@fuzdev/fuz_app 0.74.0 → 0.76.0

package/dist/server/serve_fact_route.js

@@ -1,38 +1,67 @@
 /**
- * `GET /api/facts/:hash` — content-addressed fact serving.
+ * Content-addressed fact serving — cell-scoped, per-reference reads.
  *
- * Resolves a fact hash to the bytes referenced by at least one viewable
- * cell. Embedded facts stream from the `facts.bytes` PG column;
- * external facts (filesystem-backed `file:<shard>/<rest>` URLs) either
- * return an `X-Accel-Redirect` header pointing into nginx's internal
- * facts location (production) or stream from disk via the filesystem
- * `FactExternalFetcher` (dev / tests). The runtime mode is selected by
- * the optional `x_accel_redirect_prefix` factory option — set in prod,
- * unset in dev.
+ * Two routes serve fact bytes from the PG-backed fact store:
+ *
+ * - `GET /api/cells/:cell_id/facts/:hash` — the **per-reference read**.
+ *   The request names the referencing cell. Authz is scoped to that one
+ *   reference: `can_view_cell(caller, cell) AND cell.refs includes hash`.
+ *   This is the path non-admin callers use, and the only path for
+ *   confidential content.
+ * - `GET /api/facts/:hash` — the **bare-hash read**, restricted to admins.
+ *
+ * Embedded facts stream from the `fact.bytes` PG column; external facts
+ * (filesystem-backed `file:<shard>/<rest>` URLs) either return an
+ * `X-Accel-Redirect` header pointing into nginx's internal facts location
+ * (production) or stream from disk via the filesystem `FactExternalFetcher`
+ * (dev / tests). The runtime mode is selected by the optional
+ * `x_accel_redirect_prefix` factory option — set in prod, unset in dev.
  *
  * REST, not RPC: binary responses don't fit the JSON-RPC envelope.
  *
- * ## Authorization
- *
- * Auth is `{account: 'none', actor: 'none'}` — the dispatcher's
- * authorization phase is skipped for pure-public routes, so this handler
- * builds the `RequestContext` itself from `c.var.account_id` (populated
- * by the `/api/*` session middleware) by resolving the caller's single
- * actor and loading their role_grants. Unauthed callers pass through
- * with `req_ctx: null`. Viewers are admitted via `can_view_cell` over
- * **every** active cell that references the hash. Multi-actor accounts
- * fall through with `req_ctx: null` — there's no `acting?` slot on a
- * pure-public route, so multi-actor callers are treated as anonymous
- * (admitted only by the public-visibility branch). A fact is viewable iff
- * at least one referencing cell admits the caller; unauthenticated callers
- * are admitted only via a referencing cell with `cell.visibility ===
- * 'public'`. Facts with no referencing active cell are unreachable here —
- * orphan-fact GC reaps them separately.
- *
- * 404 is the universal "not viewable" response: missing fact, missing
- * referencing cell, all referencing cells private to other actors. We
- * deliberately don't distinguish 403 from 404 — the existence of a
- * private hash should not leak through the public surface.
+ * ## Authorization — authz lives on the cell→fact edge, not the hash
+ *
+ * Facts are global, content-addressed, owner-less bytes: identical bytes
+ * from different owners dedup to **one** `fact` row. Keying access control
+ * on the bare hash therefore unions visibility across every owner that
+ * references it — A's private bytes leak the instant B references identical
+ * bytes from a public cell. The fix is to scope authz to the
+ * `(cell, hash)` edge: a caller reads a fact *through a specific cell it
+ * can view that references the hash*. Dedup becomes a pure storage
+ * optimization with zero authz consequence — whether two owners' bytes
+ * share a `fact` row is invisible to the read check.
+ *
+ * The cell-scoped route resolves the named cell, requires
+ * `can_view_cell(caller, cell)`, and requires `cell.refs` to include the
+ * hash. B publishing identical bytes from B's public cell makes them
+ * readable *via B's cell* — it never touches A's private reference.
+ *
+ * The bare-hash route is **admin-only**: an admin's reach already spans
+ * every cell, so serving by bare hash grants no escalation. Non-admin
+ * callers are rejected at the auth phase and never reach the handler.
+ * (Explicitly-public facts — a producer opting bytes into world-readable
+ * status — are a future refinement; there is no such concept today, so
+ * the bare-hash route stays strictly admin-gated.)
+ *
+ * Auth shape on the cell-scoped route is `{account: 'none', actor: 'none'}`
+ * — the dispatcher's authorization phase is skipped for pure-public routes,
+ * so the handler builds the `RequestContext` itself from `c.var.account_id`
+ * (populated by the `/api/*` session middleware) by resolving the caller's
+ * single actor and loading their role_grants. Unauthed callers pass through
+ * with `req_ctx: null` and are admitted only by a `cell.visibility ===
+ * 'public'` cell. Multi-actor accounts fall through with `req_ctx: null`
+ * — there's no `acting?` slot on a pure-public route, so multi-actor
+ * callers are treated as anonymous.
