@fuzdev/fuz_app 0.86.0 → 0.88.0

package/dist/testing/cross_backend/body_size_smuggling.js

@@ -0,0 +1,138 @@
+import '../assert_dev_env.js';
+/**
+ * Cross-backend request-smuggling probe for the body-size limit's connection
+ * handling — the security sibling of `body_size.ts`.
+ *
+ * When the server caps the request body it answers `413` on the
+ * `Content-Length` header and closes the connection *without reading the
+ * oversized body*. That close is load-bearing: HTTP/1.1 forbids reusing a
+ * keep-alive connection whose request body wasn't consumed, because the unread
+ * body bytes would otherwise be parsed as the start of the next request — a
+ * classic request-smuggling vector. This suite proves the mitigation holds end
+ * to end by **pipelining**: it opens a raw TCP socket and sends, in one write,
+ * an oversized `POST` immediately followed by a second `GET` request. A correct
+ * server rejects the POST with `413` and never processes the trailing GET (the
+ * connection closes with the GET bytes unconsumed); a vulnerable one would
+ * drain past the body and answer the smuggled GET too. The assertion is
+ * therefore "**at most one** HTTP response comes back" — a *second* response is
+ * the smuggle. It's `<= 1` rather than "exactly the 413" because the impls close
+ * differently at the TCP level (node-server graceful close delivers the 413
+ * first; hyper's RST can drop the in-flight 413 before the client reads it), so
+ * demanding a cleanly-read 413 would be flaky; the 413-ness itself is pinned
+ * reliably over `fetch` by `describe_body_size_cross_tests`. A **positive
+ * control** (two pipelined requests → >= 2 responses) proves a second response
+ * *would* be seen if the trailing request were processed — without it the
+ * `<= 1` assertion would be vacuous on a server that never reuses connections,
+ * and it also proves the response counter isn't undercounting.
+ *
+ * Raw-socket by necessity (the `FetchTransport` can't pipeline two requests on
+ * one connection), so — unlike `body_size.ts` — this is **cross-process only**
+ * (no in-process leg; there is no socket in-process) and ungated (the limit is
+ * on every spine). Robust by construction: it counts responses until the
+ * socket closes or a short read timeout, so a server that closes (the expected
+ * path) and one that merely holds the connection open without smuggling both
+ * read as one response; only an actual second response fails.
+ *
+ * Cited property: `docs/security.md` §"Body Size Limiting" (connection close on
+ * oversized reject).
+ *
+ * `$lib`-free by contract (relative + `node:` specifiers only).
+ *
+ * @module
+ */
+import { connect } from 'node:net';
+import { describe, test, assert } from 'vitest';
+import { SPINE_RPC_PATH } from './default_spine_surface.js';
+/** The shared 1 MiB cap (see `body_size.ts` for why it's a local constant). */
+const BODY_LIMIT_DEFAULT_BYTES = 1024 * 1024;
+/**
+ * Open a raw TCP socket to `base_url`, write `request_bytes` once, and collect
+ * everything the server sends back until it closes the connection or
+ * `read_timeout_ms` elapses. Write errors are swallowed: the server closing
+ * mid-upload (the correct response to an oversized body) surfaces as
+ * `EPIPE`/`ECONNRESET` on our unfinished write, which is exactly the behavior
+ * under test — what matters is what we *read back*.
+ */
+const send_raw = (base_url, request_bytes, read_timeout_ms) => new Promise((resolve) => {
+    const url = new URL(base_url);
+    const port = Number(url.port) || (url.protocol === 'https:' ? 443 : 80);
+    const socket = connect({ host: url.hostname, port });
+    let received = '';
+    let settled = false;
+    const finish = () => {
+        if (settled)
+            return;
+        settled = true;
+        clearTimeout(timer);
+        socket.destroy();
+        resolve(received);
+    };
+    const timer = setTimeout(finish, read_timeout_ms);
+    socket.setEncoding('latin1');
+    socket.on('connect', () => socket.write(request_bytes));
+    socket.on('data', (chunk) => {
+        received += chunk;
+    });
+    socket.on('error', () => { }); // EPIPE/ECONNRESET on mid-write close is expected
+    socket.on('close', finish);
+});
+/**
+ * Count HTTP response status lines in a raw byte stream. Deliberately
+ * **unanchored** (no `^`/`m`): a second pipelined response is concatenated
+ * straight after the first response's body, which carries no trailing newline,
+ * so a line-anchored match would miss it — and missing a smuggled second
+ * response is a silent false negative. No response header or JSON error body
+ * contains the literal `HTTP/1.x NNN`, so an unanchored match counts exactly
+ * the status lines. The positive control below proves this counts 2 when the
+ * server genuinely returns 2.
+ */
+const count_responses = (raw) => (raw.match(/HTTP\/1\.[01] \d{3}/g) ?? []).length;
+export const describe_body_size_smuggling_cross_tests = (options) => {
+    const { base_url } = options;
+    const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    const host = new URL(base_url).host;
+    describe('body-size limit — request-smuggling resistance', () => {
+        // Positive control: prove the server returns >1 response on a single
+        // connection. Without this the smuggling assertion below would be
+        // vacuously green on a server that simply never reuses connections — and
+        // it also validates `count_responses` actually counts a second response.
+        test('control: two pipelined requests → ≥2 responses (connection reuse is real)', async () => {
+            const two_requests = `GET ${rpc_path} HTTP/1.1\r\nHost: ${host}\r\n\r\n` +
+                `GET ${rpc_path} HTTP/1.1\r\nHost: ${host}\r\nConnection: close\r\n\r\n`;
+            const response = await send_raw(base_url, two_requests, 2000);
+            const n = count_responses(response);
+            assert.ok(n >= 2, `expected ≥2 responses on one keep-alive connection (got ${n}); without ` +
+                `connection reuse — or with an undercounting matcher — the smuggling ` +
+                `assertion below is not a real signal. Raw head: ${response.slice(0, 120)}`);
+        });
+        test('oversized POST + pipelined GET → smuggled request not processed', async () => {
+            const oversized_len = BODY_LIMIT_DEFAULT_BYTES + 1024;
+            // One write: an over-cap POST (rejected on Content-Length, body never
+            // read) immediately followed by a GET. If the server wrongly drained
+            // the unread body it would reach + answer this GET — a smuggle.
+            const payload = `POST ${rpc_path} HTTP/1.1\r\n` +
+                `Host: ${host}\r\n` +
+                `Content-Type: application/json\r\n` +
+                `Content-Length: ${oversized_len}\r\n` +
+                `\r\n` +
+                'x'.repeat(oversized_len) +
+                `GET ${rpc_path} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
+            const response = await send_raw(base_url, payload, 2000);
+            // The security property is "the pipelined GET is not processed", i.e.
+            // **at most one** response comes back (the 413, or none if the close
+            // raced the read). A *second* response is the smuggle. We assert `<= 1`
+            // rather than "exactly the 413" because the two impls close the
+            // connection differently at the TCP level — node-server closes
+            // gracefully (the 413 is delivered first), hyper sends an RST that can
+            // drop the in-flight 413 before the client reads it — and demanding a
+            // cleanly-read 413 here would be flaky. That the oversized body is
+            // rejected *with* a 413 is pinned reliably (over `fetch`) by
+            // `describe_body_size_cross_tests`; this test owns only the no-smuggle
+            // half. The control above proves a second response *would* be seen if
+            // the GET were processed, so `<= 1` is a real signal, not a vacuous one.
+            const n = count_responses(response);
+            assert.ok(n <= 1, `expected at most one response (the GET must not be smuggled in off the ` +
+                `unread body); a second response means it was. Saw ${n}. Raw head: ${response.slice(0, 120)}`);
+        });
+    });
+};

