@fuzdev/fuz_app 0.68.0 → 0.69.0

package/dist/testing/cross_backend/xfail.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xfail.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/xfail.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAyB9B;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,WAAW,GACvB,aAAa,MAAM,EACnB,QAAQ,MAAM,EACd,MAAM,MAAM,EACZ,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAC5B,IAEF,CAAC"}

package/dist/testing/cross_backend/xfail.js

@@ -0,0 +1,37 @@
+import '../assert_dev_env.js';
+/**
+ * `xfail_until` — mark a deferred-by-design gap as an expected failure.
+ *
+ * A thin wrapper over vitest's `test.fails` that bakes a tracking id +
+ * reason into the test label. Two properties make it the right tool for
+ * declared gaps (distinct from in-scope gaps, which fail loud as a normal
+ * red `test`):
+ *
+ * - **Visible** — the case shows in the report as a distinct expected
+ *   failure, not a silent `.skip`, so a deferred gap never disappears from
+ *   view.
+ * - **Self-cleaning** — `test.fails` turns **red** the moment the body
+ *   stops throwing (i.e. the impl starts passing), forcing whoever closed
+ *   the gap to delete the marker. A `.skip` would rot silently; this can't.
+ *
+ * Sibling to `test_if` in `capabilities.ts`. No taxonomy — a one-line
+ * marker with a tracking id and a reason, nothing more.
+ *
+ * @module
+ */
+import { test } from 'vitest';
+/**
+ * Register `fn` as an expected-failure test. Passes while `fn` throws /
+ * rejects; **fails** once `fn` succeeds (signalling the gap closed and the
+ * marker should be removed).
+ *
+ * @param tracking_id - descriptive id of the tracked gap (e.g.
+ *   `'audit-log-sse-rust-spine'`) — a feature/behavior name, not a
+ *   process/milestone label.
+ * @param reason - why the case is deferred-by-design.
+ * @param name - the assertion / test label.
+ * @param fn - the test body (expected to throw/reject until the gap closes).
+ */
+export const xfail_until = (tracking_id, reason, name, fn) => {
+    test.fails(`${name} [xfail_until ${tracking_id}: ${reason}]`, fn);
+};

package/dist/testing/integration.d.ts

@@ -25,13 +25,12 @@ export interface StandardIntegrationTestOptions {
      * not the source the test runtime reads from.
      */
     surface_source: AppSurfaceSpec;
-    /** Backend capability declarations — companion to `fixture.in_process` narrowing. */
+    /** Backend capability declarations for capability-gated cases. */
     capabilities: BackendCapabilities;
     /**
      * Session config — needed to resolve factory-form `rpc_endpoints`
      * against a stub `AppServerContext` at setup time and to read
-     * `cookie_name` for manual cookie composition in the origin-verify
-     * cases.
+     * `cookie_name` for manual cookie composition in the session cases.
      */
     session_options: SessionOptions<string>;
     /**

package/dist/testing/integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAO9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAkB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAU,KAAK,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxD;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;;;;OASG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,qFAAqF;IACrF,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;;OAKG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IAy5CF,CAAC"}
+{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAM9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAiB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAC,KAAK,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxD;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;;;;OASG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,kEAAkE;IAClE,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;OAIG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IAyzCF,CAAC"}

