GET for `side_effects: false` reads.' }),
+});
+/** The expected response shape a conformance case asserts. */
+export const ConformanceCaseExpectation = z.strictObject({
+    status: z.number().int().meta({ description: 'Expected HTTP status code.' }),
+    error_reason: z
+        .string()
+        .optional()
+        .meta({
+        description: 'Expected error reason — pass the IMPORTED `ERROR_*` constant from ' +
+            '`http/error_schemas.ts`, never a string literal. Asserted against the RPC ' +
+            '`error.data.reason` (when the denial carries one) or the REST flat-body ' +
+            '`error` field. The pre-validation 401 carries `data.reason` too; a denial ' +
+            'that genuinely omits it falls back to the `status` assertion to pin the class.',
+    }),
+    fields: z
+        .record(z.string(), z.unknown())
+        .optional()
+        .meta({
+        description: 'Specific field-value assertions on the success `result` (2xx) or the error ' +
+            '`error.data` (non-2xx). Each key must deep-equal the corresponding response field.',
+    }),
+});
+/**
+ * Marks a case as a deferred-by-design gap. The runner routes it through
+ * `xfail_until` instead of a normal `test` — visible (distinct from pass)
+ * and self-cleaning (flips red when the impl starts passing, forcing the
+ * marker's removal). Use for declared gaps (e.g. facts), never for
+ * in-scope gaps (those fail loud as a red `test`).
+ */
+export const ConformanceCaseXfail = z.strictObject({
+    tracking_id: z
+        .string()
+        .meta({ description: 'Tracking id for the deferred gap (issue id or tracking slug).' }),
+    reason: z.string().meta({ description: 'Why this case is deferred-by-design.' }),
+});
+/**
+ * A single conformance case. `name` is the assertion; the optional
+ * free-text `note` is printed in the test label / failure output. A
+ * security case's `note` should reference a **public** fuz_app doc
+ * property (`security.md` / `architecture.md` / module TSDoc), since the
+ * table ships in a public package — not an internal planning doc. The note
+ * is documentation, not a gate: it stays free-text by design because a
+ * non-empty-string check never catches a *wrong* citation — the citation
+ * is verified in review.
+ */
+export const ConformanceCase = z.strictObject({
+    name: z.string().meta({ description: 'The assertion, used as the test label.' }),
+    request: ConformanceCaseRequest,
+    expect: ConformanceCaseExpectation,
+    note: z
+        .string()
+        .optional()
+        .meta({ description: 'Free-text note printed in the label / failure output.' }),
+    xfail: ConformanceCaseXfail.optional(),
+});

package/dist/testing/cross_backend/conformance_table.d.ts

@@ -0,0 +1,46 @@
+import '../assert_dev_env.js';
+import type { AppSurfaceSpec } from '../../http/surface.js';
+import type { SessionOptions } from '../../auth/session_cookie.js';
+import { type RpcEndpointsSuiteOption } from '../rpc_helpers.js';
+import { type ConformanceCase } from './conformance_case.js';
+import type { BackendCapabilities } from './capabilities.js';
+import type { SetupTest } from './setup.js';
+/**
+ * Names a seeded `extra_accounts` username for the `role_holder` /
+ * `wrong_role` principals — the only two that aren't backed by an
+ * always-available fixture accessor. Suites exercising those principals
+ * declare the matching `extra_accounts` at setup and name them here.
+ */
+export interface ConformancePrincipalConfig {
+    /** `extra_accounts` username for the `role_holder` principal. */
+    readonly role_holder?: string;
+    /** `extra_accounts` username for the `wrong_role` principal. */
+    readonly wrong_role?: string;
+}
+/** Options for `describe_conformance_table_tests`. */
+export interface ConformanceTableOptions {
+    /** The conformance cases to run, in order. */
+    readonly cases: ReadonlyArray<ConformanceCase>;
+    /** Per-test fixture producer (in-process or cross-process). */
+    readonly setup_test: SetupTest;
+    /** Surface spec — supplies the `RouteSpec`s for the REST branch. */
+    readonly surface_source: AppSurfaceSpec;
+    /** Declared backend capabilities (reserved for capability-gated rows). */
+    readonly capabilities: BackendCapabilities;
+    /** RPC endpoints — resolved to find each method's action spec. */
+    readonly rpc_endpoints: RpcEndpointsSuiteOption;
+    /** Session options — needed to resolve the `rpc_endpoints` factory form. */
+    readonly session_options: SessionOptions<string>;
+    /** Maps the `role_holder` / `wrong_role` principals to seeded usernames. */
+    readonly principals?: ConformancePrincipalConfig;
+    /** `describe` block label. Defaults to `'conformance table'`. */
+    readonly suite_name?: string;
+}
+/**
+ * Register a `describe` block running every `ConformanceCase` as a
+ * vitest `test` (or `xfail_until` for deferred-by-design rows). Drives
+ * either transport via the shared `{setup_test, surface_source,
+ * capabilities}` protocol.
+ */
+export declare const describe_conformance_table_tests: (options: ConformanceTableOptions) => void;
+//# sourceMappingURL=conformance_table.d.ts.map

