@fuzdev/fuz_app 0.74.0 → 0.76.0

package/dist/testing/cross_backend/standard.d.ts

@@ -43,7 +43,7 @@ import type { RoleSchemaResult } from '../../auth/role_schema.js';
 import type { AppSurfaceSpec } from '../../http/surface.js';
 import type { RpcEndpointsSuiteOption } from '../rpc_helpers.js';
 import type { BackendCapabilities } from './capabilities.js';
-import type { SetupTest } from './setup.js';
+import type { SetupTest, TestFixture } from './setup.js';
 /**
  * Configuration for `describe_standard_cross_process_tests`.
  *
@@ -94,6 +94,24 @@ export interface StandardCrossProcessTestOptions {
      * / `info/refs`) which stream git protocol bytes.
      */
     round_trip_skip_routes?: Array<string>;
+    /**
+     * Forwarded to `describe_rpc_round_trip_tests` as `success_fixtures`
+     * (method name → async params factory). Drives a populated **success**
+     * body for referential RPC reads (`*_get`, `*_log`) the nil-id round-trip
+     * can only ever error on, and validates it against the method's `output`
+     * schema on each backend — the success-shape parity check. See
+     * `RpcRoundTripTestOptions.success_fixtures`.
+     */
+    rpc_success_fixtures?: Map<string, (fixture: TestFixture) => Promise<Record<string, unknown>>>;
+    /**
+     * Forwarded to `describe_round_trip_validation` as `success_fixtures`
+     * (`'METHOD /path'` → async `{url?, body?}` factory) for referential REST
+     * routes. See `RoundTripTestOptions.success_fixtures`.
+     */
+    rest_success_fixtures?: Map<string, (fixture: TestFixture) => Promise<{
+        url?: string;
+        body?: Record<string, unknown>;
+    }>>;
 }
 /**
  * Run the cross-process standard test bundle — integration, admin (when

package/dist/testing/cross_backend/standard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"standard.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/standard.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,2BAA2B,CAAC;AAChE,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAM1D,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AAE1C;;;;;;GAMG;AACH,MAAM,WAAW,+BAA+B;IAC/C,2CAA2C;IAC3C,UAAU,EAAE,SAAS,CAAC;IACtB;;;OAGG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC,uFAAuF;IACvF,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;OAKG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;OAGG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACvC;AAED;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,GACjD,SAAS,+BAA+B,KACtC,IAsCF,CAAC"}
+{"version":3,"file":"standard.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/standard.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,2BAA2B,CAAC;AAChE,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAM1D,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAAC,SAAS,EAAE,WAAW,EAAC,MAAM,YAAY,CAAC;AAEvD;;;;;;GAMG;AACH,MAAM,WAAW,+BAA+B;IAC/C,2CAA2C;IAC3C,UAAU,EAAE,SAAS,CAAC;IACtB;;;OAGG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC,uFAAuF;IACvF,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;OAKG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;OAGG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC;;;;;;;OAOG;IACH,oBAAoB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;IAC/F;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,GAAG,CAC1B,MAAM,EACN,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAC,CAAC,CACjF,CAAC;CACF;AAED;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,GACjD,SAAS,+BAA+B,KACtC,IAwCF,CAAC"}

package/dist/testing/cross_backend/standard.js

@@ -23,6 +23,7 @@ export const describe_standard_cross_process_tests = (options) => {
         surface_source: options.surface_source,
         capabilities: options.capabilities,
         skip_routes: options.round_trip_skip_routes,
+        success_fixtures: options.rest_success_fixtures,
     });
     describe_rpc_round_trip_tests({
         setup_test: options.setup_test,
@@ -30,6 +31,7 @@ export const describe_standard_cross_process_tests = (options) => {
         capabilities: options.capabilities,
         session_options: options.session_options,
         rpc_endpoints: options.rpc_endpoints,
+        success_fixtures: options.rpc_success_fixtures,
     });
     describe_data_exposure_tests({
         setup_test: options.setup_test,

