@fuzdev/fuz_app 0.85.0 → 0.86.0

package/dist/actions/CLAUDE.md

@@ -506,8 +506,10 @@ Per-message side-effect queues: `pending_effects` (eager) drains via
 handlers via `emit_after_commit`) drains via `flush_post_commit_effects`.
 Both flush in the same `try/finally` that releases the request controller,
 so fire-and-forget audit / notification effects pushed by the handler
-complete (or reject visibly) before the next message dispatches. See
-`http/CLAUDE.md` §Pending Effects.
+complete (or reject visibly) before the next message dispatches. The
+deferred queue is **discarded on rollback** before it reaches that flush (a
+rolled-back message fires no post-commit effect). See `http/CLAUDE.md`
+§Pending Effects.
 
 **Lifecycle hooks.** `on_socket_open({ws, connection_id, identity, notify, signal})`
 fires after `transport.add_connection` but before the first message;

package/dist/actions/perform_action.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"perform_action.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/perform_action.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAGN,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAC,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAEN,KAAK,gBAAgB,EAErB,KAAK,kBAAkB,EACvB,MAAM,oBAAoB,CAAC;AAY5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAEpD,OAAO,KAAK,EAA+B,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAClC,kEAAkE;IAClE,MAAM,EAAE,SAAS,CAAC;IAClB,mGAAmG;IACnG,UAAU,EAAE,OAAO,CAAC;IACpB,sDAAsD;IACtD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,yDAAyD;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,uEAAuE;IACvE,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,qEAAqE;IACrE,SAAS,EAAE,MAAM,CAAC;IAClB,oGAAoG;IACpG,MAAM,EAAE,WAAW,CAAC;IACpB,sFAAsF;IACtF,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,uDAAuD;IACvD,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QAAC,eAAe,EAAE,cAAc,GAAG,IAAI,CAAA;KAAC,CAAC;CAClD;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IACjC,gGAAgG;IAChG,EAAE,EAAE,EAAE,CAAC;IACP;;;OAGG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;OAGG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,uEAAuE;IACvE,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;CAChD;AAED;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAC5B;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAC7B;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,kBAAkB,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAC,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,GAC1B,OAAO,kBAAkB,EACzB,MAAM,iBAAiB,KACrB,OAAO,CAAC,mBAAmB,CAwJ7B,CAAC;AAoFF;;;GAGG;AACH,eAAO,MAAM,iCAAiC,GAC7C,IAAI,gBAAgB,EACpB,QAAQ,mBAAmB,KACzB;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,gBAAgB,CAAA;CAAC,GAAG,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAAG;IAAC,KAAK,EAAE,kBAAkB,CAAA;CAAC,CAK5F,CAAC"}
+{"version":3,"file":"perform_action.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/perform_action.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAGN,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAC,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAGpC,OAAO,EAEN,KAAK,gBAAgB,EAErB,KAAK,kBAAkB,EACvB,MAAM,oBAAoB,CAAC;AAY5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAEpD,OAAO,KAAK,EAA+B,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAClC,kEAAkE;IAClE,MAAM,EAAE,SAAS,CAAC;IAClB,mGAAmG;IACnG,UAAU,EAAE,OAAO,CAAC;IACpB,sDAAsD;IACtD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,yDAAyD;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,uEAAuE;IACvE,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,qEAAqE;IACrE,SAAS,EAAE,MAAM,CAAC;IAClB,oGAAoG;IACpG,MAAM,EAAE,WAAW,CAAC;IACpB,sFAAsF;IACtF,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,uDAAuD;IACvD,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QAAC,eAAe,EAAE,cAAc,GAAG,IAAI,CAAA;KAAC,CAAC;CAClD;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IACjC,gGAAgG;IAChG,EAAE,EAAE,EAAE,CAAC;IACP;;;OAGG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;OAGG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,uEAAuE;IACvE,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;CAChD;AAED;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAC5B;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAC7B;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,kBAAkB,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAC,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,GAC1B,OAAO,kBAAkB,EACzB,MAAM,iBAAiB,KACrB,OAAO,CAAC,mBAAmB,CA6J7B,CAAC;AAoFF;;;GAGG;AACH,eAAO,MAAM,iCAAiC,GAC7C,IAAI,gBAAgB,EACpB,QAAQ,mBAAmB,KACzB;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,gBAAgB,CAAA;CAAC,GAAG,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAAG;IAAC,KAAK,EAAE,kBAAkB,CAAA;CAAC,CAK5F,CAAC"}

package/dist/actions/perform_action.js

@@ -41,6 +41,7 @@ import { DEV } from 'esm-env';
 import { apply_authorization_phase, has_any_scoped_role, } from '../auth/request_context.js';
 import {} from '../hono_context.js';
 import { is_void_schema } from '../http/schema_helpers.js';
+import { dispatch_with_post_commit_rollback } from '../http/pending_effects.js';
 import { JSONRPC_VERSION, } from '../http/jsonrpc.js';
 import { jsonrpc_error_messages, jsonrpc_error_code_to_http_status, http_status_to_jsonrpc_error_code, JSONRPC_ERROR_CODES, } from '../http/jsonrpc_errors.js';
 import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INSUFFICIENT_PERMISSIONS, ERROR_CREDENTIAL_TYPE_REQUIRED, } from '../http/error_schemas.js';
@@ -159,11 +160,14 @@ export const perform_action = async (input, deps) => {
         }
         return { kind: 'ok', result: output };
     };
+    // Dispatch — transaction for mutations, pool for reads. Wrapped so a thrown
+    // handler discards the post-commit effects it queued (`emit_after_commit`):
+    // its transaction rolled back, so those effects must not announce state that
+    // never committed. The eager `pending_effects` queue survives rollback
+    // (attempt audits). See `dispatch_with_post_commit_rollback` (canonical
+    // contract) and docs/security.md §"Post-commit WS fan-out".
     try {
-        if (use_transaction) {
-            return await db.transaction((tx) => execute(tx));
-        }
-        return await execute(db);
+        return await dispatch_with_post_commit_rollback(post_commit_effects, () => use_transaction ? db.transaction((tx) => execute(tx)) : execute(db));
     }
     catch (err) {
         // Duck-type check: Error with numeric `code` signals a JSON-RPC error.

package/dist/auth/role_grant_offer_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"role_grant_offer_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,EAGN,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAIN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AA0B1B,OAAO,EAA4C,KAAK,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACpG,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAEhD,OAAO,EAON,KAAK,kBAAkB,EACvB,MAAM,qCAAqC,CAAC;AAiC7C;;;;;;;;GAQG;AACH,MAAM,MAAM,6BAA6B,GAAG,CAC3C,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EACrE,IAAI,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,EACnC,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC,qDAAqD;AACrD,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB,0FAA0F;IAC1F,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,6BAA6B,CAAC;CAC1C;AA6BD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,EAAE,6BAavC,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,GAAG;IAC/C,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD,EACD,UAAS,2BAAgC,KACvC,KAAK,CAAC,SAAS,CAmdjB,CAAC"}
+{"version":3,"file":"role_grant_offer_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,EAGN,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAIN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AA0B1B,OAAO,EAA4C,KAAK,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACpG,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAEhD,OAAO,EAON,KAAK,kBAAkB,EACvB,MAAM,qCAAqC,CAAC;AAiC7C;;;;;;;;GAQG;AACH,MAAM,MAAM,6BAA6B,GAAG,CAC3C,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EACrE,IAAI,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,EACnC,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC,qDAAqD;AACrD,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB,0FAA0F;IAC1F,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,6BAA6B,CAAC;CAC1C;AA6BD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,EAAE,6BAavC,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,GAAG;IAC/C,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD,EACD,UAAS,2BAAgC,KACvC,KAAK,CAAC,SAAS,CAodjB,CAAC"}

package/dist/auth/role_grant_offer_actions.js

@@ -248,9 +248,10 @@ export const create_role_grant_offer_actions = (deps, options = {}) => {
         }));
         // Audit events are written in-transaction by query_accept_offer; wire
         // them through `audit.notify` post-commit so SSE/WS broadcasts fire.
-        // WS notifications piggyback on the same post-commit microtask so the
-        // grantor sees "accepted" and each superseded grantor sees
-        // "supersede" only once the accept has durably committed.
+        // WS notifications ride the same deferred post-commit thunk so the
+        // grantor sees "accepted" and each superseded grantor sees "supersede"
+        // only once the accept has durably committed — and never if it rolls
+        // back (the dispatch site discards `post_commit_effects` on rollback).
         emit_after_commit(ctx, () => {
             fan_out_audit_events(result.audit_events, audit);
             if (notification_sender && grantor_account_id) {

package/dist/hono_context.d.ts

@@ -99,13 +99,15 @@ declare module 'hono' {
          */
         pending_effects: Array<Promise<void>>;
         /**
-         * Post-commit thunks pushed via `emit_after_commit(ctx, fn)`. The
-         * flush middleware invokes each thunk after the handler returns —
-         * never inline — so notifications (WS sends, etc.) cannot fire
-         * mid-transaction. Producers do not push raw thunks directly. The
-         * flush owns per-thunk `try/catch` + `log.error` so a directly-pushed
-         * thunk (tests included) cannot escape the safety net.
-         * Initialized by `create_app_server`. In test mode
+         * Post-commit thunks pushed via `emit_after_commit(ctx, fn)`. The flush
+         * middleware invokes each thunk after the handler returns — never inline
+         * — so notifications (WS sends, etc.) cannot fire mid-transaction; the
+         * queue is also discarded when the handler's transaction rolls back, so a
+         * thunk never fires for state that never committed. Full contract (the
+         * eager-`pending_effects` contrast, the discard mechanism, the flush
+         * safety net) lives on `dispatch_with_post_commit_rollback` /
+         * `emit_after_commit` in `http/pending_effects.ts`. Producers do not push
+         * raw thunks directly. Initialized by `create_app_server`; in test mode
          * (`await_pending_effects: true`), every thunk completes before the
          * response returns.
          */

package/dist/hono_context.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAO9D;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,mDAInB,CAAC;AAEX,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AAEzD;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,oBAAoB,CAAC;AAEhD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB,wBAAwB,CAAC;AAE7D,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;;;WAMG;QACH,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;QACjC;;;;;;;WAOG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACtC;;;;;;;;;;WAUG;QACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACvD;;;;WAIG;QACH,mBAAmB,EAAE,OAAO,CAAC;KAC7B;CACD"}
+{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAO9D;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,mDAInB,CAAC;AAEX,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AAEzD;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,oBAAoB,CAAC;AAEhD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB,wBAAwB,CAAC;AAE7D,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;;;WAMG;QACH,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;QACjC;;;;;;;WAOG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACtC;;;;;;;;;;;;WAYG;QACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACvD;;;;WAIG;QACH,mBAAmB,EAAE,OAAO,CAAC;KAC7B;CACD"}

package/dist/http/CLAUDE.md

@@ -29,7 +29,7 @@ effects, see ../../../docs/architecture.md.
 - `http/jsonrpc_helpers.ts` — message builders, type guards, input/result normalizers.
 - `http/common_routes.ts` — health check + readiness probe (`/ready` schema-drift deploy gate) + authenticated server-status + surface route specs.
 - `http/db_routes.ts` — generic keeper-only table browser route specs (public schema).
-- `http/pending_effects.ts` — `emit_after_commit` + `flush_pending_effects` + `flush_post_commit_effects` + `EmitAfterCommitContext`.
+- `http/pending_effects.ts` — `emit_after_commit` + `dispatch_with_post_commit_rollback` (the shared rollback-discard wrapper both dispatch sites use) + `flush_pending_effects` + `flush_post_commit_effects` + `EmitAfterCommitContext`.
 
