@fuzdev/fuz_app 0.68.0 → 0.70.0

package/dist/testing/CLAUDE.md

@@ -219,15 +219,16 @@ test-only by construction.
 - `assert_schema_snapshots_equal(a, b, labels?)` — throws on drift with a fully-formatted diff message.
 - `SchemaDiff` — tagged-union per drift kind: `schema_version_only_in`, `schema_version_sequence_differs`, `table_only_in`, `column_only_in`, `column_field_differs`, `index_only_in`, `index_definition_differs`, `constraint_only_in`, `constraint_differs`, `sequence_only_in`, `sequence_data_type_differs`.
 
-**Cross-impl gate pattern** — consumers running two backends against a
-shared schema (zzz's `--backend=both`, fuz_app's cross-backend suite)
-bootstrap each impl against an isolated DB, snapshot, then compare:
+**Cross-impl gate pattern** — a dual-impl consumer running two backends
+(a TS Hono server and a Rust spine server) against a shared schema, plus
+fuz_app's own cross-backend suite, bootstrap each impl against an isolated
+DB, snapshot, then compare:
 
 ```ts
-await drop_recreate_db('zzz_test');
+await drop_recreate_db('app_test');
 await spawn_backend(deno_config);
 const snapshot_deno = await query_schema_snapshot(db);
-await drop_recreate_db('zzz_test');
+await drop_recreate_db('app_test');
 await spawn_backend(rust_config);
 const snapshot_rust = await query_schema_snapshot(db);
 assert_schema_snapshots_equal(snapshot_deno, snapshot_rust, {a: 'deno', b: 'rust'});
@@ -789,8 +790,8 @@ points:
 The standard test suites take a unified
 `{setup_test, surface_source, capabilities}` shape so the same suite bodies
 run against an in-process Hono harness today and against a spawned backend
-over real HTTP — either the Rust spine (`zzz_server`, `fuz_forge_server`, or
-the non-domain `testing_spine_stub`) or a **TS** spine binary built on the
+over real HTTP — either the Rust spine (`zzz_server`, another consumer's
+spine server, or the non-domain `testing_spine_stub`) or a **TS** spine binary built on the
 test-server core below (fuz_app's own domain-free `testing_spine_server`, run
 on Node + Deno + Bun). In-process is the fast feedback path; cross-process is the
 source of truth for wire-shape conformance.
@@ -846,7 +847,7 @@ source of truth for wire-shape conformance.
 
 - `testing/cross_backend/capabilities.ts` — `BackendCapabilities` vocabulary
   (`bearer_auth` / `trusted_proxy` / `login_rate_limit` / `ws` / `sse` /
-  `cell_crud` / `cell_relations` / `account_lifecycle` / `in_process_only`),
+  `cell_crud` / `cell_relations` / `account_lifecycle`),
   `test_if(cond, name, fn)`
   for capability-gated cases, and `in_process_capabilities` preset. `cell_crud`
   gates the CRUD parity suite, `cell_relations` the relation / ACL / audit
@@ -885,6 +886,50 @@ consumer needs partial opt-out, add the knob then.
 `bootstrap`, `rate_limiting_app_options`, `bootstrap_token`) — those drive
 the omitted suites.
 
+### `cross_backend/conformance_table.ts` + `conformance_case.ts` + `xfail.ts` — declarative behavioral/security cases
+
+The opinionated behavioral/security layer on top of the spec-derived
+auto-enumeration (`describe_rpc_round_trip_tests` /
+`describe_rpc_attack_surface_tests`). Where those assert wire-shape,
+conformance cases assert _expected behavior_ — the security negatives
+(must be refused / must not leak / found-vs-not-found same shape) a
+wire-shape check passes green on even when behavior is wrong.
+
+- `conformance_case.ts` — `ConformanceCase` Zod schema:
+  `{name, request: {method, params?, as, verb?}, expect: {status,
+error_reason?, fields?}, note?, xfail?}`. A case is **data** — `method`
+  resolves its `input`/`output` from the live registry (RPC) or `RouteSpec`
+  (the 6 REST auth routes), so the case never carries a schema. `as` is the
+  closed `ConformancePrincipal` enum (`keeper` / `daemon` / `token` /
+  `anonymous` / `fresh_non_admin` / `role_holder` / `wrong_role` /
+  `expired_session`) — fixture accessors, never inline credential minting.