+ *
+ * 404 is the universal "not viewable" response: missing fact, missing or
+ * unviewable cell, or the cell doesn't reference the hash. We deliberately
+ * don't distinguish 403 from 404 — neither the existence of a fact nor the
+ * existence of a cell→fact edge should leak through the public surface.
+ *
+ * Content-addressed serving of inline `blake3:` images (a markdown doc cell
+ * with embedded image refs) works through this model: the referencing cell
+ * is the doc cell, so serving goes view-doc-cell → doc-cell-refs-include-hash
+ * → serve.
  *
  * ## Defense-in-depth
  *
@@ -47,151 +76,223 @@ import { createReadStream } from 'node:fs';
 import { Readable } from 'node:stream';
 import { join } from 'node:path';
 import { FactHashSchema } from '@fuzdev/fuz_util/fact_hash.js';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { z } from 'zod';
-import { build_request_context } from '../auth/request_context.js';
+import { build_request_context, get_request_context, has_role, } from '../auth/request_context.js';
+import { ROLE_ADMIN } from '../auth/role_schema.js';
+import { ActingActor } from '../http/auth_shape.js';
 import { ACCOUNT_ID_KEY } from '../hono_context.js';
 import { query_actors_by_account } from '../auth/account_queries.js';
 import { get_route_params } from '../http/route_spec.js';
 import { ERROR_INVALID_ROUTE_PARAMS } from '../http/error_schemas.js';
 import { query_get_fact, query_get_fact_meta } from '../db/fact_queries.js';
-import { query_cell_list_by_ref } from '../db/cell_queries.js';
+import { query_cell_get } from '../db/cell_queries.js';
 import { query_cell_grant_list_for_cell } from '../db/cell_grant_queries.js';
 import { can_view_cell } from '../auth/cell_authorize.js';
 import { parse_file_fact_url } from './file_fact_url.js';
 /** `Cache-Control` for fact responses — 5 min revocation window. */
 const CACHE_CONTROL = 'private, max-age=300';
 /**
- * Path-param schema. Matching the canonical fact-hash form here pushes
- * malformed-hash 400s through the framework's standard params-validation
- * error shape (`ERROR_INVALID_ROUTE_PARAMS`), which the round-trip
- * validator expects.
+ * Path-param schema for the bare-hash route. Matching the canonical
+ * fact-hash form here pushes malformed-hash 400s through the framework's
+ * standard params-validation error shape (`ERROR_INVALID_ROUTE_PARAMS`),
+ * which the round-trip validator expects.
+ */
+const bare_hash_params_schema = z.strictObject({
+    hash: FactHashSchema,
+});
+/**
+ * Path-param schema for the cell-scoped route. `cell_id` validates as a
+ * `Uuid`; `hash` as the canonical fact-hash form. Malformed values 400 via
+ * the standard params-validation shape.
  */
-const params_schema = z.strictObject({
+const cell_fact_params_schema = z.strictObject({
+    cell_id: Uuid,
     hash: FactHashSchema,
 });
+/** Shared error-schema entry: tighten the auto-derived 400 to the literal emitted by params validation. */
+const params_400_error = {
+    400: z.looseObject({
+        error: z.literal(ERROR_INVALID_ROUTE_PARAMS),
+        issues: z.array(z.unknown()),
+    }),
+};
+/**
+ * Serve a fact's bytes by hash, after the caller has been authorized for it.
+ *
+ * This is the shared tail of both routes — it never re-checks authz, so it
+ * MUST only be called once the caller has been admitted (admin on the
+ * bare-hash route, viewable referencing cell on the cell-scoped route).
+ * Reuses the embedded-stream / `X-Accel-Redirect` / disk-stream logic.
+ *
+ * Returns 404 when the fact's metadata is missing or its embedded bytes
+ * have vanished (a race), so the response shape is identical whether the
+ * fact is genuinely absent or merely unviewable.
+ */
+const serve_fact_bytes = async (c, route, hash, config) => {
+    const { facts_dir, x_accel_redirect_prefix, log } = config;
+    const meta = await query_get_fact_meta({ db: route.db }, hash);
+    if (!meta) {
+        return c.body(null, 404);
+    }
+    const content_type = meta.content_type ?? 'application/octet-stream';
+    const size = String(meta.size);
+    if (meta.external_url === null) {
+        // Embedded — bytes live in the PG row.
+        const row = await query_get_fact({ db: route.db }, hash);
+        if (!row || row.bytes === null) {
+            // Race: meta said embedded but bytes vanished. Treat as not-found.
