@fuzdev/fuz_app 0.68.0 → 0.70.0

package/dist/testing/cross_backend/app_settings.js

@@ -0,0 +1,95 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend effect suite for the `open_signup` app setting.
+ *
+ * The declarative conformance table pins the admin gate on
+ * `app_settings_get` / `app_settings_update` (401 / 403 / 200). This suite
+ * pins the **behavioral effect** of the toggle end to end: an admin flips
+ * `open_signup` via `app_settings_update`, and a subsequent anonymous
+ * `POST /signup` observes the new value.
+ *
+ * - **toggle on → anonymous signup without an invite succeeds (200)** — with
+ *   `open_signup: true`, the invite gate is skipped.
+ * - **toggle off → anonymous signup is refused (403 `no_matching_invite`)** —
+ *   flipping it back restores the invite requirement, proving the gate keys
+ *   on the live value rather than a one-time read.
+ *
+ * The signup handler reads the toggle fresh from the database on every
+ * request, so the admin's write is visible to the next signup. This suite
+ * runs in a single process, so it validates the read-through *mechanism* —
+ * not multi-process consistency (which the fresh-read shape provides by
+ * construction but no single-binary test can observe).
+ *
+ * Cites `security.md` §Signup. Runs both legs via the shared `{setup_test}`
+ * protocol: in-process (`auth/app_settings_parity.db.test.ts`) +
+ * cross-process (`cross_backend/app_settings.cross.test.ts`, TS spine
+ * binaries + Rust `testing_spine_stub`). Mounted on every spine, so the
+ * suite is ungated.
+ *
+ * `$lib`-free by contract (relative specifiers only).
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { app_settings_update_action_spec } from '../../auth/admin_action_specs.js';
+import { ERROR_NO_MATCHING_INVITE } from '../../http/error_schemas.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** REST signup path on the spine surface (`/api/account` prefix + `/signup`). */
+const SIGNUP_PATH = '/api/account/signup';
+/** A password that satisfies the creation-strength schema (min 12). */
+const SIGNUP_PASSWORD = 'securepassword123';
+/** Build the JSON-RPC envelope for an `app_settings_update` call. */
+const update_envelope = (open_signup, id) => JSON.stringify({
+    jsonrpc: '2.0',
+    method: app_settings_update_action_spec.method,
+    params: { open_signup },
+    id,
+});
+export const describe_app_settings_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('app_settings open_signup effect', () => {
+        test('admin enables open_signup → anonymous signup without invite succeeds', async () => {
+            const fixture = await setup_test();
+            const enable = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: update_envelope(true, 'enable-open-signup'),
+            });
+            assert.strictEqual(enable.status, 200, 'admin app_settings_update must succeed');
+            const res = await fixture.fresh_transport()(SIGNUP_PATH, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ username: 'open_signup_user', password: SIGNUP_PASSWORD }),
+            });
+            assert.strictEqual(res.status, 200, 'open signup must admit an anonymous account');
+            const body = (await res.json());
+            assert.strictEqual(body.ok, true, 'signup response reports success');
+        });
+        test('admin disables open_signup → anonymous signup is refused (no_matching_invite)', async () => {
+            const fixture = await setup_test();
+            // Enable then disable so the assertion proves the *flip back* takes
+            // effect, not merely the closed default.
+            const enable = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: update_envelope(true, 'enable-before-disable'),
+            });
+            assert.strictEqual(enable.status, 200, 'admin app_settings_update (enable) must succeed');
+            const disable = await fixture.transport(rpc_path, {
+                method: 'POST',
+                headers: { ...fixture.create_session_headers(), 'content-type': 'application/json' },
+                body: update_envelope(false, 'disable-open-signup'),
+            });
+            assert.strictEqual(disable.status, 200, 'admin app_settings_update (disable) must succeed');
+            const res = await fixture.fresh_transport()(SIGNUP_PATH, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ username: 'closed_signup_user', password: SIGNUP_PASSWORD }),
+            });
+            assert.strictEqual(res.status, 403, 'closed signup must refuse a no-invite anonymous account');
+            const body = (await res.json());
+            assert.strictEqual(body.error, ERROR_NO_MATCHING_INVITE, 'rejection carries the no-matching-invite reason');
+        });
+    });
+};

