@fuzdev/fuz_app 0.75.0 → 0.77.0

package/dist/testing/cross_backend/role_grant_offer_notification_ws.js

@@ -0,0 +1,256 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-process **role-grant-offer lifecycle WS notification** suite — the
+ * machinery proof for the consentful-role-grants notification fan-out across
+ * any spine backend. Covers all seven server-initiated notifications:
+ *
+ * - `role_grant_offer_received` → recipient (offer created)
+ * - `role_grant_offer_accepted` → grantor (recipient accepts)
+ * - `role_grant_offer_declined` → grantor (recipient declines)
+ * - `role_grant_offer_retracted` → recipient (grantor retracts)
+ * - `role_grant_revoke` (flat, omits `revoked_by`) → revokee (active grant revoked)
+ * - `role_grant_offer_supersede` → each superseded sibling's grantor, fired on
+ *   BOTH the accept-cascade (`reason: 'sibling_accepted'`) and the
+ *   revoke-cascade (`reason: 'role_grant_revoked'`)
+ *
+ * These exercise only spine primitives (accounts, role-grants, offers, WS
+ * notifications) — zero consumer domain — so the suite lives here and runs
+ * against any backend that wires the standard RPC actions' `notification_sender`
+ * and mounts a registered WS socket: fuz_app's own spine self-tests
+ * (`testing_spine_server` + the Rust `testing_spine_stub`) and downstream
+ * twin-impl consumers (the fuz_forge Deno/Hono + Rust `fuz_forge_server`
+ * backends) alike.
+ *
+ * Each case is a *targeted* server-initiated notification (vs the broadcast in
+ * a `repo_updated`-style suite), so it opens the affected counterparty's socket,
+ * drives the lifecycle RPC over HTTP, then asserts the frame lands on that
+ * socket and strict-parses against the canonical wire schema — the guard
+ * against serialization drift (field / null / datetime / the flat revoke shape /
+ * the supersede `reason` + `cause_id`).
+ *
+ * Sends are queued on the post-commit drain (handler-emit, not audit-derived),
+ * so a frame may land a beat after the RPC resolves — `WsClient.wait_for` polls
+ * already-received messages then waits, absorbing the fan-out latency without a
+ * sleep, and its method+predicate filter ignores unrelated frames (e.g. the
+ * `received` push the recipient also gets). `ROLE_ADMIN` is the only
+ * admin-grantable role; accounts that already hold it can still be offered it
+ * again (a fresh pending row — the prior accept is terminal, no already-granted
+ * guard), and accept stays idempotent on the role_grant while still superseding
+ * pending siblings. Gated on `capabilities.ws`.
+ *
+ * Cross-process only: `create_ws_transport` needs a real bound socket, so wire
+ * it from a `*.cross.test.ts` file, never an in-process setup. Authed cookies
+ * come from the per-account session minted by `fixture.create_account` /
+ * `fixture.create_session_headers`.
+ *
+ * @module
+ */
+import { assert, describe } from 'vitest';
+import { rpc_call } from '../rpc_helpers.js';
+import { create_ws_transport } from '../transports/ws_transport.js';
+import { is_notification_with } from '../transports/ws_client.js';
+import { ROLE_ADMIN } from '../../auth/role_schema.js';
+import { ROLE_GRANT_OFFER_RECEIVED_NOTIFICATION_METHOD, ROLE_GRANT_OFFER_ACCEPTED_NOTIFICATION_METHOD, ROLE_GRANT_OFFER_DECLINED_NOTIFICATION_METHOD, ROLE_GRANT_OFFER_RETRACTED_NOTIFICATION_METHOD, ROLE_GRANT_OFFER_SUPERSEDE_NOTIFICATION_METHOD, ROLE_GRANT_REVOKE_NOTIFICATION_METHOD, RoleGrantOfferReceivedParams, RoleGrantOfferAcceptedParams, RoleGrantOfferDeclinedParams, RoleGrantOfferRetractedParams, RoleGrantOfferSupersedeParams, RoleGrantRevokeParams, } from '../../auth/role_grant_offer_notifications.js';
+import { test_if } from './capabilities.js';
+/** JSON-RPC endpoint path — matches the spine's `/api/rpc` (and the forge's). */
+const RPC_PATH = '/api/rpc';
+/**
+ * Register the role-grant-offer WS notification suite — seven cases over a real
+ * upgrade, one per server-initiated notification (received / accepted /
+ * declined / retracted / revoke + supersede on both the accept and revoke
+ * cascades). Each opens the affected counterparty's socket, drives the
+ * lifecycle RPC, and strict-parses the delivered frame against its canonical
+ * params schema. Gated on `capabilities.ws`.