package/dist/testing/integration.js

@@ -17,14 +17,13 @@ import './assert_dev_env.js';
  * @module
  */
 import { describe, test, assert, afterAll } from 'vitest';
-import { find_auth_route, assert_response_matches_spec, create_expired_test_cookie, assert_no_error_info_leakage, } from './integration_helpers.js';
+import { find_auth_route, assert_response_matches_spec, assert_no_error_info_leakage, } from './integration_helpers.js';
 import { find_rpc_action, rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERROR_COVERAGE, } from './error_coverage.js';
-import { ApiError, ERROR_FORBIDDEN_ORIGIN } from '../http/error_schemas.js';
 import { is_public_auth } from '../http/auth_shape.js';
 import { account_verify_action_spec, account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 import { invite_create_action_spec } from '../auth/admin_action_specs.js';
-import { test_if } from './cross_backend/capabilities.js';
+import {} from './cross_backend/capabilities.js';
 import { DEFAULT_TEST_PASSWORD } from './app_server.js';
 /**
  * Standard integration test suite for fuz_app auth routes.
@@ -323,19 +322,12 @@ export const describe_standard_integration_tests = (options) => {
                 });
                 assert.strictEqual(res.status, 401);
             });
-            test_if(options.capabilities.in_process_only, 'expired cookie returns 401', async () => {
-                const fixture = await options.setup_test();
-                assert(fixture.in_process);
-                const expired_cookie = await create_expired_test_cookie(fixture.keyring, options.session_options);
-                const res = await rpc_call_for_spec({
-                    app: { request: fixture.transport },
-                    path: rpc_path,
-                    spec: account_verify_action_spec,
-                    params: undefined,
-                    headers: { cookie: `${cookie_name}=${expired_cookie}` },
-                });
-                assert.strictEqual(res.status, 401);
-            });
+            // Expired-session rejection promoted to the cross-backend conformance
+            // table (the `expired_session` principal, `conformance_expiry_cases.ts`) —
+            // it exercises the authoritative server-side DB-row expiry gate over
+            // real auth resolution on every spine, not the cookie-payload gate a
+            // backdated-payload forge hit here. The payload gate stays covered by
+            // `parse_session`'s own unit tests.
         });
         // --- 4. Session revocation ---
         describe('session revocation', () => {
@@ -486,29 +478,11 @@ export const describe_standard_integration_tests = (options) => {
         });
         // --- 5. Origin verification ---
         describe('origin verification', () => {
-            test_if(options.capabilities.in_process_only, 'evil origin is rejected with 403', async () => {
-                const fixture = await options.setup_test();
-                assert(fixture.in_process);
-                // `verify_request_source` runs before the RPC dispatcher and returns a
-                // plain REST `{error}` body — not a JSON-RPC envelope. Skip `rpc_call`.
-                const res = await fixture.transport(rpc_path, {
-                    method: 'POST',
-                    headers: {
-                        host: 'localhost',
-                        origin: 'http://evil.com',
-                        'content-type': 'application/json',
-                        cookie: `${cookie_name}=${fixture.backend_internals.session_cookie}`,
-                    },
-                    body: JSON.stringify({
-                        jsonrpc: '2.0',
-                        method: account_verify_action_spec.method,
-                        id: 'evil-origin',
-                    }),
-                });
-                assert.strictEqual(res.status, 403);
-                const body = ApiError.parse(await res.json());
-                assert.strictEqual(body.error, ERROR_FORBIDDEN_ORIGIN);
-            });
+            // Disallowed-Origin → 403 and absent-Origin → pass promoted to the
+            // dedicated cross-backend origin parity suite (`cross_backend/origin.ts`,
+            // both legs) — it drives raw transport calls against each spine's real