+  `expired_session` is the keeper behind an expired server-side session
+  (`fixture.mint_expired_session()`: a backdated `auth_session` row behind a
+  still-valid signed cookie, so the DB-row expiry gate is what refuses it).
+  `error_reason` is the imported
+  `ERROR_*` constant (asserted against the RPC `error.data.reason` or the
+  REST flat-body `error`; the bare `unauthenticated()` 401 carries no
+  reason, so `status` pins that denial class).
+- `conformance_table.ts` — `describe_conformance_table_tests({cases,
+setup_test, surface_source, capabilities, rpc_endpoints, session_options,
+principals?, suite_name?})`. Same `{setup_test, surface_source,
+capabilities}` protocol every Tier 1 suite uses, so **one case array runs
+  both transports** — in-process (`gro test`) and cross-process (the gate,
+  each backend's real auth resolution). `resolve_principal` maps the five
+  always-available principals to fixture accessors; `role_holder` /
+  `wrong_role` read a seeded `extra_accounts` username named via
+  `options.principals`.
+- `xfail.ts` — `xfail_until(tracking_id, reason, name, fn)`, a thin
+  `test.fails` wrapper for deferred-by-design rows (visible + self-cleaning:
+  turns red when the gap closes, forcing marker removal). In-scope gaps fail
+  loud as a normal `test`, not via this marker. Sibling to `test_if` in
+  `capabilities.ts`.
+
+Wire from a `.db.test.ts` (in-process) and a `.cross.test.ts`
+(cross-process) with the same case array — fuz_app's own runner-proof is
+`../../test/cross_backend/conformance.{db,cross}.test.ts` sharing
+`conformance_proof_cases.ts`.
+
 ### `cross_backend/ws_round_trip.ts` — `describe_cross_process_ws_tests`
 
 Real-upgrade WebSocket coverage of a spawned backend — the cross-process
@@ -933,9 +978,13 @@ _own_ sessions are revoked (`account_session_revoke_all`) so the audit guard
 drops the live stream (asserted via `SseTransport.wait_for_close`). The
 data-frame + close cases gate on `rpc_path` (they drive the standard
 account/admin actions); all cases gate on `capabilities.sse`. Cross-process
-only — wire from a `*.cross.test.ts`. fuz_app's own wiring is
+only — wire from a `*.cross.test.ts`. fuz*app's own wiring is
 `src/test/cross_backend/sse.cross.test.ts`; only the TS spines advertise
 `sse` (they wire `audit_log_sse`), so the Rust `spine_stub` cases `.skip`.
+That file also registers one `xfail_until` (only when `sse: false`) asserting
+the stream \_can't* open on a spine without SSE — a self-cleaning tripwire for
+the spine that should grow it, distinct from the consumer-legit capability
+skip the shared suite emits.
 
 ### `cross_backend/cell_crud.ts` + `cell_relations.ts` — cell parity suites
 
@@ -1046,13 +1095,52 @@ in-process legs (plain `gro test`) are `src/test/auth/cell_crud_parity.db.test.t
   same bootstrap-equivalent step (the only path for roles like
   `ROLE_KEEPER` whose `grant_paths` is bootstrap-only), refreshes
   `DaemonTokenState.keeper_account_id` to the new row, then fires the
-  consumer-supplied `reset_state` callback for domain-state reset. Auth
+  consumer-supplied `reset_state(db)` callback for domain-state reset —
+  passed the **transactional** `Db` the auth wipe ran on, so DB-domain
+  consumers (e.g. fuz_forge truncating its cell / fact / file tables) reset
+  on the same connection rather than a separately-pooled one that would
+  deadlock against this open transaction under PGlite. Auth
   gates on `credential_types: ['daemon_token']` — effectively keeper-only
   without forcing the `actor: 'required'` ⟺ `acting?: ActingActor`
   biconditional. No free-form runtime grant action exists — see the
   `testing_reset_actions.ts` TSDoc for the audit + WS fan-out rationale
   that rejected a `_testing_seed_role_grant` shape.
 
+  Same module also exports `create_testing_drain_effects_action()` — the
+  `_testing_drain_effects` RPC action (daemon-token-gated, like
+  `_testing_reset`). It awaits in-flight fire-and-forget audit writes so a
+  following `audit_log_list` is authoritative — the deterministic barrier a
+  cross-process audit assertion fires before reading (no poll/sleep). On the
+  TS spine it is **satisfied by construction** (the binary runs
+  `await_pending_effects: true`, so each mutation's emits land before its
+  response); the Rust spine does the real await in
+  `AuditEmitter::drain_inflight`. `create_testing_actions` bundles it
+  alongside `_testing_reset`; suites that mount their own endpoint (e.g. the
+  in-process `account_lifecycle_parity.db.test.ts`) add it directly so the
+  shared suite body can call the barrier on every backend uniformly.