package/dist/testing/cross_backend/backend_config.d.ts

@@ -106,7 +106,7 @@ export interface BackendConfig {
     /**
      * Capabilities this backend supports — drives `test_if(capabilities.X, ...)`
      * gating in suite bodies. See `capabilities.ts` for the vocabulary and
-     * existing flags. Cross-process backends set `in_process_only: false`.
+     * existing flags.
      */
     readonly capabilities: BackendCapabilities;
 }

package/dist/testing/cross_backend/capabilities.d.ts

@@ -66,15 +66,6 @@ export interface BackendCapabilities {
      * this flag opts a backend into the lifecycle parity coverage.
      */
     readonly account_lifecycle: boolean;
-    /**
-     * Test has direct access to backend-internal state (keyring for
-     * signing cookies, DB pool for FK-structural raw queries). Always
-     * `true` for in-process Hono via `default_in_process_setup`; always
-     * `false` cross-process. Gates the 3 keyring reads in
-     * `describe_standard_integration_tests` (expired-cookie generation)
-     * and the FK-structural raw query in `describe_audit_completeness_tests`.
-     */
-    readonly in_process_only: boolean;
 }
 /**
  * Capability declarations for the in-process Hono transport. Every flag

package/dist/testing/cross_backend/capabilities.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC;;;;;;;OAOG;IACH,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC;CAClC;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAUpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;CACpC;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBASpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}

package/dist/testing/cross_backend/capabilities.js

@@ -29,7 +29,6 @@ export const in_process_capabilities = Object.freeze({
     cell_crud: true,
     cell_relations: true,
     account_lifecycle: true,
-    in_process_only: true,
 });
 /**
  * Conditional `test()` wrapper — registers a vitest case only when

package/dist/testing/cross_backend/cell_grant_role.d.ts

@@ -0,0 +1,8 @@
+import '../assert_dev_env.js';
+import { type CellCrossTestOptions } from './cell_cross_helpers.js';
+/** App role the holder is seeded with; matches the spine's registered role. */
+export declare const CELL_EDITOR_ROLE = "cell_editor";
+/** Username the fixture seeds (via `extra_accounts`) holding `CELL_EDITOR_ROLE`. */
+export declare const CELL_ROLE_HOLDER_USERNAME = "cell_role_holder";
+export declare const describe_cell_grant_role_cross_tests: (options: CellCrossTestOptions) => void;
+//# sourceMappingURL=cell_grant_role.d.ts.map

package/dist/testing/cross_backend/cell_grant_role.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_grant_role.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_grant_role.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA6C9B,OAAO,EACN,KAAK,oBAAoB,EAIzB,MAAM,yBAAyB,CAAC;AAGjC,+EAA+E;AAC/E,eAAO,MAAM,gBAAgB,gBAAyB,CAAC;AAEvD,oFAAoF;AACpF,eAAO,MAAM,yBAAyB,qBAAqB,CAAC;AAK5D,eAAO,MAAM,oCAAoC,GAAI,SAAS,oBAAoB,KAAG,IAuIpF,CAAC"}