+            log.warn(`serve_fact: embedded bytes missing for ${hash} (meta said embedded, row=${row ? 'present' : 'null'})`);
+            return c.body(null, 404);
+        }
+        const bytes = to_uint8(row.bytes);
+        return c.body(bytes, 200, {
+            'Content-Type': content_type,
+            'Content-Length': size,
+            'Cache-Control': CACHE_CONTROL,
+        });
+    }
+    // External — defense-in-depth re-validate the URL before trusting it
+    // to address the filesystem.
+    const parsed = parse_file_fact_url(meta.external_url);
+    if (!parsed) {
+        log.error(`serve_fact: rejecting malformed external_url for ${hash}: ${meta.external_url}`);
+        return c.body(null, 404);
+    }
+    const { shard, rest } = parsed;
+    if (x_accel_redirect_prefix !== undefined) {
+        // Production: hand off to nginx via the internal facts location.
+        return c.body(null, 200, {
+            'Content-Type': content_type,
+            'Content-Length': size,
+            'Cache-Control': CACHE_CONTROL,
+            'X-Accel-Redirect': `${x_accel_redirect_prefix}${shard}/${rest}`,
+        });
+    }
+    // Dev / tests: stream from disk. `createReadStream` errors land on the
+    // returned ReadableStream, which Hono surfaces as a 500 to the client.
+    const file_path = join(facts_dir, shard, rest);
+    const node_stream = createReadStream(file_path);
+    const web_stream = Readable.toWeb(node_stream);
+    return c.body(web_stream, 200, {
+        'Content-Type': content_type,
+        'Content-Length': size,
+        'Cache-Control': CACHE_CONTROL,
+    });
+};
 /**
- * Build the `GET /api/facts/:hash` `RouteSpec`.
+ * Resolve the caller's `RequestContext` on a pure-public route from the
+ * session-middleware-set account id. Multi-actor accounts return `null`
+ * (no `acting?` slot on a public route to disambiguate); single-actor
+ * accounts resolve their actor and role_grants for owner / grant / admin
+ * admission paths. Unauthenticated callers return `null`.
+ */
+const build_public_request_context = async (c, route) => {
+    const account_id = c.get(ACCOUNT_ID_KEY);
+    if (!account_id)
+        return null;
+    const actors = await query_actors_by_account({ db: route.db }, account_id);
+    if (actors.length !== 1)
+        return null;
+    return build_request_context({ db: route.db }, account_id, actors[0].id);
+};
+/**
+ * Build the cell-scoped `GET /api/cells/:cell_id/facts/:hash` `RouteSpec`
+ * — the per-reference read.
+ *
+ * Resolves the named cell (404 if missing / soft-deleted), requires
+ * `can_view_cell(caller, cell)` AND `cell.refs` to include the hash
+ * (else 404, masked), then serves the bytes. Authz is scoped to this one
+ * `(cell, hash)` edge — never unioned across the fact's other referrers.
  *
  * Pure-public auth — the handler builds the per-request `RequestContext`
- * from `c.var.account_id` and enforces visibility per-fact via the
- * cell-walk above.
+ * from `c.var.account_id` and enforces visibility per-reference.
  */
-export const create_serve_fact_route_spec = (options) => {
+export const create_serve_cell_fact_route_spec = (options) => {
     const { facts_dir, x_accel_redirect_prefix, log } = options;
+    const config = { facts_dir, x_accel_redirect_prefix, log };
     return {
         method: 'GET',
-        path: '/api/facts/:hash',
+        path: '/api/cells/:cell_id/facts/:hash',
         auth: { account: 'none', actor: 'none' },
-        description: 'Serve content-addressed fact bytes. 404 unless at least one referencing cell admits the caller via can_view_cell.',
-        params: params_schema,
+        description: 'Serve content-addressed fact bytes through a named referencing cell. 404 unless the cell admits the caller via can_view_cell AND references the hash (per-reference, never union-of-referrers).',
+        params: cell_fact_params_schema,
         input: z.null(),
         // The body is a binary stream; no JSON output schema applies.
         output: z.null(),
-        errors: {
-            // Tighten the auto-derived 400 from `ApiError` (`error: string`) to
-            // the actual literal emitted by `create_params_validation`, so
-            // `assert_error_schema_tightness` reads the surface as specific
-            // rather than generic.
-            400: z.looseObject({
-                error: z.literal(ERROR_INVALID_ROUTE_PARAMS),
-                issues: z.array(z.unknown()),
-            }),
-        },
+        errors: params_400_error,
         handler: async (c, route) => {
-            const { hash } = get_route_params(c);
-            const meta = await query_get_fact_meta({ db: route.db }, hash);
-            if (!meta) {
+            const { cell_id, hash } = get_route_params(c);
+            // Resolve the named cell. Missing / soft-deleted → 404 (masked).