+            // origin middleware. This positive control stays here as a basic
+            // happy-path check in the consumer integration bundle.
             test('valid origin is accepted', async () => {
                 const fixture = await options.setup_test();
                 const res = await rpc_call_for_spec({
@@ -520,21 +494,6 @@ export const describe_standard_integration_tests = (options) => {
                 });
                 assert.strictEqual(res.status, 200);
             });
-            test_if(options.capabilities.in_process_only, 'no origin header is allowed (direct access)', async () => {
-                const fixture = await options.setup_test();
-                assert(fixture.in_process);
-                // Probe the "no Origin / no Referer" path; `suppress_default_origin`
-                // skips the default `origin` header.
-                const res = await rpc_call_for_spec({
-                    app: { request: fixture.transport },
-                    path: rpc_path,
-                    spec: account_verify_action_spec,
-                    params: undefined,
-                    headers: { cookie: `${cookie_name}=${fixture.backend_internals.session_cookie}` },
-                    suppress_default_origin: true,
-                });
-                assert.notStrictEqual(res.status, 403);
-            });
         });
         // --- 6. Bearer auth ---
         describe('bearer auth', () => {
@@ -938,37 +897,13 @@ export const describe_standard_integration_tests = (options) => {
             });
         });
         // --- 11. Expired credential rejection ---
-        describe('expired credential rejection', () => {
-            test_if(options.capabilities.in_process_only, 'expired session cookie returns 401', async () => {
-                const fixture = await options.setup_test();
-                assert(fixture.in_process);
-                const expired_cookie = await create_expired_test_cookie(fixture.keyring, options.session_options);
-                const res = await rpc_call_for_spec({
-                    app: { request: fixture.transport },
-                    path: rpc_path,
-                    spec: account_verify_action_spec,
-                    params: undefined,
-                    headers: { cookie: `${cookie_name}=${expired_cookie}` },
-                });
-                assert.strictEqual(res.status, 401, 'Expired session cookie should be rejected');
-            });
-            test_if(options.capabilities.in_process_only, 'expired session cookie returns 401 on mutation route', async () => {
-                const fixture = await options.setup_test();
-                assert(fixture.in_process);
-                const logout_route = find_auth_route(route_specs, '/logout', 'POST');
-                assert.ok(logout_route, 'Expected POST /logout route — ensure create_route_specs includes account routes');
-                const expired_cookie = await create_expired_test_cookie(fixture.keyring, options.session_options);
-                const res = await fixture.transport(logout_route.path, {
-                    method: 'POST',
-                    headers: {
-                        host: 'localhost',
-                        cookie: `${cookie_name}=${expired_cookie}`,
-                    },
-                });
-                assert.strictEqual(res.status, 401, 'Expired session cookie should be rejected on POST');
-                error_collector.record(route_specs, 'POST', logout_route.path, 401);
-            });
-        });
+        // Expired-credential rejection (read + mutation paths) promoted to the
+        // cross-backend conformance table (`conformance_expiry_cases.ts`, the
+        // `expired_session` principal) — it asserts the authoritative
+        // server-side DB-row expiry gate over real auth resolution on every
+        // spine. The two near-identical in-process skips this replaced (both an
+        // `account_verify` read) collapse into the single read row there; the
+        // `/logout` mutation path is the second row.
         // --- 12. Bearer token browser context on mutation routes ---
         describe('bearer token browser context silently discarded on mutations', () => {
             test('bearer token with Origin header discarded on POST logout', async () => {

