@fuzdev/fuz_app 0.68.0 → 0.69.0

package/dist/testing/app_server.d.ts

@@ -89,6 +89,40 @@ export declare const create_test_account_with_credentials: (options: CreateTestA
     api_token: string;
     session_cookie: string;
 }>;
+/** Options for `mint_test_session`. */
+export interface MintTestSessionOptions {
+    db: Db;
+    keyring: Keyring;
+    session_options: SessionOptions<string>;
+    /** Account the minted session belongs to. */
+    account_id: string;
+    /**
+     * Session lifetime offset in seconds applied to `NOW()` for the
+     * `auth_session.expires_at` row. A negative value backdates the row so
+     * the authoritative DB-row expiry gate (`query_session_get_valid` —
+     * `WHERE expires_at > NOW()`) rejects it, while the returned cookie's
+     * own signed payload stays valid (future). Resolution therefore passes
+     * the cookie-payload check in `parse_session` and is refused at the
+     * DB-row gate — the gate the in-process payload-expiry tests never
+     * reach and the one that structurally needs a server-side mint.
+     */
+    expires_in_seconds: number;
+}
+/**
+ * Mint a real `auth_session` row for an existing account and return a
+ * validly-signed session cookie value referencing it. Test-only — the
+ * forge behind the cross-backend expiry conformance cases (the
+ * `expired_session` principal): pass a negative `expires_in_seconds` to
+ * produce an *expired server-side session* whose signed cookie envelope is
+ * still well-formed. Both the TS `_testing_mint_session` action and the
+ * in-process `fixture.mint_expired_session()` seam call this so the write
+ * semantics match across transports.
+ *
+ * @mutates `options.db` — inserts one `auth_session` row.
+ */
+export declare const mint_test_session: (options: MintTestSessionOptions) => Promise<{
+    session_cookie: string;
+}>;
 /**
  * Bootstrap the test-DB keeper. Direct-query shortcut for the default
  * `create_test_app` path — bootstrap is not what most tests exercise, so

package/dist/testing/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC3F,OAAO,EAAiB,KAAK,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AAEzE,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AA0CzD;;;;;GAKG;AACH,MAAM,WAAW,uCAAuC;IACvD,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,MAAM,0BAA0B,GAAG,uCAAuC,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,uCAAuC,KAC9C,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,0BAA0B,KACjC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAQA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;OASG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;IACzD,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAuID,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA2BvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CACH,gBAAgB,EAChB,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,GAAG,WAAW,CACpF,CACD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAoGpF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,WAAW,gCAAgC;IAChD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,8EAA8E;IAC9E,SAAS,EAAE,oBAAoB,CAAC;IAChC;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,UAAU,CAAC;IACpB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,0EAA0E;IAC1E,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,mBAAmB,CAuE7B,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC3F,OAAO,EAAiB,KAAK,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AAEzE,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AA0CzD;;;;;GAKG;AACH,MAAM,WAAW,uCAAuC;IACvD,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,MAAM,0BAA0B,GAAG,uCAAuC,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,uCAAuC,KAC9C,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CA4CA,CAAC;AAEF,uCAAuC;AACvC,MAAM,WAAW,sBAAsB;IACtC,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB;;;;;;;;;OASG;IACH,kBAAkB,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iBAAiB,GAC7B,SAAS,sBAAsB,KAC7B,OAAO,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAC,CAQlC,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,0BAA0B,KACjC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAQA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;OASG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;IACzD,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAuID,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA2BvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CACH,gBAAgB,EAChB,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,GAAG,WAAW,CACpF,CACD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAoGpF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,WAAW,gCAAgC;IAChD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,8EAA8E;IAC9E,SAAS,EAAE,oBAAoB,CAAC;IAChC;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,UAAU,CAAC;IACpB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,0EAA0E;IAC1E,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,mBAAmB,CAuE7B,CAAC"}