+            const cell = await query_cell_get({ db: route.db }, cell_id);
+            if (!cell) {
                 return c.body(null, 404);
             }
-            // Pure-public route — dispatcher skips the authorization phase, so
-            // build the `RequestContext` here from the session-middleware-set
-            // account id. Multi-actor accounts fall through with `null` (no
-            // `acting?` slot on a public route to disambiguate); single-actor
-            // accounts resolve their actor and role_grants for owner / grant /
-            // admin admission paths.
-            const account_id = c.get(ACCOUNT_ID_KEY);
-            let req_ctx = null;
-            if (account_id) {
-                const actors = await query_actors_by_account({ db: route.db }, account_id);
-                if (actors.length === 1) {
-                    req_ctx = await build_request_context({ db: route.db }, account_id, actors[0].id);
-                }
-            }
-            // `include_grant_count: false` — the authz walk only reads
-            // `can_view_cell`-relevant fields, so skip the per-row grant
-            // COUNT subquery. Cheap to begin with; even cheaper now.
-            const referencing_cells = await query_cell_list_by_ref({ db: route.db }, hash, {
-                include_grant_count: false,
-            });
-            // Sequential walk with early break on first admit — preserves
-            // the original `.some()` short-circuit. Unauthenticated callers
-            // skip the grant fetch entirely since no grant can admit a null
-            // req_ctx (the only admit path is the public-visibility branch
-            // in `can_view_cell`, which doesn't need grants). Authenticated
-            // callers eat one `cell_grant` lookup per referencing cell up
-            // to the first admit; acceptable at MVP fact-serve scale.
-            // TODO: if profiling shows this hot, batch grants in one query
-            // across all referencing cells, or push the predicate into SQL.
-            let viewable = false;
-            for (const cell of referencing_cells) {
-                const grants = req_ctx
-                    ? await query_cell_grant_list_for_cell({ db: route.db }, cell.id)
-                    : null;
-                if (can_view_cell(req_ctx, cell, grants)) {
-                    viewable = true;
-                    break;
-                }
-            }
-            if (!viewable) {
-                // 404 (not 403) so existence of private hashes doesn't leak
-                // through the public surface. Same response shape as a
-                // genuinely missing fact.
+            // The cell→fact edge: the cell must actually reference the hash.
+            // `cell.refs` is auto-derived from `data` on every write, so this is
+            // the authoritative "does this cell reference these bytes" check.
+            // Missing edge → 404 (masked), never "exists elsewhere".
+            if (!cell.refs?.includes(hash)) {
                 return c.body(null, 404);
             }
-            const content_type = meta.content_type ?? 'application/octet-stream';
-            const size = String(meta.size);
-            if (meta.external_url === null) {
-                // Embedded — bytes live in the PG row.
-                const row = await query_get_fact({ db: route.db }, hash);
-                if (!row || row.bytes === null) {
-                    // Race: meta said embedded but bytes vanished. Treat as not-found.
-                    log.warn(`serve_fact: embedded bytes missing for ${hash} (meta said embedded, row=${row ? 'present' : 'null'})`);
-                    return c.body(null, 404);
-                }
-                const bytes = to_uint8(row.bytes);
-                return c.body(bytes, 200, {
-                    'Content-Type': content_type,
-                    'Content-Length': size,
-                    'Cache-Control': CACHE_CONTROL,
-                });
-            }
-            // External — defense-in-depth re-validate the URL before trusting it
-            // to address the filesystem.
-            const parsed = parse_file_fact_url(meta.external_url);
-            if (!parsed) {
-                log.error(`serve_fact: rejecting malformed external_url for ${hash}: ${meta.external_url}`);
+            // Per-reference view check — scoped to *this* cell only.
+            const req_ctx = await build_public_request_context(c, route);
+            // Unauthenticated callers skip the grant fetch entirely — no grant
+            // can admit a null req_ctx (the only admit path is the
+            // public-visibility branch in `can_view_cell`, which doesn't read
+            // grants).
+            const grants = req_ctx ? await query_cell_grant_list_for_cell({ db: route.db }, cell.id) : null;
+            if (!can_view_cell(req_ctx, cell, grants)) {
+                // 404 (not 403) so an unviewable cell→fact edge doesn't leak.
                 return c.body(null, 404);
             }
-            const { shard, rest } = parsed;
-            if (x_accel_redirect_prefix !== undefined) {
-                // Production: hand off to nginx via the internal facts location.
-                return c.body(null, 200, {
-                    'Content-Type': content_type,
-                    'Content-Length': size,
-                    'Cache-Control': CACHE_CONTROL,
-                    'X-Accel-Redirect': `${x_accel_redirect_prefix}${shard}/${rest}`,
-                });
+            return serve_fact_bytes(c, route, hash, config);
+        },
+    };
+};
+/**
+ * Build the admin-only bare-hash `GET /api/facts/:hash` `RouteSpec`.