package/dist/testing/cross_backend/cell_grant_role.js

@@ -0,0 +1,102 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend parity suite for **role-shaped** `cell_grant`s.
+ *
+ * The cell CRUD / relations suites exercise only actor-shaped grant
+ * principals. This suite covers the role-shaped path and its closed-registry
+ * gate — the security-correctness property that the Rust spine previously
+ * lacked (it created inert grant rows for any role string). Both spines now
+ * validate the role against a closed registry at create.
+ *
+ * - **role grant admits a holder; excludes a non-holder** — an owner grants
+ *   `{role}` on a private cell; an account holding that role can `cell_get`
+ *   it (200), an account without it gets the IDOR-mask 404.
+ * - **unknown role rejected at create (security-correctness)** — granting a
+ *   role outside the registry is `invalid_params` / `cell_grant_unknown_role`,
+ *   not a silent inert row.
+ * - **editor-level role grant admits edit** — a holder of an `editor`-level
+ *   role grant can `cell_update` the cell's content.
+ *
+ * The holder is seeded via `extra_accounts` under `CELL_ROLE_HOLDER_USERNAME`
+ * holding `CELL_EDITOR_ROLE` (the role has no grant path, so it can't be
+ * offered — the bootstrap-cradle seed is the only path). Both legs configure
+ * that seed and register `CELL_EDITOR_ROLE` in their role registry; the Rust
+ * `testing_spine_stub` mirrors the same membership in its `known_roles`.
+ *
+ * Cites `security.md` §Authorization (role-shaped cell-grant validation).
+ * Runs both legs via the shared `{setup_test}` protocol: in-process
+ * (`auth/cell_grant_role_parity.db.test.ts`) + cross-process
+ * (`cross_backend/cell_grant_role.cross.test.ts`). Gated on
+ * `capabilities.cell_relations` (true on every spine, so it never skips).
+ *
+ * `$lib`-free by contract (relative specifiers only).
+ *
+ * @module
+ */
+import { describe, assert } from 'vitest';
+import { CellCreateOutput, CellGetOutput, CellUpdateOutput } from '../../auth/cell_action_specs.js';
+import { CellGrantCreateOutput, ERROR_CELL_GRANT_UNKNOWN_ROLE, } from '../../auth/cell_grant_action_specs.js';
+import { test_if } from './capabilities.js';
+import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
+import { SPINE_CELL_EDITOR_ROLE, SPINE_RPC_PATH } from './default_spine_surface.js';
+/** App role the holder is seeded with; matches the spine's registered role. */
+export const CELL_EDITOR_ROLE = SPINE_CELL_EDITOR_ROLE;
+/** Username the fixture seeds (via `extra_accounts`) holding `CELL_EDITOR_ROLE`. */
+export const CELL_ROLE_HOLDER_USERNAME = 'cell_role_holder';
+/** A role string deliberately absent from the registry. */
+const UNREGISTERED_ROLE = 'not_a_registered_role';
+export const describe_cell_grant_role_cross_tests = (options) => {
+    const { setup_test, capabilities } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('cell_grant role-shaped parity', () => {
+        test_if(capabilities.cell_relations, 'role grant admits a holder of the role and excludes a non-holder', async () => {
+            const fixture = await setup_test();
+            const t = fixture.transport;
+            const owner = await fixture.create_account({ username: 'cell_role_owner' });
+            const owner_h = owner.create_session_headers();
+            const holder = fixture.extra_accounts[CELL_ROLE_HOLDER_USERNAME];
+            assert.ok(holder, `fixture must seed the ${CELL_ROLE_HOLDER_USERNAME} extra account`);