package/dist/testing/cross_backend/cell_cross_helpers.d.ts

@@ -1,17 +1,6 @@
 import '../assert_dev_env.js';
 import type { z } from 'zod';
 import type { FetchTransport } from '../transports/fetch_transport.js';
-import type { BackendCapabilities } from './capabilities.js';
-import type { SetupTest } from './setup.js';
-/** Shared options for the cell cross-backend parity suites. */
-export interface CellCrossTestOptions {
-    /** Per-test fixture-producing function (fresh keeper + db per call). */
-    readonly setup_test: SetupTest;
-    /** Backend capability declarations — each suite gates on its own flag. */
-    readonly capabilities: BackendCapabilities;
-    /** RPC endpoint path the cell verbs are mounted on. Default `/api/rpc`. */
-    readonly rpc_path?: string;
-}
 /** Minimal JSON-RPC envelope shape the suites read off responses. */
 export interface RpcResult {
     readonly ok: boolean;

package/dist/testing/cross_backend/cell_cross_helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cell_cross_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_cross_helpers.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAG3B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,kCAAkC,CAAC;AACrE,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AAE1C,+DAA+D;AAC/D,MAAM,WAAW,oBAAoB;IACpC,wEAAwE;IACxE,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,0EAA0E;IAC1E,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;IAC3C,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qEAAqE;AACrE,MAAM,WAAW,SAAS;IACzB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,CAAC,EAAE;QAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAA;KAAC,CAAC;CAC5F;AAED;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAC1B,WAAW,cAAc,EACzB,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,QAAQ,OAAO,EACf,SAAS,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAC7B,OAAO,CAAC,SAAS,CAMnB,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,YAAY,GAAI,GAAG,SAAS,KAAG,OAG/B,CAAC;AAEd;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAI,CAAC,EAAE,GAAG,SAAS,EAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAG,CAQrE,CAAC"}
+{"version":3,"file":"cell_cross_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_cross_helpers.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAG3B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,kCAAkC,CAAC;AAErE,qEAAqE;AACrE,MAAM,WAAW,SAAS;IACzB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,CAAC,EAAE;QAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAA;KAAC,CAAC;CAC5F;AAED;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAC1B,WAAW,cAAc,EACzB,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,QAAQ,OAAO,EACf,SAAS,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAC7B,OAAO,CAAC,SAAS,CAMnB,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,YAAY,GAAI,GAAG,SAAS,KAAG,OAG/B,CAAC;AAEd;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAI,CAAC,EAAE,GAAG,SAAS,EAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAG,CAQrE,CAAC"}

