@fuzdev/fuz_app 0.67.1 → 0.69.0

package/dist/testing/cross_backend/default_spine_surface.js

@@ -37,12 +37,23 @@ import { create_test_app_surface_spec } from '../stubs.js';
  */
 export const spine_session_options = create_session_config('fuz_session');
 /**
- * Built-in roles only — the standard spine registers no app-defined role
- * specs. When the spine grows additional grantable roles, thread their
- * registry through `create_role_schema` here so the admin suite picks up
- * grant-path coverage.
+ * App role the role-shaped-`cell_grant` cross suite exercises. Registered
+ * with no grant path (`grant_paths: []`) so it stays a valid registry member
+ * without entering the admin / self-service grant flows — holders are seeded
+ * directly via `extra_accounts`. Must match the `cell_editor` entry in the
+ * Rust `testing_spine_stub`'s `known_roles` (cross-language test contract).
  */
-export const spine_roles = create_role_schema([]);
+export const SPINE_CELL_EDITOR_ROLE = 'cell_editor';
+/**
+ * The spine's closed role registry: built-ins plus `SPINE_CELL_EDITOR_ROLE`.
+ * Threaded into the cell spec set's role-validity gate; the Rust stub mirrors
+ * the same membership. When the spine grows additional grantable roles,
+ * thread their registry through `create_role_schema` here so the admin suite
+ * picks up grant-path coverage.
+ */
+export const spine_roles = create_role_schema([
+    { name: SPINE_CELL_EDITOR_ROLE, grant_paths: [] },
+]);
 /** RPC endpoint mount path — matches the binary's `/api/rpc`. */
 export const SPINE_RPC_PATH = '/api/rpc';
 /**
@@ -54,11 +65,10 @@ export const SPINE_RPC_PATH = '/api/rpc';
  */
 export const SPINE_SSE_PATH = '/api/admin/audit/stream';
 /**
- * Factory-form RPC endpoints so the `app_settings_update` handler closes
- * over the per-test `ctx.app_settings`. `create_app_server` (in the binary)
- * owns live dispatch; the surface builder invokes the factory once with a
- * stub ctx for setup-time path/method lookup, so the handler closures are
- * never called across the process boundary.
+ * Factory-form RPC endpoints over the per-test `ctx.deps`. `create_app_server`
+ * (in the binary) owns live dispatch; the surface builder invokes the factory
+ * once with a stub ctx for setup-time path/method lookup, so the handler
+ * closures are never called across the process boundary.
  *
  * Test binaries append their own `_testing_reset` action to this endpoint's
  * `actions` (see `testing_reset_actions.ts`); it is intentionally excluded
@@ -69,7 +79,6 @@ export const spine_rpc_endpoints = (ctx) => [
     {
         path: SPINE_RPC_PATH,
         actions: create_standard_rpc_actions(ctx.deps, {
-            app_settings: ctx.app_settings,
             roles: spine_roles,
         }),
     },
@@ -97,7 +106,6 @@ export const create_spine_route_specs = (ctx) => [
             session_options: spine_session_options,
             ip_rate_limiter: null,
             signup_account_rate_limiter: null,
-            app_settings: ctx.app_settings,
         }),
     ]),
     ...(ctx.audit_sse

package/dist/testing/cross_backend/origin.d.ts

@@ -0,0 +1,10 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/**
+ * Options for the origin parity suite. Shares the shape of the cell /
+ * account-lifecycle suites (`setup_test` / `capabilities` / `rpc_path`);
+ * reuses `CellCrossTestOptions` rather than minting a structural duplicate.
+ */
+export type OriginCrossTestOptions = CellCrossTestOptions;
+export declare const describe_origin_cross_tests: (options: OriginCrossTestOptions) => void;
+//# sourceMappingURL=origin.d.ts.map

package/dist/testing/cross_backend/origin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"origin.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/origin.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAkC9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE;;;;GAIG;AACH,MAAM,MAAM,sBAAsB,GAAG,oBAAoB,CAAC;AAM1D,eAAO,MAAM,2BAA2B,GAAI,SAAS,sBAAsB,KAAG,IAwC7E,CAAC"}