package/dist/testing/rate_limiting.d.ts

@@ -32,7 +32,7 @@ export interface RateLimitingTestOptions {
      * Accepts either an array (eager) or a factory
      * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` — the factory form
      * is required when action handlers must close over the per-test
-     * `ctx.app_settings` / `ctx.deps`. The factory must return the same
+     * `ctx.deps`. The factory must return the same
      * endpoint `path` regardless of ctx — it is invoked once at setup with
      * a stub ctx for path lookup and again per-test by `create_app_server`
      * for live dispatch.

package/dist/testing/rpc_helpers.d.ts

@@ -10,9 +10,9 @@ import type { SessionOptions } from '../auth/session_cookie.js';
  * Union accepted by the suite-level `rpc_endpoints` option — eager array or
  * a factory that takes an `AppServerContext` and returns endpoint specs. The
  * factory form is required when action handlers must close over the
- * per-test `ctx.app_settings` / `ctx.deps` (e.g. the canonical
- * `create_standard_rpc_actions(ctx.deps, {app_settings: ctx.app_settings})`
- * pattern). `create_app_server` resolves either shape natively; test helpers
+ * per-test `ctx.deps` (e.g. the canonical
+ * `create_standard_rpc_actions(ctx.deps)` pattern). `create_app_server`
+ * resolves either shape natively; test helpers
  * forward the raw value to the top-level `rpc_endpoints` slot on
  * `CreateTestAppOptions` for live dispatch.
  */

package/dist/testing/sse_round_trip.d.ts

@@ -57,7 +57,7 @@ export interface SseRouteTestOptions {
      * Accepts either an array (eager) or a factory
      * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` — the factory form
      * is required when action handlers must close over the per-test
-     * `ctx.app_settings` / `ctx.deps`. The factory must return the same
+     * `ctx.deps`. The factory must return the same
      * endpoint `path` regardless of ctx — it is invoked once at setup with
      * a stub ctx for path lookup and again per-test by `create_app_server`
      * for live dispatch.