package/dist/testing/cross_backend/cell_crud.d.ts

@@ -1,4 +1,4 @@
 import '../assert_dev_env.js';
-import { type CellCrossTestOptions } from './cell_cross_helpers.js';
-export declare const describe_cell_crud_cross_tests: (options: CellCrossTestOptions) => void;
+import type { RpcPathCrossSuiteOptions } from './setup.js';
+export declare const describe_cell_crud_cross_tests: (options: RpcPathCrossSuiteOptions) => void;
 //# sourceMappingURL=cell_crud.d.ts.map

package/dist/testing/cross_backend/cell_crud.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cell_crud.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_crud.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAqD9B,OAAO,EAIN,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AAGjC,eAAO,MAAM,8BAA8B,GAAI,SAAS,oBAAoB,KAAG,IAwS9E,CAAC"}
+{"version":3,"file":"cell_crud.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_crud.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAsD9B,OAAO,KAAK,EAAC,wBAAwB,EAAC,MAAM,YAAY,CAAC;AAGzD,eAAO,MAAM,8BAA8B,GAAI,SAAS,wBAAwB,KAAG,IAwSlF,CAAC"}

package/dist/testing/cross_backend/cell_crud.js

@@ -42,7 +42,7 @@ import '../assert_dev_env.js';
 import { describe, assert } from 'vitest';
 import { CellCreateOutput, CellDeleteOutput, CellGetOutput, CellListOutput, CellUpdateOutput, } from '../../auth/cell_action_specs.js';
 import { test_if } from './capabilities.js';
-import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
+import { cross_rpc_call, error_reason, expect_output } from './cell_cross_helpers.js';
 import { SPINE_RPC_PATH } from './default_spine_surface.js';
 export const describe_cell_crud_cross_tests = (options) => {
     const { setup_test, capabilities } = options;

package/dist/testing/cross_backend/cell_grant_role.d.ts

@@ -1,8 +1,8 @@
 import '../assert_dev_env.js';
-import { type CellCrossTestOptions } from './cell_cross_helpers.js';
+import type { RpcPathCrossSuiteOptions } from './setup.js';
 /** App role the holder is seeded with; matches the spine's registered role. */
 export declare const CELL_EDITOR_ROLE = "cell_editor";
 /** Username the fixture seeds (via `extra_accounts`) holding `CELL_EDITOR_ROLE`. */
 export declare const CELL_ROLE_HOLDER_USERNAME = "cell_role_holder";
-export declare const describe_cell_grant_role_cross_tests: (options: CellCrossTestOptions) => void;
+export declare const describe_cell_grant_role_cross_tests: (options: RpcPathCrossSuiteOptions) => void;
 //# sourceMappingURL=cell_grant_role.d.ts.map

package/dist/testing/cross_backend/cell_grant_role.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cell_grant_role.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_grant_role.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA6C9B,OAAO,EACN,KAAK,oBAAoB,EAIzB,MAAM,yBAAyB,CAAC;AAGjC,+EAA+E;AAC/E,eAAO,MAAM,gBAAgB,gBAAyB,CAAC;AAEvD,oFAAoF;AACpF,eAAO,MAAM,yBAAyB,qBAAqB,CAAC;AAK5D,eAAO,MAAM,oCAAoC,GAAI,SAAS,oBAAoB,KAAG,IAuIpF,CAAC"}
+{"version":3,"file":"cell_grant_role.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_grant_role.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA8C9B,OAAO,KAAK,EAAC,wBAAwB,EAAC,MAAM,YAAY,CAAC;AAGzD,+EAA+E;AAC/E,eAAO,MAAM,gBAAgB,gBAAyB,CAAC;AAEvD,oFAAoF;AACpF,eAAO,MAAM,yBAAyB,qBAAqB,CAAC;AAK5D,eAAO,MAAM,oCAAoC,GAAI,SAAS,wBAAwB,KAAG,IAuIxF,CAAC"}

package/dist/testing/cross_backend/cell_grant_role.js

@@ -37,7 +37,7 @@ import { describe, assert } from 'vitest';
 import { CellCreateOutput, CellGetOutput, CellUpdateOutput } from '../../auth/cell_action_specs.js';
 import { CellGrantCreateOutput, ERROR_CELL_GRANT_UNKNOWN_ROLE, } from '../../auth/cell_grant_action_specs.js';
 import { test_if } from './capabilities.js';
-import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
+import { cross_rpc_call, error_reason, expect_output } from './cell_cross_helpers.js';
 import { SPINE_CELL_EDITOR_ROLE, SPINE_RPC_PATH } from './default_spine_surface.js';
 /** App role the holder is seeded with; matches the spine's registered role. */
 export const CELL_EDITOR_ROLE = SPINE_CELL_EDITOR_ROLE;

package/dist/testing/cross_backend/cell_relations.d.ts

@@ -1,4 +1,4 @@
 import '../assert_dev_env.js';
-import { type CellCrossTestOptions } from './cell_cross_helpers.js';
-export declare const describe_cell_relations_cross_tests: (options: CellCrossTestOptions) => void;
+import type { RpcPathCrossSuiteOptions } from './setup.js';
+export declare const describe_cell_relations_cross_tests: (options: RpcPathCrossSuiteOptions) => void;
 //# sourceMappingURL=cell_relations.d.ts.map