 ## Route Spec System
 
@@ -427,7 +427,7 @@ this work that's already started"; thunk pushers say "run this after the
 handler returns" — and burying both behind one field made
 `c.var.pending_effects.push(x)` ambiguous at the call site. Splitting turns the field name into the contract.
 
-### Why `emit_after_commit` defers
+### Why `emit_after_commit` defers — and discards on rollback
 
 The thunk shape is **load-bearing for correctness**. Pushing
 `Promise.resolve().then(fn)` onto an eager queue — what `emit_after_commit`
@@ -437,6 +437,17 @@ would leak a notification for state that never landed. The thunk defers
 the work to flush time; the `try/finally` in the flush middleware runs
 after the handler (and any wrapping transaction) returns.
 
+Deferral alone isn't enough: the flush runs whether the handler returned or
+threw, so a thrown handler (rolling back its transaction) would still fire the
+thunk it queued. So the contract is **two-sided**: both dispatch sites
+(`http/route_spec.ts`, `actions/perform_action.ts`) wrap their handler in the
+shared `dispatch_with_post_commit_rollback` helper, which discards
+`post_commit_effects` on a handler throw — `emit_after_commit` thus reads as
+**"run iff the wrapping transaction commits."** The eager `pending_effects`
+queue is the deliberate opposite (survives rollback — attempt audits). The full
+two-sided contract + Rust-twin parity note live on the helper's TSDoc in
+`http/pending_effects.ts`.
+
 ```typescript
 emit_after_commit(ctx, () => notification_sender.send_to_account(account_id, msg));
 ```
@@ -449,7 +460,7 @@ and any side effect that must run only after the transaction commits.
 
 - **The flush owns the safety net.** `flush_post_commit_effects` wraps every thunk in `try/catch` and routes errors through `ctx.log.error`, so one failing send cannot starve sibling effects in the same batch nor corrupt the already-committed response. Per-thunk `try/catch` inside `emit_after_commit` would skip directly-pushed thunks (e.g. tests); centralizing the wrap in the flush closes that gap.
 - **Test mode (`await_pending_effects: true`) flushes both queues.** Eager: `await flush_pending_effects(pending_effects, log)`. Deferred: `await flush_post_commit_effects(post_commit_effects, log)`. Both complete before the response returns. Production mode wraps the same helpers in `void ...` and threads `on_effect_error` into `flush_pending_effects`'s `on_rejection` callback for fan-out.
-- **Same drain location for both.** The outer flush middleware (`server/app_server.ts`) and the per-message WS flush handle the two queues adjacent to each other. The deferred queue does not drain inside the route-spec wrapper / `perform_action` — that would tighten the "post-commit" timing further but would force three drain sites (REST wrapper, RPC dispatcher, WS dispatcher) to gain timing no current consumer needs.
+- **Drain at the outer flush; discard at the dispatch site.** The successful-path _drain_ of both queues stays at the outer flush middleware (`server/app_server.ts`) + the per-message WS flush — adjacent, one location, no per-wrapper drain timing. What the dispatch sites (route-spec wrapper / `perform_action`) own is the _rollback discard_, via the shared `dispatch_with_post_commit_rollback` helper: on a handler throw they truncate `post_commit_effects` before the outer flush ever sees it, so the flush only drains effects from a committed handler. The eager `pending_effects` queue is never truncated — it drains regardless (attempt audits survive rollback).
 - Structurally satisfied by both `RouteContext` (HTTP) and `ActionContext` (RPC + WS) — they share the `{log, post_commit_effects}` shape, which is why this helper lives in `http/` rather than `actions/` or `auth/`.
 
 WS sends are **not** wrapped by `create_validated_broadcaster` (that only

package/dist/http/pending_effects.d.ts

@@ -17,6 +17,15 @@
  *   returns. Used for WS sends and any work that must observe a committed
  *   transaction.
  *
+ * **Discard on rollback.** A `post_commit_effects` thunk is discarded if the
+ * handler's transaction rolls back (a thrown handler) — it must not announce
+ * state that never committed. Both dispatch sites enforce this by wrapping
+ * their handler in `dispatch_with_post_commit_rollback` (see its TSDoc below
+ * for the full two-sided contract and the Rust-twin parity note). The eager
+ * `pending_effects` queue is the deliberate opposite: its pool writes run
+ * outside the transaction and intentionally **survive** rollback (attempt
+ * audits).
+ *
  * The split exists because the two shapes encode different contracts:
  * eager pushers are saying "wait for this work that's already started";
  * thunk pushers are saying "run this after the handler returns." Burying
@@ -55,11 +64,45 @@ export interface EmitAfterCommitContext {
  * The flush owns the per-thunk `try/catch` + `log.error` so any
  * directly-pushed thunk (tests included) cannot escape the safety net.
  *
+ * Deferral is only half the contract: a queued thunk is also **discarded if
+ * the handler's transaction rolls back** — via `dispatch_with_post_commit_rollback`
+ * (see its TSDoc). So `fn` runs iff the wrapping transaction commits, never for
+ * state that rolled back. Rollback-resilient writes (attempt audits that must
+ * land even when the handler fails) belong on the eager `pending_effects` queue
+ * instead.
+ *
  * @param ctx - context carrying `log` and the `post_commit_effects` queue
  * @param fn - side effect to run after commit; may return `void` or `Promise<void>`
  * @mutates `ctx.post_commit_effects` - appends `fn` verbatim
  */
 export declare const emit_after_commit: (ctx: EmitAfterCommitContext, fn: () => void | Promise<void>) => void;
+/**
+ * Run a handler dispatch (the handler plus its wrapping `db.transaction`),
+ * discarding any `post_commit_effects` it queued via `emit_after_commit` if it
+ * throws. A thrown handler rolls back its transaction, so firing those deferred
+ * effects would announce state that never committed. On any throw the queue is
+ * truncated back to its pre-dispatch depth — **not** cleared, so entries a
+ * surrounding scope pre-seeded survive — and the error re-thrown unchanged.
+ *
+ * The eager `pending_effects` queue is deliberately never touched here: its
+ * pool writes run outside the transaction and intentionally survive rollback
+ * (attempt audits). `emit_after_commit` thus reads as "run iff the wrapping
+ * transaction commits."
+ *
+ * Both dispatch sites — the REST route wrapper (`http/route_spec.ts`) and the
+ * action dispatcher (`actions/perform_action.ts`, the RPC + WS path) — wrap
+ * their handler call in this so the discard contract lives in one place. The
+ * Rust `fuz_actions` spine pins the same contract.
+ *
+ * `post_commit_effects` is `undefined` when a handler runs without the
+ * app-server pending-effects middleware (bare route / dispatch harnesses):
+ * absent ⇒ nothing queued ⇒ nothing to discard.
+ *
+ * @param post_commit_effects - the deferred queue to truncate on throw, or `undefined`
+ * @param dispatch - invokes the handler (and any wrapping transaction)
+ * @mutates `post_commit_effects` - truncated to its pre-dispatch depth on throw
+ */
+export declare const dispatch_with_post_commit_rollback: <T>(post_commit_effects: Array<() => void | Promise<void>> | undefined, dispatch: () => T | Promise<T>) => Promise<Awaited<T>>;
 /**
  * Drain an eager `pending_effects` queue: `Promise.allSettled` the
  * in-flight handles, route every rejection through `log.error`, and

package/dist/http/pending_effects.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pending_effects.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/pending_effects.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD;;;;GAIG;AACH,MAAM,WAAW,sBAAsB;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACvD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,KAAK,sBAAsB,EAC3B,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAC5B,IAEF,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EACrC,KAAK,MAAM,EACX,eAAe,CAAC,MAAM,EAAE,OAAO,KAAK,IAAI,KACtC,OAAO,CAAC,IAAI,CASd,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GACrC,SAAS,aAAa,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,EAClD,KAAK,MAAM,KACT,OAAO,CAAC,IAAI,CAiBd,CAAC"}
+{"version":3,"file":"pending_effects.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/pending_effects.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD;;;;GAIG;AACH,MAAM,WAAW,sBAAsB;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACvD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,KAAK,sBAAsB,EAC3B,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAC5B,IAEF,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,kCAAkC,GAAU,CAAC,EACzD,qBAAqB,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,SAAS,EAClE,UAAU,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,KAC5B,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAQpB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EACrC,KAAK,MAAM,EACX,eAAe,CAAC,MAAM,EAAE,OAAO,KAAK,IAAI,KACtC,OAAO,CAAC,IAAI,CASd,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GACrC,SAAS,aAAa,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,EAClD,KAAK,MAAM,KACT,OAAO,CAAC,IAAI,CAiBd,CAAC"}

