@fuzdev/fuz_app 0.87.0 → 0.89.0

package/dist/testing/cross_backend/body_size_smuggling.js

@@ -4,37 +4,45 @@ import '../assert_dev_env.js';
  * handling — the security sibling of `body_size.ts`.
  *
  * When the server caps the request body it answers `413` on the
- * `Content-Length` header and closes the connection *without reading the
- * oversized body*. That close is load-bearing: HTTP/1.1 forbids reusing a
- * keep-alive connection whose request body wasn't consumed, because the unread
- * body bytes would otherwise be parsed as the start of the next request — a
- * classic request-smuggling vector. This suite proves the mitigation holds end
- * to end by **pipelining**: it opens a raw TCP socket and sends, in one write,
- * an oversized `POST` immediately followed by a second `GET` request. A correct
- * server rejects the POST with `413` and never processes the trailing GET (the
- * connection closes with the GET bytes unconsumed); a vulnerable one would
- * drain past the body and answer the smuggled GET too. The assertion is
- * therefore "**at most one** HTTP response comes back" — a *second* response is
- * the smuggle. It's `<= 1` rather than "exactly the 413" because the impls close
- * differently at the TCP level (node-server graceful close delivers the 413
- * first; hyper's RST can drop the in-flight 413 before the client reads it), so
- * demanding a cleanly-read 413 would be flaky; the 413-ness itself is pinned
- * reliably over `fetch` by `describe_body_size_cross_tests`. A **positive
- * control** (two pipelined requests → >= 2 responses) proves a second response
- * *would* be seen if the trailing request were processed — without it the
- * `<= 1` assertion would be vacuous on a server that never reuses connections,
- * and it also proves the response counter isn't undercounting.
+ * `Content-Length` header. The strong (defense-in-depth) posture is to close
+ * the connection *without reading the oversized body*: HTTP/1.1 forbids reusing
+ * a keep-alive connection whose request body wasn't consumed, because unread
+ * body bytes would be parsed as the start of the next request — a classic
+ * request-smuggling vector. This suite probes the boundary by **pipelining**:
+ * it opens a raw TCP socket and sends, in one write, an oversized `POST`
+ * immediately followed by a second `GET`. The assertion forks on the backend's
+ * declared `oversized_reject_closes_connection` capability:
+ *
+ * - **Closes (Node / Deno / hyper)** — the reject closes the socket with the
+ *   GET bytes unconsumed, so **at most one** response comes back. `<= 1` rather
+ *   than "exactly the 413" because the impls close differently at the TCP level
+ *   (node-server graceful close delivers the 413 first; hyper's RST can drop the
+ *   in-flight 413 before the client reads it), so demanding a cleanly-read 413
+ *   would be flaky.
+ * - **Drains + keepalives (Bun)** — `Bun.serve` reads the full declared
+ *   `Content-Length` body and answers the *correctly-framed* pipelined GET, so
+ *   **two** responses come back. This is **not** a smuggle: the GET is delimited
+ *   by the body's `Content-Length`, not the unread body reinterpreted as a
+ *   request — Bun answers it with a clean `400` (`missing method`), not the `x`
+ *   body bytes reparsed. The security property asserted here is **no desync**
+ *   (`<= 2`): a real desync would reframe the 1 MiB of `x` into bogus request
+ *   lines and push the count past two.
+ *
+ * Either way the oversized body is rejected *with* a 413 — pinned reliably over
+ * `fetch` by `describe_body_size_cross_tests`; this test owns only the
+ * connection-handling half. A **positive control** (two pipelined requests →
+ * `>= 2` responses) proves a second response *would* be seen if a trailing
+ * request were processed — without it the close-posture `<= 1` would be vacuous
+ * on a server that never reuses connections — and that the counter isn't
+ * undercounting.
  *
  * Raw-socket by necessity (the `FetchTransport` can't pipeline two requests on
  * one connection), so — unlike `body_size.ts` — this is **cross-process only**
- * (no in-process leg; there is no socket in-process) and ungated (the limit is
- * on every spine). Robust by construction: it counts responses until the
- * socket closes or a short read timeout, so a server that closes (the expected
- * path) and one that merely holds the connection open without smuggling both
- * read as one response; only an actual second response fails.
+ * (no in-process leg; there is no socket in-process). The connection-close half
+ * is capability-gated; the no-desync half holds on every spine.
  *
- * Cited property: `docs/security.md` §"Body Size Limiting" (connection close on
- * oversized reject).
+ * Cited property: `docs/security.md` §"Body Size Limiting" (connection handling
+ * on oversized reject).
  *
  * `$lib`-free by contract (relative + `node:` specifiers only).
  *
@@ -90,6 +98,7 @@ const count_responses = (raw) => (raw.match(/HTTP\/1\.[01] \d{3}/g) ?? []).lengt
 export const describe_body_size_smuggling_cross_tests = (options) => {
     const { base_url } = options;
     const rpc_path = options.rpc_path ?? SPINE_RPC_PATH;
+    const closes_connection = options.closes_connection ?? true;
     const host = new URL(base_url).host;
     describe('body-size limit — request-smuggling resistance', () => {
         // Positive control: prove the server returns >1 response on a single
@@ -118,21 +127,39 @@ export const describe_body_size_smuggling_cross_tests = (options) => {
                 'x'.repeat(oversized_len) +
                 `GET ${rpc_path} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
             const response = await send_raw(base_url, payload, 2000);
-            // The security property is "the pipelined GET is not processed", i.e.
-            // **at most one** response comes back (the 413, or none if the close
-            // raced the read). A *second* response is the smuggle. We assert `<= 1`
-            // rather than "exactly the 413" because the two impls close the
-            // connection differently at the TCP level — node-server closes
-            // gracefully (the 413 is delivered first), hyper sends an RST that can
-            // drop the in-flight 413 before the client reads it — and demanding a
-            // cleanly-read 413 here would be flaky. That the oversized body is
-            // rejected *with* a 413 is pinned reliably (over `fetch`) by
-            // `describe_body_size_cross_tests`; this test owns only the no-smuggle
-            // half. The control above proves a second response *would* be seen if
-            // the GET were processed, so `<= 1` is a real signal, not a vacuous one.
             const n = count_responses(response);
-            assert.ok(n <= 1, `expected at most one response (the GET must not be smuggled in off the ` +
-                `unread body); a second response means it was. Saw ${n}. Raw head: ${response.slice(0, 120)}`);
+            if (closes_connection) {
+                // Strong posture (Node / Deno / hyper): the reject closes the
+                // connection *without reading the body*, so the pipelined GET is
+                // never reached — **at most one** response comes back (the 413, or
+                // none if the close raced the read). A *second* response would mean
+                // the body was drained and the GET processed. We assert `<= 1` rather
+                // than "exactly the 413" because the impls close differently at the
+                // TCP level — node-server closes gracefully (413 delivered first),
+                // hyper sends an RST that can drop the in-flight 413 before the client
+                // reads it — and demanding a cleanly-read 413 would be flaky. The
+                // 413-ness itself is pinned reliably (over `fetch`) by
+                // `describe_body_size_cross_tests`. The control above proves a second
+                // response *would* be seen if the GET were processed, so `<= 1` is a
+                // real signal, not vacuous.
+                assert.ok(n <= 1, `expected at most one response (oversized reject closes the connection; the ` +
+                    `pipelined GET must not be reached). Saw ${n}. Raw head: ${response.slice(0, 120)}`);
+            }
+            else {
+                // Drain-and-keepalive posture (Bun): `Bun.serve` reads the full
+                // declared `Content-Length` body and keeps the socket alive, so it
+                // answers the *correctly-framed* pipelined GET — **two** responses
+                // (the 413 + a well-formed reply to the GET). This is not a smuggle:
+                // the GET is delimited by the body's `Content-Length`, not the unread
+                // body reinterpreted as request bytes. The security property here is
+                // **no desync** — the body bytes are never reparsed as request(s). A
+                // real desync would reframe the 1 MiB of `x` into bogus request
+                // lines, pushing the count past two; `<= 2` is the no-desync bound,
+                // and the control above proves the counter isn't undercounting.
+                assert.ok(n <= 2, `expected at most two responses (the 413 + one framed reply to the ` +
+                    `pipelined GET); more means the oversized body was reparsed as requests ` +
+                    `(a desync). Saw ${n}. Raw head: ${response.slice(0, 120)}`);
+            }
         });
     });
 };