package/dist/testing/cross_backend/conformance_table.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"conformance_table.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/conformance_table.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAwB9B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAE1D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAMjE,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAC,KAAK,eAAe,EAA4B,MAAM,uBAAuB,CAAC;AACtF,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,YAAY,CAAC;AAGvD;;;;;GAKG;AACH,MAAM,WAAW,0BAA0B;IAC1C,iEAAiE;IACjE,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,gEAAgE;IAChE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,sDAAsD;AACtD,MAAM,WAAW,uBAAuB;IACvC,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC/C,+DAA+D;IAC/D,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,oEAAoE;IACpE,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,0EAA0E;IAC1E,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;IAC3C,kEAAkE;IAClE,QAAQ,CAAC,aAAa,EAAE,uBAAuB,CAAC;IAChD,4EAA4E;IAC5E,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD,4EAA4E;IAC5E,QAAQ,CAAC,UAAU,CAAC,EAAE,0BAA0B,CAAC;IACjD,iEAAiE;IACjE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC7B;AAgOD;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,uBAAuB,KAAG,IAgBnF,CAAC"}

package/dist/testing/cross_backend/conformance_table.js

@@ -0,0 +1,199 @@
+import '../assert_dev_env.js';
+/**
+ * Table runner for the declarative cross-backend conformance suite.
+ *
+ * `describe_conformance_table_tests` takes a list of `ConformanceCase`
+ * rows plus the standard `{setup_test, surface_source, capabilities}`
+ * fixture protocol every Tier 1 suite uses — so **one runner drives both
+ * transports**: in-process via `default_in_process_setup` (fast, every
+ * `gro test`) and cross-process via `default_cross_process_setup` (the
+ * conformance gate, exercising each impl's real auth resolution over real
+ * HTTP). Same case definition, transport-parameterized.
+ *
+ * Each row references a `method`; the runner resolves its `input` /
+ * `output` schema from the live spec registry (RPC) or `RouteSpec` (the 6
+ * REST auth routes) — the row never carries a schema. The principal the
+ * row runs `as` resolves to a `TestFixture` accessor via
+ * `resolve_principal` — no inline credential minting.
+ *
+ * @module
+ */
+import { assert, describe, test } from 'vitest';
+import { find_auth_route, rest_auth_route_suffixes, } from '../integration_helpers.js';
+import { find_rpc_action, rpc_call, resolve_rpc_endpoints_for_setup, } from '../rpc_helpers.js';
+import {} from './conformance_case.js';
+import { xfail_until } from './xfail.js';
+/**
+ * Map a `ConformancePrincipal` onto the transport + headers it
+ * authenticates with, reading exclusively from the per-test `TestFixture`.
+ *
+ * The five always-available principals resolve from fixture accessors;
+ * `role_holder` / `wrong_role` read a seeded `extra_accounts` entry named
+ * via `options.principals` (throws a clear setup error when unconfigured).
+ */
+const resolve_principal = async (fixture, as, principals) => {
+    switch (as) {
+        case 'keeper':
+            // Keeper carries its session cookie via `create_session_headers`
+            // (in-process the transport is stateless; cross-process the jar
+            // also holds it — the explicit header is the same value).
+            return { transport: fixture.transport, headers: fixture.create_session_headers() };
+        case 'daemon':
+            // Daemon-token is a non-browser credential — empty jar + no Origin.
+            return {
+                transport: fixture.fresh_transport({ origin: null }),
+                headers: fixture.create_daemon_token_headers(),
+                suppress_default_origin: true,
+            };
+        case 'token':
+            // Bearer is discarded in a browser context — empty jar + no Origin.
+            return {
+                transport: fixture.fresh_transport({ origin: null }),
+                headers: fixture.create_bearer_headers(),
+                suppress_default_origin: true,
+            };
+        case 'anonymous':
+            // Fresh jar so the keeper cookie (cross-process) can't leak in.
+            return { transport: fixture.fresh_transport(), headers: {} };
+        case 'fresh_non_admin': {
+            const account = await fixture.create_account();
+            return { transport: fixture.fresh_transport(), headers: account.create_session_headers() };
+        }
+        case 'expired_session': {
+            // The keeper presented via an expired server-side session — fresh
+            // jar so only the (expired) cookie this seam returns is sent. The
+            // minted cookie payload is valid; the backdated `auth_session` row
+            // is what the DB-row expiry gate refuses.
+            const cookie = await fixture.mint_expired_session();
+            return { transport: fixture.fresh_transport(), headers: { cookie } };
+        }
+        case 'role_holder':
+        case 'wrong_role': {
+            const username = principals?.[as];
+            if (!username) {
+                throw new Error(`conformance: principal '${as}' requires options.principals.${as} naming a seeded ` +
+                    `extra_accounts username (declare the account at setup via extra_accounts).`);
+            }
+            const extra = fixture.extra_accounts[username];
+            if (!extra) {
+                throw new Error(`conformance: extra_accounts['${username}'] not seeded for principal '${as}' — ` +
+                    `declare it in the suite's extra_accounts option.`);
+            }
+            return { transport: fixture.fresh_transport(), headers: extra.create_session_headers() };
+        }
+    }
+};