+
+  Also bundled: `_testing_mint_session` — mints a backdated-expiry
+  `auth_session` row for an account (via `mint_test_session` in `app_server.ts`)
+  and returns its signed cookie value (future-dated payload). Backs the
+  `expired_session` conformance principal: the backdated DB row + valid cookie
+  payload isolate the authoritative server-side DB-row expiry gate
+  (`query_session_get_valid` — `expires_at > NOW()`), the gate the in-process
+  payload-expiry tests never reached. Daemon-token-gated like its siblings; the
+  Rust mirror is `fuz_testing::create_testing_mint_session_action_spec`.
+
+### Origin verification parity — `cross_backend/origin.ts`
+
+`describe_origin_cross_tests({setup_test, capabilities, rpc_path?})` — the
+imperative Origin-verification suite: disallowed `Origin` → 403 `forbidden_origin` (refused
+before dispatch), absent `Origin` → request passes (non-browser direct access).
+Imperative (not a conformance-table row) because origin rejection is
+middleware-level flat-REST, not the JSON-RPC envelope the table runner expects,
+and absent-Origin needs `fresh_transport({origin: null})`. Runs both legs (the
+in-process `auth/origin_parity.db.test.ts` + the cross-process
+`origin.cross.test.ts`). The promotion surfaced a twin-impl divergence — the
+Rust spine returned a plain-text body — now converged to the canonical TS
+`{error: "forbidden_origin"}` via `fuz_http::forbidden_origin_response()`.
+
 ### Building a TS test-server binary — `testing_server_core.ts` + adapters
 
 The reusable shape for standing up a **spawnable TS** cross-process test

package/dist/testing/app_server.d.ts

@@ -89,6 +89,40 @@ export declare const create_test_account_with_credentials: (options: CreateTestA
     api_token: string;
     session_cookie: string;
 }>;
+/** Options for `mint_test_session`. */
+export interface MintTestSessionOptions {
+    db: Db;
+    keyring: Keyring;
+    session_options: SessionOptions<string>;
+    /** Account the minted session belongs to. */
+    account_id: string;
+    /**
+     * Session lifetime offset in seconds applied to `NOW()` for the
+     * `auth_session.expires_at` row. A negative value backdates the row so
+     * the authoritative DB-row expiry gate (`query_session_get_valid` —
+     * `WHERE expires_at > NOW()`) rejects it, while the returned cookie's
+     * own signed payload stays valid (future). Resolution therefore passes
+     * the cookie-payload check in `parse_session` and is refused at the
+     * DB-row gate — the gate the in-process payload-expiry tests never
+     * reach and the one that structurally needs a server-side mint.
+     */
+    expires_in_seconds: number;
+}
+/**
+ * Mint a real `auth_session` row for an existing account and return a
+ * validly-signed session cookie value referencing it. Test-only — the
+ * forge behind the cross-backend expiry conformance cases (the
+ * `expired_session` principal): pass a negative `expires_in_seconds` to
+ * produce an *expired server-side session* whose signed cookie envelope is
+ * still well-formed. Both the TS `_testing_mint_session` action and the
+ * in-process `fixture.mint_expired_session()` seam call this so the write
+ * semantics match across transports.
+ *
+ * @mutates `options.db` — inserts one `auth_session` row.