package/dist/testing/cross_backend/capabilities.d.ts

@@ -99,6 +99,35 @@ export interface BackendCapabilities {
      * readiness parity coverage. The drift → `503` path stays per-impl unit tests.
      */
     readonly ready: boolean;
+    /**
+     * The account surface serves `GET /api/account/status` (account info +
+     * `bootstrap_available` flag). Bundled into `create_account_route_specs`, so
+     * any backend mounting the account routes serves it — `true` for every
+     * spine. Gates the `account status response body` case in
+     * `describe_standard_integration_tests`: when `true` the case asserts the
+     * route is present (fail-loud on 404, no silent skip); when `false` it skips
+     * explicitly (a backend that deliberately omits the route).
+     */
+    readonly account_status: boolean;
+    /**
+     * On an oversized-body `413` reject the backend **closes the connection
+     * without reading the body** (the defense-in-depth posture), rather than
+     * draining the declared `Content-Length` and keeping the socket alive.
+     * Gates the strong half of `describe_body_size_smuggling_cross_tests`: when
+     * `true`, the pipelined GET is never reached (at most one response); when
+     * `false`, the suite instead asserts the weaker but still-load-bearing
+     * no-desync property (the body is framed on `Content-Length`, not reparsed
+     * as request bytes).
+     *
+     * `true` for the Node / Deno (`@hono/node-server` graceful close) and Rust
+     * (hyper RST) backends; `false` for Bun — `Bun.serve` reads the full body
+     * and processes the correctly-framed pipelined request even when the `413`
+     * carries `Connection: close`. Bun is not insecure (no desync — it answers
+     * the cleanly-delimited GET with a proper `400`); the flag records the
+     * connection-handling divergence so the suite stays green without losing the
+     * smuggle detector. See `docs/security.md` §"Body Size Limiting".
+     */
+    readonly oversized_reject_closes_connection: boolean;
 }
 /**
  * Capability declarations for the in-process Hono transport. Every flag