+/** Assert each expected field deep-equals the corresponding response field. */
+const assert_fields = (actual, fields, label) => {
+    assert.ok(actual !== null && typeof actual === 'object', `${label}: expected an object to read fields from, got ${JSON.stringify(actual)}`);
+    const record = actual;
+    for (const [key, expected] of Object.entries(fields)) {
+        assert.deepEqual(record[key], expected, `${label}: field '${key}'`);
+    }
+};
+const is_success_status = (status) => status >= 200 && status < 300;
+/**
+ * Run one conformance case end-to-end: resolve the principal, dispatch the
+ * request, and assert the expected status / reason / fields.
+ */
+const run_case = async (c, options, resolved_rpc_endpoints) => {
+    const fixture = await options.setup_test();
+    const { transport, headers, suppress_default_origin } = await resolve_principal(fixture, c.request.as, options.principals);
+    if (c.request.method.startsWith('/')) {
+        await run_rest_case(c, options, transport, headers);
+        return;
+    }
+    await run_rpc_case(c, transport, headers, suppress_default_origin, resolved_rpc_endpoints);
+};
+/** Dispatch + assert a case targeting an RPC method. */
+const run_rpc_case = async (c, transport, headers, suppress_default_origin, resolved_rpc_endpoints) => {
+    const found = find_rpc_action(resolved_rpc_endpoints, c.request.method);
+    if (!found) {
+        throw new Error(`conformance: RPC method '${c.request.method}' not found on the surface — ` +
+            `check the method name or that the action is registered on rpc_endpoints.`);
+    }
+    const res = await rpc_call({
+        app: transport,
+        path: found.path,
+        method: c.request.method,
+        params: c.request.params,
+        headers,
+        ...(c.request.verb && { verb: c.request.verb }),
+        ...(suppress_default_origin && { suppress_default_origin: true }),
+    });
+    if (is_success_status(c.expect.status)) {
+        assert.ok(res.ok, `${c.name}: expected success (${c.expect.status}) but got error ${JSON.stringify(res.ok ? undefined : res.error)}`);
+        assert.strictEqual(res.status, c.expect.status, `${c.name}: status`);
+        const parsed = found.action.spec.output.safeParse(res.result);
+        assert.ok(parsed.success, `${c.name}: result does not match spec.output: ${JSON.stringify(parsed.success ? undefined : parsed.error.issues)}`);
+        if (c.expect.fields)
+            assert_fields(res.result, c.expect.fields, c.name);
+        return;
+    }
+    assert.ok(!res.ok, `${c.name}: expected error status ${c.expect.status} but got success`);
+    assert.strictEqual(res.status, c.expect.status, `${c.name}: error status`);
+    if (c.expect.error_reason !== undefined) {
+        const reason = res.error.data?.reason;
+        // Most RPC denials carry `error.data.reason` (incl. the pre-validation
+        // 401 now); a denial that genuinely omits it falls back to the status
+        // assertion above to pin the denial class.
+        if (reason !== undefined) {
+            assert.strictEqual(reason, c.expect.error_reason, `${c.name}: error.data.reason`);
+        }
+    }
+    if (c.expect.fields)
+        assert_fields(res.error.data, c.expect.fields, c.name);
+};
+/** Dispatch + assert a case targeting one of the 6 REST auth routes. */
+const run_rest_case = async (c, options, transport, headers) => {
+    const suffix = c.request.method;
+    if (!rest_auth_route_suffixes.includes(suffix)) {
+        throw new Error(`conformance: REST method '${c.request.method}' is not a known auth-route suffix ` +
+            `(${rest_auth_route_suffixes.join(', ')}). Use an RPC method name for RPC actions.`);
+    }
+    const verb = c.request.verb ?? 'POST';
+    const route = find_auth_route(options.surface_source.route_specs, suffix, verb);
+    if (!route) {
+        throw new Error(`conformance: no REST route spec for ${verb} ${suffix} on the surface.`);
+    }
+    const init = {
+        method: verb,
+        headers: { 'Content-Type': 'application/json', ...headers },
+        ...(verb !== 'GET' &&
+            c.request.params !== undefined && { body: JSON.stringify(c.request.params) }),
+    };
+    const response = await transport(route.path, init);
+    assert.strictEqual(response.status, c.expect.status, `${c.name}: status`);
+    const body = await response.json().catch(() => undefined);
+    if (is_success_status(c.expect.status)) {
+        const parsed = route.output.safeParse(body);
+        assert.ok(parsed.success, `${c.name}: body does not match route output: ${JSON.stringify(parsed.success ? undefined : parsed.error.issues)}`);
+    }
+    else if (c.expect.error_reason !== undefined) {
+        const error = body?.error;
+        assert.strictEqual(error, c.expect.error_reason, `${c.name}: body.error`);
+    }
+    if (c.expect.fields)
+        assert_fields(body, c.expect.fields, c.name);
+};
+/**
+ * Register a `describe` block running every `ConformanceCase` as a
+ * vitest `test` (or `xfail_until` for deferred-by-design rows). Drives
+ * either transport via the shared `{setup_test, surface_source,
+ * capabilities}` protocol.
+ */
+export const describe_conformance_table_tests = (options) => {
+    const resolved_rpc_endpoints = resolve_rpc_endpoints_for_setup(options.rpc_endpoints, options.session_options);
+    describe(options.suite_name ?? 'conformance table', () => {
+        for (const c of options.cases) {
+            const label = c.note ? `${c.name} — ${c.note}` : c.name;
+            const body = () => run_case(c, options, resolved_rpc_endpoints);
+            if (c.xfail) {
+                xfail_until(c.xfail.tracking_id, c.xfail.reason, label, body);
+            }
+            else {
+                test(label, body);
+            }
+        }
+    });
+};