+ *
+ * An admin's reach already spans every cell, so serving by bare hash grants
+ * no escalation — the union concern that made this route a cross-owner leak
+ * for non-admins is vacuous for an admin. Non-admin callers are rejected at
+ * the auth phase (403) and never reach the handler. Confidential non-admin
+ * reads always go through the cell-scoped route above.
+ *
+ * Auth is `{account: 'required', actor: 'required', roles: ['admin']}` —
+ * the dispatcher's authorization phase resolves the acting actor and the
+ * post-authorization guard enforces the admin role before the handler runs.
+ * The handler re-checks `has_role(_, admin)` as defense-in-depth so a future
+ * mounting/auth-shape regression fails closed rather than serving by bare
+ * hash to a non-admin.
+ */
+export const create_serve_fact_route_spec = (options) => {
+    const { facts_dir, x_accel_redirect_prefix, log } = options;
+    const config = { facts_dir, x_accel_redirect_prefix, log };
+    return {
+        method: 'GET',
+        path: '/api/facts/:hash',
+        auth: { account: 'required', actor: 'required', roles: [ROLE_ADMIN] },
+        description: 'Serve content-addressed fact bytes by bare hash — admin only. Non-admin reads go through GET /api/cells/:cell_id/facts/:hash (per-reference).',
+        params: bare_hash_params_schema,
+        // `actor: 'required'` (implied by the admin role gate) needs the
+        // authorization phase to resolve an acting actor — registry-time
+        // invariant 2 requires the `acting?` slot. On a GET it lives on
+        // `query` (a multi-actor admin disambiguates via `?acting=<actor>`).
+        query: z.strictObject({ acting: ActingActor }),
+        input: z.null(),
+        // The body is a binary stream; no JSON output schema applies.
+        output: z.null(),
+        errors: params_400_error,
+        handler: async (c, route) => {
+            const { hash } = get_route_params(c);
+            // Defense-in-depth: the auth phase already gated this on the admin
+            // role, but re-check the resolved context so a mounting/auth-shape
+            // regression fails closed instead of serving by bare hash.
+            if (!has_role(get_request_context(c), ROLE_ADMIN)) {
+                return c.body(null, 404);
             }
-            // Dev / tests: stream from disk. `createReadStream` errors land on the
-            // returned ReadableStream, which Hono surfaces as a 500 to the client.
-            const file_path = join(facts_dir, shard, rest);
-            const node_stream = createReadStream(file_path);
-            const web_stream = Readable.toWeb(node_stream);
-            return c.body(web_stream, 200, {
-                'Content-Type': content_type,
-                'Content-Length': size,
-                'Cache-Control': CACHE_CONTROL,
-            });
+            return serve_fact_bytes(c, route, hash, config);
         },
     };
 };

package/dist/testing/CLAUDE.md

@@ -574,7 +574,11 @@ auth-related routes (login/logout/verify/sessions/tokens/password/signup)
 and asserts `DEFAULT_INTEGRATION_ERROR_COVERAGE` (20%). Bootstrap is
 excluded because no describe block in this suite drives it — its declared
 codes would always be uncovered. Consumer-specific routes aren't exercised
-here either — they don't count against the baseline. Override with
+here either — they don't count against the baseline. 403 authorization
+denials (the credential-channel gate on `/logout` + `/password`, the invite
+gate on `/signup`) are likewise excluded via `ignore_statuses: [403]` — they're
+exercised by the conformance + attack-surface suites, not this lifecycle suite.
+Override with
 `error_coverage_min?: number` (set to `0` to skip the assertion — useful for
 minimal route sets whose declared error codes outpace the suite's
 denial-path drivers).

package/dist/testing/cross_backend/setup.d.ts

@@ -140,6 +140,19 @@ export interface TestFixtureBase {
      * for suites that don't declare any.
      */
     readonly extra_accounts: Readonly<Record<string, ExtraAccountFixture>>;
+    /**
+     * Additional actors seeded on the **keeper** account (beyond its single
+     * bootstrap `actor`), in declaration order. Populated from the
+     * `extra_actors` option. Empty unless a suite declares any. Use to drive
+     * the multi-actor `acting`-selector branches: with `extra_actors` non-empty
+     * the keeper has >1 actor, so a keeper request omitting `acting` resolves
+     * to `actor_required` with these ids in its `available[]` list. Each id is
+     * a valid `acting` value the keeper can supply explicitly.
+     */
+    readonly extra_actors: ReadonlyArray<{
+        readonly id: Uuid;
+        readonly name: string;
+    }>;
     /**
      * Forge an *expired server-side session* for the keeper account and
      * return the ready-to-send `Cookie` header value (`name=value`). The
@@ -187,6 +200,13 @@ export interface InProcessSetupOptions extends CreateTestAppOptions {
      * `describe_standard_admin_integration_tests`) is the primary user.