package/dist/http/pending_effects.js

@@ -17,6 +17,15 @@
  *   returns. Used for WS sends and any work that must observe a committed
  *   transaction.
  *
+ * **Discard on rollback.** A `post_commit_effects` thunk is discarded if the
+ * handler's transaction rolls back (a thrown handler) — it must not announce
+ * state that never committed. Both dispatch sites enforce this by wrapping
+ * their handler in `dispatch_with_post_commit_rollback` (see its TSDoc below
+ * for the full two-sided contract and the Rust-twin parity note). The eager
+ * `pending_effects` queue is the deliberate opposite: its pool writes run
+ * outside the transaction and intentionally **survive** rollback (attempt
+ * audits).
+ *
  * The split exists because the two shapes encode different contracts:
  * eager pushers are saying "wait for this work that's already started";
  * thunk pushers are saying "run this after the handler returns." Burying
@@ -45,6 +54,13 @@
  * The flush owns the per-thunk `try/catch` + `log.error` so any
  * directly-pushed thunk (tests included) cannot escape the safety net.
  *
+ * Deferral is only half the contract: a queued thunk is also **discarded if
+ * the handler's transaction rolls back** — via `dispatch_with_post_commit_rollback`
+ * (see its TSDoc). So `fn` runs iff the wrapping transaction commits, never for
+ * state that rolled back. Rollback-resilient writes (attempt audits that must
+ * land even when the handler fails) belong on the eager `pending_effects` queue
+ * instead.
+ *
  * @param ctx - context carrying `log` and the `post_commit_effects` queue
  * @param fn - side effect to run after commit; may return `void` or `Promise<void>`
  * @mutates `ctx.post_commit_effects` - appends `fn` verbatim
@@ -52,6 +68,43 @@
 export const emit_after_commit = (ctx, fn) => {
     ctx.post_commit_effects.push(fn);
 };
+/**
+ * Run a handler dispatch (the handler plus its wrapping `db.transaction`),
+ * discarding any `post_commit_effects` it queued via `emit_after_commit` if it
+ * throws. A thrown handler rolls back its transaction, so firing those deferred
+ * effects would announce state that never committed. On any throw the queue is
+ * truncated back to its pre-dispatch depth — **not** cleared, so entries a
+ * surrounding scope pre-seeded survive — and the error re-thrown unchanged.
+ *
+ * The eager `pending_effects` queue is deliberately never touched here: its
+ * pool writes run outside the transaction and intentionally survive rollback
+ * (attempt audits). `emit_after_commit` thus reads as "run iff the wrapping
+ * transaction commits."
+ *
+ * Both dispatch sites — the REST route wrapper (`http/route_spec.ts`) and the
+ * action dispatcher (`actions/perform_action.ts`, the RPC + WS path) — wrap
+ * their handler call in this so the discard contract lives in one place. The
+ * Rust `fuz_actions` spine pins the same contract.
+ *
+ * `post_commit_effects` is `undefined` when a handler runs without the
+ * app-server pending-effects middleware (bare route / dispatch harnesses):
+ * absent ⇒ nothing queued ⇒ nothing to discard.
+ *
+ * @param post_commit_effects - the deferred queue to truncate on throw, or `undefined`
+ * @param dispatch - invokes the handler (and any wrapping transaction)
+ * @mutates `post_commit_effects` - truncated to its pre-dispatch depth on throw
+ */
+export const dispatch_with_post_commit_rollback = async (post_commit_effects, dispatch) => {
+    const depth = post_commit_effects?.length ?? 0;
+    try {
+        return await dispatch();
+    }
+    catch (err) {
+        if (post_commit_effects)
+            post_commit_effects.length = depth;
+        throw err;
+    }
+};
 /**
  * Drain an eager `pending_effects` queue: `Promise.allSettled` the
  * in-flight handles, route every rejection through `log.error`, and

package/dist/http/route_spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route_spec.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/route_spec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAW,IAAI,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACpE,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EACN,KAAK,iBAAiB,EACtB,KAAK,YAAY,EAKjB,MAAM,oBAAoB,CAAC;AAO5B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAyC,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAEvF;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU;IAC1B,cAAc,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACzC,kBAAkB,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;CAC7C;AAED;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,IAAI,EAAE,SAAS,KAAK,UAAU,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;AAE7F,6CAA6C;AAC7C,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC;AAEtE;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,YAAY;IAC5B;;;OAGG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;;OAKG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;;;OAOG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACvD;AAED;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;AAE7F;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,MAAM,EAAE,WAAW,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,EAAE,YAAY,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;OAKG;IACH,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACrB,6EAA6E;IAC7E,KAAK,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACpB,mEAAmE;IACnE,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC;IACjB,oCAAoC;IACpC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC;IAClB;;;;;;;;;;;;;OAaG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B;;;;;;;;OAQG;IACH,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACxF,wBAAgB,eAAe,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;AAK5D;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACzF,wBAAgB,gBAAgB,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;AAK7D;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACxF,wBAAgB,eAAe,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;AAoJ5D;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAAI,KAAK,IAAI,EAAE,OAAO,KAAK,CAAC,cAAc,CAAC,KAAG,IAIhF,CAAC;AAkFF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AACH,eAAO,MAAM,iBAAiB,GAC7B,KAAK,IAAI,EACT,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,qBAAqB,iBAAiB,EACtC,KAAK,MAAM,EACX,IAAI,EAAE,EACN,YAAY,oBAAoB,KAC9B,IAgEF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,QAAQ,MAAM,EAAE,OAAO,KAAK,CAAC,SAAS,CAAC,KAAG,KAAK,CAAC,SAAS,CAK3F,CAAC"}
+{"version":3,"file":"route_spec.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/route_spec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAW,IAAI,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACpE,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EACN,KAAK,iBAAiB,EACtB,KAAK,YAAY,EAKjB,MAAM,oBAAoB,CAAC;AAQ5B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAyC,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAEvF;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU;IAC1B,cAAc,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACzC,kBAAkB,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;CAC7C;AAED;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,IAAI,EAAE,SAAS,KAAK,UAAU,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;AAE7F,6CAA6C;AAC7C,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC;AAEtE;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,YAAY;IAC5B;;;OAGG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;;OAKG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;;;OAOG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACvD;AAED;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;AAE7F;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,MAAM,EAAE,WAAW,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,EAAE,YAAY,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;OAKG;IACH,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACrB,6EAA6E;IAC7E,KAAK,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACpB,mEAAmE;IACnE,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC;IACjB,oCAAoC;IACpC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC;IAClB;;;;;;;;;;;;;OAaG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B;;;;;;;;OAQG;IACH,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACxF,wBAAgB,eAAe,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;AAK5D;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACzF,wBAAgB,gBAAgB,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;AAK7D;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACxF,wBAAgB,eAAe,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;AAoJ5D;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAAI,KAAK,IAAI,EAAE,OAAO,KAAK,CAAC,cAAc,CAAC,KAAG,IAIhF,CAAC;AAkFF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AACH,eAAO,MAAM,iBAAiB,GAC7B,KAAK,IAAI,EACT,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,qBAAqB,iBAAiB,EACtC,KAAK,MAAM,EACX,IAAI,EAAE,EACN,YAAY,oBAAoB,KAC9B,IAkEF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,QAAQ,MAAM,EAAE,OAAO,KAAK,CAAC,SAAS,CAAC,KAAG,KAAK,CAAC,SAAS,CAK3F,CAAC"}

package/dist/http/route_spec.js

@@ -16,6 +16,7 @@ import { DEV } from 'esm-env';
 import { ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, ERROR_INVALID_ROUTE_PARAMS, ERROR_INVALID_QUERY_PARAMS, } from './error_schemas.js';
 import { ThrownJsonrpcError, jsonrpc_error_code_to_http_status, jsonrpc_error_code_to_name, } from './jsonrpc_errors.js';
 import { is_null_schema, merge_error_schemas } from './schema_helpers.js';
+import { dispatch_with_post_commit_rollback } from './pending_effects.js';
 import { assert_route_auth_acting_biconditional } from './auth_shape.js';
 export function get_route_input(c, _schema) {
     return c.get('validated_input');
@@ -321,17 +322,21 @@ export const apply_route_specs = (app, specs, resolve_auth_guards, log, db, auth
         // Step 1: adapt RouteHandler → Handler (construct RouteContext, call spec.handler)
         const use_transaction = spec.transaction ?? spec.method !== 'GET';
         const inner = spec.handler;
-        let handler = use_transaction
-            ? (c) => db.transaction(async (tx) => inner(c, {
-                db: tx,
+        // Discard post-commit effects a handler queued (`emit_after_commit`) if it
+        // throws — a thrown handler rolls back its wrapping transaction, so firing
+        // those effects would announce state that never committed. The eager
+        // `pending_effects` queue (attempt audits, run outside the transaction) is
+        // untouched. Shared with the action dispatcher (actions/perform_action.ts)
+        // via `dispatch_with_post_commit_rollback`.
+        let handler = (c) => {
+            const route_context = {
                 pending_effects: c.var.pending_effects,
                 post_commit_effects: c.var.post_commit_effects,
-            }))
-            : (c) => inner(c, {
-                db,
-                pending_effects: c.var.pending_effects,
-                post_commit_effects: c.var.post_commit_effects,
-            });
+            };
+            return dispatch_with_post_commit_rollback(c.var.post_commit_effects, () => use_transaction
+                ? db.transaction(async (tx) => inner(c, { db: tx, ...route_context }))
+                : inner(c, { db, ...route_context }));
+        };
         // Step 2: output validation
         handler = wrap_output_validation(handler, spec.output, merged_errors, log);
         // Step 3: error catch layer

package/dist/testing/CLAUDE.md

@@ -13,9 +13,13 @@ testing-patterns. This file is a reference index for the helpers themselves.
 
 ## Production guard — always the first import
 
-Every module here starts with `import './assert_dev_env.js';` — reads `DEV`
-from `esm-env` and throws if false, preventing production-bundle inclusion.
-Enforced by grep, not a linter; make this the first line in new modules.
+Every runtime-reachable module here starts with `import './assert_dev_env.js';`
+— reads `DEV` from `esm-env` and throws if false, preventing production-bundle
+inclusion. Make this the first line in new modules. Enforced by
+`src/test/testing/assert_dev_env_coverage.test.ts`, which fails if any module
+omits the guard. The sole exemption is `cross_backend/make_cross_backend_project.ts`
+— a vitest-project factory consumed by consumers' `vite.config.ts` at config
+time (never runtime), where a throwing guard would break `vite build`.
 
 ## Stubs, factories, mocks
 
@@ -274,6 +278,7 @@ RPC / WS structural invariants (options-free, apply over `surface.rpc_endpoints`
 * `assert_ws_method_descriptions_present` — every WS method on every endpoint has a non-empty `description`.
 * `assert_ws_endpoints_include_protocol_actions` — every WS endpoint includes `heartbeat` + `cancel` (the `protocol_actions` spread from `actions/protocol.js`).
 * `assert_ws_notifications_have_null_auth` — WS method `kind === 'remote_notification' ⟺ auth === null`; guards against drift between spec union and surface emitter.
+* `assert_no_testing_methods` — no `_testing_*` backdoor action (`TESTING_METHOD_PREFIX`) appears as an RPC or WS method on the declared surface. The test-binary actions are live-mounted only; this guards against a future wiring change folding `create_testing_actions(...)` into the surface-generating registry.
 