package/dist/testing/cross_backend/origin.js

@@ -0,0 +1,73 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for Origin verification.
+ *
+ * Origin checking is middleware that runs *before* the RPC dispatcher and
+ * returns a flat REST `{error}` body — not a JSON-RPC envelope — so it
+ * doesn't fit the envelope-shaped conformance-table runner. This dedicated
+ * imperative suite drives raw transport calls instead, mirroring how the
+ * in-process origin tests were already hand-rolled. Two cases:
+ *
+ * - **disallowed `Origin` → 403** `forbidden_origin`, refused before any
+ *   handler runs (the allowlist rejects the cross-origin request even with
+ *   a valid session cookie attached).
+ * - **absent `Origin` → request passes** — non-browser / direct-access
+ *   clients (curl, CLI, server-to-server) carry no `Origin` and must not be
+ *   blocked; token auth is the control for those callers.
+ *
+ * Runs both legs via the shared `{setup_test, capabilities}` protocol: the
+ * in-process leg (`auth/origin_parity.db.test.ts`, plain `gro test`) and the
+ * cross-process leg (`cross_backend/origin.cross.test.ts`, the TS spine
+ * binaries + Rust `testing_spine_stub` over real HTTP). Origin middleware is
+ * on every spine, so the suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only), like the sibling
+ * cross-backend suites.
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { account_verify_action_spec } from '../../auth/account_action_specs.js';
+import { ERROR_FORBIDDEN_ORIGIN } from '../../http/error_schemas.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** Build the JSON-RPC envelope body for a nullary `account_verify` call. */
+const verify_envelope = (id) => JSON.stringify({ jsonrpc: '2.0', method: account_verify_action_spec.method, id });
+export const describe_origin_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('origin verification parity', () => {
+        test('disallowed Origin → 403 forbidden_origin (refused before dispatch)', async () => {
+            const fixture = await setup_test();
+            // Keeper session cookie attached + a rogue Origin header (overrides
+            // the transport's default allowed Origin). The allowlist must reject
+            // before the dispatcher, returning a flat REST error body.
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: {
+                    ...fixture.create_session_headers(),
+                    origin: 'http://evil.com',
+                    'content-type': 'application/json',
+                },
+                body: verify_envelope('evil-origin'),
+            });
+            assert.strictEqual(res.status, 403, 'disallowed Origin must be rejected with 403');
+            const body = (await res.json().catch(() => undefined));
+            assert.strictEqual(body?.error, ERROR_FORBIDDEN_ORIGIN);
+        });
+        test('absent Origin → request passes (non-browser direct access)', async () => {
+            const fixture = await setup_test();
+            // `origin: null` so no Origin header is sent at all (a header omission
+            // alone wouldn't suffice cross-process — the jar auto-adds the default
+            // allowed Origin). The keeper cookie rides via an explicit header.
+            const res = await fixture.fresh_transport({ origin: null })(rpc_path, {
+                method: 'POST',
+                headers: {
+                    ...fixture.create_session_headers(),
+                    'content-type': 'application/json',
+                },
+                body: verify_envelope('no-origin'),
+            });
+            assert.strictEqual(res.status, 200, 'absent Origin with a valid session must pass');
+        });
+    });
+};

package/dist/testing/cross_backend/setup.d.ts

@@ -1,10 +1,9 @@
 import '../assert_dev_env.js';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
-import type { Keyring } from '../../auth/keyring.js';
 import type { RouteSpec } from '../../http/route_spec.js';
 import type { AppServerContext, BootstrapServerOptions } from '../../server/app_server.js';
 import type { SessionOptions } from '../../auth/session_cookie.js';
-import { type CreateTestAppOptions, type SuiteAppOptions, type TestAccount, type TestAppServer } from '../app_server.js';
+import { type CreateTestAppOptions, type SuiteAppOptions, type TestAccount } from '../app_server.js';
 import { type RpcEndpointsSuiteOption } from '../rpc_helpers.js';
 import { type BackendCapabilities } from './capabilities.js';
 import type { AppSurfaceSpec } from '../../http/surface.js';
@@ -140,49 +139,32 @@ export interface TestFixtureBase {
      * for suites that don't declare any.
      */
     readonly extra_accounts: Readonly<Record<string, ExtraAccountFixture>>;
+    /**
+     * Forge an *expired server-side session* for the keeper account and
+     * return the ready-to-send `Cookie` header value (`name=value`). The
+     * minted `auth_session` row is backdated while the signed cookie payload
+     * stays valid — so resolution clears the cookie-payload gate
+     * (`parse_session`) and is refused at the authoritative DB-row gate
+     * (`query_session_get_valid` — `WHERE expires_at > NOW()`). Backs the
+     * `expired_session` conformance principal. In-process mints directly via
+     * `mint_test_session`; cross-process drives the `_testing_mint_session`
+     * RPC over the keeper's daemon-token channel (the driver has no keyring).
+     */
+    readonly mint_expired_session: () => Promise<string>;
 }
 /**
  * The per-test bundle returned by `SetupTest`. Every Tier 1 suite body
- * reads exclusively from this shape — no `test_app.backend.*` reads
- * remain in the suite bodies.
+ * reads exclusively from this shape — no `test_app.backend.*` reads remain
+ * in the suite bodies.
  *
- * Discriminated by `in_process`: when `true`, `keyring` and
- * `backend_internals` are present (compile-time narrowed); when `false`,
- * they're absent and the suite body must either run via the public wire
- * (cross-process) or gate the test with
- * `test_if(capabilities.in_process_only, ...)`. The discriminant value
- * mirrors `BackendCapabilities.in_process_only` — both source from the
- * same producer (`default_in_process_setup` vs. cross-process variant).
- *
- * Suite bodies narrow with `assert(fixture.in_process)` after
- * `setup_test()`; sites that reach for `keyring` or `backend_internals`
- * are in-process-only by structure and the assertion surfaces a clear
- * failure if a future cross-process consumer reaches them without a
- * `test_if` gate.
+ * Transport-agnostic: in-process and cross-process producers return the
+ * same shape. Behaviors that once needed raw backend access (keyring for
+ * forging cookies) are reached through wire-shaped seams instead —
+ * `mint_expired_session()` mints over the `_testing_mint_session` channel
+ * cross-process and directly in-process, so suite bodies never branch on
+ * the transport.
  */
-export type TestFixture = (TestFixtureBase & {
-    readonly in_process: true;
-    /**
-     * Test-only keyring access — in-process only. Used for
-     * expired-cookie generation in `describe_standard_integration_tests`.
-     */
-    readonly keyring: Keyring;
-    /**
-     * Raw backend access (`deps.db`, etc.) — in-process only. Used
-     * by the origin-verification cookie-composition sites in
-     * `describe_standard_integration_tests`. Tests that need a
-     * direct DB role_grant seed at the in-process layer reach for
-     * `create_test_role_grant_direct` from `db_entities.ts`; that
-     * helper bypasses the consent flow on purpose for query-level
-     * (`*.db.test.ts`) tests and has no cross-process analog.
-     * Cross-process tests grant additional roles via
-     * `fixture.create_account({roles})` (offer/accept) or
-     * `extra_accounts` (bootstrap-time bypass).
-     */
-    readonly backend_internals: TestAppServer;
-}) | (TestFixtureBase & {
-    readonly in_process: false;
-});
+export type TestFixture = TestFixtureBase;
 /**
  * Per-test fixture-producing function. Invoked once inside every
  * `test()` body. The implementation captures factory inputs (in-process)