package/dist/testing/app_server.js

@@ -106,12 +106,16 @@ export const create_test_account_with_credentials = async (options) => {
     // Create API token (account-scoped — acting actor is per-request)
     const { token: api_token, id: token_id, token_hash } = generate_api_token();
     await query_create_api_token(deps, token_id, account.id, 'test-cli', token_hash);
-    // Create session (account-scoped — acting actor is per-request)
-    const session_token = generate_session_token();
-    const session_hash = hash_session_token(session_token);
-    const expires_at = new Date(Date.now() + AUTH_SESSION_LIFETIME_MS);
-    await query_create_session(deps, session_hash, account.id, expires_at);
-    const session_cookie = await create_session_cookie_value(keyring, session_token, session_options);
+    // Create session (account-scoped — acting actor is per-request).
+    // Shares the mint primitive with `mint_test_session` / the
+    // `_testing_mint_session` action; here with the standard 30-day lifetime.
+    const { session_cookie } = await mint_test_session({
+        db,
+        keyring,
+        session_options,
+        account_id: account.id,
+        expires_in_seconds: AUTH_SESSION_LIFETIME_MS / 1000,
+    });
     return {
         account: { id: account.id, username: account.username },
         actor: { id: actor.id },
@@ -119,6 +123,27 @@ export const create_test_account_with_credentials = async (options) => {
         session_cookie,
     };
 };
+/**
+ * Mint a real `auth_session` row for an existing account and return a
+ * validly-signed session cookie value referencing it. Test-only — the
+ * forge behind the cross-backend expiry conformance cases (the
+ * `expired_session` principal): pass a negative `expires_in_seconds` to
+ * produce an *expired server-side session* whose signed cookie envelope is
+ * still well-formed. Both the TS `_testing_mint_session` action and the
+ * in-process `fixture.mint_expired_session()` seam call this so the write
+ * semantics match across transports.
+ *
+ * @mutates `options.db` — inserts one `auth_session` row.
+ */
+export const mint_test_session = async (options) => {
+    const { db, keyring, session_options, account_id, expires_in_seconds } = options;
+    const session_token = generate_session_token();
+    const session_hash = hash_session_token(session_token);
+    const expires_at = new Date(Date.now() + expires_in_seconds * 1000);
+    await query_create_session({ db }, session_hash, account_id, expires_at);
+    const session_cookie = await create_session_cookie_value(keyring, session_token, session_options);
+    return { session_cookie };
+};
 /**
  * Bootstrap the test-DB keeper. Direct-query shortcut for the default
  * `create_test_app` path — bootstrap is not what most tests exercise, so

package/dist/testing/cross_backend/account_lifecycle.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_lifecycle.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/account_lifecycle.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA+B9B,OAAO,EAIN,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AAGjC;;;;GAIG;AACH,MAAM,MAAM,gCAAgC,GAAG,oBAAoB,CAAC;AAEpE,eAAO,MAAM,sCAAsC,GAClD,SAAS,gCAAgC,KACvC,IA4IF,CAAC"}
+{"version":3,"file":"account_lifecycle.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/account_lifecycle.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAiC9B,OAAO,EAIN,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AAGjC;;;;GAIG;AACH,MAAM,MAAM,gCAAgC,GAAG,oBAAoB,CAAC;AAEpE,eAAO,MAAM,sCAAsC,GAClD,SAAS,gCAAgC,KACvC,IA+TF,CAAC"}