 Per-endpoint duplicate method names and the auth-shape biconditional are
 already enforced at startup by `compile_action_registry` (see
@@ -1208,6 +1213,29 @@ spine bootstrap (auth + cell + cell_history + fact) and is regenerated +
 drift-guarded by `src/test/cross_backend/spine_expected_schema.db.test.ts`
 (`UPDATE_SCHEMA_READY=1`, then `gro format`).
 
+### Testing-backdoor credential gate — `cross_backend/testing_backdoor.ts`
+
+`describe_testing_backdoor_cross_tests({setup_test, capabilities, rpc_path?})` —
+the negative-credential parity suite for the `_testing_*` backdoor actions.
+For each of `_testing_reset` / `_testing_mint_session` / `_testing_put_fact` /
+`_testing_schema_snapshot` (the three privileged writes plus the schema-dump
+read) it fires three principals over real HTTP: **anonymous** → 401, **session** →
+403 `credential_type_required`, **bearer** → 403 `credential_type_required` —
+proving the daemon-token gate that fences each backdoor action holds end-to-end
+on the real dispatcher (the spec-derived `describe_rpc_attack_surface_tests`
+never enumerates them because they're off the declared surface). Each method is
+sent with **valid** params so the session/bearer cases clear the 400
+input-validation phase and reach the 403 credential gate (order is
+401 → 400 → 403); the handler never runs. Cited property: `docs/security.md`
+§Test Backdoor Actions. Cross-process only (the `_testing_*` actions are
+mounted on the spawned binary, not the in-process app — like the ws/sse
+suites); ungated, since every cross backend that uses
+`default_cross_process_setup` mounts them. fuz_app's own wiring is
+`src/test/cross_backend/testing_backdoor.cross.test.ts`. The complement is the
+in-process spec-level gate test (`src/test/testing/testing_actions_auth.test.ts`,
+asserting each spec declares `credential_types: ['daemon_token']`) + the
+`assert_no_testing_methods` surface invariant.
+
 ### Building a TS test-server binary — `testing_server_core.ts` + adapters
 
 The reusable shape for standing up a **spawnable TS** cross-process test

package/dist/testing/cross_backend/capabilities.d.ts

@@ -7,19 +7,32 @@ import '../assert_dev_env.js';
 export interface BackendCapabilities {
     /**
      * Bearer token auth (`Authorization: Bearer <token>`) is wired through
-     * the backend's middleware stack. Gates the bearer-token cases in
-     * `describe_standard_integration_tests` and `describe_rate_limiting_tests`.
+     * the backend's middleware stack.
+     *
+     * **Declared for backend-shape documentation, not gating.** No suite reads
+     * this flag — the bearer-token cases in `describe_standard_integration_tests`
+     * / `describe_rate_limiting_tests` run unconditionally (every spine wires
+     * bearer auth). Fold into a typed capability taxonomy if these gain real
+     * gating readers.
      */
     readonly bearer_auth: boolean;
     /**
-     * Trusted-proxy XFF parsing is wired (`X-Forwarded-For` etc.). Gates
-     * the proxy-resolution cases in `describe_standard_integration_tests`
-     * and the future cross-process proxy integration suite.
+     * Trusted-proxy XFF parsing is wired (`X-Forwarded-For` etc.).
+     *
+     * **Declared for backend-shape documentation, not gating.** No suite reads
+     * this flag (there is no cross-process proxy-resolution suite); it records
+     * the proxy-default difference between the TS family (`false`) and the Rust
+     * family (`true`). Fold into a typed capability taxonomy if it gains real
+     * gating readers.
      */
     readonly trusted_proxy: boolean;
     /**
-     * Per-account login rate limiting is wired. Gates the per-account
-     * rate-limit cases in `describe_rate_limiting_tests`.
+     * Per-account login rate limiting is wired.
+     *
+     * **Declared for backend-shape documentation, not gating.** No suite reads
+     * this flag; the `describe_rate_limiting_tests` per-account cases are
+     * in-process-only and don't cross a process boundary. Fold into a typed
+     * capability taxonomy if it gains real gating readers.
      */
     readonly login_rate_limit: boolean;
     /**

package/dist/testing/cross_backend/capabilities.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC;;;;;;;;OAQG;IACH,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;IAC/B;;;;;;;;OAQG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAWpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;;;;;;OASG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;;;;;OAQG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;;;;;OAOG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC;;;;;;;;OAQG;IACH,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;IAC/B;;;;;;;;OAQG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAWpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}

package/dist/testing/cross_backend/testing_backdoor.d.ts

@@ -0,0 +1,6 @@
+import '../assert_dev_env.js';
+import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+/** Options for the testing-backdoor negative-credential suite. */
+export type TestingBackdoorCrossTestOptions = CellCrossTestOptions;
+export declare const describe_testing_backdoor_cross_tests: (options: TestingBackdoorCrossTestOptions) => void;
+//# sourceMappingURL=testing_backdoor.d.ts.map

package/dist/testing/cross_backend/testing_backdoor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testing_backdoor.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_backdoor.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAyD9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAgElE,kEAAkE;AAClE,MAAM,MAAM,+BAA+B,GAAG,oBAAoB,CAAC;AAEnE,eAAO,MAAM,qCAAqC,GACjD,SAAS,+BAA+B,KACtC,IAiCF,CAAC"}

package/dist/testing/cross_backend/testing_backdoor.js

@@ -0,0 +1,126 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend negative-credential suite for the `_testing_*` backdoor
+ * actions.
+ *
+ * `_testing_reset` / `_testing_mint_session` / `_testing_put_fact` /
+ * `_testing_schema_snapshot` are privileged test-binary actions the
+ * production wire never exposes — three direct DB writes (full auth wipe,
+ * forged session row, raw fact insert) plus a full-schema introspection read
+ * (the highest info-leak of the set were the gate to break). Their only
+ * structural fence is the **daemon-token** credential gate on
+ * each spec's `auth` axis. A test binary live-mounts them on its RPC
+ * endpoint but keeps them off the declared surface — so the spec-derived
+ * `describe_rpc_attack_surface_tests` never enumerates them, and nothing
+ * else fires them with a non-daemon credential to prove the gate holds
+ * end-to-end. This suite does, against each impl's real auth resolution.
+ *
+ * For every backdoor method, three principals:
+ *
+ * - **anonymous** (no credential) → `401` (pre-validation auth refuses an
+ *   account-less caller before anything else).
+ * - **session** (the keeper's browser-context cookie) → `403`
+ *   `credential_type_required` — a session cookie, even one carrying the
+ *   keeper role, tops out below the daemon-token channel.
+ * - **bearer** (the keeper's api-token, non-browser context) → `403`
+ *   `credential_type_required` — same ceiling; an api token cannot reach
+ *   keeper operations.
+ *
+ * Each method is sent with **valid** params so the session/bearer cases
+ * clear the dispatcher's input-validation (400) phase and actually reach the
+ * post-authorization credential gate (the order is 401 → 400 → 403); the
+ * handler never runs (the gate refuses first), so the writes never execute.
+ *
+ * Complements the spec-level gate check (which pins that each spec *declares*
+ * `credential_types: ['daemon_token']`) and the surface-absence invariant
+ * (`assert_no_testing_methods`) — this one pins the runtime 401/403 behavior
+ * on both impls. Cited property: `security.md` §Test Backdoor Actions
+ * (daemon-token-gated, off-surface, DEV-excluded).
+ *
+ * Cross-process only — the `_testing_*` actions are mounted on the spawned
+ * binary, not the in-process app — like the ws/sse suites. Wire from a
+ * `*.cross.test.ts`. Requires the standard `_testing_*` actions mounted (the
+ * same precondition `default_cross_process_setup` already imposes for its
+ * per-test `_testing_reset`); ungated, since every cross backend mounts them.
+ *
+ * `$lib`-free by contract (relative specifiers only), like the sibling
+ * cross-backend suites.
+ *
+ * @module
+ */
+import { describe, test, assert } from 'vitest';
+import { ERROR_CREDENTIAL_TYPE_REQUIRED } from '../../http/error_schemas.js';
+import { rpc_call } from '../rpc_helpers.js';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** A well-formed UUID that never names a real row. */
+const NIL_UUID = '00000000-0000-0000-0000-000000000000';
+/**
+ * The backdoor methods + a **valid** params payload each (so the
+ * session/bearer cases reach the 403 credential gate rather than a 400 on
+ * input validation). The handlers never run — the gate refuses first.
+ */
+const backdoor_methods = [
+    { method: '_testing_reset', params: {} },
+    { method: '_testing_mint_session', params: { account_id: NIL_UUID, expires_in_seconds: -60 } },
+    { method: '_testing_put_fact', params: { content: 'backdoor-probe' } },
+    // The schema-dump read — `exclude_tables` is optional, so `{}` is valid
+    // and clears the 400 phase like the writes above.
+    { method: '_testing_schema_snapshot', params: {} },
+];
+const principals = [
+    {
+        name: 'anonymous',
+        status: 401,
+        // Fresh jar so the keeper cookie (cross-process) can't leak in.
+        resolve: (f) => ({ transport: f.fresh_transport(), headers: {} }),
+    },
+    {
+        name: 'session',
+        status: 403,
+        reason: ERROR_CREDENTIAL_TYPE_REQUIRED,
+        resolve: (f) => ({ transport: f.transport, headers: f.create_session_headers() }),
+    },
+    {
+        name: 'bearer',
+        status: 403,
+        reason: ERROR_CREDENTIAL_TYPE_REQUIRED,
+        // Bearer is discarded in a browser context, so suppress Origin (empty
+        // jar + no Origin) — the credential must actually resolve so the refusal
+        // lands on the credential-type gate, not on bearer-discard (→ 401).
+        resolve: (f) => ({
+            transport: f.fresh_transport({ origin: null }),
+            headers: f.create_bearer_headers(),
+            suppress_default_origin: true,
+        }),
+    },
+];
+export const describe_testing_backdoor_cross_tests = (options) => {
+    const { setup_test } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    describe('testing backdoor credential gate parity', () => {
+        for (const { method, params } of backdoor_methods) {
+            for (const principal of principals) {
+                test(`${method} rejects ${principal.name} → ${principal.status}`, async () => {
+                    const fixture = await setup_test();
+                    const { transport, headers, suppress_default_origin } = principal.resolve(fixture);
+                    const res = await rpc_call({
+                        app: transport,
+                        path: rpc_path,
+                        method,
+                        params,
+                        headers,
+                        ...(suppress_default_origin && { suppress_default_origin: true }),
+                    });
+                    const label = `${method} ${principal.name}`;
+                    assert.ok(!res.ok, `${label}: expected denial (${principal.status}) but the call succeeded`);
+                    assert.strictEqual(res.status, principal.status, `${label}: status`);
+                    // `!res.ok` narrows `res` to the error variant for `res.error`.
+                    if (principal.reason !== undefined && !res.ok) {
+                        const reason = res.error.data?.reason;
+                        assert.strictEqual(reason, principal.reason, `${label}: error.data.reason`);
+                    }
+                });
+            }
+        }
+    });
+};