package/dist/testing/cross_backend/capabilities.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAmB9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;;;;;;OASG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;;;;;OAQG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;;;;;OAOG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC;;;;;;;;OAQG;IACH,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;IAC/B;;;;;;;;OAQG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAWpC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAgC9B;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IACnC;;;;;;;;;OASG;IACH,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B;;;;;;;;OAQG;IACH,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;;;;;;;OAOG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;OAQG;IACH,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC;;;;;;;;OAQG;IACH,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;IAC/B;;;;;;;;OAQG;IACH,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB;;;;;;;;OAQG;IACH,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;OAiBG;IACH,QAAQ,CAAC,kCAAkC,EAAE,OAAO,CAAC;CACrD;AAED;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAapC,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,EAAE,IAAI,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAG,IAMrF,CAAC"}

package/dist/testing/cross_backend/capabilities.js

@@ -11,6 +11,19 @@ import '../assert_dev_env.js';
  * capability `true` (see `in_process_capabilities`). Cross-process
  * backends opt in per-flag on their `BackendConfig`.
  *
+ * **Where the per-backend declarations live** (this file owns only the
+ * vocabulary + the in-process preset):
+ *
+ * - `in_process_capabilities` — here; every flag `true`.
+ * - `ts_default_capabilities` / `rust_default_capabilities` — consumer-facing
+ *   family defaults, in `default_backend_configs.ts` (full literals, so adding
+ *   a capability is a compile error until each family declares it).
+ * - `ts_spine_capabilities` / `ts_spine_bun_capabilities` — fuz_app's own TS
+ *   spine presets, in `ts_spine_backend_config.ts` (deltas off the family
+ *   default; Bun flips `oversized_reject_closes_connection`).
+ * - `rust_spine_stub_capabilities` — fuz_app's Rust spine-stub preset, in
+ *   `rust_spine_stub_backend_config.ts` (delta off the rust family default).
+ *
  * @module
  */
 import { test } from 'vitest';
@@ -31,6 +44,8 @@ export const in_process_capabilities = Object.freeze({
     account_lifecycle: true,
     fact_serving: true,
     ready: true,
+    account_status: true,
+    oversized_reject_closes_connection: true,
 });
 /**
  * Conditional `test()` wrapper — registers a vitest case only when

package/dist/testing/cross_backend/default_backend_configs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default_backend_configs.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_backend_configs.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAC,sBAAsB,EAAE,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAC/E,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAA2B,KAAK,gBAAgB,EAAC,MAAM,+BAA+B,CAAC;AAQ9F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAapC,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,EAAE,mBAatC,CAAC;AAeH,MAAM,WAAW,iCAAiC;IACjD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,oDAAoD;IACpD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,iCAAiC,KACrC,aAoCF,CAAC;AAEF,MAAM,WAAW,mCAAmC;IACnD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C;;;;OAIG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,+CAA+C;IAC/C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,mCAAmC,KACvC,aA4CF,CAAC"}
+{"version":3,"file":"default_backend_configs.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_backend_configs.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAC,sBAAsB,EAAE,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAC/E,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAA2B,KAAK,gBAAgB,EAAC,MAAM,+BAA+B,CAAC;AAQ9F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,mBAoBpC,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,EAAE,mBAmBtC,CAAC;AAeH,MAAM,WAAW,iCAAiC;IACjD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C,oDAAoD;IACpD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,iCAAiC,KACrC,aAoCF,CAAC;AAEF,MAAM,WAAW,mCAAmC;IACnD,gFAAgF;IAChF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9C;;;;OAIG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,+CAA+C;IAC/C,QAAQ,CAAC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC/D;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,mCAAmC,KACvC,aA4CF,CAAC"}

package/dist/testing/cross_backend/default_backend_configs.js

@@ -20,6 +20,13 @@ export const ts_default_capabilities = Object.freeze({
     // Off by default like `sse` — a generic TS consumer backend may not mount
     // `/ready`. fuz_app's own spine configs (`ts_spine_*`) opt in.
     ready: false,
+    // `GET /api/account/status` is bundled into `create_account_route_specs`, so
+    // every TS backend mounting account routes serves it.
+    account_status: true,
+    // Node/Deno close the socket on an oversized-body reject (the default
+    // posture). A Bun-served consumer overrides to `false` (see the bun spine
+    // config) — fail-loud rather than silently skipping the smuggle detector.
+    oversized_reject_closes_connection: true,
 });
 /**
  * Capabilities for the Rust family. Adds `trusted_proxy: true` (the
@@ -40,6 +47,12 @@ export const rust_default_capabilities = Object.freeze({
     // Off by default like `sse`; the spine-stub preset opts in (it mounts
     // `/ready` over the env-supplied fixture path).
     ready: false,
+    // The Rust `account_router` bundles `/status` into the account routes, so
+    // every Rust spine serving the account surface serves it.
+    account_status: true,
+    // hyper sends an RST on the oversized-body reject — the connection closes
+    // and the pipelined request is never reached.
+    oversized_reject_closes_connection: true,
 });
 /** Bootstrap block built from the default secrets + supplied paths. */
 const build_default_bootstrap = (paths, overrides) => ({