+ */
+export const describe_role_grant_offer_notification_ws_tests = (options) => {
+    const { setup_test, capabilities, base_url, ws_path } = options;
+    // -- shared helpers -------------------------------------------------------
+    /** Open a WS transport for a single session cookie (`<name>=<value>`). */
+    const open_ws = (cookie) => {
+        assert.ok(cookie, 'expected a session cookie for the WS upgrade');
+        return create_ws_transport({ base_url, ws_path, cookies: [cookie], origin: base_url });
+    };
+    /** Drive a JSON-RPC call over the fixture's HTTP transport. */
+    const rpc = (fixture, method, params, headers) => rpc_call({ app: fixture.transport, path: RPC_PATH, method, params, headers });
+    /**
+     * Create a fresh pending `ROLE_ADMIN` offer from `grantor_headers` (defaults
+     * to the keeper) to `to_account_id`, returning the created offer.
+     */
+    const create_pending_offer = async (fixture, to_account_id, grantor_headers = fixture.create_session_headers()) => {
+        const res = await rpc(fixture, 'role_grant_offer_create', { to_account_id, role: ROLE_ADMIN }, grantor_headers);
+        if (!res.ok)
+            assert.fail(`offer create failed: ${JSON.stringify(res)}`);
+        return res.result.offer;
+    };
+    /**
+     * Materialize an active `ROLE_ADMIN` role_grant on `recipient` via a fresh
+     * keeper offer + recipient accept (idempotent on a grant the account already
+     * holds), returning its `role_grant_id` — the handle `role_grant_revoke`
+     * keys on.
+     */
+    const create_active_role_grant = async (fixture, recipient) => {
+        const offer = await create_pending_offer(fixture, recipient.account.id);
+        const accepted = await rpc(fixture, 'role_grant_offer_accept', { offer_id: offer.id }, recipient.create_session_headers());
+        if (!accepted.ok)
+            assert.fail(`accept failed: ${JSON.stringify(accepted)}`);
+        return accepted.result.role_grant_id;
+    };
+    // -- tests ----------------------------------------------------------------
+    describe('role_grant_offer WS notifications (cross-process)', () => {
+        test_if(capabilities.ws, 'an offer create delivers role_grant_offer_received to the recipient WS', async () => {
+            const fixture = await setup_test();
+            // Seed a second admin account — admin so it can open the
+            // ROLE_ADMIN-gated WS (forge); harmless on the auth-only spine.
+            // `create_account` rides the real offer/accept handlers (that
+            // earlier notification lands before the socket opens, so it's not
+            // the one we observe).
+            const recipient = await fixture.create_account({ roles: [ROLE_ADMIN] });
+            const recipient_ws = await open_ws(recipient.create_session_headers().cookie);
+            try {
+                // The keeper (grantor, holds ROLE_ADMIN) offers the recipient a
+                // role over RPC — fresh pending offer, emits the notification
+                // post-commit.
+                const created = await rpc(fixture, 'role_grant_offer_create', { to_account_id: recipient.account.id, role: ROLE_ADMIN }, fixture.create_session_headers());
+                assert.isTrue(created.ok, `offer create failed: ${JSON.stringify(created)}`);
+                const frame = await recipient_ws.wait_for(is_notification_with(ROLE_GRANT_OFFER_RECEIVED_NOTIFICATION_METHOD, (p) => p.offer.to_account_id === recipient.account.id), 5000);
+                // Params strict-parse against the canonical wire schema — guards
+                // the serialization against field/null/datetime drift.