package/dist/testing/cross_backend/testing_reset_actions.d.ts

@@ -183,9 +183,18 @@ export declare const testing_drain_effects_action_spec: {
  * `_testing_mint_session` — mint an expired-by-construction server-side
  * session for an existing account and return its signed cookie value.
  *
- * The minted `auth_session` row's `expires_at` is backdated (negative
- * `expires_in_seconds`) while the returned cookie's own signed payload
- * stays valid (future). Cross-process auth resolution therefore passes the
+ * `expires_in_seconds` is **constrained negative** (`z.number().int().negative()`)
+ * so the action is structurally incapable of minting a *usable* session: it
+ * can only produce an already-backdated, already-dead `auth_session` row. The
+ * daemon-token gate + loopback binding already fence the backdoor, but the
+ * negative constraint is the make-impossible-states floor — even a misuse
+ * can't forge a valid session for an arbitrary `account_id`. The Rust mirror
+ * (`fuz_testing::create_testing_mint_session_action_spec`) enforces the same
+ * floor.
+ *
+ * The minted `auth_session` row's `expires_at` is backdated while the
+ * returned cookie's own signed payload stays valid (future). Cross-process
+ * auth resolution therefore passes the
  * cookie-payload gate (`parse_session`) and is refused by the authoritative
  * DB-row gate (`query_session_get_valid` — `WHERE expires_at > NOW()`) —
  * the gate the in-process payload-expiry tests never reach and the one that

package/dist/testing/cross_backend/testing_reset_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAGvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAmBvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;QAiBpC;;;;;;;;WAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWyC,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAeC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;CAeK,CAAC;AAE/C;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAqIjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}
+{"version":3,"file":"testing_reset_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_reset_actions.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,6BAA6B,CAAC;AAIvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,gBAAgB,CAAC;AAkCvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;QAiBpC;;;;;;;;WAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWyC,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;CAWA,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAwBC,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,QAAO,SACiB,CAAC;AAEzE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;CAeK,CAAC;AAE/C;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAE/C;;;;GAIG;AACH,eAAO,MAAM,qCAAqC,QAAO,SAGvD,CAAC;AAEH,4CAA4C;AAC5C,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;IAC9C;;;;;;;;;;;OAWG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACxD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,OAAO,EACb,SAAS,2BAA2B,KAClC,KAAK,CAAC,SAAS,CAqIjB,CAAC;AAEF,0FAA0F;AAC1F,eAAO,MAAM,0BAA0B,UAAmC,CAAC"}

package/dist/testing/cross_backend/testing_reset_actions.js

@@ -68,6 +68,20 @@ import { auth_integration_truncate_tables } from '../db.js';
 import { query_schema_snapshot, SchemaSnapshot } from '../schema_introspect.js';
 import { query_create_actor } from '../../auth/account_queries.js';
 import { create_test_account_with_credentials, mint_test_session, DEFAULT_TEST_PASSWORD, } from '../app_server.js';
+/**
+ * Shared `auth` axis for every `_testing_*` action: keeper-only via the
+ * daemon-token credential, no acting actor. This is the entire structural
+ * fence on the backdoor surface (these actions run direct DB writes the
+ * production wire never exposes), so all five specs reference this one const
+ * rather than re-declaring it — a single source of truth the gate test
+ * (`testing_actions_auth.test.ts`) pins. Mirrors the Rust `DAEMON_TOKEN_ONLY`
+ * / shared `AuthSpec` in `fuz_testing`.
+ */
+const TESTING_ACTION_AUTH = {
+    account: 'required',
+    actor: 'none',
+    credential_types: ['daemon_token'],
+};
 /** Output shape for an individual seeded account (keeper or extra). */
 const SeededAccountShape = z.strictObject({
     account: z.strictObject({ id: Uuid, username: z.string() }),
@@ -104,7 +118,7 @@ export const testing_reset_action_spec = {
     method: '_testing_reset',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: true,
     input: z.strictObject({
         extra_keeper_roles: z.array(z.string()).optional(),
@@ -154,7 +168,7 @@ export const testing_drain_effects_action_spec = {
     method: '_testing_drain_effects',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: false,
     input: z.void(),
     output: z.strictObject({ ok: z.boolean() }),
@@ -165,9 +179,18 @@ export const testing_drain_effects_action_spec = {
  * `_testing_mint_session` — mint an expired-by-construction server-side
  * session for an existing account and return its signed cookie value.
  *
- * The minted `auth_session` row's `expires_at` is backdated (negative
- * `expires_in_seconds`) while the returned cookie's own signed payload
- * stays valid (future). Cross-process auth resolution therefore passes the
+ * `expires_in_seconds` is **constrained negative** (`z.number().int().negative()`)
+ * so the action is structurally incapable of minting a *usable* session: it
+ * can only produce an already-backdated, already-dead `auth_session` row. The
+ * daemon-token gate + loopback binding already fence the backdoor, but the
+ * negative constraint is the make-impossible-states floor — even a misuse
+ * can't forge a valid session for an arbitrary `account_id`. The Rust mirror
+ * (`fuz_testing::create_testing_mint_session_action_spec`) enforces the same
+ * floor.
+ *
+ * The minted `auth_session` row's `expires_at` is backdated while the
+ * returned cookie's own signed payload stays valid (future). Cross-process
+ * auth resolution therefore passes the
  * cookie-payload gate (`parse_session`) and is refused by the authoritative
  * DB-row gate (`query_session_get_valid` — `WHERE expires_at > NOW()`) —
  * the gate the in-process payload-expiry tests never reach and the one that
@@ -186,11 +209,19 @@ export const testing_mint_session_action_spec = {
     method: '_testing_mint_session',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: true,
     input: z.strictObject({
         account_id: Uuid,
-        expires_in_seconds: z.number().int(),
+        expires_in_seconds: z
+            .number()
+            .int()
+            .negative()
+            .meta({
+            description: 'Seconds to offset the session row from NOW(). Constrained negative so this ' +
+                'backdoor can ONLY mint an already-expired (backdated) row — never a usable ' +
+                'session for an arbitrary account. Its sole use is the expired-session gate.',
+        }),
     }),
     output: z.strictObject({ session_cookie: z.string() }),
     async: true,
@@ -223,7 +254,7 @@ export const testing_put_fact_action_spec = {
     method: '_testing_put_fact',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: true,
     input: z.strictObject({
         content: z.string(),
@@ -248,7 +279,7 @@ export const testing_schema_snapshot_action_spec = {
     method: '_testing_schema_snapshot',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none', credential_types: ['daemon_token'] },
+    auth: TESTING_ACTION_AUTH,
     side_effects: false,
     input: z.strictObject({ exclude_tables: z.array(z.string()).optional() }),
     output: SchemaSnapshot,

package/dist/testing/cross_backend/testing_server_core.d.ts

@@ -127,14 +127,25 @@ export interface StartTestingServerOptions {
     /** Optional logger; defaults to a `[daemon_name]`-namespaced `Logger`. */
     log?: LoggerType;
 }
+/**
+ * Loopback bind hosts — the only ones the test binary may serve on. It ships
+ * deterministic dev secrets (fixed cookie keys + bootstrap token in
+ * `default_secrets.ts`), so binding any network-reachable interface would let
+ * anyone who knows those fixed keys forge cookies against it. An allowlist
+ * (not an `0.0.0.0`/`::` blocklist) closes the gap a concrete LAN/public
+ * interface IP — e.g. `--host 192.168.1.50` — would otherwise slip through.
+ * Covers `localhost`, the IPv4 loopback `127.0.0.0/8`, and IPv6 `::1`.
+ */
+export declare const is_loopback_host: (host: string) => boolean;
 /**
  * Boot a test-mode server using the supplied runtime adapter.
  *
  * Mirrors a production `start_server` at the surface level — stale-daemon
  * check, daemon-info write, bind, graceful drain — but the app is the
  * caller's no-domain (or domain) {@link StartTestingServerOptions.build_app}
- * and the runtime boundary is the {@link TestingServerAdapter}. Refuses to
- * bind an open host (the test binary must stay on loopback).
+ * and the runtime boundary is the {@link TestingServerAdapter}. Refuses any
+ * non-loopback bind host (the test binary must stay on loopback — see
+ * `is_loopback_host`).
  */
 export declare const start_testing_server: (options: StartTestingServerOptions) => Promise<void>;
 //# sourceMappingURL=testing_server_core.d.ts.map

