@fuzdev/fuz_app 0.84.0 → 0.85.1

package/dist/testing/CLAUDE.md

@@ -13,9 +13,13 @@ testing-patterns. This file is a reference index for the helpers themselves.
 
 ## Production guard — always the first import
 
-Every module here starts with `import './assert_dev_env.js';` — reads `DEV`
-from `esm-env` and throws if false, preventing production-bundle inclusion.
-Enforced by grep, not a linter; make this the first line in new modules.
+Every runtime-reachable module here starts with `import './assert_dev_env.js';`
+— reads `DEV` from `esm-env` and throws if false, preventing production-bundle
+inclusion. Make this the first line in new modules. Enforced by
+`src/test/testing/assert_dev_env_coverage.test.ts`, which fails if any module
+omits the guard. The sole exemption is `cross_backend/make_cross_backend_project.ts`
+— a vitest-project factory consumed by consumers' `vite.config.ts` at config
+time (never runtime), where a throwing guard would break `vite build`.
 
 ## Stubs, factories, mocks
 
@@ -121,8 +125,7 @@ factories accept any migration namespace set.
 - `create_pg_factory(init_schema, test_url?)` — PostgreSQL; `skip: true` when `test_url` missing. Drops `schema_version` before `init_schema` so migrations re-evaluate against actual tables (prevents stale tracker rows from skipping migrations when DDL changes between sessions). Pool reused + cleaned up across `create()` calls.
 - `auth_truncate_tables` — `['invite', 'api_token', 'auth_session', 'role_grant', 'role_grant_offer', 'actor', 'account']` in FK-safe order. Excludes `audit_log` — unit DB tests don't need to truncate it.
 - `auth_integration_truncate_tables` — `auth_truncate_tables + ['audit_log']` for integration suites that exercise the audit path.
-- `auth_drop_tables` — full set from `auth_migrations` in drop order; call `drop_auth_schema(db)` at the top of `init_schema` on persistent pg databases that may hold stale DDL from previous fuz_app versions.
-- `drop_auth_schema(db)` — `DROP TABLE IF EXISTS <table> CASCADE` for every entry in `auth_drop_tables` plus `schema_version`. Safe on fresh DBs.
+- `drop_auth_schema(db)` — `DROP SCHEMA public CASCADE; CREATE SCHEMA public`; call at the top of `init_schema` on persistent pg databases that may hold stale DDL from previous fuz_app versions. Drift-proof full-schema reset (despite the name, not auth-scoped) — same mechanism as `reset_pglite`.
 - `create_describe_db(factories, truncate_tables)` — returns `describe_db(name, fn)` running `fn(get_db)` once per factory inside a `describe` with shared `beforeAll(create)` + `beforeEach(TRUNCATE)` + `afterAll(close)`. Skipped factories use `describe.skip`.
 - `log_db_factory_status(factories)` — console summary of enabled / skipped factories.
 
@@ -275,6 +278,7 @@ RPC / WS structural invariants (options-free, apply over `surface.rpc_endpoints`
 * `assert_ws_method_descriptions_present` — every WS method on every endpoint has a non-empty `description`.
 * `assert_ws_endpoints_include_protocol_actions` — every WS endpoint includes `heartbeat` + `cancel` (the `protocol_actions` spread from `actions/protocol.js`).
 * `assert_ws_notifications_have_null_auth` — WS method `kind === 'remote_notification' ⟺ auth === null`; guards against drift between spec union and surface emitter.
+* `assert_no_testing_methods` — no `_testing_*` backdoor action (`TESTING_METHOD_PREFIX`) appears as an RPC or WS method on the declared surface. The test-binary actions are live-mounted only; this guards against a future wiring change folding `create_testing_actions(...)` into the surface-generating registry.
 
 Per-endpoint duplicate method names and the auth-shape biconditional are
 already enforced at startup by `compile_action_registry` (see
@@ -1209,6 +1213,29 @@ spine bootstrap (auth + cell + cell_history + fact) and is regenerated +
 drift-guarded by `src/test/cross_backend/spine_expected_schema.db.test.ts`
 (`UPDATE_SCHEMA_READY=1`, then `gro format`).
 
+### Testing-backdoor credential gate — `cross_backend/testing_backdoor.ts`
+
+`describe_testing_backdoor_cross_tests({setup_test, capabilities, rpc_path?})` —
+the negative-credential parity suite for the `_testing_*` backdoor actions.
+For each of `_testing_reset` / `_testing_mint_session` / `_testing_put_fact` /
+`_testing_schema_snapshot` (the three privileged writes plus the schema-dump
+read) it fires three principals over real HTTP: **anonymous** → 401, **session** →
+403 `credential_type_required`, **bearer** → 403 `credential_type_required` —
+proving the daemon-token gate that fences each backdoor action holds end-to-end
+on the real dispatcher (the spec-derived `describe_rpc_attack_surface_tests`
+never enumerates them because they're off the declared surface). Each method is
+sent with **valid** params so the session/bearer cases clear the 400
+input-validation phase and reach the 403 credential gate (order is
+401 → 400 → 403); the handler never runs. Cited property: `docs/security.md`
+§Test Backdoor Actions. Cross-process only (the `_testing_*` actions are
+mounted on the spawned binary, not the in-process app — like the ws/sse
+suites); ungated, since every cross backend that uses
+`default_cross_process_setup` mounts them. fuz_app's own wiring is
+`src/test/cross_backend/testing_backdoor.cross.test.ts`. The complement is the
+in-process spec-level gate test (`src/test/testing/testing_actions_auth.test.ts`,
+asserting each spec declares `credential_types: ['daemon_token']`) + the
+`assert_no_testing_methods` surface invariant.
+
 ### Building a TS test-server binary — `testing_server_core.ts` + adapters
 
 The reusable shape for standing up a **spawnable TS** cross-process test

package/dist/testing/cross_backend/testing_backdoor.d.ts

@@ -0,0 +1,6 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/** Options for the testing-backdoor negative-credential suite. */
+export type TestingBackdoorCrossTestOptions = CellCrossTestOptions;
+export declare const describe_testing_backdoor_cross_tests: (options: TestingBackdoorCrossTestOptions) => void;
+//# sourceMappingURL=testing_backdoor.d.ts.map

package/dist/testing/cross_backend/testing_backdoor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testing_backdoor.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_backdoor.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAyD9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAgElE,kEAAkE;AAClE,MAAM,MAAM,+BAA+B,GAAG,oBAAoB,CAAC;AAEnE,eAAO,MAAM,qCAAqC,GACjD,SAAS,+BAA+B,KACtC,IAiCF,CAAC"}