package/dist/testing/cross_backend/setup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"setup.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/setup.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAuB9B,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE5C,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AACxD,OAAO,KAAK,EAAC,gBAAgB,EAAE,sBAAsB,EAAC,MAAM,4BAA4B,CAAC;AACzF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAIjE,OAAO,EAIN,KAAK,oBAAoB,EACzB,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAA0B,KAAK,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AACpF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAyB,KAAK,cAAc,EAAC,MAAM,kCAAkC,CAAC;AAC7F,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,oBAAoB,CAAC;AAEtD;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACxC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAE7C;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,gBAAgB;IAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CACtC;AAED,sEAAsE;AACtE,MAAM,WAAW,mBAAmB;IACnC,QAAQ,CAAC,OAAO,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACjE,QAAQ,CAAC,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IACpC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5F,QAAQ,CAAC,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3F;AAoCD;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,SAAS,EAAE,cAAc,CAAC;IACnC;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,QAAQ,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,EAAE;QAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAC,KAAK,cAAc,CAAC;IAC1F,+CAA+C;IAC/C,QAAQ,CAAC,OAAO,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACjE,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IACpC,8DAA8D;IAC9D,QAAQ,CAAC,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5F,4DAA4D;IAC5D,QAAQ,CAAC,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3F,iEAAiE;IACjE,QAAQ,CAAC,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjG;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE,wBAAwB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC7F;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC;CACvE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,MAAM,WAAW,GACpB,CAAC,eAAe,GAAG;IACnB,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC;IAC1B;;;OAGG;IACH,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC;CACzC,CAAC,GACF,CAAC,eAAe,GAAG;IAAC,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAA;CAAC,CAAC,CAAC;AAEpD;;;;;GAKG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;AAenD;;;;;GAKG;AACH,MAAM,WAAW,qBAAsB,SAAQ,oBAAoB;IAClE;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACnC,SAAS,qBAAqB,KAAG,SAwCjC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,WAAW,yBAA0B,SAAQ,aAAa;IAC/D,iEAAiE;IACjE,QAAQ,CAAC,gBAAgB,EAAE,cAAc,CAAC;IAC1C,2DAA2D;IAC3D,QAAQ,CAAC,cAAc,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxE,yDAAyD;IACzD,QAAQ,CAAC,YAAY,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAC3C,wGAAwG;IACxG,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/C;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,sCAAsC,GAAG,IAAI,CACxD,yBAAyB,EACzB,OAAO,GAAG,UAAU,CACpB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,qCAAqC;IACrD,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACzC,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IACrD,QAAQ,CAAC,cAAc,EAAE,yBAAyB,CAAC,gBAAgB,CAAC,CAAC;IACrE,QAAQ,CAAC,YAAY,EAAE,yBAAyB,CAAC,cAAc,CAAC,CAAC;IACjE,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/C;AAED;;;GAGG;AACH,eAAO,MAAM,6BAA6B,GACzC,QAAQ,yBAAyB,KAC/B,qCAMD,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,YAAY,qCAAqC,KAC/C,sCAUD,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACxC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACpD;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;CAC1D;AA6WD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,2BAA2B,GACvC,QAAQ,sCAAsC,EAC9C,UAAU,wBAAwB,KAChC,SA2GF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,4BAA4B;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACnC;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACjD;;;;;OAKG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CAChC;AAWD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,gCAAgC,GAAI,KAAK,CAAC,CAAC,SAAS,4BAA4B,EAC5F,SAAS,CAAC,KACR;IACF,UAAU,EAAE,SAAS,CAAC;IACtB,cAAc,EAAE,cAAc,CAAC;IAC/B,YAAY,EAAE,mBAAmB,CAAC;IAClC,eAAe,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;IACtC,kBAAkB,EAAE,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAC5C,aAAa,EAAE,CAAC,CAAC,eAAe,CAAC,CAAC;CA0BjC,CAAC"}