package/dist/testing/cross_backend/testing_reset_actions.d.ts

@@ -106,6 +106,16 @@ export declare const testing_reset_action_spec: {
             password_value: z.ZodOptional<z.ZodString>;
             roles: z.ZodArray<z.ZodString>;
         }, z.core.$strict>>>;
+        /**
+         * Additional actor names to seed on the **keeper** account, beyond
+         * its single bootstrap actor. Drives the multi-actor `acting`
+         * selector branches (omitted `acting` + >1 actor ⇒ `actor_required`
+         * with the `available[]` list) that are otherwise unreachable
+         * cross-process — account creation only ever mints one actor, and no
+         * production wire path adds a second. Bootstrap-cradle seeding, same
+         * rationale as `extra_accounts`.
+         */
+        extra_actors: z.ZodOptional<z.ZodArray<z.ZodString>>;
     }, z.core.$strict>;
     readonly output: z.ZodObject<{
         account: z.ZodObject<{
@@ -128,6 +138,10 @@ export declare const testing_reset_action_spec: {
             api_token: z.ZodString;
             session_cookie: z.ZodString;
         }, z.core.$strict>>;
+        extra_actors: z.ZodArray<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            name: z.ZodString;
+        }, z.core.$strict>>;
     }, z.core.$strict>;
     readonly async: true;
     readonly description: "Test-binary only — wipe auth tables, re-bootstrap a fresh keeper (+ optional extras), fire the domain-state reset.";

package/dist/testing/cross_backend/testing_reset_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAEvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAkBvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwBQ,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAeC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CA2GjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}
+{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAEvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAmBvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;QAiBpC;;;;;;;;WAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWyC,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAeC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAsHjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}

package/dist/testing/cross_backend/testing_reset_actions.js

@@ -64,6 +64,7 @@ import { rpc_action } from '../../actions/action_rpc.js';
 import { ROLE_ADMIN, ROLE_KEEPER } from '../../auth/role_schema.js';
 import { auth_integration_truncate_tables } from '../db.js';
 import { query_schema_snapshot, SchemaSnapshot } from '../schema_introspect.js';
+import { query_create_actor } from '../../auth/account_queries.js';
 import { create_test_account_with_credentials, mint_test_session, DEFAULT_TEST_PASSWORD, } from '../app_server.js';
 /** Output shape for an individual seeded account (keeper or extra). */
 const SeededAccountShape = z.strictObject({
@@ -112,9 +113,21 @@ export const testing_reset_action_spec = {
             roles: z.array(z.string()),
         }))
             .optional(),
+        /**
+         * Additional actor names to seed on the **keeper** account, beyond
+         * its single bootstrap actor. Drives the multi-actor `acting`
+         * selector branches (omitted `acting` + >1 actor ⇒ `actor_required`
+         * with the `available[]` list) that are otherwise unreachable
+         * cross-process — account creation only ever mints one actor, and no
+         * production wire path adds a second. Bootstrap-cradle seeding, same
+         * rationale as `extra_accounts`.
+         */
+        extra_actors: z.array(z.string()).optional(),
     }),
     output: SeededAccountShape.extend({
         extra_accounts: z.array(SeededAccountShape),
+        /** The keeper's additional actors (from input `extra_actors`), in order. */
+        extra_actors: z.array(z.strictObject({ id: Uuid, name: z.string() })),
     }),
     async: true,
     description: 'Test-binary only — wipe auth tables, re-bootstrap a fresh keeper (+ optional extras), fire the domain-state reset.',
@@ -301,6 +314,16 @@ export const create_testing_actions = (deps, options) => {
                 });
                 extras.push(seeded);
             }
+            // 5b. Seed any additional keeper actors. Same bootstrap-cradle
+            //    bypass as extra_accounts — no production wire path mints a
+            //    second actor, so the multi-actor `acting` branches need this
+            //    direct insert. Order-preserving so the fixture can address
+            //    them positionally.
+            const extra_actors = [];
+            for (const name of input.extra_actors ?? []) {
+                const seeded_actor = await query_create_actor({ db: ctx.db }, keeper.account.id, name);
+                extra_actors.push({ id: seeded_actor.id, name: seeded_actor.name });
+            }
             // 6. Refresh the daemon-token cache so subsequent daemon-token
             //    requests resolve to the freshly seeded keeper. The
             //    middleware's lazy-refresh path only fires when the cached
@@ -314,7 +337,7 @@ export const create_testing_actions = (deps, options) => {
             //    against this open transaction under PGlite.
             if (reset_state)
                 await reset_state(ctx.db);
-            return { ...keeper, extra_accounts: extras };
+            return { ...keeper, extra_accounts: extras, extra_actors };
         }),
         rpc_action(testing_mint_session_action_spec, async (input, ctx) => {
             const { session_cookie } = await mint_test_session({