+ */
+export declare const mint_test_session: (options: MintTestSessionOptions) => Promise<{
+    session_cookie: string;
+}>;
 /**
  * Bootstrap the test-DB keeper. Direct-query shortcut for the default
  * `create_test_app` path — bootstrap is not what most tests exercise, so

package/dist/testing/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC3F,OAAO,EAAiB,KAAK,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AAEzE,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AA0CzD;;;;;GAKG;AACH,MAAM,WAAW,uCAAuC;IACvD,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,MAAM,0BAA0B,GAAG,uCAAuC,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,uCAAuC,KAC9C,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,0BAA0B,KACjC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAQA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;OASG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;IACzD,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAuID,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA2BvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CACH,gBAAgB,EAChB,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,GAAG,WAAW,CACpF,CACD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAoGpF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,WAAW,gCAAgC;IAChD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,8EAA8E;IAC9E,SAAS,EAAE,oBAAoB,CAAC;IAChC;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,UAAU,CAAC;IACpB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,0EAA0E;IAC1E,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,mBAAmB,CAuE7B,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG/B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAGjD,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC3F,OAAO,EAAiB,KAAK,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AAEzE,OAAO,EAAwB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAC,MAAM,0BAA0B,CAAC;AACnG,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAOrD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,kBAAkB,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AA0CzD;;;;;GAKG;AACH,MAAM,WAAW,uCAAuC;IACvD,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,MAAM,0BAA0B,GAAG,uCAAuC,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,uCAAuC,KAC9C,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CA4CA,CAAC;AAEF,uCAAuC;AACvC,MAAM,WAAW,sBAAsB;IACtC,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB;;;;;;;;;OASG;IACH,kBAAkB,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iBAAiB,GAC7B,SAAS,sBAAsB,KAC7B,OAAO,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAC,CAQlC,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,0BAA0B,KACjC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAQA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;OASG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;IACzD,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAuID,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CA2BvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,CACpC,IAAI,CACH,gBAAgB,EAChB,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,eAAe,GAAG,WAAW,CACpF,CACD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACtC,KAAK,EAAE;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAoGpF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,WAAW,gCAAgC;IAChD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,8EAA8E;IAC9E,SAAS,EAAE,oBAAoB,CAAC;IAChC;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,aAAa,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,UAAU,CAAC;IACpB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,0EAA0E;IAC1E,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,mBAAmB,CAuE7B,CAAC"}

package/dist/testing/app_server.js

@@ -106,12 +106,16 @@ export const create_test_account_with_credentials = async (options) => {
     // Create API token (account-scoped — acting actor is per-request)
     const { token: api_token, id: token_id, token_hash } = generate_api_token();
     await query_create_api_token(deps, token_id, account.id, 'test-cli', token_hash);
-    // Create session (account-scoped — acting actor is per-request)
-    const session_token = generate_session_token();
-    const session_hash = hash_session_token(session_token);
-    const expires_at = new Date(Date.now() + AUTH_SESSION_LIFETIME_MS);
-    await query_create_session(deps, session_hash, account.id, expires_at);
-    const session_cookie = await create_session_cookie_value(keyring, session_token, session_options);
+    // Create session (account-scoped — acting actor is per-request).
+    // Shares the mint primitive with `mint_test_session` / the
+    // `_testing_mint_session` action; here with the standard 30-day lifetime.
+    const { session_cookie } = await mint_test_session({
+        db,
+        keyring,
+        session_options,
+        account_id: account.id,
+        expires_in_seconds: AUTH_SESSION_LIFETIME_MS / 1000,
+    });
     return {
         account: { id: account.id, username: account.username },
         actor: { id: actor.id },
@@ -119,6 +123,27 @@ export const create_test_account_with_credentials = async (options) => {
         session_cookie,
     };
 };
+/**
+ * Mint a real `auth_session` row for an existing account and return a
+ * validly-signed session cookie value referencing it. Test-only — the
+ * forge behind the cross-backend expiry conformance cases (the
+ * `expired_session` principal): pass a negative `expires_in_seconds` to
+ * produce an *expired server-side session* whose signed cookie envelope is
+ * still well-formed. Both the TS `_testing_mint_session` action and the
+ * in-process `fixture.mint_expired_session()` seam call this so the write
+ * semantics match across transports.
+ *
+ * @mutates `options.db` — inserts one `auth_session` row.