package/dist/testing/cross_backend/testing_backdoor.js

@@ -0,0 +1,126 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend negative-credential suite for the `_testing_*` backdoor
+ * actions.
+ *
+ * `_testing_reset` / `_testing_mint_session` / `_testing_put_fact` /
+ * `_testing_schema_snapshot` are privileged test-binary actions the
+ * production wire never exposes — three direct DB writes (full auth wipe,
+ * forged session row, raw fact insert) plus a full-schema introspection read
+ * (the highest info-leak of the set were the gate to break). Their only
+ * structural fence is the **daemon-token** credential gate on
+ * each spec's `auth` axis. A test binary live-mounts them on its RPC
+ * endpoint but keeps them off the declared surface — so the spec-derived
+ * `describe_rpc_attack_surface_tests` never enumerates them, and nothing
+ * else fires them with a non-daemon credential to prove the gate holds
+ * end-to-end. This suite does, against each impl's real auth resolution.
+ *
+ * For every backdoor method, three principals:
+ *
+ * - **anonymous** (no credential) → `401` (pre-validation auth refuses an
+ *   account-less caller before anything else).
+ * - **session** (the keeper's browser-context cookie) → `403`
+ *   `credential_type_required` — a session cookie, even one carrying the
+ *   keeper role, tops out below the daemon-token channel.
+ * - **bearer** (the keeper's api-token, non-browser context) → `403`
+ *   `credential_type_required` — same ceiling; an api token cannot reach
+ *   keeper operations.
+ *
+ * Each method is sent with **valid** params so the session/bearer cases
+ * clear the dispatcher's input-validation (400) phase and actually reach the
+ * post-authorization credential gate (the order is 401 → 400 → 403); the
+ * handler never runs (the gate refuses first), so the writes never execute.
+ *
+ * Complements the spec-level gate check (which pins that each spec *declares*
+ * `credential_types: ['daemon_token']`) and the surface-absence invariant
+ * (`assert_no_testing_methods`) — this one pins the runtime 401/403 behavior
+ * on both impls. Cited property: `security.md` §Test Backdoor Actions
+ * (daemon-token-gated, off-surface, DEV-excluded).
+ *
+ * Cross-process only — the `_testing_*` actions are mounted on the spawned
+ * binary, not the in-process app — like the ws/sse suites. Wire from a
+ * `*.cross.test.ts`. Requires the standard `_testing_*` actions mounted (the
+ * same precondition `default_cross_process_setup` already imposes for its
+ * per-test `_testing_reset`); ungated, since every cross backend mounts them.
+ *
+ * `$lib`-free by contract (relative specifiers only), like the sibling
+ * cross-backend suites.
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { ERROR_CREDENTIAL_TYPE_REQUIRED } from '../../http/error_schemas.js';
+import { rpc_call } from '../rpc_helpers.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** A well-formed UUID that never names a real row. */
+const NIL_UUID = '00000000-0000-0000-0000-000000000000';
+/**
+ * The backdoor methods + a **valid** params payload each (so the
+ * session/bearer cases reach the 403 credential gate rather than a 400 on
+ * input validation). The handlers never run — the gate refuses first.
+ */
+const backdoor_methods = [
+    { method: '_testing_reset', params: {} },
+    { method: '_testing_mint_session', params: { account_id: NIL_UUID, expires_in_seconds: -60 } },
+    { method: '_testing_put_fact', params: { content: 'backdoor-probe' } },
+    // The schema-dump read — `exclude_tables` is optional, so `{}` is valid
+    // and clears the 400 phase like the writes above.
+    { method: '_testing_schema_snapshot', params: {} },
+];
+const principals = [
+    {
+        name: 'anonymous',
+        status: 401,
+        // Fresh jar so the keeper cookie (cross-process) can't leak in.
+        resolve: (f) => ({ transport: f.fresh_transport(), headers: {} }),
+    },
+    {
+        name: 'session',
+        status: 403,
+        reason: ERROR_CREDENTIAL_TYPE_REQUIRED,
+        resolve: (f) => ({ transport: f.transport, headers: f.create_session_headers() }),
+    },
+    {
+        name: 'bearer',
+        status: 403,
+        reason: ERROR_CREDENTIAL_TYPE_REQUIRED,
+        // Bearer is discarded in a browser context, so suppress Origin (empty
+        // jar + no Origin) — the credential must actually resolve so the refusal
+        // lands on the credential-type gate, not on bearer-discard (→ 401).
+        resolve: (f) => ({
+            transport: f.fresh_transport({ origin: null }),
+            headers: f.create_bearer_headers(),
+            suppress_default_origin: true,
+        }),
+    },
+];
+export const describe_testing_backdoor_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('testing backdoor credential gate parity', () => {
+        for (const { method, params } of backdoor_methods) {
+            for (const principal of principals) {
+                test(`${method} rejects ${principal.name} → ${principal.status}`, async () => {
+                    const fixture = await setup_test();
+                    const { transport, headers, suppress_default_origin } = principal.resolve(fixture);
+                    const res = await rpc_call({
+                        app: transport,
+                        path: rpc_path,
+                        method,
+                        params,
+                        headers,
+                        ...(suppress_default_origin && { suppress_default_origin: true }),
+                    });
+                    const label = `${method} ${principal.name}`;
+                    assert.ok(!res.ok, `${label}: expected denial (${principal.status}) but the call succeeded`);
+                    assert.strictEqual(res.status, principal.status, `${label}: status`);
+                    // `!res.ok` narrows `res` to the error variant for `res.error`.
+                    if (principal.reason !== undefined && !res.ok) {
+                        const reason = res.error.data?.reason;
+                        assert.strictEqual(reason, principal.reason, `${label}: error.data.reason`);
+                    }
+                });
+            }
+        }
+    });
+};

package/dist/testing/cross_backend/testing_reset_actions.d.ts

@@ -183,9 +183,18 @@ export declare const testing_drain_effects_action_spec: {
  * `_testing_mint_session` — mint an expired-by-construction server-side
  * session for an existing account and return its signed cookie value.
  *
- * The minted `auth_session` row's `expires_at` is backdated (negative
- * `expires_in_seconds`) while the returned cookie's own signed payload
- * stays valid (future). Cross-process auth resolution therefore passes the
+ * `expires_in_seconds` is **constrained negative** (`z.number().int().negative()`)
+ * so the action is structurally incapable of minting a *usable* session: it
+ * can only produce an already-backdated, already-dead `auth_session` row. The
+ * daemon-token gate + loopback binding already fence the backdoor, but the
+ * negative constraint is the make-impossible-states floor — even a misuse
+ * can't forge a valid session for an arbitrary `account_id`. The Rust mirror
+ * (`fuz_testing::create_testing_mint_session_action_spec`) enforces the same
+ * floor.
+ *
+ * The minted `auth_session` row's `expires_at` is backdated while the
+ * returned cookie's own signed payload stays valid (future). Cross-process
+ * auth resolution therefore passes the
  * cookie-payload gate (`parse_session`) and is refused by the authoritative
  * DB-row gate (`query_session_get_valid` — `WHERE expires_at > NOW()`) —
  * the gate the in-process payload-expiry tests never reach and the one that

package/dist/testing/cross_backend/testing_reset_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAGvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAmBvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;QAiBpC;;;;;;;;WAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWyC,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAeC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;CAeK,CAAC;AAE/C;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAqIjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}
+{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAIvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAkCvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;QAiBpC;;;;;;;;WAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWyC,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAwBC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;CAeK,CAAC;AAE/C;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAqIjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}