+{"version":3,"file":"setup.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/setup.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAuB9B,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE5C,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AACxD,OAAO,KAAK,EAAC,gBAAgB,EAAE,sBAAsB,EAAC,MAAM,4BAA4B,CAAC;AACzF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAIjE,OAAO,EAKN,KAAK,oBAAoB,EACzB,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAA0B,KAAK,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AACpF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAyB,KAAK,cAAc,EAAC,MAAM,kCAAkC,CAAC;AAC7F,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,oBAAoB,CAAC;AAEtD;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACxC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAE7C;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,gBAAgB;IAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CACtC;AAED,sEAAsE;AACtE,MAAM,WAAW,mBAAmB;IACnC,QAAQ,CAAC,OAAO,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACjE,QAAQ,CAAC,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IACpC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5F,QAAQ,CAAC,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3F;AAoCD;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,SAAS,EAAE,cAAc,CAAC;IACnC;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,QAAQ,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,EAAE;QAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAC,KAAK,cAAc,CAAC;IAC1F,+CAA+C;IAC/C,QAAQ,CAAC,OAAO,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACjE,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IACpC,8DAA8D;IAC9D,QAAQ,CAAC,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5F,4DAA4D;IAC5D,QAAQ,CAAC,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3F,iEAAiE;IACjE,QAAQ,CAAC,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjG;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE,wBAAwB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC7F;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACvE;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,oBAAoB,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACrD;AAED;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,WAAW,GAAG,eAAe,CAAC;AAE1C;;;;;GAKG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;AAenD;;;;;GAKG;AACH,MAAM,WAAW,qBAAsB,SAAQ,oBAAoB;IAClE;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACnC,SAAS,qBAAqB,KAAG,SAsDjC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,WAAW,yBAA0B,SAAQ,aAAa;IAC/D,iEAAiE;IACjE,QAAQ,CAAC,gBAAgB,EAAE,cAAc,CAAC;IAC1C,2DAA2D;IAC3D,QAAQ,CAAC,cAAc,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxE,yDAAyD;IACzD,QAAQ,CAAC,YAAY,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAC3C,wGAAwG;IACxG,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/C;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,sCAAsC,GAAG,IAAI,CACxD,yBAAyB,EACzB,OAAO,GAAG,UAAU,CACpB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,qCAAqC;IACrD,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACzC,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IACrD,QAAQ,CAAC,cAAc,EAAE,yBAAyB,CAAC,gBAAgB,CAAC,CAAC;IACrE,QAAQ,CAAC,YAAY,EAAE,yBAAyB,CAAC,cAAc,CAAC,CAAC;IACjE,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/C;AAED;;;GAGG;AACH,eAAO,MAAM,6BAA6B,GACzC,QAAQ,yBAAyB,KAC/B,qCAMD,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,YAAY,qCAAqC,KAC/C,sCAUD,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACxC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACpD;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;CAC1D;AAwXD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,2BAA2B,GACvC,QAAQ,sCAAsC,EAC9C,UAAU,wBAAwB,KAChC,SA+HF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,4BAA4B;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACnC;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACjD;;;;;OAKG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CAChC;AAWD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,gCAAgC,GAAI,KAAK,CAAC,CAAC,SAAS,4BAA4B,EAC5F,SAAS,CAAC,KACR;IACF,UAAU,EAAE,SAAS,CAAC;IACtB,cAAc,EAAE,cAAc,CAAC;IAC/B,YAAY,EAAE,mBAAmB,CAAC;IAClC,eAAe,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;IACtC,kBAAkB,EAAE,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAC5C,aAAa,EAAE,CAAC,CAAC,eAAe,CAAC,CAAC;CA0BjC,CAAC"}

