@fuzdev/fuz_app 0.85.0 → 0.85.1

package/dist/testing/CLAUDE.md

@@ -13,9 +13,13 @@ testing-patterns. This file is a reference index for the helpers themselves.
 
 ## Production guard — always the first import
 
-Every module here starts with `import './assert_dev_env.js';` — reads `DEV`
-from `esm-env` and throws if false, preventing production-bundle inclusion.
-Enforced by grep, not a linter; make this the first line in new modules.
+Every runtime-reachable module here starts with `import './assert_dev_env.js';`
+— reads `DEV` from `esm-env` and throws if false, preventing production-bundle
+inclusion. Make this the first line in new modules. Enforced by
+`src/test/testing/assert_dev_env_coverage.test.ts`, which fails if any module
+omits the guard. The sole exemption is `cross_backend/make_cross_backend_project.ts`
+— a vitest-project factory consumed by consumers' `vite.config.ts` at config
+time (never runtime), where a throwing guard would break `vite build`.
 
 ## Stubs, factories, mocks
 
@@ -274,6 +278,7 @@ RPC / WS structural invariants (options-free, apply over `surface.rpc_endpoints`
 * `assert_ws_method_descriptions_present` — every WS method on every endpoint has a non-empty `description`.
 * `assert_ws_endpoints_include_protocol_actions` — every WS endpoint includes `heartbeat` + `cancel` (the `protocol_actions` spread from `actions/protocol.js`).
 * `assert_ws_notifications_have_null_auth` — WS method `kind === 'remote_notification' ⟺ auth === null`; guards against drift between spec union and surface emitter.
+* `assert_no_testing_methods` — no `_testing_*` backdoor action (`TESTING_METHOD_PREFIX`) appears as an RPC or WS method on the declared surface. The test-binary actions are live-mounted only; this guards against a future wiring change folding `create_testing_actions(...)` into the surface-generating registry.
 
 Per-endpoint duplicate method names and the auth-shape biconditional are
 already enforced at startup by `compile_action_registry` (see
@@ -1208,6 +1213,29 @@ spine bootstrap (auth + cell + cell_history + fact) and is regenerated +
 drift-guarded by `src/test/cross_backend/spine_expected_schema.db.test.ts`
 (`UPDATE_SCHEMA_READY=1`, then `gro format`).
 
+### Testing-backdoor credential gate — `cross_backend/testing_backdoor.ts`
+
+`describe_testing_backdoor_cross_tests({setup_test, capabilities, rpc_path?})` —
+the negative-credential parity suite for the `_testing_*` backdoor actions.
+For each of `_testing_reset` / `_testing_mint_session` / `_testing_put_fact` /
+`_testing_schema_snapshot` (the three privileged writes plus the schema-dump
+read) it fires three principals over real HTTP: **anonymous** → 401, **session** →
+403 `credential_type_required`, **bearer** → 403 `credential_type_required` —
+proving the daemon-token gate that fences each backdoor action holds end-to-end
+on the real dispatcher (the spec-derived `describe_rpc_attack_surface_tests`
+never enumerates them because they're off the declared surface). Each method is
+sent with **valid** params so the session/bearer cases clear the 400
+input-validation phase and reach the 403 credential gate (order is
+401 → 400 → 403); the handler never runs. Cited property: `docs/security.md`
+§Test Backdoor Actions. Cross-process only (the `_testing_*` actions are
+mounted on the spawned binary, not the in-process app — like the ws/sse
+suites); ungated, since every cross backend that uses
+`default_cross_process_setup` mounts them. fuz_app's own wiring is
+`src/test/cross_backend/testing_backdoor.cross.test.ts`. The complement is the
+in-process spec-level gate test (`src/test/testing/testing_actions_auth.test.ts`,
+asserting each spec declares `credential_types: ['daemon_token']`) + the
+`assert_no_testing_methods` surface invariant.
+
 ### Building a TS test-server binary — `testing_server_core.ts` + adapters
 
 The reusable shape for standing up a **spawnable TS** cross-process test

package/dist/testing/cross_backend/testing_backdoor.d.ts

@@ -0,0 +1,6 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/** Options for the testing-backdoor negative-credential suite. */
+export type TestingBackdoorCrossTestOptions = CellCrossTestOptions;
+export declare const describe_testing_backdoor_cross_tests: (options: TestingBackdoorCrossTestOptions) => void;
+//# sourceMappingURL=testing_backdoor.d.ts.map

package/dist/testing/cross_backend/testing_backdoor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testing_backdoor.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_backdoor.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAyD9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAgElE,kEAAkE;AAClE,MAAM,MAAM,+BAA+B,GAAG,oBAAoB,CAAC;AAEnE,eAAO,MAAM,qCAAqC,GACjD,SAAS,+BAA+B,KACtC,IAiCF,CAAC"}