package/dist/testing/cross_backend/account_lifecycle.js

@@ -18,7 +18,8 @@ import '../assert_dev_env.js';
  * @module
  */
 import { describe, assert } from 'vitest';
-import { AccountDeleteOutput, AccountUndeleteOutput, AccountPurgeOutput, AdminAccountListOutput, ERROR_CANNOT_DELETE_KEEPER, } from '../../auth/admin_action_specs.js';
+import { AccountDeleteOutput, AccountUndeleteOutput, AccountPurgeOutput, AdminAccountListOutput, AuditLogListOutput, ERROR_CANNOT_DELETE_KEEPER, } from '../../auth/admin_action_specs.js';
+import { ERROR_ACCOUNT_NOT_FOUND, ERROR_AUTHENTICATION_REQUIRED } from '../../http/error_schemas.js';
 import { test_if } from './capabilities.js';
 import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
 import { SPINE_RPC_PATH } from './default_spine_surface.js';
@@ -56,6 +57,73 @@ export const describe_account_lifecycle_cross_tests = (options) => {
             assert.strictEqual(purge.ok, false, 'purge of keeper account must be refused');
             assert.strictEqual(error_reason(purge), ERROR_CANNOT_DELETE_KEEPER);
         });
+        test_if(capabilities.account_lifecycle, 'fail-closed: a soft-deleted account’s session + bearer credentials no longer authenticate', async () => {
+            const fixture = await setup_test();
+            const victim = await fixture.create_account({ username: 'lifecycle_failclosed' });
+            const admin_headers = fixture.create_session_headers();
+            // Sanity: the victim's session authenticates while active, so the
+            // post-deletion 401 is a real fail-closed transition, not a
+            // never-valid credential passing vacuously.
+            const before = await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'account_verify', undefined, victim.create_session_headers());
+            assert.ok(before.ok, 'victim session authenticates before deletion');
+            const deleted = expect_output(await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'account_delete', { account_id: victim.account.id }, admin_headers), AccountDeleteOutput);
+            assert.strictEqual(deleted.deleted, true);
+            // The tombstone blocks auth resolution (and the soft-delete
+            // revoked sessions/tokens) — the stale session credential must
+            // fail closed with a generic 401, not partially authenticate.
+            const session_probe = await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'account_verify', undefined, victim.create_session_headers());
+            assert.strictEqual(session_probe.ok, false, 'soft-deleted account session must not authenticate');
+            assert.strictEqual(error_reason(session_probe), ERROR_AUTHENTICATION_REQUIRED);
+            // The victim's bearer token must fail closed too.
+            const bearer_probe = await cross_rpc_call(fixture.fresh_transport({ origin: null }), rpc_path, 'account_verify', undefined, victim.create_bearer_headers());
+            assert.strictEqual(bearer_probe.ok, false, 'soft-deleted account bearer token must not authenticate');
+            assert.strictEqual(error_reason(bearer_probe), ERROR_AUTHENTICATION_REQUIRED);
+        });
+        test_if(capabilities.account_lifecycle, 'keeper guard emits a fail-loud failure-audit row (drained, cross-impl)', async () => {
+            const fixture = await setup_test();
+            const t = fixture.fresh_transport();
+            // Refused keeper self-delete — the guard fires before any mutation
+            // and emits a forensic `outcome: failure` audit row.
+            const del = await cross_rpc_call(t, rpc_path, 'account_delete', { account_id: fixture.account.id }, fixture.create_session_headers());
+            assert.strictEqual(error_reason(del), ERROR_CANNOT_DELETE_KEEPER);
+            // Deterministic barrier before reading: await in-flight
+            // fire-and-forget audit writes (the real await on the Rust spine;
+            // satisfied-by-construction on the TS spine via await_pending_effects).
+            const td = fixture.fresh_transport({ origin: null });
+            const drained = await cross_rpc_call(td, rpc_path, '_testing_drain_effects', undefined, fixture.create_daemon_token_headers());
+            assert.ok(drained.ok, `_testing_drain_effects failed: ${JSON.stringify(drained.error)}`);
+            // The failure row is now authoritative on both spines. `_testing_reset`
+            // wiped audit_log at setup, so the refused delete is the only
+            // account_delete event.
+            const listed = expect_output(await cross_rpc_call(t, rpc_path, 'audit_log_list', { event_type: 'account_delete' }, fixture.create_session_headers()), AuditLogListOutput);
+            const failure = listed.events.find((e) => e.outcome === 'failure' &&
+                e.metadata?.reason === ERROR_CANNOT_DELETE_KEEPER);
+            assert.ok(failure, 'keeper-removal guard must emit an account_delete outcome=failure audit row with reason cannot_delete_keeper');
+        });
+        test_if(capabilities.account_lifecycle, 'deterministic: double-undelete → second call is not_found', async () => {
+            const fixture = await setup_test();
+            const victim = await fixture.create_account({ username: 'lifecycle_double' });
+            const t = fixture.fresh_transport();
+            const admin_headers = fixture.create_session_headers();
+            const deleted = expect_output(await cross_rpc_call(t, rpc_path, 'account_delete', { account_id: victim.account.id }, admin_headers), AccountDeleteOutput);
+            assert.strictEqual(deleted.deleted, true);
+            // First undelete clears the tombstone.
+            const undeleted = expect_output(await cross_rpc_call(t, rpc_path, 'account_undelete', { account_id: victim.account.id }, admin_headers), AccountUndeleteOutput);
+            assert.strictEqual(undeleted.undeleted, true);
+            // Second undelete on the now-active account is a deterministic
+            // not_found — the query only matches soft-deleted rows, so the
+            // outcome is the same on both spines (no silent idempotent ok).
+            const again = await cross_rpc_call(t, rpc_path, 'account_undelete', { account_id: victim.account.id }, admin_headers);
+            assert.strictEqual(again.ok, false, 'double-undelete must not silently succeed');
+            assert.strictEqual(error_reason(again), ERROR_ACCOUNT_NOT_FOUND);
+        });
+        // The last-admin guard (`ERROR_CANNOT_DELETE_LAST_ADMIN`) is **not**
+        // cross-process-testable against this fixture: the per-test keeper
+        // permanently holds `ROLE_ADMIN` (bootstrap seeds `[ROLE_KEEPER,
+        // ROLE_ADMIN]` and there is no remove-admin-from-keeper path), so a
+        // non-keeper admin is never the *sole* active admin and the guard
+        // never fires here. Its logic is covered in-process by
+        // `src/test/auth/account_keeper_guard.db.test.ts`.
         test_if(capabilities.account_lifecycle, 'admin_account_list include_deleted surfaces tombstoned rows with deleted_at set', async () => {
             const fixture = await setup_test();
             const victim = await fixture.create_account({ username: 'lifecycle_listed' });

