@fuzdev/fuz_app 0.78.0 → 0.79.0

package/dist/testing/CLAUDE.md

@@ -851,7 +851,7 @@ source of truth for wire-shape conformance.
 
 - `testing/cross_backend/capabilities.ts` — `BackendCapabilities` vocabulary
   (`bearer_auth` / `trusted_proxy` / `login_rate_limit` / `ws` / `sse` /
-  `cell_crud` / `cell_relations` / `account_lifecycle`),
+  `cell_crud` / `cell_relations` / `account_lifecycle` / `fact_serving`),
   `test_if(cond, name, fn)`
   for capability-gated cases, and `in_process_capabilities` preset. `cell_crud`
   gates the CRUD parity suite, `cell_relations` the relation / ACL / audit
@@ -860,7 +860,11 @@ source of truth for wire-shape conformance.
   plain CRUD would declare `cell_crud: true, cell_relations: false`.
   `account_lifecycle` gates `describe_account_lifecycle_cross_tests` (the
   `account_delete` / `account_undelete` / `account_purge` parity suite) — also
-  off the declared surface like cells, `true` on every spine.
+  off the declared surface like cells, `true` on every spine. `fact_serving`
+  gates `describe_fact_serving_cross_tests` (the cell-scoped per-reference +
+  admin-only bare-hash fact-serving parity suite); like cells it stays off the
+  declared surface and is `true` on every spine that mounts the serve routes +
+  the `_testing_put_fact` seeder.
 
 ### `cross_backend/standard.ts` — `describe_standard_cross_process_tests`
 

package/dist/testing/audit_completeness.js

@@ -13,7 +13,7 @@ import './assert_dev_env.js';
  * a secondary failure. `describe_rpc_round_trip_tests` covers that RPC
  * directly, so primary breakages localize there first. For *unit-level*
  * "did the handler emit?" assertions without the persistence path, use
- * `create_recording_audit_emitter` from `audit_drift_guard.ts` — that
+ * `create_recording_audit_emitter` from `testing/audit_drift_guard.ts` — that
  * captures emits before they hit DB or transport.
  *
  * Bootstrap is excluded because it requires filesystem token state that

package/dist/testing/audit_drift_guard.d.ts

@@ -25,7 +25,7 @@ export declare const install_audit_drift_guard: () => void;
 /**
  * Marker pushed into a shared sequence array by an emit-recording
  * `audit_factory`. Pair with `RecordedClose` from
- * `connection_closer_helpers.ts` to test close-vs-emit ordering at
+ * `testing/connection_closer_helpers.ts` to test close-vs-emit ordering at
  * handler call sites — see `create_emit_ordering_audit_factory` below.
  */
 export interface AuditEmitMarker {

package/dist/testing/cross_backend/backend_config.d.ts

@@ -105,7 +105,7 @@ export interface BackendConfig {
     readonly bootstrap: BackendBootstrapConfig;
     /**
      * Capabilities this backend supports — drives `test_if(capabilities.X, ...)`
-     * gating in suite bodies. See `capabilities.ts` for the vocabulary and
+     * gating in suite bodies. See `testing/cross_backend/capabilities.ts` for the vocabulary and
      * existing flags.
      */
     readonly capabilities: BackendCapabilities;

package/dist/testing/cross_backend/bench/run_cross_impl_bench.d.ts

@@ -11,7 +11,7 @@ import type { BenchScenario } from './scenario.js';
  * fuz_util's benchmark library is the engine — `Benchmark` runs each scenario
  * as a task and `BenchmarkResult.stats` carries the percentiles; this module
  * is the thin scenario→task→tagged-result adapter. Reporting (markdown,
- * TS-vs-Rust verdict, JSON artifact) lives in `bench_report.ts`.
+ * TS-vs-Rust verdict, JSON artifact) lives in `testing/cross_backend/bench/bench_report.ts`.
  *
  * @module
  */

package/dist/testing/cross_backend/capabilities.d.ts

@@ -66,6 +66,16 @@ export interface BackendCapabilities {
      * this flag opts a backend into the lifecycle parity coverage.
      */
     readonly account_lifecycle: boolean;
+    /**
+     * The cell-gated fact-serving routes (`GET /api/cells/:cell_id/facts/:hash`
+     * + the admin-only `GET /api/facts/:hash`) are live-mounted on the backend,
+     * its DB carries the `fuz_facts` migration namespace, and it registers the
+     * `_testing_put_fact` seeder. Gates `describe_fact_serving_cross_tests` —
+     * the per-reference read model (cell-scoped admit via a viewable cell,
+     * cross-owner-dedup-no-leak, 404-mask, bare-hash admin-only). Like cells,
+     * the serve routes stay off the standard declared surface.
+     */
+    readonly fact_serving: boolean;
 }
 /**
  * Capability declarations for the in-process Hono transport. Every flag