      */
     readonly extra_accounts?: ReadonlyArray<ExtraAccountSpec>;
+    /**
+     * Additional actor names to seed on the bootstrapped keeper — exposed on
+     * `fixture.extra_actors`. See `CrossProcessSetupOptions.extra_actors` /
+     * `TestFixtureBase.extra_actors`. Seeded directly against the live backend
+     * DB (in-process has no wire hop).
+     */
+    readonly extra_actors?: ReadonlyArray<string>;
 }
 /**
  * Build a `SetupTest` that creates a fresh `TestApp` per call via
@@ -321,6 +341,14 @@ export interface CrossProcessSetupOptions {
      * transaction as the keeper.
      */
     readonly extra_accounts?: ReadonlyArray<ExtraAccountSpec>;
+    /**
+     * Additional actor names to seed on the keeper account, beyond its
+     * single bootstrap actor — exposed on `fixture.extra_actors`. Declare
+     * to put the keeper into a multi-actor state so the `actor_required` /
+     * explicit-`acting` branches are reachable cross-process. See
+     * `TestFixtureBase.extra_actors`.
+     */
+    readonly extra_actors?: ReadonlyArray<string>;
 }
 /**
  * Capture a backend's schema snapshot over the `_testing_schema_snapshot`
@@ -399,6 +427,11 @@ export interface DefaultInProcessSuiteOptions {
      * transport.
      */
     extra_accounts?: ReadonlyArray<ExtraAccountSpec>;
+    /**
+     * Additional actor names to seed on the bootstrapped keeper — exposed on
+     * `fixture.extra_actors`. See `TestFixtureBase.extra_actors`.
+     */
+    extra_actors?: ReadonlyArray<string>;
     /**
      * Pre-built `AppSurfaceSpec` — overrides the default which calls
      * `create_test_app_surface_spec` against the same factory inputs.

package/dist/testing/cross_backend/setup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"setup.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/setup.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAuB9B,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE5C,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AACxD,OAAO,KAAK,EAAC,gBAAgB,EAAE,sBAAsB,EAAC,MAAM,4BAA4B,CAAC;AACzF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAIjE,OAAO,EAKN,KAAK,oBAAoB,EACzB,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAA0B,KAAK,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AACpF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAyB,KAAK,cAAc,EAAC,MAAM,kCAAkC,CAAC;AAC7F,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,yBAAyB,CAAC;AAC5D,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,oBAAoB,CAAC;AAEtD;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACxC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAE7C;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,gBAAgB;IAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CACtC;AAED,sEAAsE;AACtE,MAAM,WAAW,mBAAmB;IACnC,QAAQ,CAAC,OAAO,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACjE,QAAQ,CAAC,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IACpC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5F,QAAQ,CAAC,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3F;AAoCD;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,SAAS,EAAE,cAAc,CAAC;IACnC;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,QAAQ,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,EAAE;QAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAC,KAAK,cAAc,CAAC;IAC1F,+CAA+C;IAC/C,QAAQ,CAAC,OAAO,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACjE,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IACpC,8DAA8D;IAC9D,QAAQ,CAAC,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5F,4DAA4D;IAC5D,QAAQ,CAAC,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3F,iEAAiE;IACjE,QAAQ,CAAC,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjG;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE,wBAAwB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC7F;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACvE;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,oBAAoB,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACrD;AAED;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,WAAW,GAAG,eAAe,CAAC;AAE1C;;;;;GAKG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;AAenD;;;;;GAKG;AACH,MAAM,WAAW,qBAAsB,SAAQ,oBAAoB;IAClE;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACnC,SAAS,qBAAqB,KAAG,SAsDjC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,WAAW,yBAA0B,SAAQ,aAAa;IAC/D,iEAAiE;IACjE,QAAQ,CAAC,gBAAgB,EAAE,cAAc,CAAC;IAC1C,2DAA2D;IAC3D,QAAQ,CAAC,cAAc,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxE,yDAAyD;IACzD,QAAQ,CAAC,YAAY,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAC3C,wGAAwG;IACxG,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/C;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,sCAAsC,GAAG,IAAI,CACxD,yBAAyB,EACzB,OAAO,GAAG,UAAU,CACpB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,qCAAqC;IACrD,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACzC,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IACrD,QAAQ,CAAC,cAAc,EAAE,yBAAyB,CAAC,gBAAgB,CAAC,CAAC;IACrE,QAAQ,CAAC,YAAY,EAAE,yBAAyB,CAAC,cAAc,CAAC,CAAC;IACjE,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/C;AAED;;;GAGG;AACH,eAAO,MAAM,6BAA6B,GACzC,QAAQ,yBAAyB,KAC/B,qCAMD,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,YAAY,qCAAqC,KAC/C,sCAUD,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACxC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACpD;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;CAC1D;AAqFD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GACnC,QAAQ,sCAAsC,EAC9C,UAAS;IAAC,cAAc,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CAAM,KACpD,OAAO,CAAC,cAAc,CAUxB,CAAC;AAqSF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,2BAA2B,GACvC,QAAQ,sCAAsC,EAC9C,UAAU,wBAAwB,KAChC,SA+HF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,4BAA4B;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACnC;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACjD;;;;;OAKG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CAChC;AAWD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,gCAAgC,GAAI,KAAK,CAAC,CAAC,SAAS,4BAA4B,EAC5F,SAAS,CAAC,KACR;IACF,UAAU,EAAE,SAAS,CAAC;IACtB,cAAc,EAAE,cAAc,CAAC;IAC/B,YAAY,EAAE,mBAAmB,CAAC;IAClC,eAAe,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;IACtC,kBAAkB,EAAE,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAC5C,aAAa,EAAE,CAAC,CAAC,eAAe,CAAC,CAAC;CA0BjC,CAAC"}