package/dist/testing/cross_backend/default_spine_surface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"default_spine_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_spine_surface.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAIpD,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,8CAA8C,CAAC;AACrF,OAAO,EAAqB,KAAK,gBAAgB,EAAC,MAAM,2BAA2B,CAAC;AACpF,OAAO,EAAwB,KAAK,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAIxF,OAAO,EAAqB,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC5E,OAAO,KAAK,EAAC,cAAc,EAAE,eAAe,EAAC,MAAM,uBAAuB,CAAC;AAC3E,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AAGzE;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,CAAC,MAAM,CAAwC,CAAC;AAElG;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,gBAAgB,CAAC;AAEpD;;;;;;GAMG;AACH,eAAO,MAAM,WAAW,EAAE,gBAExB,CAAC;AAEH,iEAAiE;AACjE,eAAO,MAAM,cAAc,aAAa,CAAC;AAEzC;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,4BAA4B,CAAC;AAExD,+CAA+C;AAC/C,MAAM,WAAW,wBAAwB;IACxC;;;;;;;;;;;;;;;OAeG;IACH,QAAQ,CAAC,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACzD;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,mBAAmB,GAC/B,KAAK,gBAAgB,EACrB,UAAU,wBAAwB,KAChC,KAAK,CAAC,eAAe,CAQvB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,wBAAwB,GAAI,KAAK,gBAAgB,KAAG,KAAK,CAAC,SAAS,CAiB/E,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,EAAE,GAAwD,CAAC;AAEjG;;;;;;;;;GASG;AACH,eAAO,MAAM,6BAA6B,GAAI,MAAM,MAAM,KAAG,SAC6B,CAAC;AAE3F;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,QAAO,cAM1C,CAAC"}
+{"version":3,"file":"default_spine_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/default_spine_surface.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAIpD,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,8CAA8C,CAAC;AACrF,OAAO,EAAqB,KAAK,gBAAgB,EAAC,MAAM,2BAA2B,CAAC;AACpF,OAAO,EAAwB,KAAK,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAIxF,OAAO,EAAqB,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC5E,OAAO,KAAK,EAAC,cAAc,EAAE,eAAe,EAAC,MAAM,uBAAuB,CAAC;AAC3E,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AAGzE;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,CAAC,MAAM,CAAwC,CAAC;AAElG;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,gBAAgB,CAAC;AAEpD;;;;;;GAMG;AACH,eAAO,MAAM,WAAW,EAAE,gBAExB,CAAC;AAEH,iEAAiE;AACjE,eAAO,MAAM,cAAc,aAAa,CAAC;AAEzC;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,4BAA4B,CAAC;AAExD,+CAA+C;AAC/C,MAAM,WAAW,wBAAwB;IACxC;;;;;;;;;;;;;;;OAeG;IACH,QAAQ,CAAC,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACzD;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,mBAAmB,GAC/B,KAAK,gBAAgB,EACrB,UAAU,wBAAwB,KAChC,KAAK,CAAC,eAAe,CAQvB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,wBAAwB,GAAI,KAAK,gBAAgB,KAAG,KAAK,CAAC,SAAS,CAkB/E,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,EAAE,GAAwD,CAAC;AAEjG;;;;;;;;;GASG;AACH,eAAO,MAAM,6BAA6B,GAAI,MAAM,MAAM,KAAG,SAC6B,CAAC;AAE3F;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,QAAO,cAM1C,CAAC"}

package/dist/testing/cross_backend/default_spine_surface.js

@@ -80,6 +80,7 @@ export const create_spine_route_specs = (ctx) => [
             ip_rate_limiter: null,
             login_account_rate_limiter: null,
             login_fail_floor_ms: 0,
+            bootstrap_status: ctx.bootstrap_status,
         }),
         ...create_signup_route_specs(ctx.deps, {
             session_options: spine_session_options,