package/dist/testing/stubs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stubs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/stubs.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAa7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE/D,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,0BAA0B,CAAC;AAE3D,OAAO,KAAK,EAAC,gBAAgB,EAAE,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AACtF,OAAO,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAC/B,OAAO,EAAqB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAGzE,OAAO,EAEN,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,gCAAgC,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAkB,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAA8B,KAAK,WAAW,EAAC,MAAM,+BAA+B,CAAC;AAI5F;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,oBAAoB,GAAI,CAAC,GAAG,GAAG,EAAE,OAAO,MAAM,KAAG,CAqBtD,CAAC;AAET;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB,GAAI,CAAC,GAAG,GAAG,EAAE,QAAQ,MAAM,EAAE,YAAY,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,CAOxF,CAAC;AAET,iEAAiE;AACjE,eAAO,MAAM,IAAI,EAAE,GAAkC,CAAC;AAEtD;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,QAAO,EAI/B,CAAC;AAEJ,gDAAgD;AAChD,eAAO,MAAM,YAAY,QAAO,QAAgC,CAAC;AAEjE,2CAA2C;AAC3C,eAAO,MAAM,OAAO,GAAU,IAAI,GAAG,EAAE,MAAM,GAAG,KAAG,OAAO,CAAC,IAAI,CAAW,CAAC;AAI3E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,QAAO,YAM3C,CAAC;AAEH;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,QAAO,WAUxC,CAAC;AAEF,2EAA2E;AAC3E,eAAO,MAAM,aAAa,EAAE,OAS3B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,QAAO,OAStC,CAAC;AAEH,2FAA2F;AAC3F,eAAO,MAAM,0BAA0B,GAAI,UAAU;IACpD,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAC/B,KAAG,KAAK,CAAC,cAAc,CAqBvB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,8BAA8B,GAC1C,iBAAiB,cAAc,CAAC,MAAM,CAAC,KACrC,gBAqBF,CAAC;AAEF,kDAAkD;AAClD,MAAM,WAAW,+BAA+B;IAC/C,6DAA6D;IAC7D,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,qFAAqF;IACrF,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,oEAAoE;IACpE,UAAU,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACzB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B;;;;;;;;OAQG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAC7F;;;;;;;;OAQG;IACH,YAAY,CAAC,EACV,aAAa,CAAC,cAAc,CAAC,GAC7B,CAAC,CAAC,GAAG,EAAE,gBAAgB,KAAK,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC;IAC9D,mFAAmF;IACnF,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAC/E;;;;;;;;OAQG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,+BAA+B,KACtC,cAwDF,CAAC"}
+{"version":3,"file":"stubs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/stubs.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAa7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE/D,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,0BAA0B,CAAC;AAE3D,OAAO,KAAK,EAAC,gBAAgB,EAAE,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AACtF,OAAO,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAC/B,OAAO,EAAqB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAGzE,OAAO,EAEN,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,gCAAgC,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAkB,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAA8B,KAAK,WAAW,EAAC,MAAM,+BAA+B,CAAC;AAI5F;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,oBAAoB,GAAI,CAAC,GAAG,GAAG,EAAE,OAAO,MAAM,KAAG,CAqBtD,CAAC;AAET;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB,GAAI,CAAC,GAAG,GAAG,EAAE,QAAQ,MAAM,EAAE,YAAY,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,CAOxF,CAAC;AAET,iEAAiE;AACjE,eAAO,MAAM,IAAI,EAAE,GAAkC,CAAC;AAEtD;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,QAAO,EAI/B,CAAC;AAEJ,gDAAgD;AAChD,eAAO,MAAM,YAAY,QAAO,QAAgC,CAAC;AAEjE,2CAA2C;AAC3C,eAAO,MAAM,OAAO,GAAU,IAAI,GAAG,EAAE,MAAM,GAAG,KAAG,OAAO,CAAC,IAAI,CAAW,CAAC;AAI3E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,QAAO,YAM3C,CAAC;AAEH;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,QAAO,WAUxC,CAAC;AAEF,2EAA2E;AAC3E,eAAO,MAAM,aAAa,EAAE,OAS3B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,QAAO,OAStC,CAAC;AAEH,2FAA2F;AAC3F,eAAO,MAAM,0BAA0B,GAAI,UAAU;IACpD,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAC/B,KAAG,KAAK,CAAC,cAAc,CAqBvB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,8BAA8B,GAC1C,iBAAiB,cAAc,CAAC,MAAM,CAAC,KACrC,gBAoBF,CAAC;AAEF,kDAAkD;AAClD,MAAM,WAAW,+BAA+B;IAC/C,6DAA6D;IAC7D,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,qFAAqF;IACrF,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,oEAAoE;IACpE,UAAU,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACzB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B;;;;;;;;OAQG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAC7F;;;;;;;;OAQG;IACH,YAAY,CAAC,EACV,aAAa,CAAC,cAAc,CAAC,GAC7B,CAAC,CAAC,GAAG,EAAE,gBAAgB,KAAK,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC;IAC9D,mFAAmF;IACnF,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAC/E;;;;;;;;OAQG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,+BAA+B,KACtC,cAwDF,CAAC"}

package/dist/testing/stubs.js

@@ -201,7 +201,6 @@ export const create_stub_app_server_context = (session_options) => {
         signup_account_rate_limiter: null,
         action_ip_rate_limiter: null,
         action_account_rate_limiter: null,
-        app_settings: { open_signup: false, updated_at: null, updated_by: null },
         audit_sse: null,
     };
 };

package/dist/ui/AdminAccounts.svelte

@@ -50,21 +50,18 @@
 		</p>
 	{/if}
 
-	{#if admin_accounts.has_rpc}
-		<label class="row gap_xs font_size_sm">
-			<input
-				type="checkbox"
-				checked={admin_accounts.show_deleted}
-				onchange={(e) => admin_accounts.set_show_deleted(e.currentTarget.checked)}
-			/>
-			show deleted
-		</label>
-		<p class="text_50 font_size_sm">
-			“delete” is a reversible soft-delete (tombstone) — enable “show deleted” to reactivate an
-			account. Permanent hard-delete (purge) is keeper/CLI-only and intentionally not available
-			here.
-		</p>
-	{/if}
+	<label class="row gap_xs font_size_sm">
+		<input
+			type="checkbox"
+			checked={admin_accounts.show_deleted}
+			onchange={(e) => admin_accounts.set_show_deleted(e.currentTarget.checked)}
+		/>
+		show deleted
+	</label>
+	<p class="text_50 font_size_sm">
+		“delete” is a reversible soft-delete (tombstone) — enable “show deleted” to reactivate an
+		account. Permanent hard-delete (purge) is keeper/CLI-only and intentionally not available here.
+	</p>
 