+                const params = RoleGrantOfferReceivedParams.parse(frame.params);
+                assert.strictEqual(params.offer.to_account_id, recipient.account.id);
+                assert.strictEqual(params.offer.role, ROLE_ADMIN);
+            }
+            finally {
+                await recipient_ws.close();
+            }
+        });
+        test_if(capabilities.ws, 'accept delivers role_grant_offer_accepted to the grantor WS', async () => {
+            const fixture = await setup_test();
+            const recipient = await fixture.create_account({ roles: [ROLE_ADMIN] });
+            // Grantor = keeper; open its socket BEFORE the recipient accepts.
+            const grantor = await open_ws(fixture.create_session_headers().cookie);
+            try {
+                const offer = await create_pending_offer(fixture, recipient.account.id);
+                const accepted = await rpc(fixture, 'role_grant_offer_accept', { offer_id: offer.id }, recipient.create_session_headers());
+                assert.isTrue(accepted.ok, `accept failed: ${JSON.stringify(accepted)}`);
+                const frame = await grantor.wait_for(is_notification_with(ROLE_GRANT_OFFER_ACCEPTED_NOTIFICATION_METHOD, (p) => p.offer.id === offer.id), 5000);
+                const params = RoleGrantOfferAcceptedParams.parse(frame.params);
+                assert.strictEqual(params.offer.id, offer.id);
+                assert.isNotNull(params.offer.accepted_at);
+            }
+            finally {
+                await grantor.close();
+            }
+        });
+        test_if(capabilities.ws, 'decline delivers role_grant_offer_declined to the grantor WS', async () => {
+            const fixture = await setup_test();
+            const recipient = await fixture.create_account({ roles: [ROLE_ADMIN] });
+            const grantor = await open_ws(fixture.create_session_headers().cookie);
+            try {
+                const offer = await create_pending_offer(fixture, recipient.account.id);
+                const declined = await rpc(fixture, 'role_grant_offer_decline', { offer_id: offer.id, reason: 'no thanks' }, recipient.create_session_headers());
+                assert.isTrue(declined.ok, `decline failed: ${JSON.stringify(declined)}`);
+                const frame = await grantor.wait_for(is_notification_with(ROLE_GRANT_OFFER_DECLINED_NOTIFICATION_METHOD, (p) => p.offer.id === offer.id), 5000);
+                const params = RoleGrantOfferDeclinedParams.parse(frame.params);
+                assert.strictEqual(params.offer.id, offer.id);
+                // Decline reason rides inside the offer row, not a sibling field.
+                assert.strictEqual(params.offer.decline_reason, 'no thanks');
+            }
+            finally {
+                await grantor.close();
+            }
+        });
+        test_if(capabilities.ws, 'retract delivers role_grant_offer_retracted to the recipient WS', async () => {
+            const fixture = await setup_test();
+            const recipient = await fixture.create_account({ roles: [ROLE_ADMIN] });
+            // Recipient learns their pending offer was pulled — open its socket.