package/dist/testing/integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAM9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAiB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAC,KAAK,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxD;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;;;;OASG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,kEAAkE;IAClE,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;OAIG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IA60CF,CAAC"}
+{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAM9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAkB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAC,KAAK,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxD;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;;;;OASG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,kEAAkE;IAClE,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;OAIG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IAw6CF,CAAC"}

package/dist/testing/integration.js

@@ -23,6 +23,7 @@ import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERRO
 import { is_public_auth } from '../http/auth_shape.js';
 import { account_verify_action_spec, account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 import { invite_create_action_spec } from '../auth/admin_action_specs.js';
+import { LoginOutput, AccountStatusOutput } from '../auth/account_routes.js';
 import {} from './cross_backend/capabilities.js';
 import { DEFAULT_TEST_PASSWORD } from './app_server.js';
 /**
@@ -91,6 +92,14 @@ export const describe_standard_integration_tests = (options) => {
             });
             assert_error_coverage(error_collector, auth_routes.length > 0 ? auth_routes : route_specs, {
                 min_coverage: options.error_coverage_min ?? DEFAULT_INTEGRATION_ERROR_COVERAGE,
+                // Authorization denials (403) on these scoped auth routes — the
+                // credential-channel gate on /logout + /password, the invite gate on
+                // /signup — are exercised by the conformance + attack-surface suites,
+                // not this lifecycle suite. Drop 403 from this collector's denominator
+                // (same spirit as the [401, 403, 429] ignore in the attack-surface
+                // tightness defaults); otherwise #10 adding /logout's 403 to the spine
+                // surface tips the ratio under threshold here though the gate is tested.
+                ignore_statuses: [403],
             });
         });
         // --- 1. Login/logout lifecycle ---
@@ -269,6 +278,75 @@ export const describe_standard_integration_tests = (options) => {
                 assert.deepStrictEqual(wrong_pw_keys, no_user_keys, 'Response keys must be identical to prevent account enumeration');
                 assert.strictEqual(wrong_pw_body.error, no_user_body.error, 'Error codes must be identical');
             });
+            // Wire-shape gate: the successful `POST /login` body must strict-parse
+            // against `LoginOutput` (`{ok: true}`). `.strictObject` rejects any
+            // extra field, so a backend leaking `username` / `account_id` (the
+            // Rust spine's old shape) fails here on either impl.
+            test('successful login body strict-parses against LoginOutput', async () => {
+                const fixture = await options.setup_test();
+                const login_route = find_auth_route(route_specs, '/login', 'POST');
+                assert.ok(login_route, 'Expected POST /login route — ensure create_route_specs includes account routes');
+                const res = await fixture.transport(login_route.path, {
+                    method: 'POST',
+                    headers: {
+                        host: 'localhost',
+                        origin: 'http://localhost:5173',
+                        'content-type': 'application/json',
+                    },
+                    body: JSON.stringify({
+                        username: fixture.account.username,
+                        password: DEFAULT_TEST_PASSWORD,
+                    }),
+                });
+                assert.strictEqual(res.status, 200);
+                const body = await res.json();
+                // Throws on any extra or missing field — drift on either backend fails.
+                LoginOutput.parse(body);
+            });
+        });
+        // --- 1b. Account status body (strict schema) ---
+        describe('account status response body', () => {
+            // Wire-shape gate: the authenticated `GET /api/account/status` body
+            // must strict-parse against `AccountStatusOutput` — the full shape
+            // `{account: SessionAccountJson, actor: ActorSummaryJson | null,
+            // role_grants: RoleGrantSummaryJson[]}`. `.strictObject` rejects any
+            // extra or missing field on `account` / `actor` / each role_grant, so
+            // a backend returning the old narrow shape (Rust's `{account:{id,
+            // username}, role_grants:[{role}]}`) fails here on either impl. The
+            // fixture keeper is single-actor, so `actor` must be non-null and
+            // `role_grants` populated (keeper holds keeper + admin globally).
+            //
+            // `/status` is mounted at `create_app_server` time (it needs the
+            // `bootstrap_available` runtime state), not by `create_account_route_specs`
+            // and not listed in the declared surface, so we can't gate on `route_specs`.
+            // A backend that mounts only the account-route factory (e.g. a minimal
+            // in-process route set) doesn't serve it — probe at runtime and skip on
+            // 404. The full spine surfaces (in-process + cross-process) serve it, so
+            // the gate runs there. `find_auth_route` can't be used: `/status` isn't a
+            // `RestAuthRouteSuffix`.
+            test('authenticated status body strict-parses against AccountStatusOutput', async (ctx) => {
+                const fixture = await options.setup_test();
+                const login_route = find_auth_route(route_specs, '/login', 'POST');
+                assert.ok(login_route, 'Expected POST /login route — ensure create_route_specs includes account routes');
+                // `/status` is the sibling of `/login` under the same account prefix.
+                const status_path = login_route.path.replace(/\/login$/, '/status');
+                const res = await fixture.transport(status_path, {
+                    method: 'GET',
+                    headers: fixture.create_session_headers({ host: 'localhost' }),
+                });
+                if (res.status === 404) {
+                    // Backend doesn't mount /status (minimal route set) — nothing to gate.
+                    ctx.skip();
+                    return;
+                }
+                assert.strictEqual(res.status, 200);
+                const body = await res.json();
+                // Throws on any extra/missing field across account/actor/role_grants.
+                const parsed = AccountStatusOutput.parse(body);
+                // Single-actor keeper: actor resolved, role_grants populated.
+                assert.ok(parsed.actor, 'single-actor keeper must resolve a non-null actor');
+                assert.ok(parsed.role_grants.length > 0, 'single-actor keeper must have populated role_grants');
+            });
         });
         // --- 2. Cookie attributes ---
         describe('cookie attributes', () => {