package/dist/testing/cross_backend/in_process_setup.d.ts

@@ -0,0 +1,143 @@
+import '../assert_dev_env.js';
+import type { RouteSpec } from '../../http/route_spec.js';
+import type { AppSurfaceSpec } from '../../http/surface.js';
+import type { BootstrapServerOptions } from '../../server/app_server.js';
+import type { AppServerContext } from '../../server/app_server_context.js';
+import type { SessionOptions } from '../../auth/session_cookie.js';
+import { type CreateTestAppOptions, type SuiteAppOptions } from '../app_server.js';
+import { type RpcEndpointsSuiteOption } from '../rpc_helpers.js';
+import { type BackendCapabilities } from './capabilities.js';
+import { type SetupTest, type ExtraAccountSpec } from './setup.js';
+/**
+ * Options for `default_in_process_setup`. Extends `CreateTestAppOptions`
+ * with the same `extra_accounts` slot the cross-process variant accepts
+ * — both transports observe the same bootstrap-time secondary set so
+ * suite bodies can read `fixture.extra_accounts[username]` uniformly.
+ */
+export interface InProcessSetupOptions extends CreateTestAppOptions {
+    /**
+     * Additional accounts seeded at this transport's bootstrap-equivalent
+     * step. See `ExtraAccountSpec` for the cradle-only-bypass rationale.
+     * Most suites pass `undefined` / `[]`; the `ROLE_KEEPER` probe (in
+     * `describe_standard_admin_integration_tests`) is the primary user.
+     */
+    readonly extra_accounts?: ReadonlyArray<ExtraAccountSpec>;
+    /**
+     * Additional actor names to seed on the bootstrapped keeper — exposed on
+     * `fixture.extra_actors`. See `CrossProcessSetupOptions.extra_actors` /
+     * `TestFixtureBase.extra_actors`. Seeded directly against the live backend
+     * DB (in-process has no wire hop).
+     */
+    readonly extra_actors?: ReadonlyArray<string>;
+}
+/**
+ * Build a `SetupTest` that creates a fresh `TestApp` per call via
+ * `create_test_app` and projects it into the `TestFixture` shape.
+ *
+ * Same factory inputs `create_test_app` already takes — this helper
+ * is a projection layer, not a new lifecycle. fuz_app's own `src/test/`
+ * and consumer suites pass `default_in_process_setup({...factory_inputs})`
+ * in place of the old per-suite factory-input bundle. The `extra_accounts`
+ * slot (see `InProcessSetupOptions`) seeds bootstrap-time secondaries
+ * directly via `create_test_account_with_credentials` against the same
+ * DB the keeper just landed on — mirrors the cross-process
+ * `_testing_reset` cradle so suite bodies read
+ * `fixture.extra_accounts[username]` uniformly regardless of transport.
+ *
+ * The describe-level `auth_integration_truncate_tables` / pglite WASM
+ * cache lifecycle stays in `create_pglite_factory` / `create_describe_db`
+ * (`testing/db.ts`) — `default_in_process_setup` doesn't manage db state
+ * beyond what `create_test_app` already does.
+ */
+export declare const default_in_process_setup: (options: InProcessSetupOptions) => SetupTest;
+/**
+ * Consumer-facing options for `default_in_process_suite_options` — the
+ * minimal factory inputs both `default_in_process_setup` and
+ * `create_test_app_surface_spec` consume to produce the
+ * `{setup_test, surface_source, capabilities}` bundle.
+ */
+export interface DefaultInProcessSuiteOptions {
+    session_options: SessionOptions<string>;
+    create_route_specs: (ctx: AppServerContext) => Array<RouteSpec>;
+    rpc_endpoints?: RpcEndpointsSuiteOption;
+    /**
+     * Bootstrap config — top-level slot, single source of truth for both
+     * surface generation and live dispatch. Same precedent as
+     * `rpc_endpoints`. Discriminated by `mode`; omit for the default (no
+     * bootstrap route mounted).
+     */
+    bootstrap?: BootstrapServerOptions;
+    app_options?: SuiteAppOptions;
+    /**
+     * Additional roles to grant the bootstrapped keeper alongside
+     * `ROLE_KEEPER` — additive, never replaces. The keeper account
+     * always holds `ROLE_KEEPER` (otherwise daemon-token auth breaks);
+     * pass extras here for suites that need additional role coverage.
+     *
+     * Admin-suite consumers pass `[ROLE_ADMIN]` so the default keeper
+     * can hit admin-gated RPC methods.
+     * `describe_standard_admin_integration_tests` and
+     * `describe_audit_completeness_tests` need this.
+     */
+    extra_keeper_roles?: Array<string>;
+    /**
+     * Bootstrap-time secondary accounts seeded alongside the keeper. See
+     * `ExtraAccountSpec` for the cradle-only-bypass rationale. Same shape
+     * as the cross-process `extra_accounts` option — suites read seeded
+     * accounts from `fixture.extra_accounts[username]` regardless of
+     * transport.
+     */
+    extra_accounts?: ReadonlyArray<ExtraAccountSpec>;
+    /**
+     * Additional actor names to seed on the bootstrapped keeper — exposed on
+     * `fixture.extra_actors`. See `TestFixtureBase.extra_actors`.
+     */
+    extra_actors?: ReadonlyArray<string>;
+    /**
+     * Pre-built `AppSurfaceSpec` — overrides the default which calls
+     * `create_test_app_surface_spec` against the same factory inputs.
+     * Pass when surface assembly needs fields outside the shared subset
+     * (e.g. `env_schema`, `event_specs`, `ws_endpoints`, `transform_middleware`).
+     */
+    surface_source?: AppSurfaceSpec;
+}
+/**
+ * Build the full in-process suite bundle in a single helper invocation.
+ * Output covers `{setup_test, surface_source, capabilities}` plus every
+ * factory input the Tier 1 suites read at their top level
+ * (`session_options`, `create_route_specs`, `rpc_endpoints`) — so the
+ * call site spreads once and adds only suite-specific extras
+ * (`roles`, `skip_routes`, `input_overrides`, `db_factories`, ...).
+ *
+ * ```ts
+ * // Suite-extras-free call: helper output is the entire options bag.
+ * describe_round_trip_validation(default_in_process_suite_options({
+ *   session_options,
+ *   create_route_specs,
+ *   rpc_endpoints: [rpc_endpoint_spec],
+ * }));
+ *
+ * // With suite-specific extras: spread and add.
+ * describe_standard_admin_integration_tests({
+ *   ...default_in_process_suite_options({
+ *     session_options, create_route_specs, rpc_endpoints,
+ *     extra_keeper_roles: [ROLE_ADMIN],
+ *   }),
+ *   roles,
+ * });
+ * ```
+ *
+ * Suites that don't read `session_options` / `rpc_endpoints` at their
+ * top level (`round_trip`, `data_exposure`) accept the spread anyway —
+ * excess properties on spread sources aren't checked by TS, and the
+ * uniform shape keeps consumer call sites mechanical.
+ */
+export declare const default_in_process_suite_options: <const O extends DefaultInProcessSuiteOptions>(options: O) => {
+    setup_test: SetupTest;
+    surface_source: AppSurfaceSpec;
+    capabilities: BackendCapabilities;
+    session_options: O["session_options"];
+    create_route_specs: O["create_route_specs"];
+    rpc_endpoints: O["rpc_endpoints"];
+};
+//# sourceMappingURL=in_process_setup.d.ts.map