package/dist/testing/cross_backend/testing_server_core.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"testing_server_core.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_server_core.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,IAAI,EAAC,MAAM,MAAM,CAAC;AACxC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAG1E,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,uBAAuB,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW;IAC3B,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,iFAAiF;IACjF,MAAM,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,gBAAgB,CAAC,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,IAAI,CAAC;CACjD;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACpC,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;IACtB,0FAA0F;IAC1F,OAAO,EAAE,WAAW,CAAC;IACrB,6DAA6D;IAC7D,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;IACtD,mFAAmF;IACnF,iBAAiB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,iBAAiB,CAAC;IACpD,8EAA8E;IAC9E,KAAK,EAAE,CAAC,OAAO,EAAE;QAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,KAAK,WAAW,CAAC;IACxF,+CAA+C;IAC/C,GAAG,EAAE,MAAM,CAAC;IACZ,yEAAyE;IACzE,yBAAyB,EAAE,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IAClE,oEAAoE;IACpE,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,KAAK,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,eAAe;IAC/B,kEAAkE;IAClE,GAAG,EAAE,IAAI,CAAC;IACV,qEAAqE;IACrE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,uEAAuE;IACvE,eAAe,CAAC,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,KAAK,IAAI,CAAC;CAChE;AAED,gDAAgD;AAChD,MAAM,WAAW,yBAAyB;IACzC,+CAA+C;IAC/C,OAAO,EAAE,oBAAoB,CAAC;IAC9B;;;;;;OAMG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,SAAS,EAAE,MAAM,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,0EAA0E;IAC1E,GAAG,CAAC,EAAE,UAAU,CAAC;CACjB;AAKD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,GAAU,SAAS,yBAAyB,KAAG,OAAO,CAAC,IAAI,CA4D3F,CAAC"}
+{"version":3,"file":"testing_server_core.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/testing_server_core.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,IAAI,EAAC,MAAM,MAAM,CAAC;AACxC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAG1E,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,uBAAuB,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW;IAC3B,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,iFAAiF;IACjF,MAAM,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,gBAAgB,CAAC,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,IAAI,CAAC;CACjD;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACpC,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;IACtB,0FAA0F;IAC1F,OAAO,EAAE,WAAW,CAAC;IACrB,6DAA6D;IAC7D,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;IACtD,mFAAmF;IACnF,iBAAiB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,iBAAiB,CAAC;IACpD,8EAA8E;IAC9E,KAAK,EAAE,CAAC,OAAO,EAAE;QAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,KAAK,WAAW,CAAC;IACxF,+CAA+C;IAC/C,GAAG,EAAE,MAAM,CAAC;IACZ,yEAAyE;IACzE,yBAAyB,EAAE,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IAClE,oEAAoE;IACpE,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,KAAK,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,eAAe;IAC/B,kEAAkE;IAClE,GAAG,EAAE,IAAI,CAAC;IACV,qEAAqE;IACrE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,uEAAuE;IACvE,eAAe,CAAC,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,KAAK,IAAI,CAAC;CAChE;AAED,gDAAgD;AAChD,MAAM,WAAW,yBAAyB;IACzC,+CAA+C;IAC/C,OAAO,EAAE,oBAAoB,CAAC;IAC9B;;;;;;OAMG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,SAAS,EAAE,MAAM,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,0EAA0E;IAC1E,GAAG,CAAC,EAAE,UAAU,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,MAAM,KAAG,OAG/C,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,GAAU,SAAS,yBAAyB,KAAG,OAAO,CAAC,IAAI,CA4D3F,CAAC"}

package/dist/testing/cross_backend/testing_server_core.js

@@ -1,24 +1,36 @@
 import '../assert_dev_env.js';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { write_daemon_info, read_daemon_info, is_daemon_running } from '../../cli/daemon.js';
-/** Hosts that expose the test binary beyond loopback — refused at startup. */
-const OPEN_HOSTS = new Set(['0.0.0.0', '::', '[::]']);
+/**
+ * Loopback bind hosts — the only ones the test binary may serve on. It ships
+ * deterministic dev secrets (fixed cookie keys + bootstrap token in
+ * `default_secrets.ts`), so binding any network-reachable interface would let
+ * anyone who knows those fixed keys forge cookies against it. An allowlist
+ * (not an `0.0.0.0`/`::` blocklist) closes the gap a concrete LAN/public
+ * interface IP — e.g. `--host 192.168.1.50` — would otherwise slip through.
+ * Covers `localhost`, the IPv4 loopback `127.0.0.0/8`, and IPv6 `::1`.
+ */
+export const is_loopback_host = (host) => {
+    const h = host.replace(/^\[(.*)\]$/, '$1'); // unwrap an `[::1]`-style IPv6 literal
+    return h === 'localhost' || h === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
+};
 /**
  * Boot a test-mode server using the supplied runtime adapter.
  *
  * Mirrors a production `start_server` at the surface level — stale-daemon
  * check, daemon-info write, bind, graceful drain — but the app is the
  * caller's no-domain (or domain) {@link StartTestingServerOptions.build_app}
- * and the runtime boundary is the {@link TestingServerAdapter}. Refuses to
- * bind an open host (the test binary must stay on loopback).
+ * and the runtime boundary is the {@link TestingServerAdapter}. Refuses any
+ * non-loopback bind host (the test binary must stay on loopback — see
+ * `is_loopback_host`).
  */
 export const start_testing_server = async (options) => {
     const { adapter, daemon_name, host, port, app_version, build_app } = options;
     const log = options.log ?? new Logger(`[${daemon_name}]`);
     const { runtime } = adapter;
-    if (OPEN_HOSTS.has(host)) {
-        log.error(`FATAL: binding to '${host}' exposes the test binary to your entire network. ` +
-            `Use --host localhost (default) or 127.0.0.1 instead.`);
+    if (!is_loopback_host(host)) {
+        log.error(`FATAL: binding to '${host}' exposes the test binary (which ships deterministic ` +
+            `dev secrets) beyond loopback. Use --host localhost (default), 127.0.0.1, or ::1 instead.`);
         adapter.exit(1);
     }
     const stale = await read_daemon_info(runtime, daemon_name);

package/dist/testing/cross_backend/ts_spine_backend_config.d.ts

@@ -23,8 +23,11 @@ export declare const TS_SPINE_DIR_ENV = "FUZ_TESTING_TS_SPINE_DIR";
  * Audit-log SSE stream path the TS spine binary serves (it wires
  * `audit_log_sse`). Matches `SPINE_SSE_PATH` in `testing/cross_backend/default_spine_surface.ts`
  * and the cross-process SSE suite's default. Scoped to the TS configs
- * (which advertise `capabilities.sse: true`) — the Rust spine doesn't serve
- * the stream, so the shared `ts_default_capabilities` stays `sse: false`.
+ * (which advertise `capabilities.sse: true`) — the shared
+ * `ts_default_capabilities` stays `sse: false` because not every consumer
+ * wires `audit_log_sse`, so the default stays honest for backends that don't
+ * serve the stream. (The Rust `testing_spine_stub` does serve it and opts in
+ * via `rust_spine_stub_backend_config`.)
  */
 export declare const TS_SPINE_SSE_PATH = "/api/admin/audit/stream";
 /** Default port for the Node TS spine binary — slots beside the Rust `spine_stub` (1177). */

package/dist/testing/cross_backend/ts_spine_backend_config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ts_spine_backend_config.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/ts_spine_backend_config.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAOvD,8GAA8G;AAC9G,eAAO,MAAM,gBAAgB,6BAA6B,CAAC;AAE3D;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB,4BAA4B,CAAC;AAS3D,6FAA6F;AAC7F,eAAO,MAAM,0BAA0B,OAAO,CAAC;AAE/C,iDAAiD;AACjD,eAAO,MAAM,0BAA0B,OAAO,CAAC;AAE/C,gDAAgD;AAChD,eAAO,MAAM,yBAAyB,OAAO,CAAC;AAE9C,yDAAyD;AACzD,eAAO,MAAM,mBAAmB,wDAAwD,CAAC;AAEzF,yDAAyD;AACzD,eAAO,MAAM,mBAAmB,wDAAwD,CAAC;AAEzF,wDAAwD;AACxD,eAAO,MAAM,kBAAkB,uDAAuD,CAAC;AAEvF,MAAM,WAAW,2BAA2B;IAC3C,mFAAmF;IACnF,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,8DAA8D;IAC9D,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;GAGG;AACH,eAAO,MAAM,4BAA4B,GACxC,UAAS,2BAAgC,KACvC,aAgBF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B,GACvC,UAAS,2BAAgC,KACvC,aAgBF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,GACxC,UAAS,2BAAgC,KACvC,aA6BF,CAAC"}
+{"version":3,"file":"ts_spine_backend_config.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/ts_spine_backend_config.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAOvD,8GAA8G;AAC9G,eAAO,MAAM,gBAAgB,6BAA6B,CAAC;AAE3D;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB,4BAA4B,CAAC;AAS3D,6FAA6F;AAC7F,eAAO,MAAM,0BAA0B,OAAO,CAAC;AAE/C,iDAAiD;AACjD,eAAO,MAAM,0BAA0B,OAAO,CAAC;AAE/C,gDAAgD;AAChD,eAAO,MAAM,yBAAyB,OAAO,CAAC;AAE9C,yDAAyD;AACzD,eAAO,MAAM,mBAAmB,wDAAwD,CAAC;AAEzF,yDAAyD;AACzD,eAAO,MAAM,mBAAmB,wDAAwD,CAAC;AAEzF,wDAAwD;AACxD,eAAO,MAAM,kBAAkB,uDAAuD,CAAC;AAEvF,MAAM,WAAW,2BAA2B;IAC3C,mFAAmF;IACnF,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,8DAA8D;IAC9D,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;GAGG;AACH,eAAO,MAAM,4BAA4B,GACxC,UAAS,2BAAgC,KACvC,aAgBF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B,GACvC,UAAS,2BAAgC,KACvC,aAgBF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,GACxC,UAAS,2BAAgC,KACvC,aA6BF,CAAC"}

package/dist/testing/cross_backend/ts_spine_backend_config.js

@@ -7,8 +7,11 @@ export const TS_SPINE_DIR_ENV = 'FUZ_TESTING_TS_SPINE_DIR';
  * Audit-log SSE stream path the TS spine binary serves (it wires
  * `audit_log_sse`). Matches `SPINE_SSE_PATH` in `testing/cross_backend/default_spine_surface.ts`
  * and the cross-process SSE suite's default. Scoped to the TS configs
- * (which advertise `capabilities.sse: true`) — the Rust spine doesn't serve
- * the stream, so the shared `ts_default_capabilities` stays `sse: false`.
+ * (which advertise `capabilities.sse: true`) — the shared
+ * `ts_default_capabilities` stays `sse: false` because not every consumer
+ * wires `audit_log_sse`, so the default stays honest for backends that don't
+ * serve the stream. (The Rust `testing_spine_stub` does serve it and opts in
+ * via `rust_spine_stub_backend_config`.)
  */
 export const TS_SPINE_SSE_PATH = '/api/admin/audit/stream';
 /**

package/dist/testing/mock_fs.d.ts

@@ -1,3 +1,4 @@
+import './assert_dev_env.js';
 /**
  * In-memory file system mock for tests that use dependency-injected
  * `read_file` and `write_file` callbacks. Avoids module-level mocking.