package/dist/testing/cross_backend/default_backend_configs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default_backend_configs.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_backend_configs.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAC,sBAAsB,EAAE,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAC/E,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAA2B,KAAK,gBAAgB,EAAC,MAAM,+BAA+B,CAAC;AAQ9F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAOpC,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,EAAE,mBAOtC,CAAC;AAeH,MAAM,WAAW,iCAAiC;IACjD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,oDAAoD;IACpD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,iCAAiC,KACrC,aAmCF,CAAC;AAEF,MAAM,WAAW,mCAAmC;IACnD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C;;;;OAIG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,+CAA+C;IAC/C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,mCAAmC,KACvC,aA2CF,CAAC"}
+{"version":3,"file":"default_backend_configs.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_backend_configs.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAC,sBAAsB,EAAE,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAC/E,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAA2B,KAAK,gBAAgB,EAAC,MAAM,+BAA+B,CAAC;AAQ9F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBASpC,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,EAAE,mBAStC,CAAC;AAeH,MAAM,WAAW,iCAAiC;IACjD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,oDAAoD;IACpD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,iCAAiC,KACrC,aAmCF,CAAC;AAEF,MAAM,WAAW,mCAAmC;IACnD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C;;;;OAIG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,+CAA+C;IAC/C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,mCAAmC,KACvC,aA2CF,CAAC"}

package/dist/testing/cross_backend/default_backend_configs.js

@@ -13,7 +13,9 @@ export const ts_default_capabilities = Object.freeze({
     login_rate_limit: false,
     ws: true,
     sse: false,
-    in_process_only: false,
+    cell_crud: true,
+    cell_relations: true,
+    account_lifecycle: true,
 });
 /**
  * Capabilities for the Rust family. Adds `trusted_proxy: true` (the
@@ -27,7 +29,9 @@ export const rust_default_capabilities = Object.freeze({
     login_rate_limit: true,
     ws: true,
     sse: false,
-    in_process_only: false,
+    cell_crud: true,
+    cell_relations: true,
+    account_lifecycle: true,
 });
 /** Bootstrap block built from the default secrets + supplied paths. */
 const build_default_bootstrap = (paths, overrides) => ({