+            const stranger = await fixture.create_account({ username: 'cell_role_stranger' });
+            // Owner creates a private cell (default visibility) and grants
+            // view access to anyone holding CELL_EDITOR_ROLE.
+            const created = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_h), CellCreateOutput);
+            const cell_id = created.cell.id;
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_grant_create', { cell_id, level: 'viewer', principal: { kind: 'role', role: CELL_EDITOR_ROLE } }, owner_h), CellGrantCreateOutput);
+            // Holder of the role is admitted through the role-shaped grant.
+            const holder_view = expect_output(await cross_rpc_call(t, rpc_path, 'cell_get', { id: cell_id }, holder.create_session_headers()), CellGetOutput);
+            assert.strictEqual(holder_view.cell.id, cell_id, 'holder sees the granted cell');
+            // A non-holder sees the IDOR-mask 404 — the grant keys on the role,
+            // not mere authentication.
+            const stranger_view = await cross_rpc_call(t, rpc_path, 'cell_get', { id: cell_id }, stranger.create_session_headers());
+            assert.ok(!stranger_view.ok, 'non-holder must not see the cell');
+            assert.strictEqual(error_reason(stranger_view), 'cell_not_found');
+        });
+        test_if(capabilities.cell_relations, 'role-shaped grant for an unregistered role is rejected at create', async () => {
+            const fixture = await setup_test();
+            const t = fixture.transport;
+            const owner = await fixture.create_account({ username: 'cell_unknown_role_owner' });
+            const owner_h = owner.create_session_headers();
+            const created = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_h), CellCreateOutput);
+            const denied = await cross_rpc_call(t, rpc_path, 'cell_grant_create', {
+                cell_id: created.cell.id,
+                level: 'viewer',
+                principal: { kind: 'role', role: UNREGISTERED_ROLE },
+            }, owner_h);
+            assert.ok(!denied.ok, 'granting an unregistered role must fail');
+            assert.strictEqual(error_reason(denied), ERROR_CELL_GRANT_UNKNOWN_ROLE);
+        });
+        test_if(capabilities.cell_relations, 'editor-level role grant admits content edit', async () => {
+            const fixture = await setup_test();
+            const t = fixture.transport;
+            const owner = await fixture.create_account({ username: 'cell_role_edit_owner' });
+            const owner_h = owner.create_session_headers();
+            const holder = fixture.extra_accounts[CELL_ROLE_HOLDER_USERNAME];
+            assert.ok(holder, `fixture must seed the ${CELL_ROLE_HOLDER_USERNAME} extra account`);
+            const created = expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', { data: { kind: 'note' } }, owner_h), CellCreateOutput);
+            const cell_id = created.cell.id;
+            expect_output(await cross_rpc_call(t, rpc_path, 'cell_grant_create', { cell_id, level: 'editor', principal: { kind: 'role', role: CELL_EDITOR_ROLE } }, owner_h), CellGrantCreateOutput);
+            const edited = expect_output(await cross_rpc_call(t, rpc_path, 'cell_update', { cell_id, data: { kind: 'note', label: 'by role editor' } }, holder.create_session_headers()), CellUpdateOutput);
+            assert.strictEqual(edited.cell.updated_by, holder.actor.id, 'edit attributed to the holder');
+        });
+    });
+};