package/dist/testing/cross_backend/cell_relations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cell_relations.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_relations.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAoF9B,OAAO,EAIN,KAAK,oBAAoB,EACzB,MAAM,yBAAyB,CAAC;AAsFjC,eAAO,MAAM,mCAAmC,GAAI,SAAS,oBAAoB,KAAG,IAyvBnF,CAAC"}
+{"version":3,"file":"cell_relations.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/cell_relations.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAqF9B,OAAO,KAAK,EAAC,wBAAwB,EAAC,MAAM,YAAY,CAAC;AAsFzD,eAAO,MAAM,mCAAmC,GAAI,SAAS,wBAAwB,KAAG,IAyvBvF,CAAC"}

package/dist/testing/cross_backend/cell_relations.js

@@ -60,7 +60,7 @@ import { CellFieldDeleteOutput, CellFieldListOutput, CellFieldSetOutput, } from
 import { CellItemDeleteOutput, CellItemInsertOutput, CellItemListOutput, CellItemMoveOutput, } from '../../auth/cell_item_action_specs.js';
 import { CellAuditListOutput } from '../../auth/cell_audit_action_specs.js';
 import { test_if } from './capabilities.js';
-import { cross_rpc_call, error_reason, expect_output, } from './cell_cross_helpers.js';
+import { cross_rpc_call, error_reason, expect_output } from './cell_cross_helpers.js';
 import { SPINE_RPC_PATH } from './default_spine_surface.js';
 /** Create a cell over the wire and return its id (the parity gate parses the output). */
 const create_cell = async (t, rpc_path, h, params) => expect_output(await cross_rpc_call(t, rpc_path, 'cell_create', params, h), CellCreateOutput).cell

package/dist/testing/cross_backend/conformance_table.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"conformance_table.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/conformance_table.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAwB9B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAE1D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAMjE,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAC,KAAK,eAAe,EAA4B,MAAM,uBAAuB,CAAC;AACtF,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,YAAY,CAAC;AAGvD;;;;;GAKG;AACH,MAAM,WAAW,0BAA0B;IAC1C,iEAAiE;IACjE,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,gEAAgE;IAChE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,sDAAsD;AACtD,MAAM,WAAW,uBAAuB;IACvC,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC/C,+DAA+D;IAC/D,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,oEAAoE;IACpE,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,0EAA0E;IAC1E,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;IAC3C,kEAAkE;IAClE,QAAQ,CAAC,aAAa,EAAE,uBAAuB,CAAC;IAChD,4EAA4E;IAC5E,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD,4EAA4E;IAC5E,QAAQ,CAAC,UAAU,CAAC,EAAE,0BAA0B,CAAC;IACjD,iEAAiE;IACjE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC7B;AAgOD;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,uBAAuB,KAAG,IAgBnF,CAAC"}
+{"version":3,"file":"conformance_table.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/conformance_table.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAwB9B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAE1D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAMjE,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAC,KAAK,eAAe,EAA4B,MAAM,uBAAuB,CAAC;AACtF,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAAC,SAAS,EAAc,MAAM,YAAY,CAAC;AAGvD;;;;;GAKG;AACH,MAAM,WAAW,0BAA0B;IAC1C,iEAAiE;IACjE,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,gEAAgE;IAChE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,sDAAsD;AACtD,MAAM,WAAW,uBAAuB;IACvC,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC/C,+DAA+D;IAC/D,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,oEAAoE;IACpE,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,0EAA0E;IAC1E,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;IAC3C,kEAAkE;IAClE,QAAQ,CAAC,aAAa,EAAE,uBAAuB,CAAC;IAChD,4EAA4E;IAC5E,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACjD,4EAA4E;IAC5E,QAAQ,CAAC,UAAU,CAAC,EAAE,0BAA0B,CAAC;IACjD,iEAAiE;IACjE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC7B;AAkOD;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,uBAAuB,KAAG,IAgBnF,CAAC"}

package/dist/testing/cross_backend/conformance_table.js

@@ -133,13 +133,15 @@ const run_rpc_case = async (c, transport, headers, suppress_default_origin, reso
     assert.ok(!res.ok, `${c.name}: expected error status ${c.expect.status} but got success`);
     assert.strictEqual(res.status, c.expect.status, `${c.name}: error status`);
     if (c.expect.error_reason !== undefined) {
+        // A row that *declares* a reason must carry it — present AND equal —
+        // mirroring the REST branch's unconditional `body.error` assertion. The
+        // earlier skip-if-absent form let a backend that dropped the reason pass
+        // a row declaring one, blessing a reason/forensic-parity divergence (the
+        // IDOR-mask / privilege reason is exactly the distinguishing bit). Rows
+        // whose denial genuinely has no reason (the bare `unauthenticated()` 401)
+        // simply omit `error_reason` and are pinned by `status` above.
         const reason = res.error.data?.reason;
-        // Most RPC denials carry `error.data.reason` (incl. the pre-validation
-        // 401 now); a denial that genuinely omits it falls back to the status
-        // assertion above to pin the denial class.
-        if (reason !== undefined) {
-            assert.strictEqual(reason, c.expect.error_reason, `${c.name}: error.data.reason`);
-        }
+        assert.strictEqual(reason, c.expect.error_reason, `${c.name}: error.data.reason`);
     }
     if (c.expect.fields)
         assert_fields(res.error.data, c.expect.fields, c.name);