package/dist/testing/cross_backend/testing_backdoor.js

@@ -0,0 +1,126 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend negative-credential suite for the `_testing_*` backdoor
+ * actions.
+ *
+ * `_testing_reset` / `_testing_mint_session` / `_testing_put_fact` /
+ * `_testing_schema_snapshot` are privileged test-binary actions the
+ * production wire never exposes — three direct DB writes (full auth wipe,
+ * forged session row, raw fact insert) plus a full-schema introspection read
+ * (the highest info-leak of the set were the gate to break). Their only
+ * structural fence is the **daemon-token** credential gate on
+ * each spec's `auth` axis. A test binary live-mounts them on its RPC
+ * endpoint but keeps them off the declared surface — so the spec-derived
+ * `describe_rpc_attack_surface_tests` never enumerates them, and nothing
+ * else fires them with a non-daemon credential to prove the gate holds
+ * end-to-end. This suite does, against each impl's real auth resolution.
+ *
+ * For every backdoor method, three principals:
+ *
+ * - **anonymous** (no credential) → `401` (pre-validation auth refuses an
+ *   account-less caller before anything else).
+ * - **session** (the keeper's browser-context cookie) → `403`
+ *   `credential_type_required` — a session cookie, even one carrying the
+ *   keeper role, tops out below the daemon-token channel.
+ * - **bearer** (the keeper's api-token, non-browser context) → `403`
+ *   `credential_type_required` — same ceiling; an api token cannot reach
+ *   keeper operations.
+ *
+ * Each method is sent with **valid** params so the session/bearer cases
+ * clear the dispatcher's input-validation (400) phase and actually reach the
+ * post-authorization credential gate (the order is 401 → 400 → 403); the
+ * handler never runs (the gate refuses first), so the writes never execute.
+ *
+ * Complements the spec-level gate check (which pins that each spec *declares*
+ * `credential_types: ['daemon_token']`) and the surface-absence invariant
+ * (`assert_no_testing_methods`) — this one pins the runtime 401/403 behavior
+ * on both impls. Cited property: `security.md` §Test Backdoor Actions
+ * (daemon-token-gated, off-surface, DEV-excluded).
+ *
+ * Cross-process only — the `_testing_*` actions are mounted on the spawned
+ * binary, not the in-process app — like the ws/sse suites. Wire from a
+ * `*.cross.test.ts`. Requires the standard `_testing_*` actions mounted (the
+ * same precondition `default_cross_process_setup` already imposes for its
+ * per-test `_testing_reset`); ungated, since every cross backend mounts them.
+ *
+ * `$lib`-free by contract (relative specifiers only), like the sibling
+ * cross-backend suites.
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { ERROR_CREDENTIAL_TYPE_REQUIRED } from '../../http/error_schemas.js';
+import { rpc_call } from '../rpc_helpers.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** A well-formed UUID that never names a real row. */
+const NIL_UUID = '00000000-0000-0000-0000-000000000000';
+/**
+ * The backdoor methods + a **valid** params payload each (so the
+ * session/bearer cases reach the 403 credential gate rather than a 400 on
+ * input validation). The handlers never run — the gate refuses first.
+ */
+const backdoor_methods = [
+    { method: '_testing_reset', params: {} },
+    { method: '_testing_mint_session', params: { account_id: NIL_UUID, expires_in_seconds: -60 } },
+    { method: '_testing_put_fact', params: { content: 'backdoor-probe' } },
+    // The schema-dump read — `exclude_tables` is optional, so `{}` is valid
+    // and clears the 400 phase like the writes above.
+    { method: '_testing_schema_snapshot', params: {} },
+];
+const principals = [
+    {
+        name: 'anonymous',
+        status: 401,
+        // Fresh jar so the keeper cookie (cross-process) can't leak in.
+        resolve: (f) => ({ transport: f.fresh_transport(), headers: {} }),
+    },
+    {
+        name: 'session',
+        status: 403,
+        reason: ERROR_CREDENTIAL_TYPE_REQUIRED,
+        resolve: (f) => ({ transport: f.transport, headers: f.create_session_headers() }),
+    },
+    {
+        name: 'bearer',
+        status: 403,
+        reason: ERROR_CREDENTIAL_TYPE_REQUIRED,
+        // Bearer is discarded in a browser context, so suppress Origin (empty
+        // jar + no Origin) — the credential must actually resolve so the refusal
+        // lands on the credential-type gate, not on bearer-discard (→ 401).
+        resolve: (f) => ({
+            transport: f.fresh_transport({ origin: null }),
+            headers: f.create_bearer_headers(),
+            suppress_default_origin: true,
+        }),
+    },
+];
+export const describe_testing_backdoor_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('testing backdoor credential gate parity', () => {
+        for (const { method, params } of backdoor_methods) {
+            for (const principal of principals) {
+                test(`${method} rejects ${principal.name} → ${principal.status}`, async () => {
+                    const fixture = await setup_test();
+                    const { transport, headers, suppress_default_origin } = principal.resolve(fixture);
+                    const res = await rpc_call({
+                        app: transport,
+                        path: rpc_path,
+                        method,
+                        params,
+                        headers,
+                        ...(suppress_default_origin && { suppress_default_origin: true }),
+                    });
+                    const label = `${method} ${principal.name}`;
+                    assert.ok(!res.ok, `${label}: expected denial (${principal.status}) but the call succeeded`);
+                    assert.strictEqual(res.status, principal.status, `${label}: status`);
+                    // `!res.ok` narrows `res` to the error variant for `res.error`.
+                    if (principal.reason !== undefined && !res.ok) {
+                        const reason = res.error.data?.reason;
+                        assert.strictEqual(reason, principal.reason, `${label}: error.data.reason`);
+                    }
+                });
+            }
+        }
+    });
+};

package/dist/testing/cross_backend/testing_reset_actions.d.ts

@@ -183,9 +183,18 @@ export declare const testing_drain_effects_action_spec: {
  * `_testing_mint_session` — mint an expired-by-construction server-side
  * session for an existing account and return its signed cookie value.
  *
- * The minted `auth_session` row's `expires_at` is backdated (negative
- * `expires_in_seconds`) while the returned cookie's own signed payload
- * stays valid (future). Cross-process auth resolution therefore passes the
+ * `expires_in_seconds` is **constrained negative** (`z.number().int().negative()`)
+ * so the action is structurally incapable of minting a *usable* session: it
+ * can only produce an already-backdated, already-dead `auth_session` row. The
+ * daemon-token gate + loopback binding already fence the backdoor, but the
+ * negative constraint is the make-impossible-states floor — even a misuse
+ * can't forge a valid session for an arbitrary `account_id`. The Rust mirror
+ * (`fuz_testing::create_testing_mint_session_action_spec`) enforces the same
+ * floor.
+ *
+ * The minted `auth_session` row's `expires_at` is backdated while the
+ * returned cookie's own signed payload stays valid (future). Cross-process
+ * auth resolution therefore passes the
  * cookie-payload gate (`parse_session`) and is refused by the authoritative
  * DB-row gate (`query_session_get_valid` — `WHERE expires_at > NOW()`) —
  * the gate the in-process payload-expiry tests never reach and the one that