package/dist/testing/cross_backend/setup.js

@@ -23,7 +23,7 @@ import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { ROLE_KEEPER } from '../../auth/role_schema.js';
 import { DAEMON_TOKEN_HEADER } from '../../auth/daemon_token.js';
 import { USERNAME_LENGTH_MAX } from '../../primitive_schemas.js';
-import { create_test_app, create_test_account_with_credentials, DEFAULT_TEST_PASSWORD, } from '../app_server.js';
+import { create_test_app, create_test_account_with_credentials, mint_test_session, DEFAULT_TEST_PASSWORD, } from '../app_server.js';
 import { create_test_app_surface_spec } from '../stubs.js';
 import { http_transport, } from '../rpc_helpers.js';
 import { in_process_capabilities } from './capabilities.js';
@@ -85,6 +85,11 @@ const in_process_fetch_transport = (app) => {
  * beyond what `create_test_app` already does.
  */
 export const default_in_process_setup = (options) => async () => {
+    // Per-test fresh db. When `options.migration_namespaces` is set,
+    // `create_test_app` provisions an auth+extras PGlite (e.g. the cell
+    // layer); otherwise the auth-only default. Either way the factory
+    // resets + re-migrates on each `create`, so the per-test keeper
+    // bootstrap below lands on a clean DB.
     const test_app = await create_test_app(options);
     // Seed bootstrap-time secondaries against the same DB the keeper
     // just landed on. Direct-insert is the only path for roles whose
@@ -105,7 +110,6 @@ export const default_in_process_setup = (options) => async () => {
         extra_accounts[spec.username] = build_extra_account_fixture(seeded, cookie_name);
     }
     return {
-        in_process: true,
         transport: in_process_fetch_transport(test_app.app),
         // In-process the wrapper is stateless and never auto-adds Origin —
         // `options` is accepted for API symmetry with cross-process but
@@ -118,8 +122,18 @@ export const default_in_process_setup = (options) => async () => {
         create_daemon_token_headers: test_app.create_daemon_token_headers,
         create_account: test_app.create_account,
         extra_accounts,
-        keyring: test_app.backend.keyring,
-        backend_internals: test_app.backend,
+        // Forge directly against the live backend's DB + keyring — no wire
+        // hop needed in-process.
+        mint_expired_session: async () => {
+            const { session_cookie } = await mint_test_session({
+                db: test_app.backend.deps.db,
+                keyring: test_app.backend.keyring,
+                session_options: options.session_options,
+                account_id: test_app.backend.account.id,
+                expires_in_seconds: EXPIRED_SESSION_OFFSET_SECONDS,
+            });
+            return `${cookie_name}=${session_cookie}`;
+        },
     };
 };
 /**
@@ -219,6 +233,15 @@ const rpc_via_transport = async (transport, rpc_path, method, params, backend_na
     }
     return raw.result;
 };
+/**
+ * Backdating offset (seconds) the `mint_expired_session` seam passes to
+ * `mint_test_session` / `_testing_mint_session`. A minute in the past is
+ * comfortably past `NOW()` for the DB-row expiry gate without depending on
+ * clock precision.
+ */
+const EXPIRED_SESSION_OFFSET_SECONDS = -60;
+/** Structural subset of `_testing_mint_session`'s output. */
+const MintSessionResponseShape = z.object({ session_cookie: z.string() });
 /** Structural subset of `_testing_reset`'s output. */
 const TestingResetResponseShape = z.object({
     account: z.object({ id: Uuid, username: z.string() }),
@@ -499,7 +522,6 @@ export const default_cross_process_setup = (handle, options) => {
             initial_cookies: [`${cookie_name}=${keeper.session_cookie}`],
         });
         return {
-            in_process: false,
             transport,
             fresh_transport: (fresh_options) => create_fetch_transport({
                 base_url: handle.config.base_url,
@@ -512,6 +534,18 @@ export const default_cross_process_setup = (handle, options) => {
             create_daemon_token_headers,
             create_account,
             extra_accounts,
+            // Forge over the wire — the cross-process driver has no keyring,
+            // so `_testing_mint_session` mints the backdated row + signs the
+            // cookie server-side over the keeper's daemon-token channel.
+            mint_expired_session: async () => {
+                const raw = await rpc_via_transport(refreshed_handle.keeper_transport, handle.config.rpc_path, '_testing_mint_session', { account_id: keeper.account.id, expires_in_seconds: EXPIRED_SESSION_OFFSET_SECONDS }, handle.config.name, { [DAEMON_TOKEN_HEADER]: handle.daemon_token });
+                const parsed = MintSessionResponseShape.safeParse(raw);
+                if (!parsed.success) {
+                    throw new Error(`_testing_mint_session(${handle.config.name}) returned unexpected result: ` +
+                        `${JSON.stringify(raw)} (${parsed.error.message})`);
+                }
+                return `${cookie_name}=${parsed.data.session_cookie}`;
+            },
         };
     };
 };