package/dist/testing/cross_backend/in_process_setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"in_process_setup.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/in_process_setup.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAqB9B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AACxD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,uBAAuB,CAAC;AAC1D,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,4BAA4B,CAAC;AACvE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAGjE,OAAO,EAIN,KAAK,oBAAoB,EACzB,KAAK,eAAe,EACpB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGN,KAAK,uBAAuB,EAC5B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAA0B,KAAK,mBAAmB,EAAC,MAAM,mBAAmB,CAAC;AAEpF,OAAO,EAGN,KAAK,SAAS,EAEd,KAAK,gBAAgB,EACrB,MAAM,YAAY,CAAC;AAepB;;;;;GAKG;AACH,MAAM,WAAW,qBAAsB,SAAQ,oBAAoB;IAClE;;;;;OAKG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC1D;;;;;OAKG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACnC,SAAS,qBAAqB,KAAG,SAqEjC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,WAAW,4BAA4B;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACnC;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IACjD;;;OAGG;IACH,YAAY,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACrC;;;;;OAKG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CAChC;AAWD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,gCAAgC,GAAI,KAAK,CAAC,CAAC,SAAS,4BAA4B,EAC5F,SAAS,CAAC,KACR;IACF,UAAU,EAAE,SAAS,CAAC;IACtB,cAAc,EAAE,cAAc,CAAC;IAC/B,YAAY,EAAE,mBAAmB,CAAC;IAClC,eAAe,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;IACtC,kBAAkB,EAAE,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAC5C,aAAa,EAAE,CAAC,CAAC,eAAe,CAAC,CAAC;CA2BjC,CAAC"}