package/dist/testing/cross_backend/testing_reset_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAGvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAmBvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;QAiBpC;;;;;;;;WAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWyC,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAeC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;CAeK,CAAC;AAE/C;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAqIjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}
+{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAIvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAkCvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;QAiBpC;;;;;;;;WAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWyC,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAwBC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;CAeK,CAAC;AAE/C;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAqIjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}

package/dist/testing/cross_backend/testing_reset_actions.js

@@ -68,6 +68,20 @@ import { auth_integration_truncate_tables } from '../db.js';
 import { query_schema_snapshot, SchemaSnapshot } from '../schema_introspect.js';
 import { query_create_actor } from '../../auth/account_queries.js';
 import { create_test_account_with_credentials, mint_test_session, DEFAULT_TEST_PASSWORD, } from '../app_server.js';
+/**
+ * Shared `auth` axis for every `_testing_*` action: keeper-only via the
+ * daemon-token credential, no acting actor. This is the entire structural
+ * fence on the backdoor surface (these actions run direct DB writes the
+ * production wire never exposes), so all five specs reference this one const
+ * rather than re-declaring it — a single source of truth the gate test
+ * (`testing_actions_auth.test.ts`) pins. Mirrors the Rust `DAEMON_TOKEN_ONLY`
+ * / shared `AuthSpec` in `fuz_testing`.
+ */
+const TESTING_ACTION_AUTH = {
+    account: 'required',
+    actor: 'none',
+    credential_types: ['daemon_token'],
+};
 /** Output shape for an individual seeded account (keeper or extra). */
 const SeededAccountShape = z.strictObject({
     account: z.strictObject({ id: Uuid, username: z.string() }),
@@ -104,7 +118,7 @@ export const testing_reset_action_spec = {
     method: '_testing_reset',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: true,
     input: z.strictObject({
         extra_keeper_roles: z.array(z.string()).optional(),
@@ -154,7 +168,7 @@ export const testing_drain_effects_action_spec = {
     method: '_testing_drain_effects',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: false,
     input: z.void(),
     output: z.strictObject({ ok: z.boolean() }),
@@ -165,9 +179,18 @@ export const testing_drain_effects_action_spec = {
  * `_testing_mint_session` — mint an expired-by-construction server-side
  * session for an existing account and return its signed cookie value.
  *
- * The minted `auth_session` row's `expires_at` is backdated (negative
- * `expires_in_seconds`) while the returned cookie's own signed payload
- * stays valid (future). Cross-process auth resolution therefore passes the
+ * `expires_in_seconds` is **constrained negative** (`z.number().int().negative()`)
+ * so the action is structurally incapable of minting a *usable* session: it
+ * can only produce an already-backdated, already-dead `auth_session` row. The
+ * daemon-token gate + loopback binding already fence the backdoor, but the
+ * negative constraint is the make-impossible-states floor — even a misuse
+ * can't forge a valid session for an arbitrary `account_id`. The Rust mirror
+ * (`fuz_testing::create_testing_mint_session_action_spec`) enforces the same
+ * floor.
+ *
+ * The minted `auth_session` row's `expires_at` is backdated while the
+ * returned cookie's own signed payload stays valid (future). Cross-process
+ * auth resolution therefore passes the
  * cookie-payload gate (`parse_session`) and is refused by the authoritative
  * DB-row gate (`query_session_get_valid` — `WHERE expires_at > NOW()`) —
  * the gate the in-process payload-expiry tests never reach and the one that
@@ -186,11 +209,19 @@ export const testing_mint_session_action_spec = {
     method: '_testing_mint_session',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: true,
     input: z.strictObject({
         account_id: Uuid,
-        expires_in_seconds: z.number().int(),
+        expires_in_seconds: z
+            .number()
+            .int()
+            .negative()
+            .meta({
+            description: 'Seconds to offset the session row from NOW(). Constrained negative so this ' +
+                'backdoor can ONLY mint an already-expired (backdated) row — never a usable ' +
+                'session for an arbitrary account. Its sole use is the expired-session gate.',
+        }),
     }),
     output: z.strictObject({ session_cookie: z.string() }),
     async: true,
@@ -223,7 +254,7 @@ export const testing_put_fact_action_spec = {
     method: '_testing_put_fact',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: true,
     input: z.strictObject({
         content: z.string(),
@@ -248,7 +279,7 @@ export const testing_schema_snapshot_action_spec = {
     method: '_testing_schema_snapshot',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: false,
     input: z.strictObject({ exclude_tables: z.array(z.string()).optional() }),
     output: SchemaSnapshot,

package/dist/testing/cross_backend/testing_server_core.d.ts

@@ -127,14 +127,25 @@ export interface StartTestingServerOptions {
     /** Optional logger; defaults to a `[daemon_name]`-namespaced `Logger`. */
     log?: LoggerType;
 }
+/**
+ * Loopback bind hosts — the only ones the test binary may serve on. It ships
+ * deterministic dev secrets (fixed cookie keys + bootstrap token in
+ * `default_secrets.ts`), so binding any network-reachable interface would let
+ * anyone who knows those fixed keys forge cookies against it. An allowlist
+ * (not an `0.0.0.0`/`::` blocklist) closes the gap a concrete LAN/public
+ * interface IP — e.g. `--host 192.168.1.50` — would otherwise slip through.
+ * Covers `localhost`, the IPv4 loopback `127.0.0.0/8`, and IPv6 `::1`.
+ */
+export declare const is_loopback_host: (host: string) => boolean;
 /**
  * Boot a test-mode server using the supplied runtime adapter.
  *
  * Mirrors a production `start_server` at the surface level — stale-daemon
  * check, daemon-info write, bind, graceful drain — but the app is the
  * caller's no-domain (or domain) {@link StartTestingServerOptions.build_app}
- * and the runtime boundary is the {@link TestingServerAdapter}. Refuses to
- * bind an open host (the test binary must stay on loopback).
+ * and the runtime boundary is the {@link TestingServerAdapter}. Refuses any
+ * non-loopback bind host (the test binary must stay on loopback — see
+ * `is_loopback_host`).
  */
 export declare const start_testing_server: (options: StartTestingServerOptions) => Promise<void>;
 //# sourceMappingURL=testing_server_core.d.ts.map