package/dist/testing/cross_backend/capabilities.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;CACpC;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBASpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC;;;;;;;;OAQG;IACH,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;CAC/B;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAUpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}

package/dist/testing/cross_backend/capabilities.js

@@ -29,6 +29,7 @@ export const in_process_capabilities = Object.freeze({
     cell_crud: true,
     cell_relations: true,
     account_lifecycle: true,
+    fact_serving: true,
 });
 /**
  * Conditional `test()` wrapper — registers a vitest case only when

package/dist/testing/cross_backend/cell_cross_helpers.d.ts

@@ -24,7 +24,7 @@ export interface RpcResult {
 }
 /**
  * POST a JSON-RPC call over a cross-process `FetchTransport` with the given
- * auth headers. Distinct from `rpc_helpers.ts`'s `app`-based `rpc_call`: this
+ * auth headers. Distinct from `testing/rpc_helpers.ts`'s `app`-based `rpc_call`: this
  * variant drives the cookie-jar `FetchTransport` the cross-backend harness
  * spawns against, and returns the slim `RpcResult` the cell suites read.
  */

package/dist/testing/cross_backend/cell_cross_helpers.js

@@ -1,7 +1,7 @@
 import '../assert_dev_env.js';
 /**
  * Shared call-site primitives for the cell cross-backend parity suites
- * (`cell_crud.ts` + `cell_relations.ts`).
+ * (`testing/cross_backend/cell_crud.ts` + `testing/cross_backend/cell_relations.ts`).
  *
  * The cell verbs are stateful and authz-shaped, so both suites POST raw
  * JSON-RPC envelopes (threading ids + auth headers across calls) and parse
@@ -18,7 +18,7 @@ import { assert } from 'vitest';
 import { create_rpc_post_init } from '../rpc_helpers.js';
 /**
  * POST a JSON-RPC call over a cross-process `FetchTransport` with the given
- * auth headers. Distinct from `rpc_helpers.ts`'s `app`-based `rpc_call`: this
+ * auth headers. Distinct from `testing/rpc_helpers.ts`'s `app`-based `rpc_call`: this
  * variant drives the cookie-jar `FetchTransport` the cross-backend harness
  * spawns against, and returns the slim `RpcResult` the cell suites read.
  */

package/dist/testing/cross_backend/default_backend_configs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default_backend_configs.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_backend_configs.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAC,sBAAsB,EAAE,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAC/E,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAA2B,KAAK,gBAAgB,EAAC,MAAM,+BAA+B,CAAC;AAQ9F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBASpC,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,EAAE,mBAStC,CAAC;AAeH,MAAM,WAAW,iCAAiC;IACjD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,oDAAoD;IACpD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,iCAAiC,KACrC,aAoCF,CAAC;AAEF,MAAM,WAAW,mCAAmC;IACnD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C;;;;OAIG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,+CAA+C;IAC/C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,mCAAmC,KACvC,aA4CF,CAAC"}
+{"version":3,"file":"default_backend_configs.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_backend_configs.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAC,sBAAsB,EAAE,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAC/E,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAA2B,KAAK,gBAAgB,EAAC,MAAM,+BAA+B,CAAC;AAQ9F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAUpC,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,EAAE,mBAUtC,CAAC;AAeH,MAAM,WAAW,iCAAiC;IACjD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,oDAAoD;IACpD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,iCAAiC,KACrC,aAoCF,CAAC;AAEF,MAAM,WAAW,mCAAmC;IACnD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C;;;;OAIG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,+CAA+C;IAC/C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,mCAAmC,KACvC,aA4CF,CAAC"}

package/dist/testing/cross_backend/default_backend_configs.js

@@ -16,6 +16,7 @@ export const ts_default_capabilities = Object.freeze({
     cell_crud: true,
     cell_relations: true,
     account_lifecycle: true,
+    fact_serving: true,
 });
 /**
  * Capabilities for the Rust family. Adds `trusted_proxy: true` (the
@@ -32,6 +33,7 @@ export const rust_default_capabilities = Object.freeze({
     cell_crud: true,
     cell_relations: true,
     account_lifecycle: true,
+    fact_serving: true,
 });
 /** Bootstrap block built from the default secrets + supplied paths. */
 const build_default_bootstrap = (paths, overrides) => ({

package/dist/testing/cross_backend/default_secrets.d.ts

@@ -10,7 +10,7 @@ import '../assert_dev_env.js';
  * production load.
  *
  * Each constant is exported individually so consumers can override one
- * without re-deriving the rest. Builders in `default_backend_configs.ts`
+ * without re-deriving the rest. Builders in `testing/cross_backend/default_backend_configs.ts`
  * thread these defaults into the `BackendConfig.bootstrap` block and the
  * `SECRET_FUZ_COOKIE_KEYS` env entry; callers compose the
  * `bootstrap_overrides` knob when they need a non-default keeper.