package/dist/testing/cross_backend/fact_serving.d.ts

@@ -1,13 +1,12 @@
 import '../assert_dev_env.js';
-import { type CellCrossTestOptions } from './cell_cross_helpers.js';
-import type { SetupTest } from './setup.js';
+import type { RpcPathCrossSuiteOptions, SetupTest } from './setup.js';
 /**
  * The fact suite adds one optional knob to the shared cell options: a setup
  * variant whose keeper carries a **second actor**. Only the multi-actor case
  * needs it; the rest of the suite runs single-actor, so wiring it is opt-in.
  * Omit it and the multi-actor case silently skips.
  */
-export interface FactServingCrossTestOptions extends CellCrossTestOptions {
+export interface FactServingCrossTestOptions extends RpcPathCrossSuiteOptions {
     readonly setup_test_multi_actor?: SetupTest;
 }
 export declare const describe_fact_serving_cross_tests: (options: FactServingCrossTestOptions) => void;

package/dist/testing/cross_backend/fact_serving.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fact_serving.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/fact_serving.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA+C9B,OAAO,EAAgC,KAAK,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAEjG,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AAE1C;;;;;GAKG;AACH,MAAM,WAAW,2BAA4B,SAAQ,oBAAoB;IACxE,QAAQ,CAAC,sBAAsB,CAAC,EAAE,SAAS,CAAC;CAC5C;AA8BD,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IA8NxF,CAAC"}
+{"version":3,"file":"fact_serving.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/fact_serving.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAiD9B,OAAO,KAAK,EAAC,wBAAwB,EAAE,SAAS,EAAC,MAAM,YAAY,CAAC;AAEpE;;;;;GAKG;AACH,MAAM,WAAW,2BAA4B,SAAQ,wBAAwB;IAC5E,QAAQ,CAAC,sBAAsB,CAAC,EAAE,SAAS,CAAC;CAC5C;AA8BD,eAAO,MAAM,iCAAiC,GAAI,SAAS,2BAA2B,KAAG,IA8NxF,CAAC"}