package/dist/testing/cross_backend/testing_server_core.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testing_server_core.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_server_core.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,IAAI,EAAC,MAAM,MAAM,CAAC;AACxC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAG1E,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,uBAAuB,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW;IAC3B,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,iFAAiF;IACjF,MAAM,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,gBAAgB,CAAC,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,IAAI,CAAC;CACjD;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACpC,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;IACtB,0FAA0F;IAC1F,OAAO,EAAE,WAAW,CAAC;IACrB,6DAA6D;IAC7D,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;IACtD,mFAAmF;IACnF,iBAAiB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,iBAAiB,CAAC;IACpD,8EAA8E;IAC9E,KAAK,EAAE,CAAC,OAAO,EAAE;QAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,KAAK,WAAW,CAAC;IACxF,+CAA+C;IAC/C,GAAG,EAAE,MAAM,CAAC;IACZ,yEAAyE;IACzE,yBAAyB,EAAE,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IAClE,oEAAoE;IACpE,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,KAAK,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,eAAe;IAC/B,kEAAkE;IAClE,GAAG,EAAE,IAAI,CAAC;IACV,qEAAqE;IACrE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,uEAAuE;IACvE,eAAe,CAAC,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,KAAK,IAAI,CAAC;CAChE;AAED,gDAAgD;AAChD,MAAM,WAAW,yBAAyB;IACzC,+CAA+C;IAC/C,OAAO,EAAE,oBAAoB,CAAC;IAC9B;;;;;;OAMG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,SAAS,EAAE,MAAM,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,0EAA0E;IAC1E,GAAG,CAAC,EAAE,UAAU,CAAC;CACjB;AAKD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,GAAU,SAAS,yBAAyB,KAAG,OAAO,CAAC,IAAI,CA4D3F,CAAC"}
+{"version":3,"file":"testing_server_core.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_server_core.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,IAAI,EAAC,MAAM,MAAM,CAAC;AACxC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAG1E,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,uBAAuB,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW;IAC3B,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,iFAAiF;IACjF,MAAM,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,gBAAgB,CAAC,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,IAAI,CAAC;CACjD;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACpC,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;IACtB,0FAA0F;IAC1F,OAAO,EAAE,WAAW,CAAC;IACrB,6DAA6D;IAC7D,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;IACtD,mFAAmF;IACnF,iBAAiB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,iBAAiB,CAAC;IACpD,8EAA8E;IAC9E,KAAK,EAAE,CAAC,OAAO,EAAE;QAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,KAAK,WAAW,CAAC;IACxF,+CAA+C;IAC/C,GAAG,EAAE,MAAM,CAAC;IACZ,yEAAyE;IACzE,yBAAyB,EAAE,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IAClE,oEAAoE;IACpE,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,KAAK,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,eAAe;IAC/B,kEAAkE;IAClE,GAAG,EAAE,IAAI,CAAC;IACV,qEAAqE;IACrE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,uEAAuE;IACvE,eAAe,CAAC,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,KAAK,IAAI,CAAC;CAChE;AAED,gDAAgD;AAChD,MAAM,WAAW,yBAAyB;IACzC,+CAA+C;IAC/C,OAAO,EAAE,oBAAoB,CAAC;IAC9B;;;;;;OAMG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,SAAS,EAAE,MAAM,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,0EAA0E;IAC1E,GAAG,CAAC,EAAE,UAAU,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,MAAM,KAAG,OAG/C,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,GAAU,SAAS,yBAAyB,KAAG,OAAO,CAAC,IAAI,CA4D3F,CAAC"}

package/dist/testing/cross_backend/testing_server_core.js

@@ -1,24 +1,36 @@
 import '../assert_dev_env.js';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { write_daemon_info, read_daemon_info, is_daemon_running } from '../../cli/daemon.js';
-/** Hosts that expose the test binary beyond loopback — refused at startup. */
-const OPEN_HOSTS = new Set(['0.0.0.0', '::', '[::]']);
+/**
+ * Loopback bind hosts — the only ones the test binary may serve on. It ships
+ * deterministic dev secrets (fixed cookie keys + bootstrap token in
+ * `default_secrets.ts`), so binding any network-reachable interface would let
+ * anyone who knows those fixed keys forge cookies against it. An allowlist
+ * (not an `0.0.0.0`/`::` blocklist) closes the gap a concrete LAN/public
+ * interface IP — e.g. `--host 192.168.1.50` — would otherwise slip through.
+ * Covers `localhost`, the IPv4 loopback `127.0.0.0/8`, and IPv6 `::1`.
+ */
+export const is_loopback_host = (host) => {
+    const h = host.replace(/^\[(.*)\]$/, '$1'); // unwrap an `[::1]`-style IPv6 literal
+    return h === 'localhost' || h === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
+};
 /**
  * Boot a test-mode server using the supplied runtime adapter.
  *
  * Mirrors a production `start_server` at the surface level — stale-daemon
  * check, daemon-info write, bind, graceful drain — but the app is the
  * caller's no-domain (or domain) {@link StartTestingServerOptions.build_app}
- * and the runtime boundary is the {@link TestingServerAdapter}. Refuses to
- * bind an open host (the test binary must stay on loopback).
+ * and the runtime boundary is the {@link TestingServerAdapter}. Refuses any
+ * non-loopback bind host (the test binary must stay on loopback — see
+ * `is_loopback_host`).
  */
 export const start_testing_server = async (options) => {
     const { adapter, daemon_name, host, port, app_version, build_app } = options;
     const log = options.log ?? new Logger(`[${daemon_name}]`);
     const { runtime } = adapter;
-    if (OPEN_HOSTS.has(host)) {
-        log.error(`FATAL: binding to '${host}' exposes the test binary to your entire network. ` +
-            `Use --host localhost (default) or 127.0.0.1 instead.`);
+    if (!is_loopback_host(host)) {
+        log.error(`FATAL: binding to '${host}' exposes the test binary (which ships deterministic ` +
+            `dev secrets) beyond loopback. Use --host localhost (default), 127.0.0.1, or ::1 instead.`);
         adapter.exit(1);
     }
     const stale = await read_daemon_info(runtime, daemon_name);