+            const recipient_ws = await open_ws(recipient.create_session_headers().cookie);
+            try {
+                const offer = await create_pending_offer(fixture, recipient.account.id);
+                const retracted = await rpc(fixture, 'role_grant_offer_retract', { offer_id: offer.id }, fixture.create_session_headers());
+                assert.isTrue(retracted.ok, `retract failed: ${JSON.stringify(retracted)}`);
+                const frame = await recipient_ws.wait_for(is_notification_with(ROLE_GRANT_OFFER_RETRACTED_NOTIFICATION_METHOD, (p) => p.offer.id === offer.id), 5000);
+                const params = RoleGrantOfferRetractedParams.parse(frame.params);
+                assert.strictEqual(params.offer.id, offer.id);
+                assert.strictEqual(params.offer.to_account_id, recipient.account.id);
+                assert.isNotNull(params.offer.retracted_at);
+            }
+            finally {
+                await recipient_ws.close();
+            }
+        });
+        test_if(capabilities.ws, 'revoke delivers a flat role_grant_revoke to the revokee WS', async () => {
+            const fixture = await setup_test();
+            const revokee = await fixture.create_account({ roles: [ROLE_ADMIN] });
+            const role_grant_id = await create_active_role_grant(fixture, revokee);
+            const revokee_ws = await open_ws(revokee.create_session_headers().cookie);
+            try {
+                const revoked = await rpc(fixture, 'role_grant_revoke', { actor_id: revokee.actor.id, role_grant_id, reason: 'cleanup' }, fixture.create_session_headers());
+                assert.isTrue(revoked.ok, `revoke failed: ${JSON.stringify(revoked)}`);
+                const frame = await revokee_ws.wait_for(is_notification_with(ROLE_GRANT_REVOKE_NOTIFICATION_METHOD, (p) => p.role_grant_id === role_grant_id), 5000);
+                // Flat params — guards the no-`offer`-wrapper, `revoked_by`-omitted
+                // shape against drift.
+                const params = RoleGrantRevokeParams.parse(frame.params);
+                assert.strictEqual(params.role_grant_id, role_grant_id);
+                assert.strictEqual(params.role, ROLE_ADMIN);
+                assert.strictEqual(params.reason, 'cleanup');
+                assert.notProperty(frame.params, 'revoked_by');
+            }
+            finally {
+                await revokee_ws.close();
+            }
+        });
+        test_if(capabilities.ws, 'accept of a sibling delivers role_grant_offer_supersede to the other grantor WS', async () => {
+            const fixture = await setup_test();
+            // Three identities: keeper (grantor 1, socket), a second admin grantor
+            // (grantor 2), and the recipient.
+            const grantor2 = await fixture.create_account({ roles: [ROLE_ADMIN] });
+            const recipient = await fixture.create_account({ roles: [ROLE_ADMIN] });
+            // Two coexisting pending offers for the same (recipient, role) — keyed
+            // per grantor, so they don't upsert each other.
+            const keeper_offer = await create_pending_offer(fixture, recipient.account.id);
+            const grantor2_offer = await create_pending_offer(fixture, recipient.account.id, grantor2.create_session_headers());
+            // Open grantor 1 (keeper) — its offer is the one that gets superseded
+            // when the recipient accepts grantor 2's offer.
+            const grantor1_ws = await open_ws(fixture.create_session_headers().cookie);
+            try {
+                const accepted = await rpc(fixture, 'role_grant_offer_accept', { offer_id: grantor2_offer.id }, recipient.create_session_headers());
+                assert.isTrue(accepted.ok, `accept failed: ${JSON.stringify(accepted)}`);
+                const frame = await grantor1_ws.wait_for(is_notification_with(ROLE_GRANT_OFFER_SUPERSEDE_NOTIFICATION_METHOD, (p) => p.offer.id === keeper_offer.id), 5000);
+                const params = RoleGrantOfferSupersedeParams.parse(frame.params);
+                assert.strictEqual(params.offer.id, keeper_offer.id);
+                assert.strictEqual(params.reason, 'sibling_accepted');
+                // cause_id points at the accepted sibling (grantor 2's offer).
+                assert.strictEqual(params.cause_id, grantor2_offer.id);
+                assert.isNotNull(params.offer.superseded_at);
+            }
+            finally {
+                await grantor1_ws.close();
+            }
+        });
+        test_if(capabilities.ws, 'revoke supersedes a pending sibling offer and notifies its grantor WS', async () => {
+            const fixture = await setup_test();
+            const grantor = await fixture.create_account({ roles: [ROLE_ADMIN] });
+            const revokee = await fixture.create_account({ roles: [ROLE_ADMIN] });
+            const role_grant_id = await create_active_role_grant(fixture, revokee);
+            // A *pending* sibling offer for the same (account, role) — this is what
+            // the revoke cascade supersedes.
+            const sibling_offer = await create_pending_offer(fixture, revokee.account.id, grantor.create_session_headers());
+            // Watch the sibling grantor's socket for the supersede push.