package/dist/testing/cross_backend/in_process_setup.js

@@ -0,0 +1,166 @@
+import '../assert_dev_env.js';
+import { ROLE_KEEPER } from '../../auth/role_schema.js';
+import { query_create_actor } from '../../auth/account_queries.js';
+import { create_test_app, create_test_account_with_credentials, mint_test_session, } from '../app_server.js';
+import { create_test_app_surface_spec } from '../stubs.js';
+import { http_transport, } from '../rpc_helpers.js';
+import { in_process_capabilities } from './capabilities.js';
+import { build_extra_account_fixture, EXPIRED_SESSION_OFFSET_SECONDS, } from './setup.js';
+/**
+ * Wrap a Hono-style app into a `FetchTransport`-shaped object so the
+ * shared `TestFixtureBase.transport` type holds for both in-process and
+ * cross-process setups. In-process has no real cookie jar — the no-op
+ * `cookies()` returns `[]`; in-process tests build cookies via
+ * `fixture.create_session_headers()` instead.
+ */
+const in_process_fetch_transport = (app) => {
+    const call = http_transport(app);
+    const transport = ((url, init) => call(url, init));
+    return Object.assign(transport, { cookies: () => [] });
+};
+/**
+ * Build a `SetupTest` that creates a fresh `TestApp` per call via
+ * `create_test_app` and projects it into the `TestFixture` shape.
+ *
+ * Same factory inputs `create_test_app` already takes — this helper
+ * is a projection layer, not a new lifecycle. fuz_app's own `src/test/`
+ * and consumer suites pass `default_in_process_setup({...factory_inputs})`
+ * in place of the old per-suite factory-input bundle. The `extra_accounts`
+ * slot (see `InProcessSetupOptions`) seeds bootstrap-time secondaries
+ * directly via `create_test_account_with_credentials` against the same
+ * DB the keeper just landed on — mirrors the cross-process
+ * `_testing_reset` cradle so suite bodies read
+ * `fixture.extra_accounts[username]` uniformly regardless of transport.
+ *
+ * The describe-level `auth_integration_truncate_tables` / pglite WASM
+ * cache lifecycle stays in `create_pglite_factory` / `create_describe_db`
+ * (`testing/db.ts`) — `default_in_process_setup` doesn't manage db state
+ * beyond what `create_test_app` already does.
+ */
+export const default_in_process_setup = (options) => async () => {
+    // Per-test fresh db. When `options.migration_namespaces` is set,
+    // `create_test_app` provisions an auth+extras PGlite (e.g. the cell
+    // layer); otherwise the auth-only default. Either way the factory
+    // resets + re-migrates on each `create`, so the per-test keeper
+    // bootstrap below lands on a clean DB.
+    const test_app = await create_test_app(options);
+    // Seed bootstrap-time secondaries against the same DB the keeper
+    // just landed on. Direct-insert is the only path for roles whose
+    // `grant_paths` excludes `'admin'` (e.g. `ROLE_KEEPER`) — see
+    // `ExtraAccountSpec` for why this bypass is bootstrap-cradle-only.
+    const extra_accounts = {};
+    const { cookie_name } = options.session_options;
+    for (const spec of options.extra_accounts ?? []) {
+        const seeded = await create_test_account_with_credentials({
+            db: test_app.backend.deps.db,
+            keyring: test_app.backend.keyring,
+            session_options: options.session_options,
+            password: test_app.backend.deps.password,
+            username: spec.username,
+            password_value: spec.password_value,
+            roles: [...spec.roles],
+        });
+        extra_accounts[spec.username] = build_extra_account_fixture(seeded, cookie_name);
+    }
+    // Seed additional keeper actors directly against the same DB. Mirrors
+    // the cross-process `_testing_reset` `extra_actors` path; no production
+    // wire mints a second actor, so this bootstrap-cradle insert is the
+    // only way into a multi-actor keeper state.
+    const extra_actors = [];
+    for (const name of options.extra_actors ?? []) {
+        const seeded_actor = await query_create_actor({ db: test_app.backend.deps.db }, test_app.backend.account.id, name);
+        extra_actors.push({ id: seeded_actor.id, name: seeded_actor.name });
+    }
+    return {
+        transport: in_process_fetch_transport(test_app.app),
+        // In-process the wrapper is stateless and never auto-adds Origin —
+        // `options` is accepted for API symmetry with cross-process but
+        // has no observable effect.
+        fresh_transport: () => in_process_fetch_transport(test_app.app),
+        account: test_app.backend.account,
+        actor: test_app.backend.actor,
+        create_session_headers: test_app.create_session_headers,
+        create_bearer_headers: test_app.create_bearer_headers,
+        create_daemon_token_headers: test_app.create_daemon_token_headers,
+        create_account: test_app.create_account,
+        extra_accounts,
+        extra_actors,
+        // Forge directly against the live backend's DB + keyring — no wire
+        // hop needed in-process.
+        mint_expired_session: async () => {
+            const { session_cookie } = await mint_test_session({
+                db: test_app.backend.deps.db,
+                keyring: test_app.backend.keyring,
+                session_options: options.session_options,
+                account_id: test_app.backend.account.id,
+                expires_in_seconds: EXPIRED_SESSION_OFFSET_SECONDS,
+            });
+            return `${cookie_name}=${session_cookie}`;
+        },
+    };
+};
+// NOTE: bootstrap config is read from `options.bootstrap` — top-level slot,
+// single source of truth for both the surface spec (so the route appears in
+// `expected_public_routes` / attack-surface iteration) AND the live
+// `create_test_app` (so the route exists at dispatch time and returns 403
+// `ERROR_ALREADY_BOOTSTRAPPED` matching its declared 403 schema). Same
+// precedent as `rpc_endpoints`. Discriminated union shape (`mode: 'disabled'`
+// | `'surface_only'` | `'live'`) replaces the old `token_path: string | null`
+// overload that conflated three deployment intents on one channel.
+/**
+ * Build the full in-process suite bundle in a single helper invocation.
+ * Output covers `{setup_test, surface_source, capabilities}` plus every
+ * factory input the Tier 1 suites read at their top level
+ * (`session_options`, `create_route_specs`, `rpc_endpoints`) — so the
+ * call site spreads once and adds only suite-specific extras
+ * (`roles`, `skip_routes`, `input_overrides`, `db_factories`, ...).
+ *
+ * ```ts
+ * // Suite-extras-free call: helper output is the entire options bag.
+ * describe_round_trip_validation(default_in_process_suite_options({
+ *   session_options,
+ *   create_route_specs,
+ *   rpc_endpoints: [rpc_endpoint_spec],
+ * }));
+ *
+ * // With suite-specific extras: spread and add.
+ * describe_standard_admin_integration_tests({
+ *   ...default_in_process_suite_options({
+ *     session_options, create_route_specs, rpc_endpoints,
+ *     extra_keeper_roles: [ROLE_ADMIN],
+ *   }),
+ *   roles,
+ * });
+ * ```
+ *
+ * Suites that don't read `session_options` / `rpc_endpoints` at their
+ * top level (`round_trip`, `data_exposure`) accept the spread anyway —
+ * excess properties on spread sources aren't checked by TS, and the
+ * uniform shape keeps consumer call sites mechanical.
+ */
+export const default_in_process_suite_options = (options) => ({
+    setup_test: default_in_process_setup({
+        session_options: options.session_options,
+        create_route_specs: options.create_route_specs,
+        rpc_endpoints: options.rpc_endpoints,
+        bootstrap: options.bootstrap,
+        app_options: options.app_options,
+        roles: [ROLE_KEEPER, ...(options.extra_keeper_roles ?? [])],
+        extra_accounts: options.extra_accounts,
+        extra_actors: options.extra_actors,
+    }),
+    surface_source: options.surface_source ??
+        create_test_app_surface_spec({
+            session_options: options.session_options,
+            create_route_specs: options.create_route_specs,
+            rpc_endpoints: options.rpc_endpoints,
+            // Mirror what `create_test_app` → `create_app_server` will mount.
+            // Both helpers read from the top-level `bootstrap` slot so surface
+            // and live app stay in sync by construction.
+            bootstrap: options.bootstrap,
+        }),
+    capabilities: in_process_capabilities,
+    session_options: options.session_options,
+    create_route_specs: options.create_route_specs,
+    rpc_endpoints: options.rpc_endpoints,
+});