package/dist/testing/cross_backend/conformance_case.d.ts

@@ -0,0 +1,144 @@
+import '../assert_dev_env.js';
+/**
+ * Declarative conformance-case schema for the cross-backend behavioral +
+ * security suite.
+ *
+ * A conformance case is a single request → expected-response assertion,
+ * carried as **data**. The case references a `method` (an RPC method name
+ * or a REST auth-route suffix); the runner
+ * (`describe_conformance_table_tests`) resolves the `input` / `output`
+ * Zod schemas from the live action-spec registry / `RouteSpec` — the case
+ * never carries a schema. This is the opinionated behavioral/security
+ * layer on top of the spec-derived auto-enumeration
+ * (`describe_rpc_round_trip_tests` / `describe_rpc_attack_surface_tests`):
+ * the same case definition runs in-process (fast, every `gro test`) and
+ * cross-process (the conformance gate) against each impl's real auth
+ * resolution.
+ *
+ * The table is for single-request matrices (credential-type ceiling,
+ * privilege gates, IDOR masks, enumeration-equivalence, validation).
+ * Multi-step flows stay imperative in their own `describe_*` suites,
+ * sharing assertion primitives — there is deliberately no declarative
+ * setup DSL.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Closed enum of fixture-provisioned principals a case runs `as`. Each
+ * value maps to a `TestFixture` accessor (or a seeded `extra_accounts`
+ * entry) in the runner's `resolve_principal` — there is **no** inline
+ * credential minting in a case (that would be the setup-DSL trap).
+ *
+ * - `keeper` — the per-test bootstrapped keeper (holds `ROLE_KEEPER` +
+ *   `ROLE_ADMIN`), session credential.
+ * - `daemon` — the keeper authenticated via the daemon-token header.
+ * - `token` — the keeper authenticated via a bearer api-token (non-browser
+ *   context; the runner suppresses `Origin` so the token isn't discarded).
+ * - `anonymous` — no credential, fresh cookie jar.
+ * - `fresh_non_admin` — a freshly minted account with no roles, session
+ *   credential (via the production invite → signup → login flow).
+ * - `role_holder` — a seeded `extra_accounts` principal holding a specific
+ *   role; the runner reads it by the username named in
+ *   `ConformanceTableOptions.principals.role_holder`.
+ * - `wrong_role` — a seeded `extra_accounts` principal holding a role
+ *   other than the one a route requires; named via
+ *   `ConformanceTableOptions.principals.wrong_role`.
+ * - `expired_session` — the keeper account presented via an *expired
+ *   server-side session* cookie (minted by `fixture.mint_expired_session()`:
+ *   a backdated `auth_session` row behind a still-valid signed cookie
+ *   payload, so the authoritative DB-row expiry gate is what refuses it).
+ */
+export declare const ConformancePrincipal: z.ZodEnum<{
+    keeper: "keeper";
+    token: "token";
+    daemon: "daemon";
+    anonymous: "anonymous";
+    fresh_non_admin: "fresh_non_admin";
+    role_holder: "role_holder";
+    wrong_role: "wrong_role";
+    expired_session: "expired_session";
+}>;
+export type ConformancePrincipal = z.infer<typeof ConformancePrincipal>;
+/** The request a conformance case issues. */