package/dist/testing/cross_backend/testing_reset_actions.js

@@ -68,6 +68,20 @@ import { auth_integration_truncate_tables } from '../db.js';
 import { query_schema_snapshot, SchemaSnapshot } from '../schema_introspect.js';
 import { query_create_actor } from '../../auth/account_queries.js';
 import { create_test_account_with_credentials, mint_test_session, DEFAULT_TEST_PASSWORD, } from '../app_server.js';
+/**
+ * Shared `auth` axis for every `_testing_*` action: keeper-only via the
+ * daemon-token credential, no acting actor. This is the entire structural
+ * fence on the backdoor surface (these actions run direct DB writes the
+ * production wire never exposes), so all five specs reference this one const
+ * rather than re-declaring it — a single source of truth the gate test
+ * (`testing_actions_auth.test.ts`) pins. Mirrors the Rust `DAEMON_TOKEN_ONLY`
+ * / shared `AuthSpec` in `fuz_testing`.
+ */
+const TESTING_ACTION_AUTH = {
+    account: 'required',
+    actor: 'none',
+    credential_types: ['daemon_token'],
+};
 /** Output shape for an individual seeded account (keeper or extra). */
 const SeededAccountShape = z.strictObject({
     account: z.strictObject({ id: Uuid, username: z.string() }),
@@ -104,7 +118,7 @@ export const testing_reset_action_spec = {
     method: '_testing_reset',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: true,
     input: z.strictObject({
         extra_keeper_roles: z.array(z.string()).optional(),
@@ -154,7 +168,7 @@ export const testing_drain_effects_action_spec = {
     method: '_testing_drain_effects',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: false,
     input: z.void(),
     output: z.strictObject({ ok: z.boolean() }),
@@ -165,9 +179,18 @@ export const testing_drain_effects_action_spec = {
  * `_testing_mint_session` — mint an expired-by-construction server-side
  * session for an existing account and return its signed cookie value.
  *
- * The minted `auth_session` row's `expires_at` is backdated (negative
- * `expires_in_seconds`) while the returned cookie's own signed payload
- * stays valid (future). Cross-process auth resolution therefore passes the
+ * `expires_in_seconds` is **constrained negative** (`z.number().int().negative()`)
+ * so the action is structurally incapable of minting a *usable* session: it
+ * can only produce an already-backdated, already-dead `auth_session` row. The
+ * daemon-token gate + loopback binding already fence the backdoor, but the
+ * negative constraint is the make-impossible-states floor — even a misuse
+ * can't forge a valid session for an arbitrary `account_id`. The Rust mirror
+ * (`fuz_testing::create_testing_mint_session_action_spec`) enforces the same
+ * floor.
+ *
+ * The minted `auth_session` row's `expires_at` is backdated while the
+ * returned cookie's own signed payload stays valid (future). Cross-process
+ * auth resolution therefore passes the
  * cookie-payload gate (`parse_session`) and is refused by the authoritative
  * DB-row gate (`query_session_get_valid` — `WHERE expires_at > NOW()`) —
  * the gate the in-process payload-expiry tests never reach and the one that
@@ -186,11 +209,19 @@ export const testing_mint_session_action_spec = {
     method: '_testing_mint_session',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: true,
     input: z.strictObject({
         account_id: Uuid,
-        expires_in_seconds: z.number().int(),
+        expires_in_seconds: z
+            .number()
+            .int()
+            .negative()
+            .meta({
+            description: 'Seconds to offset the session row from NOW(). Constrained negative so this ' +
+                'backdoor can ONLY mint an already-expired (backdated) row — never a usable ' +
+                'session for an arbitrary account. Its sole use is the expired-session gate.',
+        }),
     }),
     output: z.strictObject({ session_cookie: z.string() }),
     async: true,
@@ -223,7 +254,7 @@ export const testing_put_fact_action_spec = {
     method: '_testing_put_fact',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: true,
     input: z.strictObject({
         content: z.string(),
@@ -248,7 +279,7 @@ export const testing_schema_snapshot_action_spec = {
     method: '_testing_schema_snapshot',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: false,
     input: z.strictObject({ exclude_tables: z.array(z.string()).optional() }),
     output: SchemaSnapshot,

package/dist/testing/cross_backend/testing_server_core.d.ts

@@ -127,14 +127,25 @@ export interface StartTestingServerOptions {
     /** Optional logger; defaults to a `[daemon_name]`-namespaced `Logger`. */
     log?: LoggerType;
 }
+/**
+ * Loopback bind hosts — the only ones the test binary may serve on. It ships
+ * deterministic dev secrets (fixed cookie keys + bootstrap token in
+ * `default_secrets.ts`), so binding any network-reachable interface would let
+ * anyone who knows those fixed keys forge cookies against it. An allowlist
+ * (not an `0.0.0.0`/`::` blocklist) closes the gap a concrete LAN/public
+ * interface IP — e.g. `--host 192.168.1.50` — would otherwise slip through.
+ * Covers `localhost`, the IPv4 loopback `127.0.0.0/8`, and IPv6 `::1`.
+ */
+export declare const is_loopback_host: (host: string) => boolean;
 /**
  * Boot a test-mode server using the supplied runtime adapter.
  *
  * Mirrors a production `start_server` at the surface level — stale-daemon
  * check, daemon-info write, bind, graceful drain — but the app is the
  * caller's no-domain (or domain) {@link StartTestingServerOptions.build_app}
- * and the runtime boundary is the {@link TestingServerAdapter}. Refuses to
- * bind an open host (the test binary must stay on loopback).
+ * and the runtime boundary is the {@link TestingServerAdapter}. Refuses any
+ * non-loopback bind host (the test binary must stay on loopback — see
+ * `is_loopback_host`).
  */
 export declare const start_testing_server: (options: StartTestingServerOptions) => Promise<void>;
 //# sourceMappingURL=testing_server_core.d.ts.map

package/dist/testing/cross_backend/testing_server_core.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testing_server_core.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_server_core.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,IAAI,EAAC,MAAM,MAAM,CAAC;AACxC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAG1E,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,uBAAuB,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW;IAC3B,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,iFAAiF;IACjF,MAAM,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,gBAAgB,CAAC,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,IAAI,CAAC;CACjD;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACpC,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;IACtB,0FAA0F;IAC1F,OAAO,EAAE,WAAW,CAAC;IACrB,6DAA6D;IAC7D,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;IACtD,mFAAmF;IACnF,iBAAiB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,iBAAiB,CAAC;IACpD,8EAA8E;IAC9E,KAAK,EAAE,CAAC,OAAO,EAAE;QAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,KAAK,WAAW,CAAC;IACxF,+CAA+C;IAC/C,GAAG,EAAE,MAAM,CAAC;IACZ,yEAAyE;IACzE,yBAAyB,EAAE,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IAClE,oEAAoE;IACpE,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,KAAK,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,eAAe;IAC/B,kEAAkE;IAClE,GAAG,EAAE,IAAI,CAAC;IACV,qEAAqE;IACrE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,uEAAuE;IACvE,eAAe,CAAC,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,KAAK,IAAI,CAAC;CAChE;AAED,gDAAgD;AAChD,MAAM,WAAW,yBAAyB;IACzC,+CAA+C;IAC/C,OAAO,EAAE,oBAAoB,CAAC;IAC9B;;;;;;OAMG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,SAAS,EAAE,MAAM,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,0EAA0E;IAC1E,GAAG,CAAC,EAAE,UAAU,CAAC;CACjB;AAKD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,GAAU,SAAS,yBAAyB,KAAG,OAAO,CAAC,IAAI,CA4D3F,CAAC"}
+{"version":3,"file":"testing_server_core.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_server_core.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,IAAI,EAAC,MAAM,MAAM,CAAC;AACxC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAG1E,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,uBAAuB,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW;IAC3B,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,iFAAiF;IACjF,MAAM,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,gBAAgB,CAAC,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,IAAI,CAAC;CACjD;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACpC,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;IACtB,0FAA0F;IAC1F,OAAO,EAAE,WAAW,CAAC;IACrB,6DAA6D;IAC7D,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;IACtD,mFAAmF;IACnF,iBAAiB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,iBAAiB,CAAC;IACpD,8EAA8E;IAC9E,KAAK,EAAE,CAAC,OAAO,EAAE;QAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,KAAK,WAAW,CAAC;IACxF,+CAA+C;IAC/C,GAAG,EAAE,MAAM,CAAC;IACZ,yEAAyE;IACzE,yBAAyB,EAAE,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IAClE,oEAAoE;IACpE,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,KAAK,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,eAAe;IAC/B,kEAAkE;IAClE,GAAG,EAAE,IAAI,CAAC;IACV,qEAAqE;IACrE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,uEAAuE;IACvE,eAAe,CAAC,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,KAAK,IAAI,CAAC;CAChE;AAED,gDAAgD;AAChD,MAAM,WAAW,yBAAyB;IACzC,+CAA+C;IAC/C,OAAO,EAAE,oBAAoB,CAAC;IAC9B;;;;;;OAMG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,SAAS,EAAE,MAAM,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,0EAA0E;IAC1E,GAAG,CAAC,EAAE,UAAU,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,MAAM,KAAG,OAG/C,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,GAAU,SAAS,yBAAyB,KAAG,OAAO,CAAC,IAAI,CA4D3F,CAAC"}