package/dist/testing/round_trip.d.ts

@@ -1,6 +1,6 @@
 import './assert_dev_env.js';
 import type { BackendCapabilities } from './cross_backend/capabilities.js';
-import type { SetupTest } from './cross_backend/setup.js';
+import type { SetupTest, TestFixture } from './cross_backend/setup.js';
 import type { AppSurfaceSpec } from '../http/surface.js';
 /** Options for `describe_round_trip_validation`. */
 export interface RoundTripTestOptions {
@@ -22,6 +22,24 @@ export interface RoundTripTestOptions {
     skip_routes?: Array<string>;
     /** Override generated bodies for specific routes (`'METHOD /path'` → body). */
     input_overrides?: Map<string, Record<string, unknown>>;
+    /**
+     * Success-case fixtures for routes whose **populated success body** the
+     * generic nil-id input can't reach — referential REST routes whose path
+     * params / body must point at existing rows. Maps `'METHOD /path'` to an
+     * async factory that receives the per-test `fixture` (so it can seed the
+     * referenced state) and returns `{url?, body?}`: an explicit resolved `url`
+     * (when the factory built it from the ids it just seeded) and/or a request
+     * `body`. Omit `url` to fall back to the generated valid path.
+     *
+     * Distinct from `input_overrides` (body-only, accepts a valid error
+     * envelope): a `success_fixtures` entry **asserts a 2xx response** and
+     * validates it against the route's `output` schema — the success-shape
+     * parity check the nil-id round-trip can't perform.
+     */
+    success_fixtures?: Map<string, (fixture: TestFixture) => Promise<{
+        url?: string;
+        body?: Record<string, unknown>;
+    }>>;
 }
 /**
  * Run schema-driven round-trip validation tests.

package/dist/testing/round_trip.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA0B7B,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,0BAA0B,CAAC;AACrE,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAEvD,oDAAoD;AACpD,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;OAGG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,6EAA6E;IAC7E,YAAY,EAAE,mBAAmB,CAAC;IAClC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC5B,+EAA+E;IAC/E,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACvD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,8BAA8B,GAAI,SAAS,oBAAoB,KAAG,IA6D9E,CAAC"}
+{"version":3,"file":"round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA2B7B,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAE,WAAW,EAAC,MAAM,0BAA0B,CAAC;AACrE,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAGvD,oDAAoD;AACpD,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;OAGG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,6EAA6E;IAC7E,YAAY,EAAE,mBAAmB,CAAC;IAClC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC5B,+EAA+E;IAC/E,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACvD;;;;;;;;;;;;;OAaG;IACH,gBAAgB,CAAC,EAAE,GAAG,CACrB,MAAM,EACN,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAC,CAAC,CACjF,CAAC;CACF;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,8BAA8B,GAAI,SAAS,oBAAoB,KAAG,IAyI9E,CAAC"}