package/dist/testing/cross_backend/default_secrets.js

@@ -10,7 +10,7 @@ import '../assert_dev_env.js';
  * production load.
  *
  * Each constant is exported individually so consumers can override one
- * without re-deriving the rest. Builders in `default_backend_configs.ts`
+ * without re-deriving the rest. Builders in `testing/cross_backend/default_backend_configs.ts`
  * thread these defaults into the `BackendConfig.bootstrap` block and the
  * `SECRET_FUZ_COOKIE_KEYS` env entry; callers compose the
  * `bootstrap_overrides` knob when they need a non-default keeper.

package/dist/testing/cross_backend/default_spine_surface.d.ts

@@ -63,7 +63,7 @@ export interface SpineRpcEndpointsOptions {
  * closures are never called across the process boundary.
  *
  * Test binaries append their own `_testing_reset` action to this endpoint's
- * `actions` (see `testing_reset_actions.ts`); it is intentionally excluded
+ * `actions` (see `testing/cross_backend/testing_reset_actions.ts`); it is intentionally excluded
  * here so it stays off the declared surface (the harness calls it directly
  * over the daemon-token channel).
  *

package/dist/testing/cross_backend/default_spine_surface.js

@@ -71,7 +71,7 @@ export const SPINE_SSE_PATH = '/api/admin/audit/stream';
  * closures are never called across the process boundary.
  *
  * Test binaries append their own `_testing_reset` action to this endpoint's
- * `actions` (see `testing_reset_actions.ts`); it is intentionally excluded
+ * `actions` (see `testing/cross_backend/testing_reset_actions.ts`); it is intentionally excluded
  * here so it stays off the declared surface (the harness calls it directly
  * over the daemon-token channel).
  *

package/dist/testing/cross_backend/fact_serving.d.ts

@@ -0,0 +1,14 @@
+import '../assert_dev_env.js';
+import { type CellCrossTestOptions } from './cell_cross_helpers.js';
+import type { SetupTest } from './setup.js';
+/**
+ * The fact suite adds one optional knob to the shared cell options: a setup
+ * variant whose keeper carries a **second actor**. Only the multi-actor case
+ * needs it; the rest of the suite runs single-actor, so wiring it is opt-in.
+ * Omit it and the multi-actor case silently skips.
+ */
+export interface FactServingCrossTestOptions extends CellCrossTestOptions {
+    readonly setup_test_multi_actor?: SetupTest;
+}
+export declare const describe_fact_serving_cross_tests: (options: FactServingCrossTestOptions) => void;
+//# sourceMappingURL=fact_serving.d.ts.map

package/dist/testing/cross_backend/fact_serving.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fact_serving.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/fact_serving.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA+C9B,OAAO,EAAgC,KAAK,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAEjG,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AAE1C;;;;;GAKG;AACH,MAAM,WAAW,2BAA4B,SAAQ,oBAAoB;IACxE,QAAQ,CAAC,sBAAsB,CAAC,EAAE,SAAS,CAAC;CAC5C;AA8BD,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IA4OxF,CAAC"}