package/dist/testing/cross_backend/testing_server_core.js

@@ -1,24 +1,36 @@
 import '../assert_dev_env.js';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { write_daemon_info, read_daemon_info, is_daemon_running } from '../../cli/daemon.js';
-/** Hosts that expose the test binary beyond loopback — refused at startup. */
-const OPEN_HOSTS = new Set(['0.0.0.0', '::', '[::]']);
+/**
+ * Loopback bind hosts — the only ones the test binary may serve on. It ships
+ * deterministic dev secrets (fixed cookie keys + bootstrap token in
+ * `default_secrets.ts`), so binding any network-reachable interface would let
+ * anyone who knows those fixed keys forge cookies against it. An allowlist
+ * (not an `0.0.0.0`/`::` blocklist) closes the gap a concrete LAN/public
+ * interface IP — e.g. `--host 192.168.1.50` — would otherwise slip through.
+ * Covers `localhost`, the IPv4 loopback `127.0.0.0/8`, and IPv6 `::1`.
+ */
+export const is_loopback_host = (host) => {
+    const h = host.replace(/^\[(.*)\]$/, '$1'); // unwrap an `[::1]`-style IPv6 literal
+    return h === 'localhost' || h === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
+};
 /**
  * Boot a test-mode server using the supplied runtime adapter.
  *
  * Mirrors a production `start_server` at the surface level — stale-daemon
  * check, daemon-info write, bind, graceful drain — but the app is the
  * caller's no-domain (or domain) {@link StartTestingServerOptions.build_app}
- * and the runtime boundary is the {@link TestingServerAdapter}. Refuses to
- * bind an open host (the test binary must stay on loopback).
+ * and the runtime boundary is the {@link TestingServerAdapter}. Refuses any
+ * non-loopback bind host (the test binary must stay on loopback — see
+ * `is_loopback_host`).
  */
 export const start_testing_server = async (options) => {
     const { adapter, daemon_name, host, port, app_version, build_app } = options;
     const log = options.log ?? new Logger(`[${daemon_name}]`);
     const { runtime } = adapter;
-    if (OPEN_HOSTS.has(host)) {
-        log.error(`FATAL: binding to '${host}' exposes the test binary to your entire network. ` +
-            `Use --host localhost (default) or 127.0.0.1 instead.`);
+    if (!is_loopback_host(host)) {
+        log.error(`FATAL: binding to '${host}' exposes the test binary (which ships deterministic ` +
+            `dev secrets) beyond loopback. Use --host localhost (default), 127.0.0.1, or ::1 instead.`);
         adapter.exit(1);
     }
     const stale = await read_daemon_info(runtime, daemon_name);

package/dist/testing/db.d.ts

@@ -71,25 +71,18 @@ export declare const auth_truncate_tables: string[];
  */
 export declare const auth_integration_truncate_tables: string[];
 /**
- * All auth tables in drop order (children first for FK safety).
- *
- * The full set created by `auth_migrations` — use for clean-slate
- * test DB initialization. `auth_truncate_tables` is the subset for
- * between-test data cleanup (excludes `audit_log`).
- *
- * When adding tables to `auth_migrations`, add them here too.
- */
-export declare const auth_drop_tables: readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "role_grant", "role_grant_offer", "actor", "account", "bootstrap_lock"];
-/**
- * Drop all auth tables and schema version tracking for a clean slate.
+ * Reset the entire `public` schema for a clean slate before re-migration.
  *
  * Recommended at the start of `init_schema` callbacks for `create_pg_factory`.
- * Persistent test databases can accumulate stale schema from previous fuz_app
- * versions — this ensures migrations run against a truly empty database.
- * Safe on fresh databases (`IF EXISTS` on all statements). No-op effect for
- * PGlite (already fresh), but harmless to call unconditionally.
+ * Persistent test databases accumulate stale DDL across fuz_app versions;
+ * `DROP SCHEMA public CASCADE; CREATE SCHEMA public` wipes every table, type,
+ * and sequence regardless of namespace, so migrations always run against a
+ * truly empty database. Drift-proof — unlike a hand-maintained drop list it
+ * needs no upkeep when the schema gains a table. Despite the historical name,
+ * this resets the whole schema, not just auth tables (the only documented use
+ * is clean-slate re-migration, which always wanted a full reset).
  *
- * @mutates db - drops every table in `auth_drop_tables` plus `schema_version`.
+ * @mutates db - drops and recreates the `public` schema; all tables gone.
  */
 export declare const drop_auth_schema: (db: Db) => Promise<void>;
 /**

package/dist/testing/db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/db.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA6B7B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAKpC;;GAEG;AACH,eAAO,MAAM,KAAK,SAA4B,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAGvD,CAAC;AAMF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,qBAAqB,GAAI,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,KAAG,SAkB7E,CAAC;AAEH;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACtC,WAAW,MAAM,KACf,SA2DF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,UAQhC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,UAAyC,CAAC;AAEvF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,uJAWnB,CAAC;AAEX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAK3D,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,kBAAkB,GAC9B,WAAW,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,EACvC,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,IAAI,KAAK,IAAI,CAwBzD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,KAAK,CAAC,SAAS,CAAC,KAAG,IAMnE,CAAC"}
+{"version":3,"file":"db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/db.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA6B7B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAKpC;;GAEG;AACH,eAAO,MAAM,KAAK,SAA4B,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAGvD,CAAC;AAMF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,qBAAqB,GAAI,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,KAAG,SAkB7E,CAAC;AAEH;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACtC,WAAW,MAAM,KACf,SA2DF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,UAQhC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,UAAyC,CAAC;AAEvF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAG3D,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,kBAAkB,GAC9B,WAAW,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,EACvC,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,IAAI,KAAK,IAAI,CAwBzD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,KAAK,CAAC,SAAS,CAAC,KAAG,IAMnE,CAAC"}