package/dist/testing/mock_fs.d.ts

@@ -1,3 +1,4 @@
+import './assert_dev_env.js';
 /**
  * In-memory file system mock for tests that use dependency-injected
  * `read_file` and `write_file` callbacks. Avoids module-level mocking.

package/dist/testing/mock_fs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mock_fs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/mock_fs.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,MAAM;IACtB,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/E,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAC/C;AAED;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAAI,gBAAe,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,KAAG,MAsB3E,CAAC"}
+{"version":3,"file":"mock_fs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/mock_fs.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;GAKG;AAEH,MAAM,WAAW,MAAM;IACtB,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/E,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAC/C;AAED;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAAI,gBAAe,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,KAAG,MAsB3E,CAAC"}

package/dist/testing/mock_fs.js

@@ -1,9 +1,4 @@
-/**
- * In-memory file system mock for tests that use dependency-injected
- * `read_file` and `write_file` callbacks. Avoids module-level mocking.
- *
- * @module
- */
+import './assert_dev_env.js';
 /**
  * Creates an in-memory file system for tests.
  *

package/dist/testing/surface_invariants.d.ts

@@ -142,6 +142,38 @@ export declare const assert_ws_endpoints_include_protocol_actions: (surface: App
  * surface mocks the shape incorrectly.
  */
 export declare const assert_ws_notifications_have_null_auth: (surface: AppSurface) => void;
+/**
+ * Reserved method-name prefix for the daemon-token-gated test-backdoor
+ * actions (`_testing_reset`, `_testing_mint_session`, `_testing_put_fact`,
+ * `_testing_drain_effects`, `_testing_schema_snapshot`). Test binaries
+ * live-mount these on their RPC endpoint but they must never appear on a
+ * **declared** surface.
+ */
+export declare const TESTING_METHOD_PREFIX = "_testing_";
+/**
+ * No `_testing_*` backdoor action ever appears as a method on the declared
+ * surface (RPC or WS).
+ *
+ * The test-backdoor actions (`_testing_reset` et al.) are daemon-token-gated
+ * privileged actions a consumer's test binary appends to its live RPC
+ * endpoint at assembly time — but they are deliberately excluded from
+ * surface generation (`spine_rpc_endpoints` and every consumer's
+ * `create_*_app_surface_spec` omit them) so the published attack surface,
+ * the committed `*_attack_surface.json` snapshot, and codegen never carry
+ * a backdoor. This invariant is the structural guard against a future
+ * wiring change that folds `create_testing_actions(...)` into the *declared*
+ * registry instead of the live-only append — the surface stays the
+ * authoritative "what the server exposes" map only if a backdoor can never
+ * hide in it.
+ *
+ * Pairs with the wire-level negative-credential check
+ * (`describe_testing_backdoor_cross_tests`, cross-process) and the
+ * spec-level gate check: this one pins absence-from-surface, those pin
+ * the daemon-token gate and the 401/403 behavior.
+ *
+ * @throws AssertionError naming the offending endpoint + method.
+ */
+export declare const assert_no_testing_methods: (surface: AppSurface) => void;
 /**
  * Configuration for security policy invariants.
  *
@@ -282,7 +314,8 @@ export declare const assert_surface_invariants: (surface: AppSurface) => void;
  * `actions/CLAUDE.md` §Registry compile) — these assertions cover only
  * the contract-surface concerns that a runtime registration check
  * cannot: empty descriptions, missing protocol-action spread on WS
- * endpoints, and kind ⇔ auth drift on WS methods.
+ * endpoints, kind ⇔ auth drift on WS methods, and a `_testing_*`
+ * backdoor action leaking onto the declared surface.
  *
  * @throws AssertionError on the first invariant violation; the message
  *   names the offending endpoint, method, and field.