package/dist/testing/round_trip.js

@@ -16,8 +16,9 @@ import './assert_dev_env.js';
  *
  * @module
  */
-import { describe, test, beforeAll } from 'vitest';
+import { describe, test, beforeAll, assert } from 'vitest';
 import { ROLE_ADMIN } from '../auth/role_schema.js';
+import { is_public_auth, needs_actor, input_schema_declares_acting } from '../http/auth_shape.js';
 import { assert_response_matches_spec, pick_auth_headers } from './integration_helpers.js';
 import { resolve_valid_path, generate_valid_body } from './schema_generators.js';
 /**
@@ -54,14 +55,51 @@ export const describe_round_trip_validation = (options) => {
                 roles: [ROLE_ADMIN],
             });
         });
+        // Mirror `pick_auth_headers`' account selection to recover the actor id
+        // of whichever account it authed as — so an `actor: 'required'` route
+        // that declares `acting?: ActingActor` gets the matching actor supplied
+        // explicitly (its sole actor, here), rather than relying on implicit
+        // single-actor resolution. Keeps such routes drivable without a
+        // consumer skip-list entry. Returns `null` for public routes.
+        const pick_acting_actor_id = (spec) => {
+            const { auth } = spec;
+            if (is_public_auth(auth))
+                return null;
+            if (auth.credential_types?.includes('daemon_token'))
+                return fixture.actor.id;
+            if (auth.roles?.length) {
+                return auth.roles.includes(ROLE_ADMIN) ? admin_account.actor.id : fixture.actor.id;
+            }
+            return authed_account.actor.id;
+        };
         test.each(describe_time_specs)('$method $path produces schema-valid response', async (spec) => {
             const route_key = `${spec.method} ${spec.path}`;
             if (skip_set.has(route_key))
                 return;
+            // Raw-byte / streaming routes (git smart-HTTP, binary upload/download)
+            // can't be round-tripped — no meaningful body to synthesize, no JSON
+            // shape to assert. Auto-skip by the spec marker rather than making
+            // every consumer hand-list them in `skip_routes`.
+            if (spec.raw_body)
+                return;
             const url = resolve_valid_path(spec.path, spec.params);
             const override = options.input_overrides?.get(route_key);
-            const body = override ?? generate_valid_body(spec.input);
+            let body = override ?? generate_valid_body(spec.input);
             const headers = pick_auth_headers(spec, fixture, authed_account, admin_account);
+            // Auto-supply `acting` for actor-required routes that declare it. The
+            // `actor !== 'none' ⟺ acting declared` registry invariant means a
+            // route either declares `acting` in `query` (REST GET/body-less) or
+            // `input` — supply the picked account's actor in the matching channel.
+            let request_url = url;
+            const acting_id = needs_actor(spec.auth) ? pick_acting_actor_id(spec) : null;
+            if (acting_id !== null) {
+                if (spec.query && input_schema_declares_acting(spec.query)) {
+                    request_url = `${url}${url.includes('?') ? '&' : '?'}acting=${acting_id}`;
+                }
+                else if (input_schema_declares_acting(spec.input) && body) {
+                    body = { ...body, acting: acting_id };
+                }
+            }
             const request_init = {
                 method: spec.method,
                 headers: {
@@ -70,7 +108,7 @@ export const describe_round_trip_validation = (options) => {
                 },
                 ...(body ? { body: JSON.stringify(body) } : {}),
             };
-            const res = await fixture.transport(url, request_init);
+            const res = await fixture.transport(request_url, request_init);
             if (res.headers.get('Content-Type')?.includes('text/event-stream')) {
                 await res.body?.cancel();
                 return;
@@ -82,5 +120,39 @@ export const describe_round_trip_validation = (options) => {
                 throw new Error(`Round-trip validation failed for ${route_key} (status ${res.status}): ${e.message}`);
             }
         });
+        test('declared success fixtures produce schema-valid success bodies', async () => {
+            const success_fixtures = options.success_fixtures;
+            if (!success_fixtures || success_fixtures.size === 0)
+                return;
+            for (const [route_key, build] of success_fixtures) {
+                const space = route_key.indexOf(' ');
+                const method = route_key.slice(0, space);
+                const path = route_key.slice(space + 1);
+                const spec = describe_time_specs.find((s) => s.method === method && s.path === path);
+                assert.ok(spec, `success_fixtures references unknown route '${route_key}'`);
+                const seeded = await build(fixture);
+                const url = seeded.url ?? resolve_valid_path(spec.path, spec.params);
+                const body = seeded.body;
+                const headers = pick_auth_headers(spec, fixture, authed_account, admin_account);
+                const res = await fixture.transport(url, {
+                    method: spec.method,
+                    headers: {
+                        ...headers,
+                        ...(body ? { 'content-type': 'application/json' } : {}),
+                    },
+                    ...(body ? { body: JSON.stringify(body) } : {}),
+                });
+                try {
+                    assert.ok(res.ok, `success fixture expected a 2xx response, got status ${res.status}: ${await res
+                        .clone()
+                        .text()
+                        .catch(() => '<unreadable>')}`);
+                    await assert_response_matches_spec(describe_time_specs, spec.method, url, res);
+                }
+                catch (e) {
+                    throw new Error(`Round-trip success-fixture failed for ${route_key} (status ${res.status}): ${e.message}`);
+                }
+            }
+        });
     });
 };