package/dist/testing/cross_backend/testing_reset_actions.d.ts

@@ -2,8 +2,14 @@ import '../assert_dev_env.js';
 /**
  * Test-binary RPC actions for cross-process integration tests.
  *
- * Single daemon-token-authed action: **`_testing_reset`** — full DB
- * wipe + keeper re-seed + optional secondary-account seeding. The
+ * Three daemon-token-authed actions, bundled by `create_testing_actions`:
+ * **`_testing_reset`** (DB wipe + keeper re-seed), **`_testing_drain_effects`**
+ * (audit barrier), and **`_testing_mint_session`** (forge an
+ * expired-by-construction server-side session for the expiry conformance
+ * cases).
+ *
+ * `_testing_reset` — full DB wipe + keeper re-seed + optional
+ * secondary-account seeding. The
  * handler wipes every auth-namespace row (no keeper-preserve filter),
  * flips `bootstrap_lock` back to its post-bootstrap shape, seeds a
  * fresh keeper account inline (reusing `create_test_account_with_credentials`
@@ -124,6 +130,88 @@ export declare const testing_reset_action_spec: {
     readonly async: true;
     readonly description: "Test-binary only — wipe auth tables, re-bootstrap a fresh keeper (+ optional extras), fire the domain-state reset.";
 };
+/**
+ * `_testing_drain_effects` — await in-flight fire-and-forget audit writes so
+ * a following `audit_log_list` is authoritative. The deterministic barrier
+ * the cross-backend conformance suite uses in place of a poll/sleep before
+ * asserting on audit rows.
+ *
+ * On the TS spine the barrier is **satisfied by construction**: the test
+ * binary runs `await_pending_effects: true`, so every mutation's fire-and-
+ * forget audit emits are awaited before its response returns — by the time
+ * a later drain call runs, prior emits are already durable. The action still
+ * exists so the cross-backend test body calls the same method on every
+ * backend; the Rust spine (whose audit writes are detached tokio tasks)
+ * does the real await in `AuditEmitter::drain_inflight`.
+ *
+ * `auth` gates on the daemon-token credential, matching `_testing_reset`.
+ */
+export declare const testing_drain_effects_action_spec: {
+    readonly method: "_testing_drain_effects";
+    readonly kind: "request_response";
+    readonly initiator: "frontend";
+    readonly auth: {
+        readonly account: "required";
+        readonly actor: "none";
+        readonly credential_types: readonly ["daemon_token"];
+    };
+    readonly side_effects: false;
+    readonly input: z.ZodVoid;
+    readonly output: z.ZodObject<{
+        ok: z.ZodBoolean;
+    }, z.core.$strict>;
+    readonly async: true;
+    readonly description: "Test-binary only — await in-flight fire-and-forget audit writes so a following audit_log_list read is authoritative.";
+};
+/**
+ * `_testing_mint_session` — mint an expired-by-construction server-side
+ * session for an existing account and return its signed cookie value.
+ *
+ * The minted `auth_session` row's `expires_at` is backdated (negative
+ * `expires_in_seconds`) while the returned cookie's own signed payload
+ * stays valid (future). Cross-process auth resolution therefore passes the
+ * cookie-payload gate (`parse_session`) and is refused by the authoritative
+ * DB-row gate (`query_session_get_valid` — `WHERE expires_at > NOW()`) —
+ * the gate the in-process payload-expiry tests never reach and the one that
+ * structurally needs a server-side mint (the cross-process driver has no
+ * keyring / DB access). The `expired_session` conformance principal drives
+ * this.
+ *
+ * `auth` gates on the daemon-token credential, matching `_testing_reset` —
+ * effectively keeper-only. Like its siblings the action is internally
+ * privileged (a direct `auth_session` insert the production wire never
+ * exposes); daemon-token auth is the structural fence and the module's
+ * `assert_dev_env` import (TS) plus the Rust `cargo xtask check-release`
+ * dep-graph audit keep the `_testing_` surface out of every shipped build.
+ */
+export declare const testing_mint_session_action_spec: {
+    readonly method: "_testing_mint_session";
+    readonly kind: "request_response";
+    readonly initiator: "frontend";
+    readonly auth: {
+        readonly account: "required";
+        readonly actor: "none";
+        readonly credential_types: readonly ["daemon_token"];
+    };
+    readonly side_effects: true;
+    readonly input: z.ZodObject<{
+        account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        expires_in_seconds: z.ZodNumber;
+    }, z.core.$strict>;
+    readonly output: z.ZodObject<{
+        session_cookie: z.ZodString;
+    }, z.core.$strict>;
+    readonly async: true;
+    readonly description: string;
+};
+/**
+ * Build the standalone `_testing_drain_effects` action. No deps — on TS the
+ * barrier is satisfied by `await_pending_effects` (see the spec doc), so the
+ * handler just returns `{ok: true}`. Mount it on any test endpoint whose
+ * suite asserts on audit rows (the spine binary bundles it via
+ * `create_testing_actions`; in-process suites mount it directly).
+ */
+export declare const create_testing_drain_effects_action: () => RpcAction;
 /** Options for `create_testing_actions`. */
 export interface CreateTestingActionsOptions {
     /**