+ */
+export const mint_test_session = async (options) => {
+    const { db, keyring, session_options, account_id, expires_in_seconds } = options;
+    const session_token = generate_session_token();
+    const session_hash = hash_session_token(session_token);
+    const expires_at = new Date(Date.now() + expires_in_seconds * 1000);
+    await query_create_session({ db }, session_hash, account_id, expires_at);
+    const session_cookie = await create_session_cookie_value(keyring, session_token, session_options);
+    return { session_cookie };
+};
 /**
  * Bootstrap the test-DB keeper. Direct-query shortcut for the default
  * `create_test_app` path — bootstrap is not what most tests exercise, so

package/dist/testing/cross_backend/account_lifecycle.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_lifecycle.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/account_lifecycle.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA+B9B,OAAO,EAIN,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AAGjC;;;;GAIG;AACH,MAAM,MAAM,gCAAgC,GAAG,oBAAoB,CAAC;AAEpE,eAAO,MAAM,sCAAsC,GAClD,SAAS,gCAAgC,KACvC,IA4IF,CAAC"}
+{"version":3,"file":"account_lifecycle.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/account_lifecycle.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAiC9B,OAAO,EAIN,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AAGjC;;;;GAIG;AACH,MAAM,MAAM,gCAAgC,GAAG,oBAAoB,CAAC;AAEpE,eAAO,MAAM,sCAAsC,GAClD,SAAS,gCAAgC,KACvC,IA+TF,CAAC"}

package/dist/testing/cross_backend/account_lifecycle.js

@@ -18,7 +18,8 @@ import '../assert_dev_env.js';
  * @module
  */
 import { describe, assert } from 'vitest';
-import { AccountDeleteOutput, AccountUndeleteOutput, AccountPurgeOutput, AdminAccountListOutput, ERROR_CANNOT_DELETE_KEEPER, } from '../../auth/admin_action_specs.js';
+import { AccountDeleteOutput, AccountUndeleteOutput, AccountPurgeOutput, AdminAccountListOutput, AuditLogListOutput, ERROR_CANNOT_DELETE_KEEPER, } from '../../auth/admin_action_specs.js';
+import { ERROR_ACCOUNT_NOT_FOUND, ERROR_AUTHENTICATION_REQUIRED } from '../../http/error_schemas.js';
 import { test_if } from './capabilities.js';
 import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
 import { SPINE_RPC_PATH } from './default_spine_surface.js';
@@ -56,6 +57,73 @@ export const describe_account_lifecycle_cross_tests = (options) => {
             assert.strictEqual(purge.ok, false, 'purge of keeper account must be refused');
             assert.strictEqual(error_reason(purge), ERROR_CANNOT_DELETE_KEEPER);
         });
+        test_if(capabilities.account_lifecycle, 'fail-closed: a soft-deleted account’s session + bearer credentials no longer authenticate', async () => {
+            const fixture = await setup_test();
+            const victim = await fixture.create_account({ username: 'lifecycle_failclosed' });
+            const admin_headers = fixture.create_session_headers();
+            // Sanity: the victim's session authenticates while active, so the
+            // post-deletion 401 is a real fail-closed transition, not a
+            // never-valid credential passing vacuously.
+            const before = await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'account_verify', undefined, victim.create_session_headers());
+            assert.ok(before.ok, 'victim session authenticates before deletion');
+            const deleted = expect_output(await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'account_delete', { account_id: victim.account.id }, admin_headers), AccountDeleteOutput);
+            assert.strictEqual(deleted.deleted, true);
+            // The tombstone blocks auth resolution (and the soft-delete
+            // revoked sessions/tokens) — the stale session credential must
+            // fail closed with a generic 401, not partially authenticate.
+            const session_probe = await cross_rpc_call(fixture.fresh_transport(), rpc_path, 'account_verify', undefined, victim.create_session_headers());
+            assert.strictEqual(session_probe.ok, false, 'soft-deleted account session must not authenticate');
+            assert.strictEqual(error_reason(session_probe), ERROR_AUTHENTICATION_REQUIRED);
+            // The victim's bearer token must fail closed too.
+            const bearer_probe = await cross_rpc_call(fixture.fresh_transport({ origin: null }), rpc_path, 'account_verify', undefined, victim.create_bearer_headers());
+            assert.strictEqual(bearer_probe.ok, false, 'soft-deleted account bearer token must not authenticate');
+            assert.strictEqual(error_reason(bearer_probe), ERROR_AUTHENTICATION_REQUIRED);
+        });
+        test_if(capabilities.account_lifecycle, 'keeper guard emits a fail-loud failure-audit row (drained, cross-impl)', async () => {
+            const fixture = await setup_test();
+            const t = fixture.fresh_transport();
+            // Refused keeper self-delete — the guard fires before any mutation
+            // and emits a forensic `outcome: failure` audit row.
+            const del = await cross_rpc_call(t, rpc_path, 'account_delete', { account_id: fixture.account.id }, fixture.create_session_headers());
+            assert.strictEqual(error_reason(del), ERROR_CANNOT_DELETE_KEEPER);
+            // Deterministic barrier before reading: await in-flight
+            // fire-and-forget audit writes (the real await on the Rust spine;
+            // satisfied-by-construction on the TS spine via await_pending_effects).