package/dist/testing/surface_invariants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"surface_invariants.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/surface_invariants.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAuB7B,OAAO,KAAK,EAAC,UAAU,EAAuB,MAAM,oBAAoB,CAAC;AAezE;;GAEG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAQzE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,GAAI,SAAS,UAAU,KAAG,IASpE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAQtE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,SAAS,UAAU,KAAG,IAIjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,GAAI,SAAS,UAAU,KAAG,IAOhE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAezE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uCAAuC,GAAI,SAAS,UAAU,KAAG,IAO7E,CAAC;AAyBF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oCAAoC,GAAI,SAAS,UAAU,KAAG,IAoC1E,CAAC;AAsEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAU5E,CAAC;AAIF,4DAA4D;AAC5D,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAAC;AAEpE,iEAAiE;AACjE,MAAM,WAAW,qBAAqB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,sBAAsB,CAAC;IACpC,qDAAqD;IACrD,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;CAClC;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,qBAAqB,CAgB7F,CAAC;AAIF;;;;;;GAMG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAS5E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qCAAqC,GAAI,SAAS,UAAU,KAAG,IAS3E,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,4CAA4C,GAAI,SAAS,UAAU,KAAG,IAWlF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAa5E,CAAC;AAIF;;;;GAIG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,wBAAwB,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;IAClD;;;OAGG;IACH,yBAAyB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C;;;OAGG;IACH,qBAAqB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtC;AASD;;;;;;GAMG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,UAAU,EACnB,qBAAoB,KAAK,CAAC,MAAM,GAAG,MAAM,CAA8B,KACrE,IAcF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,qCAAqC,GACjD,SAAS,UAAU,EACnB,YAAW,KAAK,CAAC,MAAM,CAAM,KAC3B,IAYF,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAKF;;;;;GAKG;AACH,eAAO,MAAM,iCAAiC,GAC7C,SAAS,UAAU,EACnB,WAAU,KAAK,CAAC,MAAM,CAAiC,KACrD,IASF,CAAC;AAWF,mDAAmD;AACnD,MAAM,WAAW,2BAA2B;IAC3C,6FAA6F;IAC7F,eAAe,CAAC,EAAE,sBAAsB,CAAC;IACzC,mEAAmE;IACnE,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,kDAAkD;IAClD,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,uCAAuC,EAAE,aAAa,CAAC,MAAM,CAAM,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,EAAE,2BAG5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,UAAU,EACnB,UAAU,2BAA2B,KACnC,IAsBF,CAAC;AAIF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,IAY/D,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAKtE,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,8BAA8B,GAC1C,SAAS,UAAU,EACnB,UAAS,4BAAiC,KACxC,IAKF,CAAC"}
+{"version":3,"file":"surface_invariants.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/surface_invariants.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAuB7B,OAAO,KAAK,EAAC,UAAU,EAAuB,MAAM,oBAAoB,CAAC;AAezE;;GAEG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAQzE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,GAAI,SAAS,UAAU,KAAG,IASpE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAQtE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,SAAS,UAAU,KAAG,IAIjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,GAAI,SAAS,UAAU,KAAG,IAOhE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAezE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uCAAuC,GAAI,SAAS,UAAU,KAAG,IAO7E,CAAC;AAyBF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oCAAoC,GAAI,SAAS,UAAU,KAAG,IAoC1E,CAAC;AAsEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAU5E,CAAC;AAIF,4DAA4D;AAC5D,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAAC;AAEpE,iEAAiE;AACjE,MAAM,WAAW,qBAAqB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,sBAAsB,CAAC;IACpC,qDAAqD;IACrD,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;CAClC;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,qBAAqB,CAgB7F,CAAC;AAIF;;;;;;GAMG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAS5E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qCAAqC,GAAI,SAAS,UAAU,KAAG,IAS3E,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,4CAA4C,GAAI,SAAS,UAAU,KAAG,IAWlF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAa5E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,cAAc,CAAC;AAEjD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,IAoB/D,CAAC;AAIF;;;;GAIG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,wBAAwB,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;IAClD;;;OAGG;IACH,yBAAyB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C;;;OAGG;IACH,qBAAqB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtC;AASD;;;;;;GAMG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,UAAU,EACnB,qBAAoB,KAAK,CAAC,MAAM,GAAG,MAAM,CAA8B,KACrE,IAcF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,qCAAqC,GACjD,SAAS,UAAU,EACnB,YAAW,KAAK,CAAC,MAAM,CAAM,KAC3B,IAYF,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAKF;;;;;GAKG;AACH,eAAO,MAAM,iCAAiC,GAC7C,SAAS,UAAU,EACnB,WAAU,KAAK,CAAC,MAAM,CAAiC,KACrD,IASF,CAAC;AAWF,mDAAmD;AACnD,MAAM,WAAW,2BAA2B;IAC3C,6FAA6F;IAC7F,eAAe,CAAC,EAAE,sBAAsB,CAAC;IACzC,mEAAmE;IACnE,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,kDAAkD;IAClD,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,uCAAuC,EAAE,aAAa,CAAC,MAAM,CAAM,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,EAAE,2BAG5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,UAAU,EACnB,UAAU,2BAA2B,KACnC,IAsBF,CAAC;AAIF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,IAY/D,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAMtE,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,8BAA8B,GAC1C,SAAS,UAAU,EACnB,UAAS,4BAAiC,KACxC,IAKF,CAAC"}