package/dist/testing/db.js

@@ -178,42 +178,22 @@ export const auth_truncate_tables = [
  */
 export const auth_integration_truncate_tables = [...auth_truncate_tables, 'audit_log'];
 /**
- * All auth tables in drop order (children first for FK safety).
- *
- * The full set created by `auth_migrations` — use for clean-slate
- * test DB initialization. `auth_truncate_tables` is the subset for
- * between-test data cleanup (excludes `audit_log`).
- *
- * When adding tables to `auth_migrations`, add them here too.
- */
-export const auth_drop_tables = [
-    'app_settings',
-    'invite',
-    'audit_log',
-    'api_token',
-    'auth_session',
-    'role_grant',
-    'role_grant_offer',
-    'actor',
-    'account',
-    'bootstrap_lock',
-];
-/**
- * Drop all auth tables and schema version tracking for a clean slate.
+ * Reset the entire `public` schema for a clean slate before re-migration.
  *
  * Recommended at the start of `init_schema` callbacks for `create_pg_factory`.
- * Persistent test databases can accumulate stale schema from previous fuz_app
- * versions — this ensures migrations run against a truly empty database.
- * Safe on fresh databases (`IF EXISTS` on all statements). No-op effect for
- * PGlite (already fresh), but harmless to call unconditionally.
- *
- * @mutates db - drops every table in `auth_drop_tables` plus `schema_version`.
+ * Persistent test databases accumulate stale DDL across fuz_app versions;
+ * `DROP SCHEMA public CASCADE; CREATE SCHEMA public` wipes every table, type,
+ * and sequence regardless of namespace, so migrations always run against a
+ * truly empty database. Drift-proof — unlike a hand-maintained drop list it
+ * needs no upkeep when the schema gains a table. Despite the historical name,
+ * this resets the whole schema, not just auth tables (the only documented use
+ * is clean-slate re-migration, which always wanted a full reset).
+ *
+ * @mutates db - drops and recreates the `public` schema; all tables gone.
  */
 export const drop_auth_schema = async (db) => {
-    for (const table of auth_drop_tables) {
-        await db.query(`DROP TABLE IF EXISTS ${assert_valid_sql_identifier(table)} CASCADE`);
-    }
-    await db.query('DROP TABLE IF EXISTS schema_version CASCADE');
+    await db.query('DROP SCHEMA public CASCADE');
+    await db.query('CREATE SCHEMA public');
 };
 /**
  * Create a `describe_db` function bound to specific factories and truncate tables.

package/dist/testing/mock_fs.d.ts

@@ -1,3 +1,4 @@
+import './assert_dev_env.js';
 /**
  * In-memory file system mock for tests that use dependency-injected
  * `read_file` and `write_file` callbacks. Avoids module-level mocking.

package/dist/testing/mock_fs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mock_fs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/mock_fs.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,MAAM;IACtB,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/E,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAC/C;AAED;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAAI,gBAAe,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,KAAG,MAsB3E,CAAC"}
+{"version":3,"file":"mock_fs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/mock_fs.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;GAKG;AAEH,MAAM,WAAW,MAAM;IACtB,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/E,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAC/C;AAED;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAAI,gBAAe,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,KAAG,MAsB3E,CAAC"}

package/dist/testing/mock_fs.js

@@ -1,9 +1,4 @@
-/**
- * In-memory file system mock for tests that use dependency-injected
- * `read_file` and `write_file` callbacks. Avoids module-level mocking.
- *
- * @module
- */
+import './assert_dev_env.js';
 /**
  * Creates an in-memory file system for tests.
  *

package/dist/testing/surface_invariants.d.ts

@@ -142,6 +142,38 @@ export declare const assert_ws_endpoints_include_protocol_actions: (surface: App
  * surface mocks the shape incorrectly.
  */
 export declare const assert_ws_notifications_have_null_auth: (surface: AppSurface) => void;
+/**
+ * Reserved method-name prefix for the daemon-token-gated test-backdoor
+ * actions (`_testing_reset`, `_testing_mint_session`, `_testing_put_fact`,
+ * `_testing_drain_effects`, `_testing_schema_snapshot`). Test binaries
+ * live-mount these on their RPC endpoint but they must never appear on a
+ * **declared** surface.
+ */
+export declare const TESTING_METHOD_PREFIX = "_testing_";
+/**
+ * No `_testing_*` backdoor action ever appears as a method on the declared
+ * surface (RPC or WS).
+ *
+ * The test-backdoor actions (`_testing_reset` et al.) are daemon-token-gated
+ * privileged actions a consumer's test binary appends to its live RPC
+ * endpoint at assembly time — but they are deliberately excluded from
+ * surface generation (`spine_rpc_endpoints` and every consumer's
+ * `create_*_app_surface_spec` omit them) so the published attack surface,
+ * the committed `*_attack_surface.json` snapshot, and codegen never carry
+ * a backdoor. This invariant is the structural guard against a future
+ * wiring change that folds `create_testing_actions(...)` into the *declared*
+ * registry instead of the live-only append — the surface stays the
+ * authoritative "what the server exposes" map only if a backdoor can never
+ * hide in it.
+ *
+ * Pairs with the wire-level negative-credential check
+ * (`describe_testing_backdoor_cross_tests`, cross-process) and the
+ * spec-level gate check: this one pins absence-from-surface, those pin
+ * the daemon-token gate and the 401/403 behavior.
+ *
+ * @throws AssertionError naming the offending endpoint + method.
+ */
+export declare const assert_no_testing_methods: (surface: AppSurface) => void;
 /**
  * Configuration for security policy invariants.
  *
@@ -282,7 +314,8 @@ export declare const assert_surface_invariants: (surface: AppSurface) => void;
  * `actions/CLAUDE.md` §Registry compile) — these assertions cover only
  * the contract-surface concerns that a runtime registration check
  * cannot: empty descriptions, missing protocol-action spread on WS
- * endpoints, and kind ⇔ auth drift on WS methods.
+ * endpoints, kind ⇔ auth drift on WS methods, and a `_testing_*`
+ * backdoor action leaking onto the declared surface.
  *
  * @throws AssertionError on the first invariant violation; the message
  *   names the offending endpoint, method, and field.