+            const td = fixture.fresh_transport({ origin: null });
+            const drained = await cross_rpc_call(td, rpc_path, '_testing_drain_effects', undefined, fixture.create_daemon_token_headers());
+            assert.ok(drained.ok, `_testing_drain_effects failed: ${JSON.stringify(drained.error)}`);
+            // The failure row is now authoritative on both spines. `_testing_reset`
+            // wiped audit_log at setup, so the refused delete is the only
+            // account_delete event.
+            const listed = expect_output(await cross_rpc_call(t, rpc_path, 'audit_log_list', { event_type: 'account_delete' }, fixture.create_session_headers()), AuditLogListOutput);
+            const failure = listed.events.find((e) => e.outcome === 'failure' &&
+                e.metadata?.reason === ERROR_CANNOT_DELETE_KEEPER);
+            assert.ok(failure, 'keeper-removal guard must emit an account_delete outcome=failure audit row with reason cannot_delete_keeper');
+        });
+        test_if(capabilities.account_lifecycle, 'deterministic: double-undelete → second call is not_found', async () => {
+            const fixture = await setup_test();
+            const victim = await fixture.create_account({ username: 'lifecycle_double' });
+            const t = fixture.fresh_transport();
+            const admin_headers = fixture.create_session_headers();
+            const deleted = expect_output(await cross_rpc_call(t, rpc_path, 'account_delete', { account_id: victim.account.id }, admin_headers), AccountDeleteOutput);
+            assert.strictEqual(deleted.deleted, true);
+            // First undelete clears the tombstone.
+            const undeleted = expect_output(await cross_rpc_call(t, rpc_path, 'account_undelete', { account_id: victim.account.id }, admin_headers), AccountUndeleteOutput);
+            assert.strictEqual(undeleted.undeleted, true);
+            // Second undelete on the now-active account is a deterministic
+            // not_found — the query only matches soft-deleted rows, so the
+            // outcome is the same on both spines (no silent idempotent ok).
+            const again = await cross_rpc_call(t, rpc_path, 'account_undelete', { account_id: victim.account.id }, admin_headers);
+            assert.strictEqual(again.ok, false, 'double-undelete must not silently succeed');
+            assert.strictEqual(error_reason(again), ERROR_ACCOUNT_NOT_FOUND);
+        });
+        // The last-admin guard (`ERROR_CANNOT_DELETE_LAST_ADMIN`) is **not**
+        // cross-process-testable against this fixture: the per-test keeper
+        // permanently holds `ROLE_ADMIN` (bootstrap seeds `[ROLE_KEEPER,
+        // ROLE_ADMIN]` and there is no remove-admin-from-keeper path), so a
+        // non-keeper admin is never the *sole* active admin and the guard
+        // never fires here. Its logic is covered in-process by
+        // `src/test/auth/account_keeper_guard.db.test.ts`.
         test_if(capabilities.account_lifecycle, 'admin_account_list include_deleted surfaces tombstoned rows with deleted_at set', async () => {
             const fixture = await setup_test();
             const victim = await fixture.create_account({ username: 'lifecycle_listed' });

package/dist/testing/cross_backend/actor_lookup.d.ts

@@ -0,0 +1,10 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/**
+ * Options for the actor-lookup parity suite. Shares the shape of the cell /
+ * origin suites (`setup_test` / `capabilities` / `rpc_path`); reuses
+ * `CellCrossTestOptions` rather than minting a structural duplicate.
+ */
+export type ActorLookupCrossTestOptions = CellCrossTestOptions;
+export declare const describe_actor_lookup_cross_tests: (options: ActorLookupCrossTestOptions) => void;
+//# sourceMappingURL=actor_lookup.d.ts.map

package/dist/testing/cross_backend/actor_lookup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor_lookup.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/actor_lookup.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAqC9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE;;;;GAIG;AACH,MAAM,MAAM,2BAA2B,GAAG,oBAAoB,CAAC;AAS/D,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IAkDxF,CAAC"}

package/dist/testing/cross_backend/actor_lookup.js

@@ -0,0 +1,83 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for `actor_lookup`.