+export declare const ConformanceCaseRequest: z.ZodObject<{
+    method: z.ZodString;
+    params: z.ZodOptional<z.ZodUnknown>;
+    as: z.ZodEnum<{
+        keeper: "keeper";
+        token: "token";
+        daemon: "daemon";
+        anonymous: "anonymous";
+        fresh_non_admin: "fresh_non_admin";
+        role_holder: "role_holder";
+        wrong_role: "wrong_role";
+        expired_session: "expired_session";
+    }>;
+    verb: z.ZodOptional<z.ZodEnum<{
+        GET: "GET";
+        POST: "POST";
+    }>>;
+}, z.core.$strict>;
+export type ConformanceCaseRequest = z.infer<typeof ConformanceCaseRequest>;
+/** The expected response shape a conformance case asserts. */
+export declare const ConformanceCaseExpectation: z.ZodObject<{
+    status: z.ZodNumber;
+    error_reason: z.ZodOptional<z.ZodString>;
+    fields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strict>;
+export type ConformanceCaseExpectation = z.infer<typeof ConformanceCaseExpectation>;
+/**
+ * Marks a case as a deferred-by-design gap. The runner routes it through
+ * `xfail_until` instead of a normal `test` — visible (distinct from pass)
+ * and self-cleaning (flips red when the impl starts passing, forcing the
+ * marker's removal). Use for declared gaps (e.g. facts), never for
+ * in-scope gaps (those fail loud as a red `test`).
+ */
+export declare const ConformanceCaseXfail: z.ZodObject<{
+    tracking_id: z.ZodString;
+    reason: z.ZodString;
+}, z.core.$strict>;
+export type ConformanceCaseXfail = z.infer<typeof ConformanceCaseXfail>;
+/**
+ * A single conformance case. `name` is the assertion; the optional
+ * free-text `note` is printed in the test label / failure output. A
+ * security case's `note` should reference a **public** fuz_app doc
+ * property (`security.md` / `architecture.md` / module TSDoc), since the
+ * table ships in a public package — not an internal planning doc. The note
+ * is documentation, not a gate: it stays free-text by design because a
+ * non-empty-string check never catches a *wrong* citation — the citation
+ * is verified in review.
+ */
+export declare const ConformanceCase: z.ZodObject<{
+    name: z.ZodString;
+    request: z.ZodObject<{
+        method: z.ZodString;
+        params: z.ZodOptional<z.ZodUnknown>;
+        as: z.ZodEnum<{
+            keeper: "keeper";
+            token: "token";
+            daemon: "daemon";
+            anonymous: "anonymous";
+            fresh_non_admin: "fresh_non_admin";
+            role_holder: "role_holder";
+            wrong_role: "wrong_role";
+            expired_session: "expired_session";
+        }>;
+        verb: z.ZodOptional<z.ZodEnum<{
+            GET: "GET";
+            POST: "POST";
+        }>>;
+    }, z.core.$strict>;
+    expect: z.ZodObject<{
+        status: z.ZodNumber;
+        error_reason: z.ZodOptional<z.ZodString>;
+        fields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strict>;
+    note: z.ZodOptional<z.ZodString>;
+    xfail: z.ZodOptional<z.ZodObject<{
+        tracking_id: z.ZodString;
+        reason: z.ZodString;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type ConformanceCase = z.infer<typeof ConformanceCase>;
+//# sourceMappingURL=conformance_case.d.ts.map