package/dist/testing/surface_invariants.js

@@ -452,6 +452,52 @@ export const assert_ws_notifications_have_null_auth = (surface) => {
         }
     }
 };
+/**
+ * Reserved method-name prefix for the daemon-token-gated test-backdoor
+ * actions (`_testing_reset`, `_testing_mint_session`, `_testing_put_fact`,
+ * `_testing_drain_effects`, `_testing_schema_snapshot`). Test binaries
+ * live-mount these on their RPC endpoint but they must never appear on a
+ * **declared** surface.
+ */
+export const TESTING_METHOD_PREFIX = '_testing_';
+/**
+ * No `_testing_*` backdoor action ever appears as a method on the declared
+ * surface (RPC or WS).
+ *
+ * The test-backdoor actions (`_testing_reset` et al.) are daemon-token-gated
+ * privileged actions a consumer's test binary appends to its live RPC
+ * endpoint at assembly time — but they are deliberately excluded from
+ * surface generation (`spine_rpc_endpoints` and every consumer's
+ * `create_*_app_surface_spec` omit them) so the published attack surface,
+ * the committed `*_attack_surface.json` snapshot, and codegen never carry
+ * a backdoor. This invariant is the structural guard against a future
+ * wiring change that folds `create_testing_actions(...)` into the *declared*
+ * registry instead of the live-only append — the surface stays the
+ * authoritative "what the server exposes" map only if a backdoor can never
+ * hide in it.
+ *
+ * Pairs with the wire-level negative-credential check
+ * (`describe_testing_backdoor_cross_tests`, cross-process) and the
+ * spec-level gate check: this one pins absence-from-surface, those pin
+ * the daemon-token gate and the 401/403 behavior.
+ *
+ * @throws AssertionError naming the offending endpoint + method.
+ */
+export const assert_no_testing_methods = (surface) => {
+    for (const ep of surface.rpc_endpoints) {
+        for (const method of ep.methods) {
+            assert.ok(!method.name.startsWith(TESTING_METHOD_PREFIX), `RPC endpoint '${ep.path}' exposes test-backdoor method '${method.name}' on the ` +
+                `declared surface — '${TESTING_METHOD_PREFIX}*' actions must be live-mounted only, ` +
+                `never folded into the surface-generating registry`);
+        }
+    }
+    for (const ep of surface.ws_endpoints) {
+        for (const method of ep.methods) {
+            assert.ok(!method.name.startsWith(TESTING_METHOD_PREFIX), `WS endpoint '${ep.path}' exposes test-backdoor method '${method.name}' on the ` +
+                `declared surface — '${TESTING_METHOD_PREFIX}*' actions must be live-mounted only`);
+        }
+    }
+};
 /** Default patterns for sensitive REST routes that should be rate-limited. */
 const DEFAULT_SENSITIVE_PATTERNS = [
     /\/login$/,
@@ -637,7 +683,8 @@ export const assert_surface_invariants = (surface) => {
  * `actions/CLAUDE.md` §Registry compile) — these assertions cover only
  * the contract-surface concerns that a runtime registration check
  * cannot: empty descriptions, missing protocol-action spread on WS
- * endpoints, and kind ⇔ auth drift on WS methods.
+ * endpoints, kind ⇔ auth drift on WS methods, and a `_testing_*`
+ * backdoor action leaking onto the declared surface.
  *
  * @throws AssertionError on the first invariant violation; the message
  *   names the offending endpoint, method, and field.
@@ -647,6 +694,7 @@ export const assert_rpc_ws_surface_invariants = (surface) => {
     assert_ws_method_descriptions_present(surface);
     assert_ws_endpoints_include_protocol_actions(surface);
     assert_ws_notifications_have_null_auth(surface);
+    assert_no_testing_methods(surface);
 };
 /**
  * Run security policy invariants. Configurable with sensible defaults.

package/dist/testing/ws_round_trip.d.ts

@@ -1,3 +1,4 @@
+import './assert_dev_env.js';
 /**
  * In-process test helpers for WebSocket JSON-RPC round-trips.
  *