 	{#if admin_accounts.list.loading}
 		<p class="text_50">loading accounts...</p>
@@ -111,7 +108,7 @@
 									expires {format_relative_time(role_grant.expires_at)}
 								</span>
 							{/if}
-							{#if admin_accounts.has_rpc && row.actor}
+							{#if row.actor}
 								{@const actor_id = row.actor.id}
 								{@const revoke_error = admin_accounts.revoke.error(role_grant.id)}
 								<ConfirmButton
@@ -129,6 +126,7 @@
 					{/each}
 					{#each row.pending_offers as offer (offer.id)}
 						{@const offer_scope = scope_label(offer.scope_id, offer.role)}
+						{@const retract_error = admin_accounts.retract.error(offer.id)}
 						<div class="row">
 							<span
 								class="chip"
@@ -141,18 +139,15 @@
 									{offer_scope}
 								</span>
 							{/if}
-							{#if admin_accounts.has_rpc}
-								{@const retract_error = admin_accounts.retract.error(offer.id)}
-								<ConfirmButton
-									onconfirm={() => admin_accounts.submit_retract(offer.id)}
-									title="retract offer"
-									class="sm"
-									label="retract"
-									pending={admin_accounts.retract.loading(offer.id)}
-								/>
-								{#if retract_error}
-									<span class="color_c_50 font_size_sm">{retract_error}</span>
-								{/if}
+							<ConfirmButton
+								onconfirm={() => admin_accounts.submit_retract(offer.id)}
+								title="retract offer"
+								class="sm"
+								label="retract"
+								pending={admin_accounts.retract.loading(offer.id)}
+							/>
+							{#if retract_error}
+								<span class="color_c_50 font_size_sm">{retract_error}</span>
 							{/if}
 						</div>
 					{/each}
@@ -160,70 +155,66 @@
 						<span class="text_50">none</span>
 					{/if}
 				{:else if column.key === 'actor'}
-					{#if admin_accounts.has_rpc}
-						{#each admin_accounts.grantable_roles as role (role)}
-							{@const key = grant_key(row.account.id, role)}
-							{@const grant_error = admin_accounts.grant.error(key)}
-							{#if !row.role_grants.some((p) => p.role === role) && !row.pending_offers.some((o) => o.role === role)}
-								<ConfirmButton
-									onconfirm={() => admin_accounts.submit_grant(row.account.id, role)}
-									title="offer {role}"
-									class="sm"
-									label={`+ ${role}`}
-									pending={admin_accounts.grant.loading(key)}
-								>
-									{#snippet popover_content(_popover, do_confirm)}
-										<button type="button" class="color_b bg_100" onclick={() => do_confirm()}>
-											<span class="py_sm">offer '{role}' to @{row.account.username}</span>
-										</button>
-									{/snippet}
-								</ConfirmButton>
-								{#if grant_error}
-									<span class="color_c_50 font_size_sm">{grant_error}</span>
-								{/if}
-							{/if}
-						{/each}
-					{/if}
-				{:else if column.key === 'pending_offers'}
-					{#if admin_accounts.has_rpc}
-						{#if row.account.deleted_at}
-							{@const undelete_error = admin_accounts.undelete.error(row.account.id)}
-							<span
-								class="chip font_size_sm color_c"
-								title={format_datetime_local(row.account.deleted_at)}
-							>
-								deleted {format_relative_time(row.account.deleted_at)}
-							</span>
-							<button
-								type="button"
-								class="sm"
-								disabled={admin_accounts.undelete.loading(row.account.id)}
-								onclick={() => admin_accounts.submit_undelete(row.account.id)}
-							>
-								reactivate
-							</button>
-							{#if undelete_error}
-								<span class="color_c_50 font_size_sm">{undelete_error}</span>
-							{/if}
-						{:else}
-							{@const delete_error = admin_accounts.soft_delete.error(row.account.id)}
+					{#each admin_accounts.grantable_roles as role (role)}
+						{@const key = grant_key(row.account.id, role)}
+						{@const grant_error = admin_accounts.grant.error(key)}
+						{#if !row.role_grants.some((p) => p.role === role) && !row.pending_offers.some((o) => o.role === role)}
 							<ConfirmButton
-								onconfirm={() => admin_accounts.submit_delete(row.account.id)}
-								title="soft-delete @{row.account.username}"
+								onconfirm={() => admin_accounts.submit_grant(row.account.id, role)}
+								title="offer {role}"
 								class="sm"
-								label="delete"
-								pending={admin_accounts.soft_delete.loading(row.account.id)}
+								label={`+ ${role}`}
+								pending={admin_accounts.grant.loading(key)}
 							>
 								{#snippet popover_content(_popover, do_confirm)}
-									<button type="button" class="color_c bg_100" onclick={() => do_confirm()}>
-										<span class="py_sm">soft-delete @{row.account.username} (reversible)</span>
+									<button type="button" class="color_b bg_100" onclick={() => do_confirm()}>
+										<span class="py_sm">offer '{role}' to @{row.account.username}</span>
 									</button>
 								{/snippet}
 							</ConfirmButton>
-							{#if delete_error}
-								<span class="color_c_50 font_size_sm">{delete_error}</span>
+							{#if grant_error}
+								<span class="color_c_50 font_size_sm">{grant_error}</span>
 							{/if}
 						{/if}
+					{/each}
+				{:else if column.key === 'pending_offers'}
+					{#if row.account.deleted_at}
+						{@const undelete_error = admin_accounts.undelete.error(row.account.id)}
+						<span
+							class="chip font_size_sm color_c"
+							title={format_datetime_local(row.account.deleted_at)}
+						>
+							deleted {format_relative_time(row.account.deleted_at)}
+						</span>
+						<button
+							type="button"
+							class="sm"
+							disabled={admin_accounts.undelete.loading(row.account.id)}
+							onclick={() => admin_accounts.submit_undelete(row.account.id)}
+						>
+							reactivate
+						</button>
+						{#if undelete_error}
+							<span class="color_c_50 font_size_sm">{undelete_error}</span>
+						{/if}
+					{:else}
+						{@const delete_error = admin_accounts.soft_delete.error(row.account.id)}
+						<ConfirmButton
+							onconfirm={() => admin_accounts.submit_delete(row.account.id)}
+							title="soft-delete @{row.account.username}"
+							class="sm"
+							label="delete"
+							pending={admin_accounts.soft_delete.loading(row.account.id)}
+						>
+							{#snippet popover_content(_popover, do_confirm)}
+								<button type="button" class="color_c bg_100" onclick={() => do_confirm()}>
+									<span class="py_sm">soft-delete @{row.account.username} (reversible)</span>
+								</button>
+							{/snippet}
+						</ConfirmButton>
+						{#if delete_error}
+							<span class="color_c_50 font_size_sm">{delete_error}</span>
+						{/if}
 					{/if}
 				{/if}
 			{/snippet}