package/dist/testing/cross_backend/actor_lookup.d.ts

@@ -0,0 +1,10 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/**
+ * Options for the actor-lookup parity suite. Shares the shape of the cell /
+ * origin suites (`setup_test` / `capabilities` / `rpc_path`); reuses
+ * `CellCrossTestOptions` rather than minting a structural duplicate.
+ */
+export type ActorLookupCrossTestOptions = CellCrossTestOptions;
+export declare const describe_actor_lookup_cross_tests: (options: ActorLookupCrossTestOptions) => void;
+//# sourceMappingURL=actor_lookup.d.ts.map

package/dist/testing/cross_backend/actor_lookup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor_lookup.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/actor_lookup.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAqC9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE;;;;GAIG;AACH,MAAM,MAAM,2BAA2B,GAAG,oBAAoB,CAAC;AAS/D,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IAkDxF,CAAC"}

package/dist/testing/cross_backend/actor_lookup.js

@@ -0,0 +1,83 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for `actor_lookup`.
+ *
+ * `actor_lookup` is an opt-in batched id → label resolver
+ * (`{ids} → {actors: [{id, username, display_name?}]}`), not folded into the
+ * standard bundle. It's live-mounted on the spine RPC path but kept off the
+ * declared surface (`create_spine_surface_spec`) — like cells / ws / sse — so
+ * the standard cross suite's generic round-trip never drives it; this
+ * dedicated suite is its validator. Three cases over raw transport calls:
+ *
+ * - **anonymous → 401** — the account-grain auth gate refuses an
+ *   unauthenticated caller before the handler runs.
+ * - **keeper resolves own actor → 200** — the populated round trip: the
+ *   returned row carries the keeper's `id` + `username`, and **no**
+ *   `account_id` / `email` / timestamp / role field (the wire shape's
+ *   deliberate info-leak posture). This is the assertion that exercises the
+ *   Rust row→JSON mapping against the TS canonical shape.
+ * - **empty `ids` → 400** — the `min(1)` input bound is enforced on both
+ *   spines (TS Zod, Rust `parse_ids`).
+ *
+ * Runs both legs via the shared `{setup_test}` protocol: the in-process leg
+ * (`auth/actor_lookup_parity.db.test.ts`, plain `gro test`) and the
+ * cross-process leg (`cross_backend/actor_lookup.cross.test.ts`, the TS spine
+ * binaries + Rust `testing_spine_stub` over real HTTP). `actor_lookup` is
+ * mounted on every spine, so the suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only), like the sibling
+ * cross-backend suites.
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { actor_lookup_action_spec } from '../../auth/actor_lookup_action_specs.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** Keys that must never appear on an `actor_lookup` result row. */
+const forbidden_row_keys = ['account_id', 'email', 'created_at', 'updated_at', 'role'];
+/** Build the JSON-RPC envelope body for an `actor_lookup` call. */
+const lookup_envelope = (ids, id) => JSON.stringify({ jsonrpc: '2.0', method: actor_lookup_action_spec.method, params: { ids }, id });
+export const describe_actor_lookup_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('actor_lookup parity', () => {
+        test('anonymous → 401 (account-grain auth gate)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: lookup_envelope([fixture.actor.id], 'anon-lookup'),
+            });
+            assert.strictEqual(res.status, 401, 'unauthenticated actor_lookup must be refused');
+        });
+        test('keeper resolves own actor → 200 with id + username, no control fields', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: lookup_envelope([fixture.actor.id], 'keeper-lookup'),
+            });
+            assert.strictEqual(res.status, 200, 'authenticated actor_lookup must succeed');
+            const body = (await res.json());
+            const actors = body.result?.actors;
+            assert(Array.isArray(actors), 'response carries an actors array');
+            assert.strictEqual(actors.length, 1, 'the keeper actor resolves to exactly one row');
+            const row = actors[0];
+            assert(row !== undefined, 'the resolved row is present');
+            assert.strictEqual(row.id, fixture.actor.id, 'resolved row id matches the requested actor');
+            assert.strictEqual(row.username, fixture.account.username, 'resolved row carries the keeper username');
+            for (const key of forbidden_row_keys) {
+                assert(!(key in row), `actor_lookup row must not leak '${key}'`);
+            }
+        });
+        test('empty ids → 400 (min(1) input bound)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: lookup_envelope([], 'empty-lookup'),
+            });
+            assert.strictEqual(res.status, 400, 'empty ids must fail input validation');
+        });
+    });
+};