package/dist/testing/cross_backend/rust_spine_stub_backend_config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rust_spine_stub_backend_config.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/rust_spine_stub_backend_config.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAuC9B,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAQvD,uGAAuG;AACvG,eAAO,MAAM,uBAAuB,oCAAoC,CAAC;AAEzE;;;;;GAKG;AACH,eAAO,MAAM,wCAAwC,6CAA6C,CAAC;AAEnG,kGAAkG;AAClG,eAAO,MAAM,4BAA4B,OAAO,CAAC;AAEjD,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,sDACG,CAAC;AAErD,MAAM,WAAW,6BAA6B;IAC7C,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,+EAA+E;IAC/E,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,8BAA8B,GAC1C,UAAS,6BAAkC,KACzC,aA6CF,CAAC"}
+{"version":3,"file":"rust_spine_stub_backend_config.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/rust_spine_stub_backend_config.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAuC9B,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,qBAAqB,CAAC;AAQvD,uGAAuG;AACvG,eAAO,MAAM,uBAAuB,oCAAoC,CAAC;AAEzE;;;;;GAKG;AACH,eAAO,MAAM,wCAAwC,6CAA6C,CAAC;AAenG,kGAAkG;AAClG,eAAO,MAAM,4BAA4B,OAAO,CAAC;AAEjD,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,sDACG,CAAC;AAErD,MAAM,WAAW,6BAA6B;IAC7C,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,+EAA+E;IAC/E,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,8BAA8B,GAC1C,UAAS,6BAAkC,KACzC,aAwCF,CAAC"}

package/dist/testing/cross_backend/rust_spine_stub_backend_config.js

@@ -46,6 +46,18 @@ export const RUST_SPINE_STUB_BIN_ENV = 'FUZ_TESTING_RUST_SPINE_STUB_BIN';
  * column-presence is engine-portable, so one file is the cross-impl contract.
  */
 export const RUST_SPINE_STUB_EXPECTED_SCHEMA_PATH_ENV = 'FUZ_RUST_SPINE_STUB_EXPECTED_SCHEMA_PATH';
+/**
+ * Capabilities for the Rust `testing_spine_stub` — `rust_default_capabilities`
+ * plus `sse` (the stub serves `GET /api/admin/audit/stream` over the spine
+ * `fuz_realtime::SseRegistry` + audit listener) and `ready` (it live-mounts
+ * `/ready` over the env-supplied fixture path). Named (not inline) so every
+ * spine preset is greppable, mirroring `ts_spine_capabilities`.
+ */
+const rust_spine_stub_capabilities = Object.freeze({
+    ...rust_default_capabilities,
+    sse: true,
+    ready: true,
+});
 /** Default listening port — slots beside zzz's 1175/1176; matches the binary's `DEFAULT_PORT`. */
 export const RUST_SPINE_STUB_DEFAULT_PORT = 1177;
 /** Default Postgres database — real PG (PGlite isn't reachable from `tokio-postgres`). */
@@ -78,12 +90,7 @@ export const rust_spine_stub_backend_config = (options = {}) => {
         // is the lower-precedence fallback — both carry the same value.
         start_command: [binary_path, '--port', String(port)],
         database_url,
-        // The stub serves `GET /api/admin/audit/stream` (the spine
-        // `fuz_realtime::SseRegistry` + audit listener), so it advertises `sse`
-        // like the TS spines — the cross-process SSE suite's three cases run. It
-        // also live-mounts `/ready` over the env-supplied fixture path, so it
-        // advertises `ready` for `describe_ready_cross_tests`.
-        capabilities: { ...rust_default_capabilities, sse: true, ready: true },
+        capabilities: rust_spine_stub_capabilities,
         port_env_var: 'FUZ_RUST_SPINE_STUB_PORT',
         rust_log: 'info,testing_spine_stub=info',
         paths,