package/dist/ui/AdminAccounts.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminAccounts.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/AdminAccounts.svelte"],"names":[],"mappings":"AA2MA,QAAA,MAAM,aAAa,2DAAwC,CAAC;AAC5D,KAAK,aAAa,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACtD,eAAe,aAAa,CAAC"}
+{"version":3,"file":"AdminAccounts.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/AdminAccounts.svelte"],"names":[],"mappings":"AAkMA,QAAA,MAAM,aAAa,2DAAwC,CAAC;AAC5D,KAAK,aAAa,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACtD,eAAe,aAAa,CAAC"}

package/dist/ui/AdminSessions.svelte

@@ -62,29 +62,27 @@
 						{format_relative_time(row.expires_at)}
 					</span>
 				{:else if column.key === 'account_id'}
-					{#if admin_sessions.has_rpc}
-						{@const revoke_sessions_error = admin_sessions.revoke_sessions.error(row.account_id)}
-						{@const revoke_tokens_error = admin_sessions.revoke_tokens.error(row.account_id)}
-						<ConfirmButton
-							onconfirm={() => admin_sessions.submit_revoke_sessions(row.account_id)}
-							title="revoke all sessions for {row.username}"
-							class="sm"
-							label="revoke sessions"
-							pending={admin_sessions.revoke_sessions.loading(row.account_id)}
-						/>
-						{#if revoke_sessions_error}
-							<span class="color_c_50 font_size_sm">{revoke_sessions_error}</span>
-						{/if}
-						<ConfirmButton
-							onconfirm={() => admin_sessions.submit_revoke_tokens(row.account_id)}
-							title="revoke all tokens for {row.username}"
-							class="sm"
-							label="revoke tokens"
-							pending={admin_sessions.revoke_tokens.loading(row.account_id)}
-						/>
-						{#if revoke_tokens_error}
-							<span class="color_c_50 font_size_sm">{revoke_tokens_error}</span>
-						{/if}
+					{@const revoke_sessions_error = admin_sessions.revoke_sessions.error(row.account_id)}
+					{@const revoke_tokens_error = admin_sessions.revoke_tokens.error(row.account_id)}
+					<ConfirmButton
+						onconfirm={() => admin_sessions.submit_revoke_sessions(row.account_id)}
+						title="revoke all sessions for {row.username}"
+						class="sm"
+						label="revoke sessions"
+						pending={admin_sessions.revoke_sessions.loading(row.account_id)}
+					/>
+					{#if revoke_sessions_error}
+						<span class="color_c_50 font_size_sm">{revoke_sessions_error}</span>
+					{/if}
+					<ConfirmButton
+						onconfirm={() => admin_sessions.submit_revoke_tokens(row.account_id)}
+						title="revoke all tokens for {row.username}"
+						class="sm"
+						label="revoke tokens"
+						pending={admin_sessions.revoke_tokens.loading(row.account_id)}
+					/>
+					{#if revoke_tokens_error}
+						<span class="color_c_50 font_size_sm">{revoke_tokens_error}</span>
 					{/if}
 				{:else if column.format}
 					{column.format(row[column.key], row)}

package/dist/ui/AdminSessions.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminSessions.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/AdminSessions.svelte"],"names":[],"mappings":"AAoGA,UAAU,kCAAkC,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,OAAO,GAAG,EAAE,EAAE,QAAQ,GAAG,MAAM;IACpM,KAAK,OAAO,EAAE,OAAO,QAAQ,EAAE,2BAA2B,CAAC,KAAK,CAAC,GAAG,OAAO,QAAQ,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG;QAAE,UAAU,CAAC,EAAE,QAAQ,CAAA;KAAE,GAAG,OAAO,CAAC;IACjK,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,KAAK,CAAA;KAAC,GAAG,OAAO,GAAG;QAAE,IAAI,CAAC,EAAE,GAAG,CAAC;QAAC,GAAG,CAAC,EAAE,GAAG,CAAA;KAAE,CAAC;IACtG,YAAY,CAAC,EAAE,QAAQ,CAAC;CAC3B;AAKD,QAAA,MAAM,aAAa;;kBAA+E,CAAC;AACjF,KAAK,aAAa,GAAG,YAAY,CAAC,OAAO,aAAa,CAAC,CAAC;AAC1D,eAAe,aAAa,CAAC"}
+{"version":3,"file":"AdminSessions.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/AdminSessions.svelte"],"names":[],"mappings":"AAkGA,UAAU,kCAAkC,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,OAAO,GAAG,EAAE,EAAE,QAAQ,GAAG,MAAM;IACpM,KAAK,OAAO,EAAE,OAAO,QAAQ,EAAE,2BAA2B,CAAC,KAAK,CAAC,GAAG,OAAO,QAAQ,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG;QAAE,UAAU,CAAC,EAAE,QAAQ,CAAA;KAAE,GAAG,OAAO,CAAC;IACjK,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,KAAK,CAAA;KAAC,GAAG,OAAO,GAAG;QAAE,IAAI,CAAC,EAAE,GAAG,CAAC;QAAC,GAAG,CAAC,EAAE,GAAG,CAAA;KAAE,CAAC;IACtG,YAAY,CAAC,EAAE,QAAQ,CAAC;CAC3B;AAKD,QAAA,MAAM,aAAa;;kBAA+E,CAAC;AACjF,KAAK,aAAa,GAAG,YAAY,CAAC,OAAO,aAAa,CAAC,CAAC;AAC1D,eAAe,aAAa,CAAC"}

package/dist/ui/CLAUDE.md

@@ -18,16 +18,17 @@ file is a reference, not a tutorial.
 
 ## Key patterns
 
-### RPC adapter contexts with `() => null` fallback
+### RPC adapter contexts (required, no fallback)
 