+ *
+ * `actor_lookup` is an opt-in batched id → label resolver
+ * (`{ids} → {actors: [{id, username, display_name?}]}`), not folded into the
+ * standard bundle. It's live-mounted on the spine RPC path but kept off the
+ * declared surface (`create_spine_surface_spec`) — like cells / ws / sse — so
+ * the standard cross suite's generic round-trip never drives it; this
+ * dedicated suite is its validator. Three cases over raw transport calls:
+ *
+ * - **anonymous → 401** — the account-grain auth gate refuses an
+ *   unauthenticated caller before the handler runs.
+ * - **keeper resolves own actor → 200** — the populated round trip: the
+ *   returned row carries the keeper's `id` + `username`, and **no**
+ *   `account_id` / `email` / timestamp / role field (the wire shape's
+ *   deliberate info-leak posture). This is the assertion that exercises the
+ *   Rust row→JSON mapping against the TS canonical shape.
+ * - **empty `ids` → 400** — the `min(1)` input bound is enforced on both
+ *   spines (TS Zod, Rust `parse_ids`).
+ *
+ * Runs both legs via the shared `{setup_test}` protocol: the in-process leg
+ * (`auth/actor_lookup_parity.db.test.ts`, plain `gro test`) and the
+ * cross-process leg (`cross_backend/actor_lookup.cross.test.ts`, the TS spine
+ * binaries + Rust `testing_spine_stub` over real HTTP). `actor_lookup` is
+ * mounted on every spine, so the suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only), like the sibling
+ * cross-backend suites.
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { actor_lookup_action_spec } from '../../auth/actor_lookup_action_specs.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** Keys that must never appear on an `actor_lookup` result row. */
+const forbidden_row_keys = ['account_id', 'email', 'created_at', 'updated_at', 'role'];
+/** Build the JSON-RPC envelope body for an `actor_lookup` call. */
+const lookup_envelope = (ids, id) => JSON.stringify({ jsonrpc: '2.0', method: actor_lookup_action_spec.method, params: { ids }, id });
+export const describe_actor_lookup_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('actor_lookup parity', () => {
+        test('anonymous → 401 (account-grain auth gate)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: lookup_envelope([fixture.actor.id], 'anon-lookup'),
+            });
+            assert.strictEqual(res.status, 401, 'unauthenticated actor_lookup must be refused');
+        });
+        test('keeper resolves own actor → 200 with id + username, no control fields', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: lookup_envelope([fixture.actor.id], 'keeper-lookup'),
+            });
+            assert.strictEqual(res.status, 200, 'authenticated actor_lookup must succeed');
+            const body = (await res.json());
+            const actors = body.result?.actors;
+            assert(Array.isArray(actors), 'response carries an actors array');
+            assert.strictEqual(actors.length, 1, 'the keeper actor resolves to exactly one row');
+            const row = actors[0];
+            assert(row !== undefined, 'the resolved row is present');
+            assert.strictEqual(row.id, fixture.actor.id, 'resolved row id matches the requested actor');
+            assert.strictEqual(row.username, fixture.account.username, 'resolved row carries the keeper username');
+            for (const key of forbidden_row_keys) {
+                assert(!(key in row), `actor_lookup row must not leak '${key}'`);
+            }
+        });
+        test('empty ids → 400 (min(1) input bound)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: lookup_envelope([], 'empty-lookup'),
+            });
+            assert.strictEqual(res.status, 400, 'empty ids must fail input validation');
+        });
+    });
+};

package/dist/testing/cross_backend/actor_search.d.ts

@@ -0,0 +1,6 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/** Options for the actor-search parity suite (shares the cell/origin shape). */
+export type ActorSearchCrossTestOptions = CellCrossTestOptions;
+export declare const describe_actor_search_cross_tests: (options: ActorSearchCrossTestOptions) => void;
+//# sourceMappingURL=actor_search.d.ts.map

package/dist/testing/cross_backend/actor_search.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor_search.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/actor_search.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA2C9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE,gFAAgF;AAChF,MAAM,MAAM,2BAA2B,GAAG,oBAAoB,CAAC;AAS/D,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IAyDxF,CAAC"}

package/dist/testing/cross_backend/actor_search.js

@@ -0,0 +1,92 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for `actor_search`.
+ *
+ * `actor_search` is an opt-in case-insensitive prefix search over
+ * `actor.name` (`{query, scope_ids?, limit?} → {actors: [{id, username,
+ * display_name?}]}`), not folded into the standard bundle. Like
+ * `actor_lookup` / cells, it's live-mounted on the spine RPC path but kept
+ * off the declared surface, so this dedicated suite is its validator. The
+ * security property under test is the **empty-`scope_ids` admin gate**:
+ *
+ * - **anonymous → 401** — the account-grain auth gate refuses an
+ *   unauthenticated caller before the handler runs.