package/dist/testing/cross_backend/actor_search.d.ts

@@ -0,0 +1,6 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/** Options for the actor-search parity suite (shares the cell/origin shape). */
+export type ActorSearchCrossTestOptions = CellCrossTestOptions;
+export declare const describe_actor_search_cross_tests: (options: ActorSearchCrossTestOptions) => void;
+//# sourceMappingURL=actor_search.d.ts.map

package/dist/testing/cross_backend/actor_search.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor_search.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/actor_search.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA2C9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE,gFAAgF;AAChF,MAAM,MAAM,2BAA2B,GAAG,oBAAoB,CAAC;AAS/D,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IAyDxF,CAAC"}

package/dist/testing/cross_backend/actor_search.js

@@ -0,0 +1,92 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for `actor_search`.
+ *
+ * `actor_search` is an opt-in case-insensitive prefix search over
+ * `actor.name` (`{query, scope_ids?, limit?} → {actors: [{id, username,
+ * display_name?}]}`), not folded into the standard bundle. Like
+ * `actor_lookup` / cells, it's live-mounted on the spine RPC path but kept
+ * off the declared surface, so this dedicated suite is its validator. The
+ * security property under test is the **empty-`scope_ids` admin gate**:
+ *
+ * - **anonymous → 401** — the account-grain auth gate refuses an
+ *   unauthenticated caller before the handler runs.
+ * - **non-admin + no `scope_ids` → 400** `actor_search_scope_required` — an
+ *   unbounded global search is admin-only; a non-admin must scope the query.
+ *   This is the core security assertion, exercised against each impl's real
+ *   auth resolution.
+ * - **non-admin + `scope_ids` → 200** — passing a scope bypasses the admin
+ *   requirement (results are filtered to actors holding active role_grants on
+ *   those scopes); an unheld scope simply yields an empty result, not a
+ *   rejection — proving the gate keys on `scope_ids` presence, not identity.
+ * - **admin + no `scope_ids` → 200** — the admin path reaches the unbounded
+ *   search.
+ *
+ * Cites `security.md` §Authorization (the `actor_search` scope gate).
+ *
+ * Runs both legs via the shared `{setup_test}` protocol: in-process
+ * (`auth/actor_search_parity.db.test.ts`) + cross-process
+ * (`cross_backend/actor_search.cross.test.ts`, TS spine binaries + Rust
+ * `testing_spine_stub`). Mounted on every spine, so the suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only).
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { actor_search_action_spec, ERROR_ACTOR_SEARCH_SCOPE_REQUIRED, } from '../../auth/actor_search_action_specs.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** Nil UUID — an unheld scope id (no actor holds a role_grant on it). */
+const NIL_UUID = '00000000-0000-0000-0000-000000000000';
+/** Build the JSON-RPC envelope body for an `actor_search` call. */
+const search_envelope = (params, id) => JSON.stringify({ jsonrpc: '2.0', method: actor_search_action_spec.method, params, id });
+export const describe_actor_search_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('actor_search parity', () => {
+        test('anonymous → 401 (account-grain auth gate)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a' }, 'anon-search'),
+            });
+            assert.strictEqual(res.status, 401, 'unauthenticated actor_search must be refused');
+        });
+        test('non-admin + no scope_ids → 400 actor_search_scope_required', async () => {
+            const fixture = await setup_test();
+            const account = await fixture.create_account();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { ...account.create_session_headers(), 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a' }, 'nonadmin-noscope'),
+            });
+            assert.strictEqual(res.status, 400, 'non-admin unbounded search must be rejected');
+            const body = (await res.json());
+            assert.strictEqual(body.error?.data?.reason, ERROR_ACTOR_SEARCH_SCOPE_REQUIRED, 'rejection carries the scope-required reason');
+        });
+        test('non-admin + scope_ids → 200 (scope bypasses admin gate)', async () => {
+            const fixture = await setup_test();
+            const account = await fixture.create_account();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { ...account.create_session_headers(), 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a', scope_ids: [NIL_UUID] }, 'nonadmin-scope'),
+            });
+            assert.strictEqual(res.status, 200, 'non-admin with a scope filter is allowed');
+            const body = (await res.json());
+            assert(Array.isArray(body.result?.actors), 'response carries an actors array');
+        });
+        test('admin + no scope_ids → 200 (admin reaches unbounded search)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a' }, 'admin-noscope'),
+            });
+            assert.strictEqual(res.status, 200, 'admin unbounded search is allowed');
+            const body = (await res.json());
+            assert(Array.isArray(body.result?.actors), 'response carries an actors array');
+        });
+    });
+};