package/dist/testing/mock_fs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mock_fs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/mock_fs.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,MAAM;IACtB,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/E,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAC/C;AAED;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAAI,gBAAe,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,KAAG,MAsB3E,CAAC"}
+{"version":3,"file":"mock_fs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/mock_fs.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;GAKG;AAEH,MAAM,WAAW,MAAM;IACtB,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/D,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/E,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAC/C;AAED;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAAI,gBAAe,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,KAAG,MAsB3E,CAAC"}

package/dist/testing/mock_fs.js

@@ -1,9 +1,4 @@
-/**
- * In-memory file system mock for tests that use dependency-injected
- * `read_file` and `write_file` callbacks. Avoids module-level mocking.
- *
- * @module
- */
+import './assert_dev_env.js';
 /**
  * Creates an in-memory file system for tests.
  *

package/dist/testing/surface_invariants.d.ts

@@ -142,6 +142,38 @@ export declare const assert_ws_endpoints_include_protocol_actions: (surface: App
  * surface mocks the shape incorrectly.
  */
 export declare const assert_ws_notifications_have_null_auth: (surface: AppSurface) => void;
+/**
+ * Reserved method-name prefix for the daemon-token-gated test-backdoor
+ * actions (`_testing_reset`, `_testing_mint_session`, `_testing_put_fact`,
+ * `_testing_drain_effects`, `_testing_schema_snapshot`). Test binaries
+ * live-mount these on their RPC endpoint but they must never appear on a
+ * **declared** surface.
+ */
+export declare const TESTING_METHOD_PREFIX = "_testing_";
+/**
+ * No `_testing_*` backdoor action ever appears as a method on the declared
+ * surface (RPC or WS).
+ *
+ * The test-backdoor actions (`_testing_reset` et al.) are daemon-token-gated
+ * privileged actions a consumer's test binary appends to its live RPC
+ * endpoint at assembly time — but they are deliberately excluded from
+ * surface generation (`spine_rpc_endpoints` and every consumer's
+ * `create_*_app_surface_spec` omit them) so the published attack surface,
+ * the committed `*_attack_surface.json` snapshot, and codegen never carry
+ * a backdoor. This invariant is the structural guard against a future
+ * wiring change that folds `create_testing_actions(...)` into the *declared*
+ * registry instead of the live-only append — the surface stays the
+ * authoritative "what the server exposes" map only if a backdoor can never
+ * hide in it.
+ *
+ * Pairs with the wire-level negative-credential check
+ * (`describe_testing_backdoor_cross_tests`, cross-process) and the
+ * spec-level gate check: this one pins absence-from-surface, those pin
+ * the daemon-token gate and the 401/403 behavior.
+ *
+ * @throws AssertionError naming the offending endpoint + method.
+ */
+export declare const assert_no_testing_methods: (surface: AppSurface) => void;
 /**
  * Configuration for security policy invariants.
  *
@@ -282,7 +314,8 @@ export declare const assert_surface_invariants: (surface: AppSurface) => void;
  * `actions/CLAUDE.md` §Registry compile) — these assertions cover only
  * the contract-surface concerns that a runtime registration check
  * cannot: empty descriptions, missing protocol-action spread on WS
- * endpoints, and kind ⇔ auth drift on WS methods.
+ * endpoints, kind ⇔ auth drift on WS methods, and a `_testing_*`
+ * backdoor action leaking onto the declared surface.
  *
  * @throws AssertionError on the first invariant violation; the message
  *   names the offending endpoint, method, and field.

package/dist/testing/surface_invariants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"surface_invariants.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/surface_invariants.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAuB7B,OAAO,KAAK,EAAC,UAAU,EAAuB,MAAM,oBAAoB,CAAC;AAezE;;GAEG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAQzE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,GAAI,SAAS,UAAU,KAAG,IASpE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAQtE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,SAAS,UAAU,KAAG,IAIjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,GAAI,SAAS,UAAU,KAAG,IAOhE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAezE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uCAAuC,GAAI,SAAS,UAAU,KAAG,IAO7E,CAAC;AAyBF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oCAAoC,GAAI,SAAS,UAAU,KAAG,IAoC1E,CAAC;AAsEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAU5E,CAAC;AAIF,4DAA4D;AAC5D,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAAC;AAEpE,iEAAiE;AACjE,MAAM,WAAW,qBAAqB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,sBAAsB,CAAC;IACpC,qDAAqD;IACrD,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;CAClC;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,qBAAqB,CAgB7F,CAAC;AAIF;;;;;;GAMG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAS5E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qCAAqC,GAAI,SAAS,UAAU,KAAG,IAS3E,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,4CAA4C,GAAI,SAAS,UAAU,KAAG,IAWlF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAa5E,CAAC;AAIF;;;;GAIG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,wBAAwB,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;IAClD;;;OAGG;IACH,yBAAyB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C;;;OAGG;IACH,qBAAqB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtC;AASD;;;;;;GAMG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,UAAU,EACnB,qBAAoB,KAAK,CAAC,MAAM,GAAG,MAAM,CAA8B,KACrE,IAcF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,qCAAqC,GACjD,SAAS,UAAU,EACnB,YAAW,KAAK,CAAC,MAAM,CAAM,KAC3B,IAYF,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAKF;;;;;GAKG;AACH,eAAO,MAAM,iCAAiC,GAC7C,SAAS,UAAU,EACnB,WAAU,KAAK,CAAC,MAAM,CAAiC,KACrD,IASF,CAAC;AAWF,mDAAmD;AACnD,MAAM,WAAW,2BAA2B;IAC3C,6FAA6F;IAC7F,eAAe,CAAC,EAAE,sBAAsB,CAAC;IACzC,mEAAmE;IACnE,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,kDAAkD;IAClD,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,uCAAuC,EAAE,aAAa,CAAC,MAAM,CAAM,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,EAAE,2BAG5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,UAAU,EACnB,UAAU,2BAA2B,KACnC,IAsBF,CAAC;AAIF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,IAY/D,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAKtE,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,8BAA8B,GAC1C,SAAS,UAAU,EACnB,UAAS,4BAAiC,KACxC,IAKF,CAAC"}
+{"version":3,"file":"surface_invariants.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/surface_invariants.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAuB7B,OAAO,KAAK,EAAC,UAAU,EAAuB,MAAM,oBAAoB,CAAC;AAezE;;GAEG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAQzE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,GAAI,SAAS,UAAU,KAAG,IASpE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAQtE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,SAAS,UAAU,KAAG,IAIjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,GAAI,SAAS,UAAU,KAAG,IAOhE,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mCAAmC,GAAI,SAAS,UAAU,KAAG,IAezE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uCAAuC,GAAI,SAAS,UAAU,KAAG,IAO7E,CAAC;AAyBF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oCAAoC,GAAI,SAAS,UAAU,KAAG,IAoC1E,CAAC;AAsEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAU5E,CAAC;AAIF,4DAA4D;AAC5D,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAAC;AAEpE,iEAAiE;AACjE,MAAM,WAAW,qBAAqB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,sBAAsB,CAAC;IACpC,qDAAqD;IACrD,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;CAClC;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,qBAAqB,CAgB7F,CAAC;AAIF;;;;;;GAMG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAS5E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qCAAqC,GAAI,SAAS,UAAU,KAAG,IAS3E,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,4CAA4C,GAAI,SAAS,UAAU,KAAG,IAWlF,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sCAAsC,GAAI,SAAS,UAAU,KAAG,IAa5E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,cAAc,CAAC;AAEjD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,IAoB/D,CAAC;AAIF;;;;GAIG;AACH,MAAM,WAAW,4BAA4B;IAC5C;;;;;OAKG;IACH,wBAAwB,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;IAClD;;;OAGG;IACH,yBAAyB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C;;;OAGG;IACH,qBAAqB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtC;AASD;;;;;;GAMG;AACH,eAAO,MAAM,oCAAoC,GAChD,SAAS,UAAU,EACnB,qBAAoB,KAAK,CAAC,MAAM,GAAG,MAAM,CAA8B,KACrE,IAcF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,qCAAqC,GACjD,SAAS,UAAU,EACnB,YAAW,KAAK,CAAC,MAAM,CAAM,KAC3B,IAYF,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,+BAA+B,GAAI,SAAS,UAAU,KAAG,IAQrE,CAAC;AAKF;;;;;GAKG;AACH,eAAO,MAAM,iCAAiC,GAC7C,SAAS,UAAU,EACnB,WAAU,KAAK,CAAC,MAAM,CAAiC,KACrD,IASF,CAAC;AAWF,mDAAmD;AACnD,MAAM,WAAW,2BAA2B;IAC3C,6FAA6F;IAC7F,eAAe,CAAC,EAAE,sBAAsB,CAAC;IACzC,mEAAmE;IACnE,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,kDAAkD;IAClD,SAAS,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,uCAAuC,EAAE,aAAa,CAAC,MAAM,CAAM,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,EAAE,2BAG5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,UAAU,EACnB,UAAU,2BAA2B,KACnC,IAsBF,CAAC;AAIF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,IAY/D,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,UAAU,KAAG,IAMtE,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,8BAA8B,GAC1C,SAAS,UAAU,EACnB,UAAS,4BAAiC,KACxC,IAKF,CAAC"}

package/dist/testing/surface_invariants.js

@@ -452,6 +452,52 @@ export const assert_ws_notifications_have_null_auth = (surface) => {
         }
     }
 };
+/**
+ * Reserved method-name prefix for the daemon-token-gated test-backdoor
+ * actions (`_testing_reset`, `_testing_mint_session`, `_testing_put_fact`,
+ * `_testing_drain_effects`, `_testing_schema_snapshot`). Test binaries
+ * live-mount these on their RPC endpoint but they must never appear on a
+ * **declared** surface.
+ */
+export const TESTING_METHOD_PREFIX = '_testing_';
+/**
+ * No `_testing_*` backdoor action ever appears as a method on the declared
+ * surface (RPC or WS).
+ *
+ * The test-backdoor actions (`_testing_reset` et al.) are daemon-token-gated
+ * privileged actions a consumer's test binary appends to its live RPC
+ * endpoint at assembly time — but they are deliberately excluded from
+ * surface generation (`spine_rpc_endpoints` and every consumer's
+ * `create_*_app_surface_spec` omit them) so the published attack surface,
+ * the committed `*_attack_surface.json` snapshot, and codegen never carry
+ * a backdoor. This invariant is the structural guard against a future
+ * wiring change that folds `create_testing_actions(...)` into the *declared*
+ * registry instead of the live-only append — the surface stays the
+ * authoritative "what the server exposes" map only if a backdoor can never
+ * hide in it.
+ *
+ * Pairs with the wire-level negative-credential check
+ * (`describe_testing_backdoor_cross_tests`, cross-process) and the
+ * spec-level gate check: this one pins absence-from-surface, those pin
+ * the daemon-token gate and the 401/403 behavior.
+ *
+ * @throws AssertionError naming the offending endpoint + method.
+ */
+export const assert_no_testing_methods = (surface) => {
+    for (const ep of surface.rpc_endpoints) {
+        for (const method of ep.methods) {
+            assert.ok(!method.name.startsWith(TESTING_METHOD_PREFIX), `RPC endpoint '${ep.path}' exposes test-backdoor method '${method.name}' on the ` +
+                `declared surface — '${TESTING_METHOD_PREFIX}*' actions must be live-mounted only, ` +
+                `never folded into the surface-generating registry`);
+        }
+    }
+    for (const ep of surface.ws_endpoints) {
+        for (const method of ep.methods) {
+            assert.ok(!method.name.startsWith(TESTING_METHOD_PREFIX), `WS endpoint '${ep.path}' exposes test-backdoor method '${method.name}' on the ` +
+                `declared surface — '${TESTING_METHOD_PREFIX}*' actions must be live-mounted only`);
+        }
+    }
+};
 /** Default patterns for sensitive REST routes that should be rate-limited. */
 const DEFAULT_SENSITIVE_PATTERNS = [
     /\/login$/,
@@ -637,7 +683,8 @@ export const assert_surface_invariants = (surface) => {
  * `actions/CLAUDE.md` §Registry compile) — these assertions cover only
  * the contract-surface concerns that a runtime registration check
  * cannot: empty descriptions, missing protocol-action spread on WS
- * endpoints, and kind ⇔ auth drift on WS methods.
+ * endpoints, kind ⇔ auth drift on WS methods, and a `_testing_*`
+ * backdoor action leaking onto the declared surface.
  *
  * @throws AssertionError on the first invariant violation; the message
  *   names the offending endpoint, method, and field.
@@ -647,6 +694,7 @@ export const assert_rpc_ws_surface_invariants = (surface) => {
     assert_ws_method_descriptions_present(surface);
     assert_ws_endpoints_include_protocol_actions(surface);
     assert_ws_notifications_have_null_auth(surface);
+    assert_no_testing_methods(surface);
 };
 /**
  * Run security policy invariants. Configurable with sensible defaults.