package/dist/testing/cross_backend/conformance_case.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"conformance_case.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/conformance_case.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;EAS/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,6CAA6C;AAC7C,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;kBAgBjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,8DAA8D;AAC9D,eAAO,MAAM,0BAA0B;;;;kBAqBrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB;;;kBAK/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;GASG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAS1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC"}

package/dist/testing/cross_backend/conformance_case.js

@@ -0,0 +1,132 @@
+import '../assert_dev_env.js';
+/**
+ * Declarative conformance-case schema for the cross-backend behavioral +
+ * security suite.
+ *
+ * A conformance case is a single request → expected-response assertion,
+ * carried as **data**. The case references a `method` (an RPC method name
+ * or a REST auth-route suffix); the runner
+ * (`describe_conformance_table_tests`) resolves the `input` / `output`
+ * Zod schemas from the live action-spec registry / `RouteSpec` — the case
+ * never carries a schema. This is the opinionated behavioral/security
+ * layer on top of the spec-derived auto-enumeration
+ * (`describe_rpc_round_trip_tests` / `describe_rpc_attack_surface_tests`):
+ * the same case definition runs in-process (fast, every `gro test`) and
+ * cross-process (the conformance gate) against each impl's real auth
+ * resolution.
+ *
+ * The table is for single-request matrices (credential-type ceiling,
+ * privilege gates, IDOR masks, enumeration-equivalence, validation).
+ * Multi-step flows stay imperative in their own `describe_*` suites,
+ * sharing assertion primitives — there is deliberately no declarative
+ * setup DSL.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Closed enum of fixture-provisioned principals a case runs `as`. Each
+ * value maps to a `TestFixture` accessor (or a seeded `extra_accounts`
+ * entry) in the runner's `resolve_principal` — there is **no** inline
+ * credential minting in a case (that would be the setup-DSL trap).
+ *
+ * - `keeper` — the per-test bootstrapped keeper (holds `ROLE_KEEPER` +
+ *   `ROLE_ADMIN`), session credential.
+ * - `daemon` — the keeper authenticated via the daemon-token header.
+ * - `token` — the keeper authenticated via a bearer api-token (non-browser
+ *   context; the runner suppresses `Origin` so the token isn't discarded).
+ * - `anonymous` — no credential, fresh cookie jar.
+ * - `fresh_non_admin` — a freshly minted account with no roles, session
+ *   credential (via the production invite → signup → login flow).
+ * - `role_holder` — a seeded `extra_accounts` principal holding a specific
+ *   role; the runner reads it by the username named in
+ *   `ConformanceTableOptions.principals.role_holder`.
+ * - `wrong_role` — a seeded `extra_accounts` principal holding a role
+ *   other than the one a route requires; named via
+ *   `ConformanceTableOptions.principals.wrong_role`.
+ * - `expired_session` — the keeper account presented via an *expired
+ *   server-side session* cookie (minted by `fixture.mint_expired_session()`:
+ *   a backdated `auth_session` row behind a still-valid signed cookie
+ *   payload, so the authoritative DB-row expiry gate is what refuses it).
+ */
+export const ConformancePrincipal = z.enum([
+    'keeper',
+    'daemon',
+    'token',
+    'anonymous',
+    'fresh_non_admin',
+    'role_holder',
+    'wrong_role',
+    'expired_session',
+]);
+/** The request a conformance case issues. */
+export const ConformanceCaseRequest = z.strictObject({
+    method: z.string().meta({
+        description: 'RPC method name (e.g. `admin_account_list`) or a REST auth-route suffix ' +
+            '(e.g. `/login`). A leading `/` selects the REST branch; otherwise the ' +
+            'runner resolves the RPC action from the spec registry.',
+    }),
+    params: z
+        .unknown()
+        .optional()
+        .meta({ description: 'Request params / body. Omit for nullary methods.' }),
+    as: ConformancePrincipal,
+    verb: z
+        .enum(['POST', 'GET'])
+        .optional()
+        .meta({ description: 'HTTP verb. Defaults to POST; use GET for `side_effects: false` reads.' }),
+});
+/** The expected response shape a conformance case asserts. */
+export const ConformanceCaseExpectation = z.strictObject({
+    status: z.number().int().meta({ description: 'Expected HTTP status code.' }),
+    error_reason: z
+        .string()
+        .optional()
+        .meta({
+        description: 'Expected error reason — pass the IMPORTED `ERROR_*` constant from ' +
+            '`http/error_schemas.ts`, never a string literal. Asserted against the RPC ' +
+            '`error.data.reason` (when the denial carries one) or the REST flat-body ' +
+            '`error` field. The pre-validation 401 carries `data.reason` too; a denial ' +
+            'that genuinely omits it falls back to the `status` assertion to pin the class.',
+    }),
+    fields: z
+        .record(z.string(), z.unknown())
+        .optional()
+        .meta({
+        description: 'Specific field-value assertions on the success `result` (2xx) or the error ' +
+            '`error.data` (non-2xx). Each key must deep-equal the corresponding response field.',
+    }),
+});
+/**
+ * Marks a case as a deferred-by-design gap. The runner routes it through
+ * `xfail_until` instead of a normal `test` — visible (distinct from pass)
+ * and self-cleaning (flips red when the impl starts passing, forcing the
+ * marker's removal). Use for declared gaps (e.g. facts), never for
+ * in-scope gaps (those fail loud as a red `test`).
+ */
+export const ConformanceCaseXfail = z.strictObject({
+    tracking_id: z
+        .string()
+        .meta({ description: 'Tracking id for the deferred gap (issue id or tracking slug).' }),
+    reason: z.string().meta({ description: 'Why this case is deferred-by-design.' }),
+});
+/**
+ * A single conformance case. `name` is the assertion; the optional
+ * free-text `note` is printed in the test label / failure output. A
+ * security case's `note` should reference a **public** fuz_app doc
+ * property (`security.md` / `architecture.md` / module TSDoc), since the
+ * table ships in a public package — not an internal planning doc. The note
+ * is documentation, not a gate: it stays free-text by design because a
+ * non-empty-string check never catches a *wrong* citation — the citation
+ * is verified in review.
+ */
+export const ConformanceCase = z.strictObject({
+    name: z.string().meta({ description: 'The assertion, used as the test label.' }),
+    request: ConformanceCaseRequest,
+    expect: ConformanceCaseExpectation,
+    note: z
+        .string()
+        .optional()
+        .meta({ description: 'Free-text note printed in the label / failure output.' }),
+    xfail: ConformanceCaseXfail.optional(),
+});