 Five narrow RPC adapter contexts — `admin_accounts_rpc_context`,
 `admin_invites_rpc_context`, `audit_log_rpc_context`,
 `app_settings_rpc_context`, `account_sessions_rpc_context` — carry a
-reactive `() => Rpc | null` accessor. All five declare a `() => () => null`
-default so components mounted without a provisioner render the "rpc adapter
-not wired" state instead of crashing. (`role_grant_offers_state_context` carries
-a `RoleGrantOffersState` directly, not an RPC accessor, and isn't counted
-here.) The standard consumer shape:
+reactive `() => Rpc` accessor. None declares a fallback, so `get()` throws
+when a component mounts without a provisioner above it — the adapter is
+required, and a missing wire fails loudly at mount rather than degrading
+silently. (`role_grant_offers_state_context` carries a `RoleGrantOffersState`
+directly, not an RPC accessor, and isn't counted here.) The standard consumer
+shape:
 
 ```ts
 const get_rpc = admin_accounts_rpc_context.get();
@@ -45,14 +46,6 @@ The provisioner calls `context.set(() => rpc)` once at the admin route
 shell. Every admin component plus `OpenSignupToggle.svelte` consumes the
 context — RPC adapters are never threaded through props.
 
-### `has_rpc` gates fetch and mutations
-
-Every state class backed by a narrow RPC interface exposes a `has_rpc`
-getter. When `false`, `fetch()`, mutations, and `subscribe` no-op and
-set `error` to `'rpc adapter not wired'`. `AdminSessionsState`'s listing
-plus mutations all run through the shared `AdminAccountsRpc`, so
-`has_rpc` gates the whole surface.
-
 ### `$state.raw` Map keyed by id + `$derived` views
 
 `RoleGrantOffersState` maintains a single `Map<string, RoleGrantOfferJson>` in
@@ -159,7 +152,7 @@ destructive actions.
   `/api/surface` (REST) and delegates to `SurfaceExplorer`.
 - `OpenSignupToggle.svelte` — single checkbox bound to
   `AppSettingsState.settings.open_signup`. Consumes
-  `app_settings_rpc_context`; hides gracefully when `has_rpc` is `false`.
+  `app_settings_rpc_context`.
 - `SurfaceExplorer.svelte` — reads-only `AppSurface` renderer. Props:
   `surface: AppSurface`. Filter routes by auth type; expand a row to
   dump `params`/`query`/`input`/`output`/`errors` schemas as JSON.
@@ -317,8 +310,7 @@ the `submit_*` prefix where the verb collides with a slot name.
   (`list_sessions` wraps `admin_session_list`) and the two revoke-all
   mutations. Slots: `list` (AsyncSlot), `revoke_sessions` /
   `revoke_tokens` (`KeyedAsyncSlot<Uuid, void>` keyed by
-  `account_id`). `has_rpc` gates the listing + both revoke controls.
-  Methods: `fetch`, `submit_revoke_sessions`, `submit_revoke_tokens`.
+  `account_id`). Methods: `fetch`, `submit_revoke_sessions`, `submit_revoke_tokens`.
 - `app_settings_state.svelte.ts` — `AppSettingsState` +
   `app_settings_rpc_context` + narrow `AppSettingsRpc` (`get`,
   `update`). Slots: `list`, `update`. Field: `settings`. Single
@@ -337,23 +329,22 @@ the `submit_*` prefix where the verb collides with a slot name.
 
 ## RPC adapter contexts
 
-All five RPC-carrying contexts have a `() => () => null` default and
-share the same `has_rpc`-gated state-class shape; consumers wire a typed
-RPC client to each narrow interface. See "Key patterns" above for the
-provisioner pattern.
+All five RPC-carrying contexts are required (no fallback) — `get()` throws
+when unprovisioned; consumers wire a typed RPC client to each narrow
+interface. See "Key patterns" above for the provisioner pattern.
 
 - `auth_state_context` — carries `AuthState` directly (not an RPC
   accessor). Used by every auth form, `AdminOverview`,
   `AdminSettings`, `AccountSessions`, `LogoutButton`.
-- `admin_accounts_rpc_context` — `() => AdminAccountsRpc | null`.
+- `admin_accounts_rpc_context` — `() => AdminAccountsRpc`.
   Consumed by `AdminAccounts`, `AdminSessions`, `AdminOverview`.
-- `admin_invites_rpc_context` — `() => AdminInvitesRpc | null`.
+- `admin_invites_rpc_context` — `() => AdminInvitesRpc`.
   Consumed by `AdminInvites`, `AdminOverview`.
-- `audit_log_rpc_context` — `() => AuditLogRpc | null`. Consumed by
+- `audit_log_rpc_context` — `() => AuditLogRpc`. Consumed by
   `AdminAuditLog`, `AdminRoleGrantHistory`, `AdminOverview`.
-- `app_settings_rpc_context` — `() => AppSettingsRpc | null`.
+- `app_settings_rpc_context` — `() => AppSettingsRpc`.
   Consumed by `OpenSignupToggle`, `AdminOverview`.
-- `account_sessions_rpc_context` — `() => AccountSessionsRpc | null`.
+- `account_sessions_rpc_context` — `() => AccountSessionsRpc`.
   Consumed by `AccountSessions`.
 - `role_grant_offers_state_context` — carries `RoleGrantOffersState`
   directly. Consumed by `RoleGrantOfferInbox`, `RoleGrantOfferForm`,