package/dist/testing/rpc_round_trip.d.ts

@@ -2,7 +2,7 @@ import './assert_dev_env.js';
 import type { AppSurfaceSpec } from '../http/surface.js';
 import { type RpcEndpointsSuiteOption } from './rpc_helpers.js';
 import type { BackendCapabilities } from './cross_backend/capabilities.js';
-import type { SetupTest } from './cross_backend/setup.js';
+import type { SetupTest, TestFixture } from './cross_backend/setup.js';
 import type { SessionOptions } from '../auth/session_cookie.js';
 /** Options for `describe_rpc_round_trip_tests`. */
 export interface RpcRoundTripTestOptions {
@@ -34,6 +34,28 @@ export interface RpcRoundTripTestOptions {
     skip_methods?: Array<string>;
     /** Override generated params for specific methods (method name → params). */
     input_overrides?: Map<string, Record<string, unknown>>;
+    /**
+     * Success-case fixtures for methods whose **populated success body** the
+     * generic nil-id input can't reach — referential reads (`*_get`, `*_log`)
+     * whose required ids must point at existing rows. Maps method name to an
+     * async factory that receives the per-test `fixture` (so it can seed the
+     * referenced state — e.g. create a repo via `fixture.transport` +
+     * `fixture.create_session_headers()`) and returns the params that drive a
+     * **success** response.
+     *
+     * Distinct from `input_overrides`, which only swaps the request params; the
+     * response may still be a valid *error* envelope (missing-row `not_found`),
+     * which the generic loop accepts. A `success_fixtures` entry **asserts the
+     * response is `ok`** and validates `result` against the method's `output`
+     * schema — so a backend that drops a field, or errors where the other
+     * backend succeeds, fails loud. This is the success-shape parity check the
+     * nil-id round-trip structurally cannot perform (it only ever sees error
+     * envelopes for referential methods).
+     *
+     * Fired as POST. The factory runs against the shared per-describe fixture,
+     * so it must not assume a clean slate between entries (seed unique state).
+     */
+    success_fixtures?: Map<string, (fixture: TestFixture) => Promise<Record<string, unknown>>>;
 }
 /**
  * Run schema-driven round-trip validation for RPC endpoints.

package/dist/testing/rpc_round_trip.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rpc_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/rpc_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAyB7B,OAAO,KAAK,EAAC,cAAc,EAAsB,MAAM,oBAAoB,CAAC;AAE5E,OAAO,EAMN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAE1B,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,0BAA0B,CAAC;AACrE,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,mDAAmD;AACnD,MAAM,WAAW,uBAAuB;IACvC,kEAAkE;IAClE,UAAU,EAAE,SAAS,CAAC;IACtB;;;;OAIG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;;OAKG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;OAKG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,qDAAqD;IACrD,YAAY,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,6EAA6E;IAC7E,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACvD;AAoDD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,6BAA6B,GAAI,SAAS,uBAAuB,KAAG,IAoHhF,CAAC"}
+{"version":3,"file":"rpc_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/rpc_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAyB7B,OAAO,KAAK,EAAC,cAAc,EAAsB,MAAM,oBAAoB,CAAC;AAE5E,OAAO,EAQN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAE1B,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAE,WAAW,EAAC,MAAM,0BAA0B,CAAC;AACrE,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,mDAAmD;AACnD,MAAM,WAAW,uBAAuB;IACvC,kEAAkE;IAClE,UAAU,EAAE,SAAS,CAAC;IACtB;;;;OAIG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,uCAAuC;IACvC,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;;OAKG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;OAKG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,qDAAqD;IACrD,YAAY,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,6EAA6E;IAC7E,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACvD;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,gBAAgB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;CAC3F;AAoDD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,6BAA6B,GAAI,SAAS,uBAAuB,KAAG,IAwJhF,CAAC"}