+            const grantor_ws = await open_ws(grantor.create_session_headers().cookie);
+            try {
+                const revoked = await rpc(fixture, 'role_grant_revoke', { actor_id: revokee.actor.id, role_grant_id }, fixture.create_session_headers());
+                assert.isTrue(revoked.ok, `revoke failed: ${JSON.stringify(revoked)}`);
+                const frame = await grantor_ws.wait_for(is_notification_with(ROLE_GRANT_OFFER_SUPERSEDE_NOTIFICATION_METHOD, (p) => p.offer.id === sibling_offer.id), 5000);
+                const params = RoleGrantOfferSupersedeParams.parse(frame.params);
+                assert.strictEqual(params.offer.id, sibling_offer.id);
+                assert.strictEqual(params.reason, 'role_grant_revoked');
+                // cause_id points at the revoked role_grant.
+                assert.strictEqual(params.cause_id, role_grant_id);
+                assert.isNotNull(params.offer.superseded_at);
+            }
+            finally {
+                await grantor_ws.close();
+            }
+        });
+    });
+};

package/dist/testing/integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAM9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAiB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAC,KAAK,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxD;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;;;;OASG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,kEAAkE;IAClE,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;OAIG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IA60CF,CAAC"}
+{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAM9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAkB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAC,KAAK,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxD;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;;;;OASG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,kEAAkE;IAClE,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;OAIG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IAw6CF,CAAC"}

package/dist/testing/integration.js

@@ -23,6 +23,7 @@ import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERRO
 import { is_public_auth } from '../http/auth_shape.js';
 import { account_verify_action_spec, account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 import { invite_create_action_spec } from '../auth/admin_action_specs.js';
+import { LoginOutput, AccountStatusOutput } from '../auth/account_routes.js';
 import {} from './cross_backend/capabilities.js';
 import { DEFAULT_TEST_PASSWORD } from './app_server.js';
 /**
@@ -91,6 +92,14 @@ export const describe_standard_integration_tests = (options) => {
             });
             assert_error_coverage(error_collector, auth_routes.length > 0 ? auth_routes : route_specs, {
                 min_coverage: options.error_coverage_min ?? DEFAULT_INTEGRATION_ERROR_COVERAGE,
+                // Authorization denials (403) on these scoped auth routes — the
+                // credential-channel gate on /logout + /password, the invite gate on
+                // /signup — are exercised by the conformance + attack-surface suites,
+                // not this lifecycle suite. Drop 403 from this collector's denominator
+                // (same spirit as the [401, 403, 429] ignore in the attack-surface
+                // tightness defaults); otherwise #10 adding /logout's 403 to the spine
+                // surface tips the ratio under threshold here though the gate is tested.
+                ignore_statuses: [403],
             });
         });
         // --- 1. Login/logout lifecycle ---
@@ -269,6 +278,75 @@ export const describe_standard_integration_tests = (options) => {
                 assert.deepStrictEqual(wrong_pw_keys, no_user_keys, 'Response keys must be identical to prevent account enumeration');
                 assert.strictEqual(wrong_pw_body.error, no_user_body.error, 'Error codes must be identical');
             });
+            // Wire-shape gate: the successful `POST /login` body must strict-parse
+            // against `LoginOutput` (`{ok: true}`). `.strictObject` rejects any
+            // extra field, so a backend leaking `username` / `account_id` (the
+            // Rust spine's old shape) fails here on either impl.
+            test('successful login body strict-parses against LoginOutput', async () => {
+                const fixture = await options.setup_test();
+                const login_route = find_auth_route(route_specs, '/login', 'POST');
+                assert.ok(login_route, 'Expected POST /login route — ensure create_route_specs includes account routes');
+                const res = await fixture.transport(login_route.path, {
+                    method: 'POST',
+                    headers: {
+                        host: 'localhost',
+                        origin: 'http://localhost:5173',
+                        'content-type': 'application/json',
+                    },
+                    body: JSON.stringify({
+                        username: fixture.account.username,
+                        password: DEFAULT_TEST_PASSWORD,
+                    }),
+                });
+                assert.strictEqual(res.status, 200);
+                const body = await res.json();
+                // Throws on any extra or missing field — drift on either backend fails.