package/dist/testing/ws_round_trip.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ws_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/ws_round_trip.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAO,MAAM,MAAM,CAAC;AACxC,OAAO,EACN,SAAS,EAET,KAAK,gBAAgB,EAErB,KAAK,QAAQ,EACb,MAAM,SAAS,CAAC;AACjB,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAC/C,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,2BAA2B,CAAC;AAC/D,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,4BAA4B,CAAC;AAEvD,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,kCAAkC,CAAC;AAE7E,OAAO,EAAqB,KAAK,uBAAuB,EAAC,MAAM,kCAAkC,CAAC;AAElG,OAAO,EAAC,yBAAyB,EAAC,MAAM,qCAAqC,CAAC;AAC9E,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAEpF,OAAO,EAKN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAKN,KAAK,QAAQ,EACb,MAAM,2BAA2B,CAAC;AAMnC;;;GAGG;AACH,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,MAAM,EAAE,KAAK,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;CAChD;AAED;;;;GAIG;AACH,eAAO,MAAM,cAAc,QAAO,MAajC,CAAC;AAEF,8CAA8C;AAC9C,MAAM,WAAW,sBAAsB;IACtC,eAAe,EAAE,cAAc,CAAC;IAChC,gEAAgE;IAChE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,EAAE,cAAc,CAAC;CACjC;AAED;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,GAAI,MAAM,sBAAsB,KAAG,OAavE,CAAC;AAEF,uFAAuF;AACvF,MAAM,WAAW,WAAW;IAC3B,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,iBAAiB,EAAE,MAAM,CAAC,CAAC,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACtE;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAO,WAatC,CAAC;AAEF;;;;GAIG;AACH,qBAAa,wBAAyB,YAAW,sBAAsB;;IACtE,QAAQ,EAAE,UAAU,GAAG,SAAS,CAAa;gBAEjC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC;IAGjD,qBAAqB,IAAI,SAAS;IAGlC,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;CAG/D;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAC/B,YAAY,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAC9C,OAAO,YAAY,EACnB,IAAI,SAAS,KACX,OAAO,CAAC,IAAI,CAId,CAAC;AAMF,2CAA2C;AAC3C,MAAM,WAAW,iBAAiB;IACjC,wEAAwE;IACxE,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,yFAAyF;IACzF,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,mFAAmF;IACnF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,sFAAsF;IACtF,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,4CAA4C;AAC5C,MAAM,WAAW,0BAA0B;IAC1C;;;;;OAKG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B,kEAAkE;IAClE,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACjD,gEAAgE;IAChE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,cAAc,CAAC,EAAE,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;IAC3D,yDAAyD;IACzD,eAAe,CAAC,EAAE,uBAAuB,CAAC,iBAAiB,CAAC,CAAC;CAC7D;AAED,kEAAkE;AAClE,MAAM,WAAW,aAAa;IAC7B,SAAS,EAAE,yBAAyB,CAAC;IACrC;;;;;;;;;;OAUG;IACH,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC7D;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAAI,SAAS,0BAA0B,KAAG,aA0M5E,CAAC;AAEF,0EAA0E;AAC1E,eAAO,MAAM,eAAe,QAAO,iBAGjC,CAAC;AAYH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,mBAAmB,GAAI,IAAI,SAAS,MAAM,EAAE,SAAS;IACjE,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CACtC,KAAG,IAIH,CAAC"}
+{"version":3,"file":"ws_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/ws_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAO,MAAM,MAAM,CAAC;AACxC,OAAO,EACN,SAAS,EAET,KAAK,gBAAgB,EAErB,KAAK,QAAQ,EACb,MAAM,SAAS,CAAC;AACjB,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAC/C,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,2BAA2B,CAAC;AAC/D,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,4BAA4B,CAAC;AAEvD,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,kCAAkC,CAAC;AAE7E,OAAO,EAAqB,KAAK,uBAAuB,EAAC,MAAM,kCAAkC,CAAC;AAElG,OAAO,EAAC,yBAAyB,EAAC,MAAM,qCAAqC,CAAC;AAC9E,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAEpF,OAAO,EAKN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAKN,KAAK,QAAQ,EACb,MAAM,2BAA2B,CAAC;AAMnC;;;GAGG;AACH,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,MAAM,EAAE,KAAK,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;CAChD;AAED;;;;GAIG;AACH,eAAO,MAAM,cAAc,QAAO,MAajC,CAAC;AAEF,8CAA8C;AAC9C,MAAM,WAAW,sBAAsB;IACtC,eAAe,EAAE,cAAc,CAAC;IAChC,gEAAgE;IAChE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,EAAE,cAAc,CAAC;CACjC;AAED;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,GAAI,MAAM,sBAAsB,KAAG,OAavE,CAAC;AAEF,uFAAuF;AACvF,MAAM,WAAW,WAAW;IAC3B,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,iBAAiB,EAAE,MAAM,CAAC,CAAC,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACtE;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAO,WAatC,CAAC;AAEF;;;;GAIG;AACH,qBAAa,wBAAyB,YAAW,sBAAsB;;IACtE,QAAQ,EAAE,UAAU,GAAG,SAAS,CAAa;gBAEjC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC;IAGjD,qBAAqB,IAAI,SAAS;IAGlC,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;CAG/D;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAC/B,YAAY,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAC9C,OAAO,YAAY,EACnB,IAAI,SAAS,KACX,OAAO,CAAC,IAAI,CAId,CAAC;AAMF,2CAA2C;AAC3C,MAAM,WAAW,iBAAiB;IACjC,wEAAwE;IACxE,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,yFAAyF;IACzF,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,mFAAmF;IACnF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,sFAAsF;IACtF,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,4CAA4C;AAC5C,MAAM,WAAW,0BAA0B;IAC1C;;;;;OAKG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B,kEAAkE;IAClE,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACjD,gEAAgE;IAChE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,cAAc,CAAC,EAAE,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;IAC3D,yDAAyD;IACzD,eAAe,CAAC,EAAE,uBAAuB,CAAC,iBAAiB,CAAC,CAAC;CAC7D;AAED,kEAAkE;AAClE,MAAM,WAAW,aAAa;IAC7B,SAAS,EAAE,yBAAyB,CAAC;IACrC;;;;;;;;;;OAUG;IACH,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC7D;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAAI,SAAS,0BAA0B,KAAG,aA0M5E,CAAC;AAEF,0EAA0E;AAC1E,eAAO,MAAM,eAAe,QAAO,iBAGjC,CAAC;AAYH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,mBAAmB,GAAI,IAAI,SAAS,MAAM,EAAE,SAAS;IACjE,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CACtC,KAAG,IAIH,CAAC"}

package/dist/testing/ws_round_trip.js

@@ -1,41 +1,4 @@
-/**
- * In-process test helpers for WebSocket JSON-RPC round-trips.
- *
- * Drives `register_action_ws` without an HTTP server. Consumers supply
- * specs + handlers; the harness constructs real `WSContext` instances
- * backed by test-owned `send`/`close` pairs, fakes the authenticated
- * Hono context (`request_context`, credential type, session id, api
- * token id), and exposes a `connect()` factory returning a `WsClient`
- * per connection.
- *
- * Three layers are exported:
- *
- *   - **Primitives** (`create_fake_ws`, `create_fake_hono_context`,
- *     `create_stub_upgrade`, `MinimalActionEnvironment`,
- *     `dispatch_ws_message`) — used by fuz_app's own dispatcher tests
- *     and by consumers wiring tight one-off tests.
- *   - **Harness** (`create_ws_test_harness`, `keeper_identity`) — the
- *     high-level driver. Give it specs + handlers, get back
- *     `{transport, connect()}`. `connect()` is async and resolves after
- *     `on_socket_open` completes, so broadcasts sent immediately after
- *     `await harness.connect()` reach the client. Returns a `WsClient`
- *     (shared interface — see `transports/ws_client.ts`); the same
- *     interface is implemented by `transports/ws_transport.ts` for
- *     cross-process tests.
- *   - **Broadcast wiring** — `build_broadcast_api` for wiring a typed
- *     broadcast API against the harness's transport. Wire-frame types
- *     + predicates (`is_notification`, `is_response_for`,
- *     `JsonrpcNotificationFrame`, ...) live in `transports/ws_client.ts`
- *     so both in-process and cross-process drivers reference one source.
- *
- * Hono's wire upgrade is skipped — the Node test runtime has no
- * `@hono/node-ws` adapter — but the full dispatch path is exercised
- * (per-action auth, input validation, `ctx.notify` back to the
- * originating socket, broadcast via `BackendWebsocketTransport`, and
- * close-on-revoke).
- *
- * @module
- */
+import './assert_dev_env.js';
 import { WSContext, createWSMessageEvent, } from 'hono/ws';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { create_uuid } from '@fuzdev/fuz_util/id.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.85.0",
+  "version": "0.85.1",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",