package/dist/testing/surface_invariants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"surface_invariants.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/surface_invariants.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAuB7B,OAAO,KAAK,EAAC,UAAU,EAAuB,MAAM,oBAAoB,CAAC;AAezE;;GAEG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAQzE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,GAAI,SAAS,UAAU,KAAG,IASpE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAQtE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,SAAS,UAAU,KAAG,IAIjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,GAAI,SAAS,UAAU,KAAG,IAOhE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAezE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uCAAuC,GAAI,SAAS,UAAU,KAAG,IAO7E,CAAC;AAyBF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oCAAoC,GAAI,SAAS,UAAU,KAAG,IAoC1E,CAAC;AAsEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAU5E,CAAC;AAIF,4DAA4D;AAC5D,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAAC;AAEpE,iEAAiE;AACjE,MAAM,WAAW,qBAAqB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,sBAAsB,CAAC;IACpC,qDAAqD;IACrD,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;CAClC;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,qBAAqB,CAgB7F,CAAC;AAIF;;;;;;GAMG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAS5E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qCAAqC,GAAI,SAAS,UAAU,KAAG,IAS3E,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,4CAA4C,GAAI,SAAS,UAAU,KAAG,IAWlF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAa5E,CAAC;AAIF;;;;GAIG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,wBAAwB,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;IAClD;;;OAGG;IACH,yBAAyB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C;;;OAGG;IACH,qBAAqB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtC;AASD;;;;;;GAMG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,UAAU,EACnB,qBAAoB,KAAK,CAAC,MAAM,GAAG,MAAM,CAA8B,KACrE,IAcF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,qCAAqC,GACjD,SAAS,UAAU,EACnB,YAAW,KAAK,CAAC,MAAM,CAAM,KAC3B,IAYF,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAKF;;;;;GAKG;AACH,eAAO,MAAM,iCAAiC,GAC7C,SAAS,UAAU,EACnB,WAAU,KAAK,CAAC,MAAM,CAAiC,KACrD,IASF,CAAC;AAWF,mDAAmD;AACnD,MAAM,WAAW,2BAA2B;IAC3C,6FAA6F;IAC7F,eAAe,CAAC,EAAE,sBAAsB,CAAC;IACzC,mEAAmE;IACnE,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,kDAAkD;IAClD,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,uCAAuC,EAAE,aAAa,CAAC,MAAM,CAAM,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,EAAE,2BAG5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,UAAU,EACnB,UAAU,2BAA2B,KACnC,IAsBF,CAAC;AAIF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,IAY/D,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAKtE,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,8BAA8B,GAC1C,SAAS,UAAU,EACnB,UAAS,4BAAiC,KACxC,IAKF,CAAC"}
+{"version":3,"file":"surface_invariants.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/surface_invariants.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAuB7B,OAAO,KAAK,EAAC,UAAU,EAAuB,MAAM,oBAAoB,CAAC;AAezE;;GAEG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAQzE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,GAAI,SAAS,UAAU,KAAG,IASpE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAQtE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,SAAS,UAAU,KAAG,IAIjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,GAAI,SAAS,UAAU,KAAG,IAOhE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAezE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uCAAuC,GAAI,SAAS,UAAU,KAAG,IAO7E,CAAC;AAyBF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oCAAoC,GAAI,SAAS,UAAU,KAAG,IAoC1E,CAAC;AAsEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAU5E,CAAC;AAIF,4DAA4D;AAC5D,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAAC;AAEpE,iEAAiE;AACjE,MAAM,WAAW,qBAAqB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,sBAAsB,CAAC;IACpC,qDAAqD;IACrD,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;CAClC;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,qBAAqB,CAgB7F,CAAC;AAIF;;;;;;GAMG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAS5E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qCAAqC,GAAI,SAAS,UAAU,KAAG,IAS3E,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,4CAA4C,GAAI,SAAS,UAAU,KAAG,IAWlF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAa5E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,cAAc,CAAC;AAEjD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,IAoB/D,CAAC;AAIF;;;;GAIG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,wBAAwB,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;IAClD;;;OAGG;IACH,yBAAyB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C;;;OAGG;IACH,qBAAqB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtC;AASD;;;;;;GAMG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,UAAU,EACnB,qBAAoB,KAAK,CAAC,MAAM,GAAG,MAAM,CAA8B,KACrE,IAcF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,qCAAqC,GACjD,SAAS,UAAU,EACnB,YAAW,KAAK,CAAC,MAAM,CAAM,KAC3B,IAYF,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAKF;;;;;GAKG;AACH,eAAO,MAAM,iCAAiC,GAC7C,SAAS,UAAU,EACnB,WAAU,KAAK,CAAC,MAAM,CAAiC,KACrD,IASF,CAAC;AAWF,mDAAmD;AACnD,MAAM,WAAW,2BAA2B;IAC3C,6FAA6F;IAC7F,eAAe,CAAC,EAAE,sBAAsB,CAAC;IACzC,mEAAmE;IACnE,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,kDAAkD;IAClD,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,uCAAuC,EAAE,aAAa,CAAC,MAAM,CAAM,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,EAAE,2BAG5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,UAAU,EACnB,UAAU,2BAA2B,KACnC,IAsBF,CAAC;AAIF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,IAY/D,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAMtE,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,8BAA8B,GAC1C,SAAS,UAAU,EACnB,UAAS,4BAAiC,KACxC,IAKF,CAAC"}

package/dist/testing/surface_invariants.js

@@ -452,6 +452,52 @@ export const assert_ws_notifications_have_null_auth = (surface) => {
         }
     }
 };
+/**
+ * Reserved method-name prefix for the daemon-token-gated test-backdoor
+ * actions (`_testing_reset`, `_testing_mint_session`, `_testing_put_fact`,
+ * `_testing_drain_effects`, `_testing_schema_snapshot`). Test binaries
+ * live-mount these on their RPC endpoint but they must never appear on a
+ * **declared** surface.
+ */
+export const TESTING_METHOD_PREFIX = '_testing_';
+/**
+ * No `_testing_*` backdoor action ever appears as a method on the declared
+ * surface (RPC or WS).
+ *
+ * The test-backdoor actions (`_testing_reset` et al.) are daemon-token-gated
+ * privileged actions a consumer's test binary appends to its live RPC
+ * endpoint at assembly time — but they are deliberately excluded from
+ * surface generation (`spine_rpc_endpoints` and every consumer's
+ * `create_*_app_surface_spec` omit them) so the published attack surface,
+ * the committed `*_attack_surface.json` snapshot, and codegen never carry
+ * a backdoor. This invariant is the structural guard against a future
+ * wiring change that folds `create_testing_actions(...)` into the *declared*
+ * registry instead of the live-only append — the surface stays the
+ * authoritative "what the server exposes" map only if a backdoor can never
+ * hide in it.
+ *
+ * Pairs with the wire-level negative-credential check
+ * (`describe_testing_backdoor_cross_tests`, cross-process) and the
+ * spec-level gate check: this one pins absence-from-surface, those pin
+ * the daemon-token gate and the 401/403 behavior.
+ *
+ * @throws AssertionError naming the offending endpoint + method.
+ */
+export const assert_no_testing_methods = (surface) => {
+    for (const ep of surface.rpc_endpoints) {
+        for (const method of ep.methods) {
+            assert.ok(!method.name.startsWith(TESTING_METHOD_PREFIX), `RPC endpoint '${ep.path}' exposes test-backdoor method '${method.name}' on the ` +
+                `declared surface — '${TESTING_METHOD_PREFIX}*' actions must be live-mounted only, ` +
+                `never folded into the surface-generating registry`);
+        }
+    }
+    for (const ep of surface.ws_endpoints) {
+        for (const method of ep.methods) {
+            assert.ok(!method.name.startsWith(TESTING_METHOD_PREFIX), `WS endpoint '${ep.path}' exposes test-backdoor method '${method.name}' on the ` +
+                `declared surface — '${TESTING_METHOD_PREFIX}*' actions must be live-mounted only`);
+        }
+    }
+};
 /** Default patterns for sensitive REST routes that should be rate-limited. */
 const DEFAULT_SENSITIVE_PATTERNS = [
     /\/login$/,
@@ -637,7 +683,8 @@ export const assert_surface_invariants = (surface) => {
  * `actions/CLAUDE.md` §Registry compile) — these assertions cover only
  * the contract-surface concerns that a runtime registration check
  * cannot: empty descriptions, missing protocol-action spread on WS
- * endpoints, and kind ⇔ auth drift on WS methods.
+ * endpoints, kind ⇔ auth drift on WS methods, and a `_testing_*`
+ * backdoor action leaking onto the declared surface.
  *
  * @throws AssertionError on the first invariant violation; the message
  *   names the offending endpoint, method, and field.
@@ -647,6 +694,7 @@ export const assert_rpc_ws_surface_invariants = (surface) => {
     assert_ws_method_descriptions_present(surface);
     assert_ws_endpoints_include_protocol_actions(surface);
     assert_ws_notifications_have_null_auth(surface);
+    assert_no_testing_methods(surface);
 };
 /**
  * Run security policy invariants. Configurable with sensible defaults.