package/dist/testing/cross_backend/app_settings.d.ts

@@ -0,0 +1,6 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/** Options for the app-settings effect suite (shares the cell/origin shape). */
+export type AppSettingsCrossTestOptions = CellCrossTestOptions;
+export declare const describe_app_settings_cross_tests: (options: AppSettingsCrossTestOptions) => void;
+//# sourceMappingURL=app_settings.d.ts.map

package/dist/testing/cross_backend/app_settings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app_settings.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/app_settings.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAsC9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE,gFAAgF;AAChF,MAAM,MAAM,2BAA2B,GAAG,oBAAoB,CAAC;AAiB/D,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IA8DxF,CAAC"}

package/dist/testing/cross_backend/app_settings.js

@@ -0,0 +1,95 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend effect suite for the `open_signup` app setting.
+ *
+ * The declarative conformance table pins the admin gate on
+ * `app_settings_get` / `app_settings_update` (401 / 403 / 200). This suite
+ * pins the **behavioral effect** of the toggle end to end: an admin flips
+ * `open_signup` via `app_settings_update`, and a subsequent anonymous
+ * `POST /signup` observes the new value.
+ *
+ * - **toggle on → anonymous signup without an invite succeeds (200)** — with
+ *   `open_signup: true`, the invite gate is skipped.
+ * - **toggle off → anonymous signup is refused (403 `no_matching_invite`)** —
+ *   flipping it back restores the invite requirement, proving the gate keys
+ *   on the live value rather than a one-time read.
+ *
+ * The signup handler reads the toggle fresh from the database on every
+ * request, so the admin's write is visible to the next signup. This suite
+ * runs in a single process, so it validates the read-through *mechanism* —
+ * not multi-process consistency (which the fresh-read shape provides by
+ * construction but no single-binary test can observe).
+ *
+ * Cites `security.md` §Signup. Runs both legs via the shared `{setup_test}`
+ * protocol: in-process (`auth/app_settings_parity.db.test.ts`) +
+ * cross-process (`cross_backend/app_settings.cross.test.ts`, TS spine
+ * binaries + Rust `testing_spine_stub`). Mounted on every spine, so the
+ * suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only).
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { app_settings_update_action_spec } from '../../auth/admin_action_specs.js';
+import { ERROR_NO_MATCHING_INVITE } from '../../http/error_schemas.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** REST signup path on the spine surface (`/api/account` prefix + `/signup`). */
+const SIGNUP_PATH = '/api/account/signup';
+/** A password that satisfies the creation-strength schema (min 12). */
+const SIGNUP_PASSWORD = 'securepassword123';
+/** Build the JSON-RPC envelope for an `app_settings_update` call. */
+const update_envelope = (open_signup, id) => JSON.stringify({
+    jsonrpc: '2.0',
+    method: app_settings_update_action_spec.method,
+    params: { open_signup },
+    id,
+});
+export const describe_app_settings_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('app_settings open_signup effect', () => {
+        test('admin enables open_signup → anonymous signup without invite succeeds', async () => {
+            const fixture = await setup_test();
+            const enable = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: update_envelope(true, 'enable-open-signup'),
+            });
+            assert.strictEqual(enable.status, 200, 'admin app_settings_update must succeed');
+            const res = await fixture.fresh_transport()(SIGNUP_PATH, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ username: 'open_signup_user', password: SIGNUP_PASSWORD }),
+            });
+            assert.strictEqual(res.status, 200, 'open signup must admit an anonymous account');
+            const body = (await res.json());
+            assert.strictEqual(body.ok, true, 'signup response reports success');
+        });
+        test('admin disables open_signup → anonymous signup is refused (no_matching_invite)', async () => {
+            const fixture = await setup_test();
+            // Enable then disable so the assertion proves the *flip back* takes
+            // effect, not merely the closed default.
+            const enable = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: update_envelope(true, 'enable-before-disable'),
+            });
+            assert.strictEqual(enable.status, 200, 'admin app_settings_update (enable) must succeed');
+            const disable = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: update_envelope(false, 'disable-open-signup'),
+            });
+            assert.strictEqual(disable.status, 200, 'admin app_settings_update (disable) must succeed');
+            const res = await fixture.fresh_transport()(SIGNUP_PATH, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ username: 'closed_signup_user', password: SIGNUP_PASSWORD }),
+            });
+            assert.strictEqual(res.status, 403, 'closed signup must refuse a no-invite anonymous account');
+            const body = (await res.json());
+            assert.strictEqual(body.error, ERROR_NO_MATCHING_INVITE, 'rejection carries the no-matching-invite reason');
+        });
+    });
+};