package/dist/testing/cross_backend/testing_reset_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAEvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AAajE;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwBQ,CAAC;AAE/C,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;OAQG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAClD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CA4FjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}
+{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyDG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAEvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AAiBjE;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwBQ,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAeC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;OAQG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAClD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAuGjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}

package/dist/testing/cross_backend/testing_reset_actions.js

@@ -2,8 +2,14 @@ import '../assert_dev_env.js';
 /**
  * Test-binary RPC actions for cross-process integration tests.
  *
- * Single daemon-token-authed action: **`_testing_reset`** — full DB
- * wipe + keeper re-seed + optional secondary-account seeding. The
+ * Three daemon-token-authed actions, bundled by `create_testing_actions`:
+ * **`_testing_reset`** (DB wipe + keeper re-seed), **`_testing_drain_effects`**
+ * (audit barrier), and **`_testing_mint_session`** (forge an
+ * expired-by-construction server-side session for the expiry conformance
+ * cases).
+ *
+ * `_testing_reset` — full DB wipe + keeper re-seed + optional
+ * secondary-account seeding. The
  * handler wipes every auth-namespace row (no keeper-preserve filter),
  * flips `bootstrap_lock` back to its post-bootstrap shape, seeds a
  * fresh keeper account inline (reusing `create_test_account_with_credentials`
@@ -56,7 +62,7 @@ import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { rpc_action } from '../../actions/action_rpc.js';
 import { ROLE_ADMIN, ROLE_KEEPER } from '../../auth/role_schema.js';
 import { auth_integration_truncate_tables } from '../db.js';
-import { create_test_account_with_credentials, DEFAULT_TEST_PASSWORD } from '../app_server.js';
+import { create_test_account_with_credentials, mint_test_session, DEFAULT_TEST_PASSWORD, } from '../app_server.js';
 /** Output shape for an individual seeded account (keeper or extra). */
 const SeededAccountShape = z.strictObject({
     account: z.strictObject({ id: Uuid, username: z.string() }),
@@ -111,6 +117,77 @@ export const testing_reset_action_spec = {
     async: true,
     description: 'Test-binary only — wipe auth tables, re-bootstrap a fresh keeper (+ optional extras), fire the domain-state reset.',
 };
+/**
+ * `_testing_drain_effects` — await in-flight fire-and-forget audit writes so
+ * a following `audit_log_list` is authoritative. The deterministic barrier
+ * the cross-backend conformance suite uses in place of a poll/sleep before
+ * asserting on audit rows.
+ *
+ * On the TS spine the barrier is **satisfied by construction**: the test
+ * binary runs `await_pending_effects: true`, so every mutation's fire-and-
+ * forget audit emits are awaited before its response returns — by the time
+ * a later drain call runs, prior emits are already durable. The action still
+ * exists so the cross-backend test body calls the same method on every
+ * backend; the Rust spine (whose audit writes are detached tokio tasks)
+ * does the real await in `AuditEmitter::drain_inflight`.
+ *
+ * `auth` gates on the daemon-token credential, matching `_testing_reset`.
+ */
+export const testing_drain_effects_action_spec = {
+    method: '_testing_drain_effects',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    side_effects: false,
+    input: z.void(),
+    output: z.strictObject({ ok: z.boolean() }),
+    async: true,
+    description: 'Test-binary only — await in-flight fire-and-forget audit writes so a following audit_log_list read is authoritative.',
+};
+/**
+ * `_testing_mint_session` — mint an expired-by-construction server-side
+ * session for an existing account and return its signed cookie value.
+ *
+ * The minted `auth_session` row's `expires_at` is backdated (negative
+ * `expires_in_seconds`) while the returned cookie's own signed payload
+ * stays valid (future). Cross-process auth resolution therefore passes the
+ * cookie-payload gate (`parse_session`) and is refused by the authoritative
+ * DB-row gate (`query_session_get_valid` — `WHERE expires_at > NOW()`) —
+ * the gate the in-process payload-expiry tests never reach and the one that
+ * structurally needs a server-side mint (the cross-process driver has no
+ * keyring / DB access). The `expired_session` conformance principal drives
+ * this.
+ *
+ * `auth` gates on the daemon-token credential, matching `_testing_reset` —
+ * effectively keeper-only. Like its siblings the action is internally
+ * privileged (a direct `auth_session` insert the production wire never
+ * exposes); daemon-token auth is the structural fence and the module's
+ * `assert_dev_env` import (TS) plus the Rust `cargo xtask check-release`
+ * dep-graph audit keep the `_testing_` surface out of every shipped build.
+ */
+export const testing_mint_session_action_spec = {
+    method: '_testing_mint_session',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    side_effects: true,
+    input: z.strictObject({
+        account_id: Uuid,
+        expires_in_seconds: z.number().int(),
+    }),
+    output: z.strictObject({ session_cookie: z.string() }),
+    async: true,
+    description: 'Test-binary only — mint a backdated-expiry auth_session row for an account and return its ' +
+        'signed cookie value (exercises the authoritative server-side DB-row expiry gate).',
+};
+/**
+ * Build the standalone `_testing_drain_effects` action. No deps — on TS the
+ * barrier is satisfied by `await_pending_effects` (see the spec doc), so the
+ * handler just returns `{ok: true}`. Mount it on any test endpoint whose
+ * suite asserts on audit rows (the spine binary bundles it via
+ * `create_testing_actions`; in-process suites mount it directly).
+ */
+export const create_testing_drain_effects_action = () => rpc_action(testing_drain_effects_action_spec, async () => ({ ok: true }));
 /**
  * Build the testing RPC actions for a test binary's registry.
  *
@@ -207,6 +284,17 @@ export const create_testing_actions = (deps, options) => {
                 await reset_state();
             return { ...keeper, extra_accounts: extras };
         }),
+        rpc_action(testing_mint_session_action_spec, async (input, ctx) => {
+            const { session_cookie } = await mint_test_session({
+                db: ctx.db,
+                keyring: deps.keyring,
+                session_options,
+                account_id: input.account_id,
+                expires_in_seconds: input.expires_in_seconds,
+            });
+            return { session_cookie };
+        }),
+        create_testing_drain_effects_action(),
     ];
 };
 /** Set of auth-namespace tables `_testing_reset` wipes. Mirrored by the coverage test. */