package/dist/testing/cross_backend/conformance_table.d.ts

@@ -0,0 +1,46 @@
+import '../assert_dev_env.js';
+import type { AppSurfaceSpec } from '../../http/surface.js';
+import type { SessionOptions } from '../../auth/session_cookie.js';
+import { type RpcEndpointsSuiteOption } from '../rpc_helpers.js';
+import { type ConformanceCase } from './conformance_case.js';
+import type { BackendCapabilities } from './capabilities.js';
+import type { SetupTest } from './setup.js';
+/**
+ * Names a seeded `extra_accounts` username for the `role_holder` /
+ * `wrong_role` principals — the only two that aren't backed by an
+ * always-available fixture accessor. Suites exercising those principals
+ * declare the matching `extra_accounts` at setup and name them here.
+ */
+export interface ConformancePrincipalConfig {
+    /** `extra_accounts` username for the `role_holder` principal. */
+    readonly role_holder?: string;
+    /** `extra_accounts` username for the `wrong_role` principal. */
+    readonly wrong_role?: string;
+}
+/** Options for `describe_conformance_table_tests`. */
+export interface ConformanceTableOptions {
+    /** The conformance cases to run, in order. */
+    readonly cases: ReadonlyArray<ConformanceCase>;
+    /** Per-test fixture producer (in-process or cross-process). */
+    readonly setup_test: SetupTest;
+    /** Surface spec — supplies the `RouteSpec`s for the REST branch. */
+    readonly surface_source: AppSurfaceSpec;
+    /** Declared backend capabilities (reserved for capability-gated rows). */
+    readonly capabilities: BackendCapabilities;
+    /** RPC endpoints — resolved to find each method's action spec. */
+    readonly rpc_endpoints: RpcEndpointsSuiteOption;
+    /** Session options — needed to resolve the `rpc_endpoints` factory form. */
+    readonly session_options: SessionOptions<string>;
+    /** Maps the `role_holder` / `wrong_role` principals to seeded usernames. */
+    readonly principals?: ConformancePrincipalConfig;
+    /** `describe` block label. Defaults to `'conformance table'`. */
+    readonly suite_name?: string;
+}
+/**
+ * Register a `describe` block running every `ConformanceCase` as a
+ * vitest `test` (or `xfail_until` for deferred-by-design rows). Drives
+ * either transport via the shared `{setup_test, surface_source,
+ * capabilities}` protocol.
+ */
+export declare const describe_conformance_table_tests: (options: ConformanceTableOptions) => void;
+//# sourceMappingURL=conformance_table.d.ts.map

package/dist/testing/cross_backend/conformance_table.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"conformance_table.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/conformance_table.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAwB9B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAE1D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAMjE,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAC,KAAK,eAAe,EAA4B,MAAM,uBAAuB,CAAC;AACtF,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,YAAY,CAAC;AAGvD;;;;;GAKG;AACH,MAAM,WAAW,0BAA0B;IAC1C,iEAAiE;IACjE,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,gEAAgE;IAChE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,sDAAsD;AACtD,MAAM,WAAW,uBAAuB;IACvC,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC/C,+DAA+D;IAC/D,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,oEAAoE;IACpE,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,0EAA0E;IAC1E,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;IAC3C,kEAAkE;IAClE,QAAQ,CAAC,aAAa,EAAE,uBAAuB,CAAC;IAChD,4EAA4E;IAC5E,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD,4EAA4E;IAC5E,QAAQ,CAAC,UAAU,CAAC,EAAE,0BAA0B,CAAC;IACjD,iEAAiE;IACjE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC7B;AAgOD;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,uBAAuB,KAAG,IAgBnF,CAAC"}