+{"version":3,"file":"setup.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/setup.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAuB9B,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE5C,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AACxD,OAAO,KAAK,EAAC,gBAAgB,EAAE,sBAAsB,EAAC,MAAM,4BAA4B,CAAC;AACzF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAKjE,OAAO,EAKN,KAAK,oBAAoB,EACzB,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAA0B,KAAK,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AACpF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAyB,KAAK,cAAc,EAAC,MAAM,kCAAkC,CAAC;AAC7F,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,yBAAyB,CAAC;AAC5D,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,oBAAoB,CAAC;AAEtD;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACxC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAE7C;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,gBAAgB;IAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CACtC;AAED,sEAAsE;AACtE,MAAM,WAAW,mBAAmB;IACnC,QAAQ,CAAC,OAAO,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACjE,QAAQ,CAAC,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IACpC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5F,QAAQ,CAAC,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3F;AAoCD;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,SAAS,EAAE,cAAc,CAAC;IACnC;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,QAAQ,CAAC,eAAe,EAAE,CAAC,OAAO,CAAC,EAAE;QAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAC,KAAK,cAAc,CAAC;IAC1F,+CAA+C;IAC/C,QAAQ,CAAC,OAAO,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACjE,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IACpC,8DAA8D;IAC9D,QAAQ,CAAC,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5F,4DAA4D;IAC5D,QAAQ,CAAC,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3F,iEAAiE;IACjE,QAAQ,CAAC,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjG;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE,wBAAwB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC7F;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACvE;;;;;;;;OAQG;IACH,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;IACjF;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,oBAAoB,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACrD;AAED;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,WAAW,GAAG,eAAe,CAAC;AAE1C;;;;;GAKG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;AAenD;;;;;GAKG;AACH,MAAM,WAAW,qBAAsB,SAAQ,oBAAoB;IAClE;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC1D;;;;;OAKG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACnC,SAAS,qBAAqB,KAAG,SAqEjC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,WAAW,yBAA0B,SAAQ,aAAa;IAC/D,iEAAiE;IACjE,QAAQ,CAAC,gBAAgB,EAAE,cAAc,CAAC;IAC1C,2DAA2D;IAC3D,QAAQ,CAAC,cAAc,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxE,yDAAyD;IACzD,QAAQ,CAAC,YAAY,EAAE;QAAC,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC;IAC3C,wGAAwG;IACxG,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/C;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,sCAAsC,GAAG,IAAI,CACxD,yBAAyB,EACzB,OAAO,GAAG,UAAU,CACpB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,qCAAqC;IACrD,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACzC,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IACrD,QAAQ,CAAC,cAAc,EAAE,yBAAyB,CAAC,gBAAgB,CAAC,CAAC;IACrE,QAAQ,CAAC,YAAY,EAAE,yBAAyB,CAAC,cAAc,CAAC,CAAC;IACjE,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/C;AAED;;;GAGG;AACH,eAAO,MAAM,6BAA6B,GACzC,QAAQ,yBAAyB,KAC/B,qCAMD,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,YAAY,qCAAqC,KAC/C,sCAUD,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACxC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACpD;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC1D;;;;;;OAMG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9C;AAqFD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GACnC,QAAQ,sCAAsC,EAC9C,UAAS;IAAC,cAAc,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CAAM,KACpD,OAAO,CAAC,cAAc,CAUxB,CAAC;AA0SF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,2BAA2B,GACvC,QAAQ,sCAAsC,EAC9C,UAAU,wBAAwB,KAChC,SAsIF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,4BAA4B;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACnC;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACjD;;;OAGG;IACH,YAAY,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACrC;;;;;OAKG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CAChC;AAWD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,gCAAgC,GAAI,KAAK,CAAC,CAAC,SAAS,4BAA4B,EAC5F,SAAS,CAAC,KACR;IACF,UAAU,EAAE,SAAS,CAAC;IACtB,cAAc,EAAE,cAAc,CAAC;IAC/B,YAAY,EAAE,mBAAmB,CAAC;IAClC,eAAe,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;IACtC,kBAAkB,EAAE,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAC5C,aAAa,EAAE,CAAC,CAAC,eAAe,CAAC,CAAC;CA2BjC,CAAC"}

package/dist/testing/cross_backend/setup.js

@@ -21,6 +21,7 @@ import '../assert_dev_env.js';
 import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { ROLE_KEEPER } from '../../auth/role_schema.js';
+import { query_create_actor } from '../../auth/account_queries.js';
 import { DAEMON_TOKEN_HEADER } from '../../auth/daemon_token.js';
 import { USERNAME_LENGTH_MAX } from '../../primitive_schemas.js';
 import { create_test_app, create_test_account_with_credentials, mint_test_session, DEFAULT_TEST_PASSWORD, } from '../app_server.js';
@@ -109,6 +110,15 @@ export const default_in_process_setup = (options) => async () => {
         });
         extra_accounts[spec.username] = build_extra_account_fixture(seeded, cookie_name);
     }
+    // Seed additional keeper actors directly against the same DB. Mirrors
+    // the cross-process `_testing_reset` `extra_actors` path; no production
+    // wire mints a second actor, so this bootstrap-cradle insert is the
+    // only way into a multi-actor keeper state.