package/dist/testing/cross_backend/fact_serving.js

@@ -0,0 +1,201 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend fact-serving parity suite — the per-reference (cell-scoped)
+ * read model over real HTTP.
+ *
+ * Re-proves the D1 fact-access cases (`docs/security.md` § Fact Access Control)
+ * against each backend's real auth resolution, twinning fuz_app's
+ * `server/serve_fact_route.ts` and the Rust `fuz_fact_serving` routers:
+ *
+ * - **cell-scoped admit** — anon reads a fact through a viewable (public)
+ *   referencing cell → 200 + bytes;
+ * - **cross-owner dedup does not leak** — A's *private* reference to bytes that
+ *   B *also* publishes from a *public* cell stays 404 for everyone but A, even
+ *   though the identical bytes are world-readable via B's cell (one deduped
+ *   `fact` row; authz lives on the `(cell, hash)` edge, never unioned);
+ * - **404-mask** — a missing cell and a viewable cell that doesn't reference
+ *   the hash both 404 (never 403, never "exists elsewhere");
+ * - **bare-hash admin-only** — `GET /api/facts/:hash` is admin (keeper) only:
+ *   non-admin → 403, anonymous → 401;
+ * - **multi-actor fallthrough** — a multi-actor caller resolves to a null
+ *   (anonymous) context, so it can't read its own *private* fact via the
+ *   cell-scoped route (admitted only by public cells). Opt-in (needs the
+ *   multi-actor setup); a deliberate **tripwire** that fails on backends whose
+ *   credential resolution is single-actor-per-account and greens once a backend
+ *   gains multi-actor support.
+ *
+ * Facts are seeded **embedded** via `_testing_put_fact` (the cross-process
+ * driver has no DB handle); the referencing cell via the `cell_create` RPC
+ * (`extract_refs` lifts the `blake3:` hash in `data` into `cell.refs`). Gated
+ * on `capabilities.fact_serving`; runs under every `cross_backend_*` project —
+ * the TS spine binary and the Rust `testing_spine_stub` both mount the serve
+ * routes + the seeder.
+ *
+ * `$lib`-free by contract (relative specifiers only) so it imports from the
+ * spawnable cross-process test files.
+ *
+ * @module
+ */
+import { describe, assert } from 'vitest';
+import { z } from 'zod';
+import { FactHashSchema } from '@fuzdev/fuz_util/fact_hash.js';
+import { CellCreateOutput } from '../../auth/cell_action_specs.js';
+import { test_if } from './capabilities.js';
+import { cross_rpc_call, expect_output } from './cell_cross_helpers.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** A blake3 hash that is a valid form but references no seeded fact. */
+const UNRELATED_HASH = `blake3:${'0'.repeat(64)}`;
+/** Nil UUID — a valid `Uuid` param that resolves to no cell. */
+const NIL_UUID = '00000000-0000-0000-0000-000000000000';
+/**
+ * `_testing_put_fact`'s output envelope. Parsing the seeder's `result` against
+ * it extends the cell suite's wire-shape parity gate (every RPC `result` is
+ * schema-checked) to the one fact-suite RPC that previously cast its output —
+ * a TS↔Rust drift in the seeder's envelope (extra field, non-`blake3:` hash)
+ * fails here rather than silently downstream.
+ */
+const TestingPutFactOutput = z.strictObject({ hash: FactHashSchema });
+/** GET a fact over a cross-process `FetchTransport`; returns `{status, content_type, text}`. */
+const fact_get = async (transport, path, headers) => {
+    const res = await transport(path, { method: 'GET', headers });
+    return {
+        status: res.status,
+        content_type: res.headers.get('content-type'),
+        text: await res.text(),
+    };
+};
+export const describe_fact_serving_cross_tests = (options) => {
+    const { setup_test, setup_test_multi_actor, capabilities } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    /** Seed an embedded fact over the daemon channel; returns its `blake3:` hash. */
+    const put_fact = async (fixture, content, content_type) => expect_output(await cross_rpc_call(fixture.transport, rpc_path, '_testing_put_fact', content_type === undefined ? { content } : { content, content_type }, fixture.create_daemon_token_headers()), TestingPutFactOutput).hash;
+    /**
+     * Create a cell referencing `hash` (`extract_refs` lifts it into `cell.refs`).
+     * Pass `acting` when the caller's account holds more than one actor —
+     * `cell_create` is `actor: 'required'`, so a multi-actor account must
+     * disambiguate or the authorization phase rejects with `actor_required`.
+     */
+    const create_cell_with_ref = async (transport, headers, hash, visibility, acting) => expect_output(await cross_rpc_call(transport, rpc_path, 'cell_create', acting === undefined
+        ? { data: { kind: 'doc', cover: hash }, visibility }
+        : { data: { kind: 'doc', cover: hash }, visibility, acting }, headers), CellCreateOutput).cell.id;
+    const cell_fact_path = (cell_id, hash) => `/api/cells/${cell_id}/facts/${hash}`;
+    describe('fact serving parity (cell-scoped per-reference reads)', () => {
+        test_if(capabilities.fact_serving, 'cell-scoped admit: anon reads a fact through a public referencing cell', async () => {
+            const fixture = await setup_test();
+            const hash = await put_fact(fixture, 'public-fact-bytes', 'text/plain');
+            const cell_id = await create_cell_with_ref(fixture.transport, fixture.create_session_headers(), hash, 'public');
+            const anon = fixture.fresh_transport({ origin: null });
+            const got = await fact_get(anon, cell_fact_path(cell_id, hash), {});
+            assert.strictEqual(got.status, 200, `expected 200, body: ${got.text}`);
+            assert.strictEqual(got.text, 'public-fact-bytes');
+            // The served `Content-Type` echoes the seeded value on both backends.
+            assert.strictEqual(got.content_type, 'text/plain', 'served content-type drifted');
+        });
+        test_if(capabilities.fact_serving, 'cross-owner dedup does not leak: A’s private reference stays 404 while B publishes the same bytes', async () => {
+            const fixture = await setup_test();
+            const a = await fixture.create_account({ username: 'fact_owner_a' });
+            const b = await fixture.create_account({ username: 'fact_owner_b' });
+            // One fact, identical bytes from both owners — deduped to a single row.
+            const hash = await put_fact(fixture, 'shared-deduped-bytes');
+            const t = fixture.fresh_transport();
+            const a_cell = await create_cell_with_ref(t, a.create_session_headers(), hash, 'private');
+            const b_cell = await create_cell_with_ref(t, b.create_session_headers(), hash, 'public');
+            // B published it from a public cell → readable via B's cell (anon OK).
+            const anon = fixture.fresh_transport({ origin: null });
+            const via_b = await fact_get(anon, cell_fact_path(b_cell, hash), {});
+            assert.strictEqual(via_b.status, 200, `B's public cell should serve the fact: ${via_b.text}`);
+            // Seeded without a content_type → both backends fall back to octet-stream.