package/dist/testing/cross_backend/in_process_setup.d.ts

@@ -0,0 +1,143 @@
+import '../assert_dev_env.js';
+import type { RouteSpec } from '../../http/route_spec.js';
+import type { AppSurfaceSpec } from '../../http/surface.js';
+import type { BootstrapServerOptions } from '../../server/app_server.js';
+import type { AppServerContext } from '../../server/app_server_context.js';
+import type { SessionOptions } from '../../auth/session_cookie.js';
+import { type CreateTestAppOptions, type SuiteAppOptions } from '../app_server.js';
+import { type RpcEndpointsSuiteOption } from '../rpc_helpers.js';
+import { type BackendCapabilities } from './capabilities.js';
+import { type SetupTest, type ExtraAccountSpec } from './setup.js';
+/**
+ * Options for `default_in_process_setup`. Extends `CreateTestAppOptions`
+ * with the same `extra_accounts` slot the cross-process variant accepts
+ * — both transports observe the same bootstrap-time secondary set so
+ * suite bodies can read `fixture.extra_accounts[username]` uniformly.
+ */
+export interface InProcessSetupOptions extends CreateTestAppOptions {
+    /**
+     * Additional accounts seeded at this transport's bootstrap-equivalent
+     * step. See `ExtraAccountSpec` for the cradle-only-bypass rationale.
+     * Most suites pass `undefined` / `[]`; the `ROLE_KEEPER` probe (in
+     * `describe_standard_admin_integration_tests`) is the primary user.
+     */
+    readonly extra_accounts?: ReadonlyArray<ExtraAccountSpec>;
+    /**
+     * Additional actor names to seed on the bootstrapped keeper — exposed on
+     * `fixture.extra_actors`. See `CrossProcessSetupOptions.extra_actors` /
+     * `TestFixtureBase.extra_actors`. Seeded directly against the live backend
+     * DB (in-process has no wire hop).
+     */
+    readonly extra_actors?: ReadonlyArray<string>;
+}
+/**
+ * Build a `SetupTest` that creates a fresh `TestApp` per call via
+ * `create_test_app` and projects it into the `TestFixture` shape.
+ *
+ * Same factory inputs `create_test_app` already takes — this helper
+ * is a projection layer, not a new lifecycle. fuz_app's own `src/test/`
+ * and consumer suites pass `default_in_process_setup({...factory_inputs})`
+ * in place of the old per-suite factory-input bundle. The `extra_accounts`
+ * slot (see `InProcessSetupOptions`) seeds bootstrap-time secondaries
+ * directly via `create_test_account_with_credentials` against the same
+ * DB the keeper just landed on — mirrors the cross-process
+ * `_testing_reset` cradle so suite bodies read
+ * `fixture.extra_accounts[username]` uniformly regardless of transport.
+ *
+ * The describe-level `auth_integration_truncate_tables` / pglite WASM
+ * cache lifecycle stays in `create_pglite_factory` / `create_describe_db`
+ * (`testing/db.ts`) — `default_in_process_setup` doesn't manage db state
+ * beyond what `create_test_app` already does.
+ */
+export declare const default_in_process_setup: (options: InProcessSetupOptions) => SetupTest;
+/**
+ * Consumer-facing options for `default_in_process_suite_options` — the
+ * minimal factory inputs both `default_in_process_setup` and
+ * `create_test_app_surface_spec` consume to produce the
+ * `{setup_test, surface_source, capabilities}` bundle.
+ */
+export interface DefaultInProcessSuiteOptions {
+    session_options: SessionOptions<string>;
+    create_route_specs: (ctx: AppServerContext) => Array<RouteSpec>;
+    rpc_endpoints?: RpcEndpointsSuiteOption;
+    /**
+     * Bootstrap config — top-level slot, single source of truth for both
+     * surface generation and live dispatch. Same precedent as
+     * `rpc_endpoints`. Discriminated by `mode`; omit for the default (no
+     * bootstrap route mounted).
+     */
+    bootstrap?: BootstrapServerOptions;
+    app_options?: SuiteAppOptions;
+    /**
+     * Additional roles to grant the bootstrapped keeper alongside
+     * `ROLE_KEEPER` — additive, never replaces. The keeper account
+     * always holds `ROLE_KEEPER` (otherwise daemon-token auth breaks);
+     * pass extras here for suites that need additional role coverage.
+     *
+     * Admin-suite consumers pass `[ROLE_ADMIN]` so the default keeper
+     * can hit admin-gated RPC methods.
+     * `describe_standard_admin_integration_tests` and
+     * `describe_audit_completeness_tests` need this.
+     */
+    extra_keeper_roles?: Array<string>;
+    /**
+     * Bootstrap-time secondary accounts seeded alongside the keeper. See
+     * `ExtraAccountSpec` for the cradle-only-bypass rationale. Same shape
+     * as the cross-process `extra_accounts` option — suites read seeded
+     * accounts from `fixture.extra_accounts[username]` regardless of
+     * transport.
+     */
+    extra_accounts?: ReadonlyArray<ExtraAccountSpec>;
+    /**
+     * Additional actor names to seed on the bootstrapped keeper — exposed on
+     * `fixture.extra_actors`. See `TestFixtureBase.extra_actors`.
+     */
+    extra_actors?: ReadonlyArray<string>;
+    /**
+     * Pre-built `AppSurfaceSpec` — overrides the default which calls
+     * `create_test_app_surface_spec` against the same factory inputs.
+     * Pass when surface assembly needs fields outside the shared subset
+     * (e.g. `env_schema`, `event_specs`, `ws_endpoints`, `transform_middleware`).
+     */
+    surface_source?: AppSurfaceSpec;
+}
+/**
+ * Build the full in-process suite bundle in a single helper invocation.
+ * Output covers `{setup_test, surface_source, capabilities}` plus every
+ * factory input the Tier 1 suites read at their top level
+ * (`session_options`, `create_route_specs`, `rpc_endpoints`) — so the
+ * call site spreads once and adds only suite-specific extras
+ * (`roles`, `skip_routes`, `input_overrides`, `db_factories`, ...).
+ *
+ * ```ts
+ * // Suite-extras-free call: helper output is the entire options bag.
+ * describe_round_trip_validation(default_in_process_suite_options({
+ *   session_options,
+ *   create_route_specs,
+ *   rpc_endpoints: [rpc_endpoint_spec],
+ * }));
+ *
+ * // With suite-specific extras: spread and add.
+ * describe_standard_admin_integration_tests({
+ *   ...default_in_process_suite_options({
+ *     session_options, create_route_specs, rpc_endpoints,
+ *     extra_keeper_roles: [ROLE_ADMIN],
+ *   }),
+ *   roles,
+ * });
+ * ```
+ *
+ * Suites that don't read `session_options` / `rpc_endpoints` at their
+ * top level (`round_trip`, `data_exposure`) accept the spread anyway —
+ * excess properties on spread sources aren't checked by TS, and the
+ * uniform shape keeps consumer call sites mechanical.
+ */
+export declare const default_in_process_suite_options: <const O extends DefaultInProcessSuiteOptions>(options: O) => {
+    setup_test: SetupTest;
+    surface_source: AppSurfaceSpec;
+    capabilities: BackendCapabilities;
+    session_options: O["session_options"];
+    create_route_specs: O["create_route_specs"];
+    rpc_endpoints: O["rpc_endpoints"];
+};
+//# sourceMappingURL=in_process_setup.d.ts.map

package/dist/testing/cross_backend/in_process_setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"in_process_setup.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/in_process_setup.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAqB9B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AACxD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAC1D,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,4BAA4B,CAAC;AACvE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAGjE,OAAO,EAIN,KAAK,oBAAoB,EACzB,KAAK,eAAe,EACpB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAA0B,KAAK,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAEpF,OAAO,EAGN,KAAK,SAAS,EAEd,KAAK,gBAAgB,EACrB,MAAM,YAAY,CAAC;AAepB;;;;;GAKG;AACH,MAAM,WAAW,qBAAsB,SAAQ,oBAAoB;IAClE;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC1D;;;;;OAKG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACnC,SAAS,qBAAqB,KAAG,SAqEjC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,WAAW,4BAA4B;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACnC;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACjD;;;OAGG;IACH,YAAY,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACrC;;;;;OAKG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CAChC;AAWD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,gCAAgC,GAAI,KAAK,CAAC,CAAC,SAAS,4BAA4B,EAC5F,SAAS,CAAC,KACR;IACF,UAAU,EAAE,SAAS,CAAC;IACtB,cAAc,EAAE,cAAc,CAAC;IAC/B,YAAY,EAAE,mBAAmB,CAAC;IAClC,eAAe,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;IACtC,kBAAkB,EAAE,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAC5C,aAAa,EAAE,CAAC,CAAC,eAAe,CAAC,CAAC;CA2BjC,CAAC"}