+    const extra_actors = [];
+    for (const name of options.extra_actors ?? []) {
+        const seeded_actor = await query_create_actor({ db: test_app.backend.deps.db }, test_app.backend.account.id, name);
+        extra_actors.push({ id: seeded_actor.id, name: seeded_actor.name });
+    }
     return {
         transport: in_process_fetch_transport(test_app.app),
         // In-process the wrapper is stateless and never auto-adds Origin —
@@ -122,6 +132,7 @@ export const default_in_process_setup = (options) => async () => {
         create_daemon_token_headers: test_app.create_daemon_token_headers,
         create_account: test_app.create_account,
         extra_accounts,
+        extra_actors,
         // Forge directly against the live backend's DB + keyring — no wire
         // hop needed in-process.
         mint_expired_session: async () => {
@@ -270,6 +281,7 @@ const TestingResetResponseShape = z.object({
         api_token: z.string(),
         session_cookie: z.string(),
     })),
+    extra_actors: z.array(z.object({ id: Uuid, name: z.string() })),
 });
 /**
  * Fire the `_testing_reset` RPC action over the keeper's daemon-token
@@ -286,6 +298,7 @@ const fire_testing_reset = async (handle, options) => {
             ...(spec.password_value !== undefined && { password_value: spec.password_value }),
             roles: [...spec.roles],
         })),
+        extra_actors: [...(options.extra_actors ?? [])],
     }, handle.config.name, { [DAEMON_TOKEN_HEADER]: handle.daemon_token });
     const parsed = TestingResetResponseShape.safeParse(raw);
     if (!parsed.success) {
@@ -299,6 +312,7 @@ const fire_testing_reset = async (handle, options) => {
             session_cookie: parsed.data.session_cookie,
         },
         extra_accounts: parsed.data.extra_accounts,
+        extra_actors: parsed.data.extra_actors,
     };
 };
 /**
@@ -463,11 +477,13 @@ const create_keeper_transport = (handle, cookie_name, session_cookie) => create_
 export const default_cross_process_setup = (handle, options) => {
     const extra_keeper_roles = options?.extra_keeper_roles ?? [];
     const extra_account_specs = options?.extra_accounts ?? [];
+    const extra_actor_names = options?.extra_actors ?? [];
     const { cookie_name } = handle.config;
     return async () => {
-        const { keeper, extra_accounts: seeded_extras } = await fire_testing_reset(handle, {
+        const { keeper, extra_accounts: seeded_extras, extra_actors, } = await fire_testing_reset(handle, {
             extra_keeper_roles,
             extra_accounts: extra_account_specs,
+            extra_actors: extra_actor_names,
         });
         // Rebuild the keeper transport with the new session cookie — the
         // reset action wiped the `globalSetup` keeper's auth_session row,
@@ -550,6 +566,7 @@ export const default_cross_process_setup = (handle, options) => {
             create_daemon_token_headers,
             create_account,
             extra_accounts,
+            extra_actors,
             // Forge over the wire — the cross-process driver has no keyring,
             // so `_testing_mint_session` mints the backdated row + signs the
             // cookie server-side over the keeper's daemon-token channel.
@@ -613,6 +630,7 @@ export const default_in_process_suite_options = (options) => ({
         app_options: options.app_options,
         roles: [ROLE_KEEPER, ...(options.extra_keeper_roles ?? [])],
         extra_accounts: options.extra_accounts,
+        extra_actors: options.extra_actors,
     }),
     surface_source: options.surface_source ??
         create_test_app_surface_spec({