package/dist/testing/cross_backend/xfail.d.ts

@@ -0,0 +1,15 @@
+import '../assert_dev_env.js';
+/**
+ * Register `fn` as an expected-failure test. Passes while `fn` throws /
+ * rejects; **fails** once `fn` succeeds (signalling the gap closed and the
+ * marker should be removed).
+ *
+ * @param tracking_id - descriptive id of the tracked gap (e.g.
+ *   `'audit-log-sse-rust-spine'`) — a feature/behavior name, not a
+ *   process/milestone label.
+ * @param reason - why the case is deferred-by-design.
+ * @param name - the assertion / test label.
+ * @param fn - the test body (expected to throw/reject until the gap closes).
+ */
+export declare const xfail_until: (tracking_id: string, reason: string, name: string, fn: () => void | Promise<void>) => void;
+//# sourceMappingURL=xfail.d.ts.map

package/dist/testing/cross_backend/xfail.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xfail.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/xfail.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAyB9B;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,WAAW,GACvB,aAAa,MAAM,EACnB,QAAQ,MAAM,EACd,MAAM,MAAM,EACZ,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAC5B,IAEF,CAAC"}

package/dist/testing/cross_backend/xfail.js

@@ -0,0 +1,37 @@
+import '../assert_dev_env.js';
+/**
+ * `xfail_until` — mark a deferred-by-design gap as an expected failure.
+ *
+ * A thin wrapper over vitest's `test.fails` that bakes a tracking id +
+ * reason into the test label. Two properties make it the right tool for
+ * declared gaps (distinct from in-scope gaps, which fail loud as a normal
+ * red `test`):
+ *
+ * - **Visible** — the case shows in the report as a distinct expected
+ *   failure, not a silent `.skip`, so a deferred gap never disappears from
+ *   view.
+ * - **Self-cleaning** — `test.fails` turns **red** the moment the body
+ *   stops throwing (i.e. the impl starts passing), forcing whoever closed
+ *   the gap to delete the marker. A `.skip` would rot silently; this can't.
+ *
+ * Sibling to `test_if` in `capabilities.ts`. No taxonomy — a one-line
+ * marker with a tracking id and a reason, nothing more.
+ *
+ * @module
+ */
+import { test } from 'vitest';
+/**
+ * Register `fn` as an expected-failure test. Passes while `fn` throws /
+ * rejects; **fails** once `fn` succeeds (signalling the gap closed and the
+ * marker should be removed).
+ *
+ * @param tracking_id - descriptive id of the tracked gap (e.g.
+ *   `'audit-log-sse-rust-spine'`) — a feature/behavior name, not a
+ *   process/milestone label.
+ * @param reason - why the case is deferred-by-design.
+ * @param name - the assertion / test label.
+ * @param fn - the test body (expected to throw/reject until the gap closes).
+ */
+export const xfail_until = (tracking_id, reason, name, fn) => {
+    test.fails(`${name} [xfail_until ${tracking_id}: ${reason}]`, fn);
+};