+                LoginOutput.parse(body);
+            });
+        });
+        // --- 1b. Account status body (strict schema) ---
+        describe('account status response body', () => {
+            // Wire-shape gate: the authenticated `GET /api/account/status` body
+            // must strict-parse against `AccountStatusOutput` — the full shape
+            // `{account: SessionAccountJson, actor: ActorSummaryJson | null,
+            // role_grants: RoleGrantSummaryJson[]}`. `.strictObject` rejects any
+            // extra or missing field on `account` / `actor` / each role_grant, so
+            // a backend returning the old narrow shape (Rust's `{account:{id,
+            // username}, role_grants:[{role}]}`) fails here on either impl. The
+            // fixture keeper is single-actor, so `actor` must be non-null and
+            // `role_grants` populated (keeper holds keeper + admin globally).
+            //
+            // `/status` is mounted at `create_app_server` time (it needs the
+            // `bootstrap_available` runtime state), not by `create_account_route_specs`
+            // and not listed in the declared surface, so we can't gate on `route_specs`.
+            // A backend that mounts only the account-route factory (e.g. a minimal
+            // in-process route set) doesn't serve it — probe at runtime and skip on
+            // 404. The full spine surfaces (in-process + cross-process) serve it, so
+            // the gate runs there. `find_auth_route` can't be used: `/status` isn't a
+            // `RestAuthRouteSuffix`.
+            test('authenticated status body strict-parses against AccountStatusOutput', async (ctx) => {
+                const fixture = await options.setup_test();
+                const login_route = find_auth_route(route_specs, '/login', 'POST');
+                assert.ok(login_route, 'Expected POST /login route — ensure create_route_specs includes account routes');
+                // `/status` is the sibling of `/login` under the same account prefix.
+                const status_path = login_route.path.replace(/\/login$/, '/status');
+                const res = await fixture.transport(status_path, {
+                    method: 'GET',
+                    headers: fixture.create_session_headers({ host: 'localhost' }),
+                });
+                if (res.status === 404) {
+                    // Backend doesn't mount /status (minimal route set) — nothing to gate.
+                    ctx.skip();
+                    return;
+                }
+                assert.strictEqual(res.status, 200);
+                const body = await res.json();
+                // Throws on any extra/missing field across account/actor/role_grants.
+                const parsed = AccountStatusOutput.parse(body);
+                // Single-actor keeper: actor resolved, role_grants populated.
+                assert.ok(parsed.actor, 'single-actor keeper must resolve a non-null actor');
+                assert.ok(parsed.role_grants.length > 0, 'single-actor keeper must have populated role_grants');
+            });
         });
         // --- 2. Cookie attributes ---
         describe('cookie attributes', () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.75.0",
+  "version": "0.77.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",
@@ -63,10 +63,10 @@
   },
   "devDependencies": {
     "@electric-sql/pglite": "^0.4.5",
-    "@fuzdev/blake3_wasm": "^0.1.0",
+    "@fuzdev/blake3_wasm": "^0.1.1",
     "@fuzdev/fuz_code": "^0.45.1",
-    "@fuzdev/fuz_css": "^0.60.0",
-    "@fuzdev/fuz_ui": "^0.195.1",
+    "@fuzdev/fuz_css": "^0.61.1",
+    "@fuzdev/fuz_ui": "^0.197.0",
     "@fuzdev/fuz_util": "^0.63.0",
     "@fuzdev/gro": "^0.200.0",
     "@hono/node-server": "^1.19.14",
@@ -94,7 +94,7 @@
     "prettier-plugin-svelte": "^3.5.1",
     "svelte": "^5.56.0",
     "svelte-check": "^4.4.5",
-    "svelte-docinfo": "^0.2.0",
+    "svelte-docinfo": "^0.2.1",
     "svelte2tsx": "^0.7.52",
     "tslib": "^2.8.1",
     "typescript": "^5.9.3",