+            assert.strictEqual(via_b.content_type, 'application/octet-stream', 'no-content-type fact should serve as octet-stream');
+            // A's PRIVATE reference must NOT leak — to anon or to B — even though
+            // the identical bytes are world-readable via B's public cell.
+            const a_via_anon = await fact_get(anon, cell_fact_path(a_cell, hash), {});
+            assert.strictEqual(a_via_anon.status, 404, "A's private reference leaked to anon");
+            const a_via_b = await fact_get(t, cell_fact_path(a_cell, hash), b.create_session_headers());
+            assert.strictEqual(a_via_b.status, 404, "A's private reference leaked to B");
+            // A can read its own private cell's fact.
+            const a_via_a = await fact_get(t, cell_fact_path(a_cell, hash), a.create_session_headers());
+            assert.strictEqual(a_via_a.status, 200, 'A could not read its own private fact');
+        });
+        test_if(capabilities.fact_serving, '404-mask: missing cell, missing edge, and edge-without-bytes all 404 alike', async () => {
+            const fixture = await setup_test();
+            const hash = await put_fact(fixture, '404-mask-bytes');
+            const t = fixture.fresh_transport();
+            const admin_headers = fixture.create_session_headers();
+            // Missing cell → 404.
+            const missing = await fact_get(t, cell_fact_path(NIL_UUID, hash), admin_headers);
+            assert.strictEqual(missing.status, 404, 'missing cell did not 404');
+            // A viewable (keeper-owned, public) cell that references a DIFFERENT
+            // hash → 404 (missing cell→fact edge), even though the caller can view
+            // the cell. `path` is admin-only and the keeper is admin.
+            const unrelated_cell = await create_cell_with_ref(t, admin_headers, UNRELATED_HASH, 'public');
+            const no_edge = await fact_get(t, cell_fact_path(unrelated_cell, hash), admin_headers);
+            assert.strictEqual(no_edge.status, 404, 'cell without the edge did not 404');
+            // Edge present but no `fact` row: the same cell DOES reference
+            // `UNRELATED_HASH`, which was never seeded. Cell + edge + view all
+            // pass, so this exercises the distinct serve-time "metadata missing"
+            // 404 branch — masked identically to the authz 404s above.
+            const edge_no_bytes = await fact_get(t, cell_fact_path(unrelated_cell, UNRELATED_HASH), admin_headers);
+            assert.strictEqual(edge_no_bytes.status, 404, 'edge to an absent fact did not 404');
+        });
+        test_if(capabilities.fact_serving, 'bare-hash route is admin-only', async () => {
+            const fixture = await setup_test();
+            const non_admin = await fixture.create_account({ username: 'fact_non_admin' });
+            const hash = await put_fact(fixture, 'bare-hash-bytes');
+            const t = fixture.fresh_transport();
+            // keeper holds ROLE_ADMIN → 200 + the actual bytes.
+            const as_admin = await fact_get(t, `/api/facts/${hash}`, fixture.create_session_headers());
+            assert.strictEqual(as_admin.status, 200, `admin bare-hash read failed: ${as_admin.text}`);
+            assert.strictEqual(as_admin.text, 'bare-hash-bytes', 'bare-hash route served wrong bytes');
+            // non-admin → 403.
+            const as_non_admin = await fact_get(t, `/api/facts/${hash}`, non_admin.create_session_headers());
+            assert.strictEqual(as_non_admin.status, 403, 'non-admin reached the bare-hash route');
+            // anonymous → 401.
+            const anon = fixture.fresh_transport({ origin: null });
+            const as_anon = await fact_get(anon, `/api/facts/${hash}`, {});
+            assert.strictEqual(as_anon.status, 401, 'anon reached the bare-hash route');
+        });
+        // The cell-scoped route is pure-public — no `acting?` slot — so the handler
+        // can't disambiguate a multi-actor account and resolves it to a null
+        // (anonymous) context. This pins that fallthrough: a multi-actor caller is
+        // admitted ONLY by public cells, never via owner / grant / admin — so it
+        // can't read its own PRIVATE fact through this route. (Contrast the
+        // single-actor owner in the cross-owner case above, who reads its own
+        // private fact → 200.) Gated on the opt-in multi-actor setup.
+        test_if(capabilities.fact_serving && setup_test_multi_actor !== undefined, 'multi-actor caller is treated as anonymous (public-only) on the cell-scoped route', async () => {
+            const fixture = await setup_test_multi_actor();
+            assert.ok(fixture.extra_actors.length >= 1, 'multi-actor setup seeded no second actor');
+            const t = fixture.fresh_transport();
+            const keeper = fixture.create_session_headers();
+            const acting = fixture.actor.id; // the keeper's bootstrap actor
+            // Seeding a multi-actor account over the wire (daemon-token put + the
+            // actor-required cell creates) is the part that can't run on a backend
+            // whose credential resolution is single-actor-per-account. Surface that
+            // as a labeled tripwire so the red reads as "multi-actor unsupported on
+            // this backend", not a daemon-auth regression — it greens here once the
+            // backend gains multi-actor support. The behavior assertions below stay
+            // OUTSIDE the catch so a real fallthrough regression surfaces as itself.
+            let hash;
+            let private_cell;
+            let public_cell;
+            try {
+                hash = await put_fact(fixture, 'multi-actor-bytes');
+                private_cell = await create_cell_with_ref(t, keeper, hash, 'private', acting);
+                public_cell = await create_cell_with_ref(t, keeper, hash, 'public', acting);
+            }
+            catch (cause) {
+                throw new Error('this backend cannot drive a multi-actor account — its credential ' +
+                    'resolution is single-actor-per-account, so the cell-scoped multi-actor ' +
+                    'fallthrough is unverified here until the backend gains multi-actor support', { cause });
+            }
+            // Owns a PRIVATE cell, yet reading its own fact back resolves to a null
+            // (anonymous) context → 404. The owner path never runs.
+            const own_private = await fact_get(t, cell_fact_path(private_cell, hash), keeper);
+            assert.strictEqual(own_private.status, 404, "multi-actor owner's private read was admitted");
+            // A PUBLIC cell still admits the anonymous-treated caller → 200, proving
+            // the 404 above is the multi-actor fallthrough, not a blanket block.
+            const via_public = await fact_get(t, cell_fact_path(public_cell, hash), keeper);
+            assert.strictEqual(via_public.status, 200, 'multi-actor caller blocked from a public cell');
+            assert.strictEqual(via_public.text, 'multi-actor-bytes');
+        });
+    });
+};