package/dist/testing/rpc_round_trip.js

@@ -20,7 +20,7 @@ import { ROLE_ADMIN } from '../auth/role_schema.js';
 import { JSONRPC_METHOD_NOT_FOUND, JsonrpcErrorResponse } from '../http/jsonrpc.js';
 import { generate_valid_body } from './schema_generators.js';
 import { is_public_auth } from '../http/auth_shape.js';
-import { create_rpc_post_init, create_rpc_get_url, assert_jsonrpc_error_response, assert_jsonrpc_success_response, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
+import { create_rpc_post_init, create_rpc_get_url, assert_jsonrpc_error_response, assert_jsonrpc_success_response, resolve_rpc_endpoints_for_setup, find_rpc_action, find_rpc_method, } from './rpc_helpers.js';
 /**
  * Pick auth headers matching an RPC method's auth requirement. Accepts
  * any `KeeperHeaderProvider` — both `TestApp` (in-process) and
@@ -170,5 +170,30 @@ export const describe_rpc_round_trip_tests = (options) => {
                 }
             }
         });
+        test('declared success fixtures produce schema-valid success bodies', async () => {
+            const success_fixtures = options.success_fixtures;
+            if (!success_fixtures || success_fixtures.size === 0)
+                return;
+            for (const [method, build] of success_fixtures) {
+                const located = find_rpc_action(rpc_endpoints_for_setup, method);
+                assert.ok(located, `success_fixtures references unknown RPC method '${method}'`);
+                const surface = find_rpc_method(surface_rpc_endpoints, method);
+                assert.ok(surface, `success_fixtures method '${method}' missing from generated surface`);
+                const params = await build(fixture);
+                const headers = pick_rpc_auth_headers(surface.method_spec, fixture, authed_account, admin_account);
+                const init = create_rpc_post_init(method, params);
+                Object.assign(init.headers, headers);
+                const res = await fixture.transport(located.path, init);
+                const body = await res.json();
+                try {
+                    assert_method_implemented(method, body);
+                    assert.ok(res.ok, `success fixture expected a success response, got status ${res.status}: ${JSON.stringify(body)}`);
+                    assert_jsonrpc_success_response(body, located.action.spec.output);
+                }
+                catch (e) {
+                    throw new Error(`RPC success-fixture failed for ${method} (status ${res.status}): ${e.message}`);
+                }
+            }
+        });
     });
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.74.0",
+  "version": "0.76.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",
@@ -63,12 +63,12 @@
   },
   "devDependencies": {
     "@electric-sql/pglite": "^0.4.5",
-    "@fuzdev/blake3_wasm": "^0.1.0",
+    "@fuzdev/blake3_wasm": "^0.1.1",
     "@fuzdev/fuz_code": "^0.45.1",
-    "@fuzdev/fuz_css": "^0.60.0",
-    "@fuzdev/fuz_ui": "^0.195.1",
-    "@fuzdev/fuz_util": "^0.62.0",
-    "@fuzdev/gro": "^0.199.1",
+    "@fuzdev/fuz_css": "^0.61.1",
+    "@fuzdev/fuz_ui": "^0.197.0",
+    "@fuzdev/fuz_util": "^0.63.0",
+    "@fuzdev/gro": "^0.200.0",
     "@hono/node-server": "^1.19.14",
     "@hono/node-ws": "^1.3.1",
     "@jridgewell/trace-mapping": "^0.3.31",
@@ -94,7 +94,7 @@
     "prettier-plugin-svelte": "^3.5.1",
     "svelte": "^5.56.0",
     "svelte-check": "^4.4.5",
-    "svelte-docinfo": "^0.1.0",
+    "svelte-docinfo": "^0.2.1",
     "svelte2tsx": "^0.7.52",
     "tslib": "^2.8.1",
     "typescript": "^5.9.3",