package/dist/testing/cross_backend/in_process_setup.js

@@ -0,0 +1,166 @@
+import '../assert_dev_env.js';
+import { ROLE_KEEPER } from '../../auth/role_schema.js';
+import { query_create_actor } from '../../auth/account_queries.js';
+import { create_test_app, create_test_account_with_credentials, mint_test_session, } from '../app_server.js';
+import { create_test_app_surface_spec } from '../stubs.js';
+import { http_transport, } from '../rpc_helpers.js';
+import { in_process_capabilities } from './capabilities.js';
+import { build_extra_account_fixture, EXPIRED_SESSION_OFFSET_SECONDS, } from './setup.js';
+/**
+ * Wrap a Hono-style app into a `FetchTransport`-shaped object so the
+ * shared `TestFixtureBase.transport` type holds for both in-process and
+ * cross-process setups. In-process has no real cookie jar — the no-op
+ * `cookies()` returns `[]`; in-process tests build cookies via
+ * `fixture.create_session_headers()` instead.
+ */
+const in_process_fetch_transport = (app) => {
+    const call = http_transport(app);
+    const transport = ((url, init) => call(url, init));
+    return Object.assign(transport, { cookies: () => [] });
+};
+/**
+ * Build a `SetupTest` that creates a fresh `TestApp` per call via
+ * `create_test_app` and projects it into the `TestFixture` shape.
+ *
+ * Same factory inputs `create_test_app` already takes — this helper
+ * is a projection layer, not a new lifecycle. fuz_app's own `src/test/`
+ * and consumer suites pass `default_in_process_setup({...factory_inputs})`
+ * in place of the old per-suite factory-input bundle. The `extra_accounts`
+ * slot (see `InProcessSetupOptions`) seeds bootstrap-time secondaries
+ * directly via `create_test_account_with_credentials` against the same
+ * DB the keeper just landed on — mirrors the cross-process
+ * `_testing_reset` cradle so suite bodies read
+ * `fixture.extra_accounts[username]` uniformly regardless of transport.
+ *
+ * The describe-level `auth_integration_truncate_tables` / pglite WASM
+ * cache lifecycle stays in `create_pglite_factory` / `create_describe_db`
+ * (`testing/db.ts`) — `default_in_process_setup` doesn't manage db state
+ * beyond what `create_test_app` already does.
+ */
+export const default_in_process_setup = (options) => async () => {
+    // Per-test fresh db. When `options.migration_namespaces` is set,
+    // `create_test_app` provisions an auth+extras PGlite (e.g. the cell
+    // layer); otherwise the auth-only default. Either way the factory
+    // resets + re-migrates on each `create`, so the per-test keeper
+    // bootstrap below lands on a clean DB.
+    const test_app = await create_test_app(options);
+    // Seed bootstrap-time secondaries against the same DB the keeper
+    // just landed on. Direct-insert is the only path for roles whose
+    // `grant_paths` excludes `'admin'` (e.g. `ROLE_KEEPER`) — see
+    // `ExtraAccountSpec` for why this bypass is bootstrap-cradle-only.
+    const extra_accounts = {};
+    const { cookie_name } = options.session_options;
+    for (const spec of options.extra_accounts ?? []) {
+        const seeded = await create_test_account_with_credentials({
+            db: test_app.backend.deps.db,
+            keyring: test_app.backend.keyring,
+            session_options: options.session_options,
+            password: test_app.backend.deps.password,
+            username: spec.username,
+            password_value: spec.password_value,
+            roles: [...spec.roles],
+        });
+        extra_accounts[spec.username] = build_extra_account_fixture(seeded, cookie_name);
+    }
+    // Seed additional keeper actors directly against the same DB. Mirrors
+    // the cross-process `_testing_reset` `extra_actors` path; no production
+    // wire mints a second actor, so this bootstrap-cradle insert is the
+    // only way into a multi-actor keeper state.
+    const extra_actors = [];
+    for (const name of options.extra_actors ?? []) {
+        const seeded_actor = await query_create_actor({ db: test_app.backend.deps.db }, test_app.backend.account.id, name);
+        extra_actors.push({ id: seeded_actor.id, name: seeded_actor.name });
+    }
+    return {
+        transport: in_process_fetch_transport(test_app.app),
+        // In-process the wrapper is stateless and never auto-adds Origin —
+        // `options` is accepted for API symmetry with cross-process but
+        // has no observable effect.
+        fresh_transport: () => in_process_fetch_transport(test_app.app),
+        account: test_app.backend.account,
+        actor: test_app.backend.actor,
+        create_session_headers: test_app.create_session_headers,
+        create_bearer_headers: test_app.create_bearer_headers,
+        create_daemon_token_headers: test_app.create_daemon_token_headers,
+        create_account: test_app.create_account,
+        extra_accounts,
+        extra_actors,
+        // Forge directly against the live backend's DB + keyring — no wire
+        // hop needed in-process.
+        mint_expired_session: async () => {
+            const { session_cookie } = await mint_test_session({
+                db: test_app.backend.deps.db,
+                keyring: test_app.backend.keyring,
+                session_options: options.session_options,
+                account_id: test_app.backend.account.id,
+                expires_in_seconds: EXPIRED_SESSION_OFFSET_SECONDS,
+            });
+            return `${cookie_name}=${session_cookie}`;
+        },
+    };
+};
+// NOTE: bootstrap config is read from `options.bootstrap` — top-level slot,
+// single source of truth for both the surface spec (so the route appears in
+// `expected_public_routes` / attack-surface iteration) AND the live
+// `create_test_app` (so the route exists at dispatch time and returns 403
+// `ERROR_ALREADY_BOOTSTRAPPED` matching its declared 403 schema). Same
+// precedent as `rpc_endpoints`. Discriminated union shape (`mode: 'disabled'`
+// | `'surface_only'` | `'live'`) replaces the old `token_path: string | null`
+// overload that conflated three deployment intents on one channel.
+/**
+ * Build the full in-process suite bundle in a single helper invocation.
+ * Output covers `{setup_test, surface_source, capabilities}` plus every
+ * factory input the Tier 1 suites read at their top level
+ * (`session_options`, `create_route_specs`, `rpc_endpoints`) — so the
+ * call site spreads once and adds only suite-specific extras
+ * (`roles`, `skip_routes`, `input_overrides`, `db_factories`, ...).
+ *
+ * ```ts
+ * // Suite-extras-free call: helper output is the entire options bag.
+ * describe_round_trip_validation(default_in_process_suite_options({
+ *   session_options,
+ *   create_route_specs,
+ *   rpc_endpoints: [rpc_endpoint_spec],
+ * }));
+ *
+ * // With suite-specific extras: spread and add.
+ * describe_standard_admin_integration_tests({
+ *   ...default_in_process_suite_options({
+ *     session_options, create_route_specs, rpc_endpoints,
+ *     extra_keeper_roles: [ROLE_ADMIN],
+ *   }),
+ *   roles,
+ * });
+ * ```
+ *
+ * Suites that don't read `session_options` / `rpc_endpoints` at their
+ * top level (`round_trip`, `data_exposure`) accept the spread anyway —
+ * excess properties on spread sources aren't checked by TS, and the
+ * uniform shape keeps consumer call sites mechanical.
+ */
+export const default_in_process_suite_options = (options) => ({
+    setup_test: default_in_process_setup({
+        session_options: options.session_options,
+        create_route_specs: options.create_route_specs,
+        rpc_endpoints: options.rpc_endpoints,
+        bootstrap: options.bootstrap,
+        app_options: options.app_options,
+        roles: [ROLE_KEEPER, ...(options.extra_keeper_roles ?? [])],
+        extra_accounts: options.extra_accounts,
+        extra_actors: options.extra_actors,
+    }),
+    surface_source: options.surface_source ??
+        create_test_app_surface_spec({
+            session_options: options.session_options,
+            create_route_specs: options.create_route_specs,
+            rpc_endpoints: options.rpc_endpoints,
+            // Mirror what `create_test_app` → `create_app_server` will mount.
+            // Both helpers read from the top-level `bootstrap` slot so surface
+            // and live app stay in sync by construction.
+            bootstrap: options.bootstrap,
+        }),
+    capabilities: in_process_capabilities,
+    session_options: options.session_options,
+    create_route_specs: options.create_route_specs,
+    rpc_endpoints: options.rpc_endpoints,
+});