package/dist/testing/cross_backend/setup.d.ts

@@ -24,7 +24,7 @@ export interface CreateTestAccountOptions {
 }
 /**
  * Shape returned by `TestFixture.create_account`. Aliased to the
- * existing `TestAccount` interface from `app_server.ts` — same shape,
+ * existing `TestAccount` interface from `testing/app_server.ts` — same shape,
  * stable name on the cross-backend testing surface so call sites read
  * `fixture.create_account(...)` returning `TestAccountFixture` without
  * crossing module boundaries.
@@ -225,7 +225,7 @@ export interface InProcessSetupOptions extends CreateTestAppOptions {
  *
  * The describe-level `auth_integration_truncate_tables` / pglite WASM
  * cache lifecycle stays in `create_pglite_factory` / `create_describe_db`
- * (`testing/db.js`) — `default_in_process_setup` doesn't manage db state
+ * (`testing/db.ts`) — `default_in_process_setup` doesn't manage db state
  * beyond what `create_test_app` already does.
  */
 export declare const default_in_process_setup: (options: InProcessSetupOptions) => SetupTest;
@@ -355,7 +355,7 @@ export interface CrossProcessSetupOptions {
  * Capture a backend's schema snapshot over the `_testing_schema_snapshot`
  * RPC action (keeper daemon-token channel). The canonical way for a
  * cross-impl parity gate to read each backend's live schema — pair two
- * calls with `assert_schema_snapshots_equal` (`testing/schema_parity.js`).
+ * calls with `assert_schema_snapshots_equal` (`testing/schema_parity.ts`).
  *
  * `exclude_tables` drops documented divergences from both sides before
  * comparison (e.g. a cell-primary Rust backend lacks tables the TS schema