package/dist/testing/ws_round_trip.d.ts

@@ -1,3 +1,4 @@
+import './assert_dev_env.js';
 /**
  * In-process test helpers for WebSocket JSON-RPC round-trips.
  *

package/dist/testing/ws_round_trip.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ws_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/ws_round_trip.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAO,MAAM,MAAM,CAAC;AACxC,OAAO,EACN,SAAS,EAET,KAAK,gBAAgB,EAErB,KAAK,QAAQ,EACb,MAAM,SAAS,CAAC;AACjB,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAC/C,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,2BAA2B,CAAC;AAC/D,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,4BAA4B,CAAC;AAEvD,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,kCAAkC,CAAC;AAE7E,OAAO,EAAqB,KAAK,uBAAuB,EAAC,MAAM,kCAAkC,CAAC;AAElG,OAAO,EAAC,yBAAyB,EAAC,MAAM,qCAAqC,CAAC;AAC9E,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAEpF,OAAO,EAKN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAKN,KAAK,QAAQ,EACb,MAAM,2BAA2B,CAAC;AAMnC;;;GAGG;AACH,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,MAAM,EAAE,KAAK,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;CAChD;AAED;;;;GAIG;AACH,eAAO,MAAM,cAAc,QAAO,MAajC,CAAC;AAEF,8CAA8C;AAC9C,MAAM,WAAW,sBAAsB;IACtC,eAAe,EAAE,cAAc,CAAC;IAChC,gEAAgE;IAChE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,EAAE,cAAc,CAAC;CACjC;AAED;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,GAAI,MAAM,sBAAsB,KAAG,OAavE,CAAC;AAEF,uFAAuF;AACvF,MAAM,WAAW,WAAW;IAC3B,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,iBAAiB,EAAE,MAAM,CAAC,CAAC,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACtE;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAO,WAatC,CAAC;AAEF;;;;GAIG;AACH,qBAAa,wBAAyB,YAAW,sBAAsB;;IACtE,QAAQ,EAAE,UAAU,GAAG,SAAS,CAAa;gBAEjC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC;IAGjD,qBAAqB,IAAI,SAAS;IAGlC,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;CAG/D;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAC/B,YAAY,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAC9C,OAAO,YAAY,EACnB,IAAI,SAAS,KACX,OAAO,CAAC,IAAI,CAId,CAAC;AAMF,2CAA2C;AAC3C,MAAM,WAAW,iBAAiB;IACjC,wEAAwE;IACxE,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,yFAAyF;IACzF,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,mFAAmF;IACnF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,sFAAsF;IACtF,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,4CAA4C;AAC5C,MAAM,WAAW,0BAA0B;IAC1C;;;;;OAKG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B,kEAAkE;IAClE,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACjD,gEAAgE;IAChE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,cAAc,CAAC,EAAE,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;IAC3D,yDAAyD;IACzD,eAAe,CAAC,EAAE,uBAAuB,CAAC,iBAAiB,CAAC,CAAC;CAC7D;AAED,kEAAkE;AAClE,MAAM,WAAW,aAAa;IAC7B,SAAS,EAAE,yBAAyB,CAAC;IACrC;;;;;;;;;;OAUG;IACH,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC7D;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAAI,SAAS,0BAA0B,KAAG,aA0M5E,CAAC;AAEF,0EAA0E;AAC1E,eAAO,MAAM,eAAe,QAAO,iBAGjC,CAAC;AAYH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,mBAAmB,GAAI,IAAI,SAAS,MAAM,EAAE,SAAS;IACjE,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CACtC,KAAG,IAIH,CAAC"}
+{"version":3,"file":"ws_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/ws_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAO,MAAM,MAAM,CAAC;AACxC,OAAO,EACN,SAAS,EAET,KAAK,gBAAgB,EAErB,KAAK,QAAQ,EACb,MAAM,SAAS,CAAC;AACjB,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAC/C,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,2BAA2B,CAAC;AAC/D,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,4BAA4B,CAAC;AAEvD,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,kCAAkC,CAAC;AAE7E,OAAO,EAAqB,KAAK,uBAAuB,EAAC,MAAM,kCAAkC,CAAC;AAElG,OAAO,EAAC,yBAAyB,EAAC,MAAM,qCAAqC,CAAC;AAC9E,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAEpF,OAAO,EAKN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAKN,KAAK,QAAQ,EACb,MAAM,2BAA2B,CAAC;AAMnC;;;GAGG;AACH,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,MAAM,EAAE,KAAK,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;CAChD;AAED;;;;GAIG;AACH,eAAO,MAAM,cAAc,QAAO,MAajC,CAAC;AAEF,8CAA8C;AAC9C,MAAM,WAAW,sBAAsB;IACtC,eAAe,EAAE,cAAc,CAAC;IAChC,gEAAgE;IAChE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,EAAE,cAAc,CAAC;CACjC;AAED;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,GAAI,MAAM,sBAAsB,KAAG,OAavE,CAAC;AAEF,uFAAuF;AACvF,MAAM,WAAW,WAAW;IAC3B,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,iBAAiB,EAAE,MAAM,CAAC,CAAC,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACtE;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAO,WAatC,CAAC;AAEF;;;;GAIG;AACH,qBAAa,wBAAyB,YAAW,sBAAsB;;IACtE,QAAQ,EAAE,UAAU,GAAG,SAAS,CAAa;gBAEjC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC;IAGjD,qBAAqB,IAAI,SAAS;IAGlC,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;CAG/D;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAC/B,YAAY,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAC9C,OAAO,YAAY,EACnB,IAAI,SAAS,KACX,OAAO,CAAC,IAAI,CAId,CAAC;AAMF,2CAA2C;AAC3C,MAAM,WAAW,iBAAiB;IACjC,wEAAwE;IACxE,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,yFAAyF;IACzF,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,mFAAmF;IACnF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,sFAAsF;IACtF,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,4CAA4C;AAC5C,MAAM,WAAW,0BAA0B;IAC1C;;;;;OAKG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B,kEAAkE;IAClE,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACjD,gEAAgE;IAChE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,cAAc,CAAC,EAAE,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;IAC3D,yDAAyD;IACzD,eAAe,CAAC,EAAE,uBAAuB,CAAC,iBAAiB,CAAC,CAAC;CAC7D;AAED,kEAAkE;AAClE,MAAM,WAAW,aAAa;IAC7B,SAAS,EAAE,yBAAyB,CAAC;IACrC;;;;;;;;;;OAUG;IACH,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC7D;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAAI,SAAS,0BAA0B,KAAG,aA0M5E,CAAC;AAEF,0EAA0E;AAC1E,eAAO,MAAM,eAAe,QAAO,iBAGjC,CAAC;AAYH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,mBAAmB,GAAI,IAAI,SAAS,MAAM,EAAE,SAAS;IACjE,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CACtC,KAAG,IAIH,CAAC"}