+ * - **non-admin + no `scope_ids` → 400** `actor_search_scope_required` — an
+ *   unbounded global search is admin-only; a non-admin must scope the query.
+ *   This is the core security assertion, exercised against each impl's real
+ *   auth resolution.
+ * - **non-admin + `scope_ids` → 200** — passing a scope bypasses the admin
+ *   requirement (results are filtered to actors holding active role_grants on
+ *   those scopes); an unheld scope simply yields an empty result, not a
+ *   rejection — proving the gate keys on `scope_ids` presence, not identity.
+ * - **admin + no `scope_ids` → 200** — the admin path reaches the unbounded
+ *   search.
+ *
+ * Cites `security.md` §Authorization (the `actor_search` scope gate).
+ *
+ * Runs both legs via the shared `{setup_test}` protocol: in-process
+ * (`auth/actor_search_parity.db.test.ts`) + cross-process
+ * (`cross_backend/actor_search.cross.test.ts`, TS spine binaries + Rust
+ * `testing_spine_stub`). Mounted on every spine, so the suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only).
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { actor_search_action_spec, ERROR_ACTOR_SEARCH_SCOPE_REQUIRED, } from '../../auth/actor_search_action_specs.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** Nil UUID — an unheld scope id (no actor holds a role_grant on it). */
+const NIL_UUID = '00000000-0000-0000-0000-000000000000';
+/** Build the JSON-RPC envelope body for an `actor_search` call. */
+const search_envelope = (params, id) => JSON.stringify({ jsonrpc: '2.0', method: actor_search_action_spec.method, params, id });
+export const describe_actor_search_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('actor_search parity', () => {
+        test('anonymous → 401 (account-grain auth gate)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a' }, 'anon-search'),
+            });
+            assert.strictEqual(res.status, 401, 'unauthenticated actor_search must be refused');
+        });
+        test('non-admin + no scope_ids → 400 actor_search_scope_required', async () => {
+            const fixture = await setup_test();
+            const account = await fixture.create_account();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { ...account.create_session_headers(), 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a' }, 'nonadmin-noscope'),
+            });
+            assert.strictEqual(res.status, 400, 'non-admin unbounded search must be rejected');
+            const body = (await res.json());
+            assert.strictEqual(body.error?.data?.reason, ERROR_ACTOR_SEARCH_SCOPE_REQUIRED, 'rejection carries the scope-required reason');
+        });
+        test('non-admin + scope_ids → 200 (scope bypasses admin gate)', async () => {
+            const fixture = await setup_test();
+            const account = await fixture.create_account();
+            const res = await fixture.fresh_transport()(rpc_path, {
+                method: 'POST',
+                headers: { ...account.create_session_headers(), 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a', scope_ids: [NIL_UUID] }, 'nonadmin-scope'),
+            });
+            assert.strictEqual(res.status, 200, 'non-admin with a scope filter is allowed');
+            const body = (await res.json());
+            assert(Array.isArray(body.result?.actors), 'response carries an actors array');
+        });
+        test('admin + no scope_ids → 200 (admin reaches unbounded search)', async () => {
+            const fixture = await setup_test();
+            const res = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: search_envelope({ query: 'a' }, 'admin-noscope'),
+            });
+            assert.strictEqual(res.status, 200, 'admin unbounded search is allowed');
+            const body = (await res.json());
+            assert(Array.isArray(body.result?.actors), 'response carries an actors array');
+        });
+    });
+};

package/dist/testing/cross_backend/app_settings.d.ts

@@ -0,0 +1,6 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/** Options for the app-settings effect suite (shares the cell/origin shape). */
+export type AppSettingsCrossTestOptions = CellCrossTestOptions;
+export declare const describe_app_settings_cross_tests: (options: AppSettingsCrossTestOptions) => void;
+//# sourceMappingURL=app_settings.d.ts.map

package/dist/testing/cross_backend/app_settings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app_settings.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/app_settings.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAsC9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE,gFAAgF;AAChF,MAAM,MAAM,2BAA2B,GAAG,oBAAoB,CAAC;AAiB/D,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IA8DxF,CAAC"}