package/dist/testing/cross_backend/origin.d.ts

@@ -1,10 +1,10 @@
 import '../assert_dev_env.js';
-import type { CellCrossTestOptions } from './cell_cross_helpers.js';
+import type { RpcPathCrossSuiteOptions } from './setup.js';
 /**
- * Options for the origin parity suite. Shares the shape of the cell /
- * account-lifecycle suites (`setup_test` / `capabilities` / `rpc_path`);
- * reuses `CellCrossTestOptions` rather than minting a structural duplicate.
+ * Options for the origin parity suite. The standard RPC-dispatched
+ * cross-suite shape (`setup_test` / `capabilities` / `rpc_path`); aliases
+ * the shared `RpcPathCrossSuiteOptions` rather than minting a duplicate.
  */
-export type OriginCrossTestOptions = CellCrossTestOptions;
+export type OriginCrossTestOptions = RpcPathCrossSuiteOptions;
 export declare const describe_origin_cross_tests: (options: OriginCrossTestOptions) => void;
 //# sourceMappingURL=origin.d.ts.map

package/dist/testing/cross_backend/origin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"origin.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/origin.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAkC9B,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,yBAAyB,CAAC;AAGlE;;;;GAIG;AACH,MAAM,MAAM,sBAAsB,GAAG,oBAAoB,CAAC;AAM1D,eAAO,MAAM,2BAA2B,GAAI,SAAS,sBAAsB,KAAG,IAwC7E,CAAC"}
+{"version":3,"file":"origin.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/origin.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAkC9B,OAAO,KAAK,EAAC,wBAAwB,EAAC,MAAM,YAAY,CAAC;AAGzD;;;;GAIG;AACH,MAAM,MAAM,sBAAsB,GAAG,wBAAwB,CAAC;AAM9D,eAAO,MAAM,2BAA2B,GAAI,SAAS,sBAAsB,KAAG,IAwC7E,CAAC"}