package/dist/testing/ws_round_trip.js

@@ -1,41 +1,4 @@
-/**
- * In-process test helpers for WebSocket JSON-RPC round-trips.
- *
- * Drives `register_action_ws` without an HTTP server. Consumers supply
- * specs + handlers; the harness constructs real `WSContext` instances
- * backed by test-owned `send`/`close` pairs, fakes the authenticated
- * Hono context (`request_context`, credential type, session id, api
- * token id), and exposes a `connect()` factory returning a `WsClient`
- * per connection.
- *
- * Three layers are exported:
- *
- *   - **Primitives** (`create_fake_ws`, `create_fake_hono_context`,
- *     `create_stub_upgrade`, `MinimalActionEnvironment`,
- *     `dispatch_ws_message`) — used by fuz_app's own dispatcher tests
- *     and by consumers wiring tight one-off tests.
- *   - **Harness** (`create_ws_test_harness`, `keeper_identity`) — the
- *     high-level driver. Give it specs + handlers, get back
- *     `{transport, connect()}`. `connect()` is async and resolves after
- *     `on_socket_open` completes, so broadcasts sent immediately after
- *     `await harness.connect()` reach the client. Returns a `WsClient`
- *     (shared interface — see `transports/ws_client.ts`); the same
- *     interface is implemented by `transports/ws_transport.ts` for
- *     cross-process tests.
- *   - **Broadcast wiring** — `build_broadcast_api` for wiring a typed
- *     broadcast API against the harness's transport. Wire-frame types
- *     + predicates (`is_notification`, `is_response_for`,
- *     `JsonrpcNotificationFrame`, ...) live in `transports/ws_client.ts`
- *     so both in-process and cross-process drivers reference one source.
- *
- * Hono's wire upgrade is skipped — the Node test runtime has no
- * `@hono/node-ws` adapter — but the full dispatch path is exercised
- * (per-action auth, input validation, `ctx.notify` back to the
- * originating socket, broadcast via `BackendWebsocketTransport`, and
- * close-on-revoke).
- *
- * @module
- */
+import './assert_dev_env.js';
 import { WSContext, createWSMessageEvent, } from 'hono/ws';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { create_uuid } from '@fuzdev/fuz_util/id.js';

package/dist/ui/ConfirmButton.svelte

@@ -50,14 +50,13 @@
 	import type {SvelteHTMLElements} from 'svelte/elements';
 	import type {ComponentProps, Snippet} from 'svelte';
 	import type {OmitStrict} from '@fuzdev/fuz_util/types.js';
-	import Glyph from '@fuzdev/fuz_ui/Glyph.svelte';
+	import {icon_remove} from '@fuzdev/fuz_ui/icons.js';
 	import PendingAnimation from '@fuzdev/fuz_ui/PendingAnimation.svelte';
+	import Svg from '@fuzdev/fuz_ui/Svg.svelte';
 
 	import PopoverButton from './PopoverButton.svelte';
 	import type {Popover} from './popover.svelte.js';
 
-	const GLYPH_REMOVE = '🗙';
-
 	const {
 		onconfirm,
 		popover_button_attrs,
@@ -140,7 +139,7 @@
 				{#if popover_button_content}
 					{@render popover_button_content(popover, () => confirm(popover))}
 				{:else}
-					<Glyph glyph={GLYPH_REMOVE} />
+					<Svg data={icon_remove} />
 				{/if}
 			</button>
 		{/if}
@@ -155,7 +154,7 @@
 			{:else if label !== undefined}
 				{label}
 			{:else}
-				<Glyph glyph={GLYPH_REMOVE} />
+				<Svg data={icon_remove} />
 			{/if}
 		</span>
 		{#if pending}

package/dist/ui/ConfirmButton.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ConfirmButton.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/ConfirmButton.svelte"],"names":[],"mappings":"AAkDA,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAC,cAAc,EAAE,OAAO,EAAC,MAAM,QAAQ,CAAC;AACpD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,2BAA2B,CAAC;AAI1D,OAAO,aAAa,MAAM,wBAAwB,CAAC;AACnD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,qBAAqB,CAAC;AAEhD,KAAK,gBAAgB,GAAI,UAAU,CAAC,cAAc,CAAC,OAAO,aAAa,CAAC,EAAE,iBAAiB,GAAG,UAAU,CAAC,GACxG,UAAU,CAAC,kBAAkB,CAAC,QAAQ,CAAC,EAAE,UAAU,CAAC,GAAG;IACtD,SAAS,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,CAAC;IACtC,oBAAoB,CAAC,EAAE,kBAAkB,CAAC,QAAQ,CAAC,GAAG,SAAS,CAAC;IAChE,eAAe,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACtC,yEAAyE;IACzE,eAAe,CAAC,EAAE,OAAO,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,SAAS,CAAC;IAC/E,qCAAqC;IACrC,sBAAsB,CAAC,EAAE,OAAO,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,SAAS,CAAC;IACtF,yDAAyD;IACzD,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,SAAS,CAAC;IACxE,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;CAC9B,CAAC;AAgGJ,QAAA,MAAM,aAAa,sDAAwC,CAAC;AAC5D,KAAK,aAAa,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACtD,eAAe,aAAa,CAAC"}
+{"version":3,"file":"ConfirmButton.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/ConfirmButton.svelte"],"names":[],"mappings":"AAkDA,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAC,cAAc,EAAE,OAAO,EAAC,MAAM,QAAQ,CAAC;AACpD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,2BAA2B,CAAC;AAK1D,OAAO,aAAa,MAAM,wBAAwB,CAAC;AACnD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,qBAAqB,CAAC;AAEhD,KAAK,gBAAgB,GAAI,UAAU,CAAC,cAAc,CAAC,OAAO,aAAa,CAAC,EAAE,iBAAiB,GAAG,UAAU,CAAC,GACxG,UAAU,CAAC,kBAAkB,CAAC,QAAQ,CAAC,EAAE,UAAU,CAAC,GAAG;IACtD,SAAS,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,CAAC;IACtC,oBAAoB,CAAC,EAAE,kBAAkB,CAAC,QAAQ,CAAC,GAAG,SAAS,CAAC;IAChE,eAAe,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACtC,yEAAyE;IACzE,eAAe,CAAC,EAAE,OAAO,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,SAAS,CAAC;IAC/E,qCAAqC;IACrC,sBAAsB,CAAC,EAAE,OAAO,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,SAAS,CAAC;IACtF,yDAAyD;IACzD,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,SAAS,CAAC;IACxE,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;CAC9B,CAAC;AA+FJ,QAAA,MAAM,aAAa,sDAAwC,CAAC;AAC5D,KAAK,aAAa,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACtD,eAAe,aAAa,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.84.0",
+  "version": "0.85.1",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",
@@ -70,10 +70,11 @@
     "@electric-sql/pglite": "^0.4.5",
     "@fuzdev/blake3_wasm": "^0.1.1",
     "@fuzdev/fuz_code": "^0.46.0",
-    "@fuzdev/fuz_css": "^0.62.0",
-    "@fuzdev/fuz_ui": "^0.199.0",
+    "@fuzdev/fuz_css": "^0.63.0",
+    "@fuzdev/fuz_ui": "^0.205.0",
     "@fuzdev/fuz_util": "^0.65.1",
     "@fuzdev/gro": "^0.204.0",
+    "@fuzdev/mdz": "^0.1.0",
     "@hono/node-server": "^1.19.14",
     "@hono/node-ws": "^1.3.1",
     "@node-rs/argon2": "^2.0.2",
@@ -98,7 +99,7 @@
     "prettier-plugin-svelte": "^3.5.1",
     "svelte": "^5.56.2",
     "svelte-check": "^4.6.0",
-    "svelte-docinfo": "^0.4.1",
+    "svelte-docinfo": "^0.5.1",
     "svelte2tsx": "^0.7.52",
     "tslib": "^2.8.1",
     "typescript": "^5.9.3",