package/dist/testing/cross_backend/default_spine_surface.d.ts

@@ -10,10 +10,19 @@ import type { AppServerContext } from '../../server/app_server.js';
  */
 export declare const spine_session_options: SessionOptions<string>;
 /**
- * Built-in roles only — the standard spine registers no app-defined role
- * specs. When the spine grows additional grantable roles, thread their
- * registry through `create_role_schema` here so the admin suite picks up
- * grant-path coverage.
+ * App role the role-shaped-`cell_grant` cross suite exercises. Registered
+ * with no grant path (`grant_paths: []`) so it stays a valid registry member
+ * without entering the admin / self-service grant flows — holders are seeded
+ * directly via `extra_accounts`. Must match the `cell_editor` entry in the
+ * Rust `testing_spine_stub`'s `known_roles` (cross-language test contract).
+ */
+export declare const SPINE_CELL_EDITOR_ROLE = "cell_editor";
+/**
+ * The spine's closed role registry: built-ins plus `SPINE_CELL_EDITOR_ROLE`.
+ * Threaded into the cell spec set's role-validity gate; the Rust stub mirrors
+ * the same membership. When the spine grows additional grantable roles,
+ * thread their registry through `create_role_schema` here so the admin suite
+ * picks up grant-path coverage.
  */
 export declare const spine_roles: RoleSchemaResult;
 /** RPC endpoint mount path — matches the binary's `/api/rpc`. */
@@ -27,11 +36,10 @@ export declare const SPINE_RPC_PATH = "/api/rpc";
  */
 export declare const SPINE_SSE_PATH = "/api/admin/audit/stream";
 /**
- * Factory-form RPC endpoints so the `app_settings_update` handler closes
- * over the per-test `ctx.app_settings`. `create_app_server` (in the binary)
- * owns live dispatch; the surface builder invokes the factory once with a
- * stub ctx for setup-time path/method lookup, so the handler closures are
- * never called across the process boundary.
+ * Factory-form RPC endpoints over the per-test `ctx.deps`. `create_app_server`
+ * (in the binary) owns live dispatch; the surface builder invokes the factory
+ * once with a stub ctx for setup-time path/method lookup, so the handler
+ * closures are never called across the process boundary.
  *
  * Test binaries append their own `_testing_reset` action to this endpoint's
  * `actions` (see `testing_reset_actions.ts`); it is intentionally excluded

package/dist/testing/cross_backend/default_spine_surface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default_spine_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_spine_surface.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA6B9B,OAAO,EAAqB,KAAK,gBAAgB,EAAC,MAAM,2BAA2B,CAAC;AACpF,OAAO,EAAwB,KAAK,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAGxF,OAAO,EAAqB,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC5E,OAAO,KAAK,EAAC,cAAc,EAAE,eAAe,EAAC,MAAM,uBAAuB,CAAC;AAC3E,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AAGjE;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,CAAC,MAAM,CAAwC,CAAC;AAElG;;;;;GAKG;AACH,eAAO,MAAM,WAAW,EAAE,gBAAyC,CAAC;AAEpE,iEAAiE;AACjE,eAAO,MAAM,cAAc,aAAa,CAAC;AAEzC;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,4BAA4B,CAAC;AAExD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,GAAI,KAAK,gBAAgB,KAAG,KAAK,CAAC,eAAe,CAQhF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,wBAAwB,GAAI,KAAK,gBAAgB,KAAG,KAAK,CAAC,SAAS,CAkB/E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,QAAO,cAM1C,CAAC"}
+{"version":3,"file":"default_spine_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_spine_surface.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA6B9B,OAAO,EAAqB,KAAK,gBAAgB,EAAC,MAAM,2BAA2B,CAAC;AACpF,OAAO,EAAwB,KAAK,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAGxF,OAAO,EAAqB,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC5E,OAAO,KAAK,EAAC,cAAc,EAAE,eAAe,EAAC,MAAM,uBAAuB,CAAC;AAC3E,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AAGjE;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,CAAC,MAAM,CAAwC,CAAC;AAElG;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,gBAAgB,CAAC;AAEpD;;;;;;GAMG;AACH,eAAO,MAAM,WAAW,EAAE,gBAExB,CAAC;AAEH,iEAAiE;AACjE,eAAO,MAAM,cAAc,aAAa,CAAC;AAEzC;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,4BAA4B,CAAC;AAExD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,mBAAmB,GAAI,KAAK,gBAAgB,KAAG,KAAK,CAAC,eAAe,CAOhF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,wBAAwB,GAAI,KAAK,gBAAgB,KAAG,KAAK,CAAC,SAAS,CAiB/E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,QAAO,cAM1C,CAAC"}