package/dist/testing/cross_backend/setup.js

@@ -82,7 +82,7 @@ const in_process_fetch_transport = (app) => {
  *
  * The describe-level `auth_integration_truncate_tables` / pglite WASM
  * cache lifecycle stays in `create_pglite_factory` / `create_describe_db`
- * (`testing/db.js`) — `default_in_process_setup` doesn't manage db state
+ * (`testing/db.ts`) — `default_in_process_setup` doesn't manage db state
  * beyond what `create_test_app` already does.
  */
 export const default_in_process_setup = (options) => async () => {
@@ -248,7 +248,7 @@ const rpc_via_transport = async (transport, rpc_path, method, params, backend_na
  * Capture a backend's schema snapshot over the `_testing_schema_snapshot`
  * RPC action (keeper daemon-token channel). The canonical way for a
  * cross-impl parity gate to read each backend's live schema — pair two
- * calls with `assert_schema_snapshots_equal` (`testing/schema_parity.js`).
+ * calls with `assert_schema_snapshots_equal` (`testing/schema_parity.ts`).
  *
  * `exclude_tables` drops documented divergences from both sides before
  * comparison (e.g. a cell-primary Rust backend lacks tables the TS schema

package/dist/testing/cross_backend/spawn_backend.d.ts

@@ -19,7 +19,7 @@ import '../assert_dev_env.js';
  *    `_testing_reset` and other keeper-credential calls can authenticate.
  *
  * Bootstrapping (`POST /api/account/bootstrap`) is a separate concern —
- * the caller composes `bootstrap()` from `../transports/bootstrap.ts`
+ * the caller composes `bootstrap()` from `testing/transports/bootstrap.ts`
  * against a `FetchTransport` built around `handle.config.base_url`.
  * Splitting the two keeps `spawn_backend` consumer-agnostic — fuz_app
  * knows nothing about specific binary contents.

package/dist/testing/cross_backend/spawn_backend.js

@@ -19,7 +19,7 @@ import '../assert_dev_env.js';
  *    `_testing_reset` and other keeper-credential calls can authenticate.
  *
  * Bootstrapping (`POST /api/account/bootstrap`) is a separate concern —
- * the caller composes `bootstrap()` from `../transports/bootstrap.ts`
+ * the caller composes `bootstrap()` from `testing/transports/bootstrap.ts`
  * against a `FetchTransport` built around `handle.config.base_url`.
  * Splitting the two keeps `spawn_backend` consumer-agnostic — fuz_app
  * knows nothing about specific binary contents.

package/dist/testing/cross_backend/testing_reset_actions.d.ts

@@ -228,6 +228,40 @@ export declare const testing_mint_session_action_spec: {
  * `create_testing_actions`; in-process suites mount it directly).
  */
 export declare const create_testing_drain_effects_action: () => RpcAction;
+/**
+ * `_testing_put_fact` — seed an **embedded** fact (`fact.bytes`) for the
+ * cross-process fact-serving suite, which drives over real HTTP and has no
+ * `PgFactStore` to call. Hashes the UTF-8 `content` (blake3, via
+ * `fact_hash_bytes` — the same hash the Rust `_testing_put_fact` computes),
+ * inserts the row idempotently, and returns `{hash}`. The referencing cell is
+ * seeded separately via the `cell_create` RPC. Embedded-only is enough for the
+ * authz assertions (cell-scoped admit, cross-owner-no-leak, 404-mask, bare-hash
+ * admin-only); external / X-Accel parity stays covered by the forge's own gate.
+ *
+ * `auth` gates on the daemon-token credential, matching `_testing_reset` — the
+ * action does a direct `fact` insert the production wire never exposes. The
+ * Rust mirror is `fuz_testing::create_testing_put_fact_action_spec`.
+ */
+export declare const testing_put_fact_action_spec: {
+    readonly method: "_testing_put_fact";
+    readonly kind: "request_response";
+    readonly initiator: "frontend";
+    readonly auth: {
+        readonly account: "required";
+        readonly actor: "none";
+        readonly credential_types: readonly ["daemon_token"];
+    };
+    readonly side_effects: true;
+    readonly input: z.ZodObject<{
+        content: z.ZodString;
+        content_type: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>;
+    readonly output: z.ZodObject<{
+        hash: z.core.$ZodBranded<z.ZodString, "FactHash", "out">;
+    }, z.core.$strict>;
+    readonly async: true;
+    readonly description: string;
+};
 /**
  * `_testing_schema_snapshot` — introspect the live database into a normalized
  * `SchemaSnapshot` for cross-impl parity diffing. The cross-backend harness

package/dist/testing/cross_backend/testing_reset_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAEvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAmBvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;QAiBpC;;;;;;;;WAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWyC,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAeC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAsHjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}
+{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAGvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAmBvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;QAiBpC;;;;;;;;WAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWyC,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAeC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;CAeK,CAAC;AAE/C;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAqIjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}