package/dist/testing/ws_round_trip.d.ts

@@ -1,3 +1,4 @@
+import './assert_dev_env.js';
 /**
  * In-process test helpers for WebSocket JSON-RPC round-trips.
  *

package/dist/testing/ws_round_trip.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ws_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/ws_round_trip.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAO,MAAM,MAAM,CAAC;AACxC,OAAO,EACN,SAAS,EAET,KAAK,gBAAgB,EAErB,KAAK,QAAQ,EACb,MAAM,SAAS,CAAC;AACjB,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAC/C,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,2BAA2B,CAAC;AAC/D,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,4BAA4B,CAAC;AAEvD,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,kCAAkC,CAAC;AAE7E,OAAO,EAAqB,KAAK,uBAAuB,EAAC,MAAM,kCAAkC,CAAC;AAElG,OAAO,EAAC,yBAAyB,EAAC,MAAM,qCAAqC,CAAC;AAC9E,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAEpF,OAAO,EAKN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAKN,KAAK,QAAQ,EACb,MAAM,2BAA2B,CAAC;AAMnC;;;GAGG;AACH,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,MAAM,EAAE,KAAK,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;CAChD;AAED;;;;GAIG;AACH,eAAO,MAAM,cAAc,QAAO,MAajC,CAAC;AAEF,8CAA8C;AAC9C,MAAM,WAAW,sBAAsB;IACtC,eAAe,EAAE,cAAc,CAAC;IAChC,gEAAgE;IAChE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,EAAE,cAAc,CAAC;CACjC;AAED;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,GAAI,MAAM,sBAAsB,KAAG,OAavE,CAAC;AAEF,uFAAuF;AACvF,MAAM,WAAW,WAAW;IAC3B,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,iBAAiB,EAAE,MAAM,CAAC,CAAC,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACtE;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAO,WAatC,CAAC;AAEF;;;;GAIG;AACH,qBAAa,wBAAyB,YAAW,sBAAsB;;IACtE,QAAQ,EAAE,UAAU,GAAG,SAAS,CAAa;gBAEjC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC;IAGjD,qBAAqB,IAAI,SAAS;IAGlC,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;CAG/D;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAC/B,YAAY,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAC9C,OAAO,YAAY,EACnB,IAAI,SAAS,KACX,OAAO,CAAC,IAAI,CAId,CAAC;AAMF,2CAA2C;AAC3C,MAAM,WAAW,iBAAiB;IACjC,wEAAwE;IACxE,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,yFAAyF;IACzF,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,mFAAmF;IACnF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,sFAAsF;IACtF,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,4CAA4C;AAC5C,MAAM,WAAW,0BAA0B;IAC1C;;;;;OAKG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B,kEAAkE;IAClE,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACjD,gEAAgE;IAChE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,cAAc,CAAC,EAAE,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;IAC3D,yDAAyD;IACzD,eAAe,CAAC,EAAE,uBAAuB,CAAC,iBAAiB,CAAC,CAAC;CAC7D;AAED,kEAAkE;AAClE,MAAM,WAAW,aAAa;IAC7B,SAAS,EAAE,yBAAyB,CAAC;IACrC;;;;;;;;;;OAUG;IACH,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC7D;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAAI,SAAS,0BAA0B,KAAG,aA0M5E,CAAC;AAEF,0EAA0E;AAC1E,eAAO,MAAM,eAAe,QAAO,iBAGjC,CAAC;AAYH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,mBAAmB,GAAI,IAAI,SAAS,MAAM,EAAE,SAAS;IACjE,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CACtC,KAAG,IAIH,CAAC"}
+{"version":3,"file":"ws_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/ws_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAO,MAAM,MAAM,CAAC;AACxC,OAAO,EACN,SAAS,EAET,KAAK,gBAAgB,EAErB,KAAK,QAAQ,EACb,MAAM,SAAS,CAAC;AACjB,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAC/C,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,2BAA2B,CAAC;AAC/D,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,4BAA4B,CAAC;AAEvD,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,kCAAkC,CAAC;AAE7E,OAAO,EAAqB,KAAK,uBAAuB,EAAC,MAAM,kCAAkC,CAAC;AAElG,OAAO,EAAC,yBAAyB,EAAC,MAAM,qCAAqC,CAAC;AAC9E,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAEpF,OAAO,EAKN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAKN,KAAK,QAAQ,EACb,MAAM,2BAA2B,CAAC;AAMnC;;;GAGG;AACH,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,SAAS,CAAC;IACd,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,MAAM,EAAE,KAAK,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;CAChD;AAED;;;;GAIG;AACH,eAAO,MAAM,cAAc,QAAO,MAajC,CAAC;AAEF,8CAA8C;AAC9C,MAAM,WAAW,sBAAsB;IACtC,eAAe,EAAE,cAAc,CAAC;IAChC,gEAAgE;IAChE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;OAGG;IACH,eAAe,CAAC,EAAE,cAAc,CAAC;CACjC;AAED;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,GAAI,MAAM,sBAAsB,KAAG,OAavE,CAAC;AAEF,uFAAuF;AACvF,MAAM,WAAW,WAAW;IAC3B,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,iBAAiB,EAAE,MAAM,CAAC,CAAC,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACtE;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAO,WAatC,CAAC;AAEF;;;;GAIG;AACH,qBAAa,wBAAyB,YAAW,sBAAsB;;IACtE,QAAQ,EAAE,UAAU,GAAG,SAAS,CAAa;gBAEjC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC;IAGjD,qBAAqB,IAAI,SAAS;IAGlC,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;CAG/D;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAC/B,YAAY,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAC9C,OAAO,YAAY,EACnB,IAAI,SAAS,KACX,OAAO,CAAC,IAAI,CAId,CAAC;AAMF,2CAA2C;AAC3C,MAAM,WAAW,iBAAiB;IACjC,wEAAwE;IACxE,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,yFAAyF;IACzF,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,mFAAmF;IACnF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,sFAAsF;IACtF,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED,4CAA4C;AAC5C,MAAM,WAAW,0BAA0B;IAC1C;;;;;OAKG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B,kEAAkE;IAClE,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACjD,gEAAgE;IAChE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,cAAc,CAAC,EAAE,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;IAC3D,yDAAyD;IACzD,eAAe,CAAC,EAAE,uBAAuB,CAAC,iBAAiB,CAAC,CAAC;CAC7D;AAED,kEAAkE;AAClE,MAAM,WAAW,aAAa;IAC7B,SAAS,EAAE,yBAAyB,CAAC;IACrC;;;;;;;;;;OAUG;IACH,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC7D;AAiED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAAI,SAAS,0BAA0B,KAAG,aA0M5E,CAAC;AAEF,0EAA0E;AAC1E,eAAO,MAAM,eAAe,QAAO,iBAGjC,CAAC;AAYH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,mBAAmB,GAAI,IAAI,SAAS,MAAM,EAAE,SAAS;IACjE,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CACtC,KAAG,IAIH,CAAC"}

package/dist/testing/ws_round_trip.js

@@ -1,41 +1,4 @@
-/**
- * In-process test helpers for WebSocket JSON-RPC round-trips.
- *
- * Drives `register_action_ws` without an HTTP server. Consumers supply
- * specs + handlers; the harness constructs real `WSContext` instances
- * backed by test-owned `send`/`close` pairs, fakes the authenticated
- * Hono context (`request_context`, credential type, session id, api
- * token id), and exposes a `connect()` factory returning a `WsClient`
- * per connection.
- *
- * Three layers are exported:
- *
- *   - **Primitives** (`create_fake_ws`, `create_fake_hono_context`,
- *     `create_stub_upgrade`, `MinimalActionEnvironment`,
- *     `dispatch_ws_message`) — used by fuz_app's own dispatcher tests
- *     and by consumers wiring tight one-off tests.
- *   - **Harness** (`create_ws_test_harness`, `keeper_identity`) — the
- *     high-level driver. Give it specs + handlers, get back
- *     `{transport, connect()}`. `connect()` is async and resolves after
- *     `on_socket_open` completes, so broadcasts sent immediately after
- *     `await harness.connect()` reach the client. Returns a `WsClient`
- *     (shared interface — see `transports/ws_client.ts`); the same
- *     interface is implemented by `transports/ws_transport.ts` for
- *     cross-process tests.
- *   - **Broadcast wiring** — `build_broadcast_api` for wiring a typed
- *     broadcast API against the harness's transport. Wire-frame types
- *     + predicates (`is_notification`, `is_response_for`,
- *     `JsonrpcNotificationFrame`, ...) live in `transports/ws_client.ts`
- *     so both in-process and cross-process drivers reference one source.
- *
- * Hono's wire upgrade is skipped — the Node test runtime has no
- * `@hono/node-ws` adapter — but the full dispatch path is exercised
- * (per-action auth, input validation, `ctx.notify` back to the
- * originating socket, broadcast via `BackendWebsocketTransport`, and
- * close-on-revoke).
- *
- * @module
- */
+import './assert_dev_env.js';
 import { WSContext, createWSMessageEvent, } from 'hono/ws';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { create_uuid } from '@fuzdev/fuz_util/id.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.85.0",
+  "version": "0.86.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",