package/dist/testing/cross_backend/backend_config.d.ts

@@ -106,7 +106,7 @@ export interface BackendConfig {
     /**
      * Capabilities this backend supports — drives `test_if(capabilities.X, ...)`
      * gating in suite bodies. See `capabilities.ts` for the vocabulary and
-     * existing flags. Cross-process backends set `in_process_only: false`.
+     * existing flags.
      */
     readonly capabilities: BackendCapabilities;
 }

package/dist/testing/cross_backend/capabilities.d.ts

@@ -66,15 +66,6 @@ export interface BackendCapabilities {
      * this flag opts a backend into the lifecycle parity coverage.
      */
     readonly account_lifecycle: boolean;
-    /**
-     * Test has direct access to backend-internal state (keyring for
-     * signing cookies, DB pool for FK-structural raw queries). Always
-     * `true` for in-process Hono via `default_in_process_setup`; always
-     * `false` cross-process. Gates the 3 keyring reads in
-     * `describe_standard_integration_tests` (expired-cookie generation)
-     * and the FK-structural raw query in `describe_audit_completeness_tests`.
-     */
-    readonly in_process_only: boolean;
 }
 /**
  * Capability declarations for the in-process Hono transport. Every flag

package/dist/testing/cross_backend/capabilities.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC;;;;;;;OAOG;IACH,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC;CAClC;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAUpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;CACpC;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBASpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}

package/dist/testing/cross_backend/capabilities.js

@@ -29,7 +29,6 @@ export const in_process_capabilities = Object.freeze({
     cell_crud: true,
     cell_relations: true,
     account_lifecycle: true,
-    in_process_only: true,
 });
 /**
  * Conditional `test()` wrapper — registers a vitest case only when

package/dist/testing/cross_backend/cell_grant_role.d.ts

@@ -0,0 +1,8 @@
+import '../assert_dev_env.js';
+import { type CellCrossTestOptions } from './cell_cross_helpers.js';
+/** App role the holder is seeded with; matches the spine's registered role. */
+export declare const CELL_EDITOR_ROLE = "cell_editor";
+/** Username the fixture seeds (via `extra_accounts`) holding `CELL_EDITOR_ROLE`. */
+export declare const CELL_ROLE_HOLDER_USERNAME = "cell_role_holder";
+export declare const describe_cell_grant_role_cross_tests: (options: CellCrossTestOptions) => void;
+//# sourceMappingURL=cell_grant_role.d.ts.map

package/dist/testing/cross_backend/cell_grant_role.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_grant_role.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_grant_role.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA6C9B,OAAO,EACN,KAAK,oBAAoB,EAIzB,MAAM,yBAAyB,CAAC;AAGjC,+EAA+E;AAC/E,eAAO,MAAM,gBAAgB,gBAAyB,CAAC;AAEvD,oFAAoF;AACpF,eAAO,MAAM,yBAAyB,qBAAqB,CAAC;AAK5D,eAAO,MAAM,oCAAoC,GAAI,SAAS,oBAAoB,KAAG,IAuIpF,CAAC"}