package/dist/testing/cross_backend/testing_reset_actions.js

@@ -60,7 +60,9 @@ import '../assert_dev_env.js';
  */
 import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
+import { fact_hash_bytes, FactHashSchema } from '@fuzdev/fuz_util/fact_hash.js';
 import { rpc_action } from '../../actions/action_rpc.js';
+import { query_put_fact } from '../../db/fact_queries.js';
 import { ROLE_ADMIN, ROLE_KEEPER } from '../../auth/role_schema.js';
 import { auth_integration_truncate_tables } from '../db.js';
 import { query_schema_snapshot, SchemaSnapshot } from '../schema_introspect.js';
@@ -203,6 +205,35 @@ export const testing_mint_session_action_spec = {
  * `create_testing_actions`; in-process suites mount it directly).
  */
 export const create_testing_drain_effects_action = () => rpc_action(testing_drain_effects_action_spec, async () => ({ ok: true }));
+/**
+ * `_testing_put_fact` — seed an **embedded** fact (`fact.bytes`) for the
+ * cross-process fact-serving suite, which drives over real HTTP and has no
+ * `PgFactStore` to call. Hashes the UTF-8 `content` (blake3, via
+ * `fact_hash_bytes` — the same hash the Rust `_testing_put_fact` computes),
+ * inserts the row idempotently, and returns `{hash}`. The referencing cell is
+ * seeded separately via the `cell_create` RPC. Embedded-only is enough for the
+ * authz assertions (cell-scoped admit, cross-owner-no-leak, 404-mask, bare-hash
+ * admin-only); external / X-Accel parity stays covered by the forge's own gate.
+ *
+ * `auth` gates on the daemon-token credential, matching `_testing_reset` — the
+ * action does a direct `fact` insert the production wire never exposes. The
+ * Rust mirror is `fuz_testing::create_testing_put_fact_action_spec`.
+ */
+export const testing_put_fact_action_spec = {
+    method: '_testing_put_fact',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    side_effects: true,
+    input: z.strictObject({
+        content: z.string(),
+        content_type: z.string().optional(),
+    }),
+    output: z.strictObject({ hash: FactHashSchema }),
+    async: true,
+    description: 'Test-binary only — seed an embedded fact (blake3 of the UTF-8 content) and return its hash, ' +
+        'so the cross-process fact-serving suite can store bytes without a DB handle.',
+};
 /**
  * `_testing_schema_snapshot` — introspect the live database into a normalized
  * `SchemaSnapshot` for cross-impl parity diffing. The cross-backend harness
@@ -349,6 +380,18 @@ export const create_testing_actions = (deps, options) => {
             });
             return { session_cookie };
         }),
+        rpc_action(testing_put_fact_action_spec, async (input, ctx) => {
+            const bytes = new TextEncoder().encode(input.content);
+            const hash = fact_hash_bytes(bytes);
+            await query_put_fact({ db: ctx.db }, {
+                hash,
+                bytes,
+                external_url: null,
+                content_type: input.content_type ?? null,
+                size: bytes.length,
+            });
+            return { hash };
+        }),
         create_testing_drain_effects_action(),
         create_testing_schema_snapshot_action(),
     ];

package/dist/testing/cross_backend/testing_server_bun.js

@@ -3,8 +3,8 @@ import '../assert_dev_env.js';
  * Bun runtime adapter for spawnable cross-process test server binaries.
  *
  * Binds `Bun.serve` and `hono/bun`'s module-level `upgradeWebSocket` +
- * `websocket` handler. The shared `testing_server_core.ts` owns the rest.
- * Third sibling to `testing_server_node.ts` / `testing_server_deno.ts` —
+ * `websocket` handler. The shared `testing/cross_backend/testing_server_core.ts` owns the rest.
+ * Third sibling to `testing/cross_backend/testing_server_node.ts` / `testing/cross_backend/testing_server_deno.ts` —
  * together the three isolate the JS-runtime axis (Node V8 / Deno V8 / Bun
  * JSC) on identical TS surfaces, and the Rust spine binary covers the
  * cross-language axis.
@@ -15,7 +15,7 @@ import '../assert_dev_env.js';
  * implements the `node:fs` / `node:process` surface `RuntimeDeps` +
  * `cli/daemon` touch.
  *
- * `Bun.serve` is declared locally (mirroring `testing_server_deno.ts`'s
+ * `Bun.serve` is declared locally (mirroring `testing/cross_backend/testing_server_deno.ts`'s
  * `Deno` declaration) so this module typechecks under fuz_app's Node-based
  * config without `@types/bun`. It is only ever *run* under Bun.
  *