@marianmeres/ownsuite 1.0.3 → 2.0.0

package/AGENTS.md

@@ -6,7 +6,7 @@ Machine-readable documentation for AI coding assistants.
 
 ```yaml
 name: "@marianmeres/ownsuite"
-version: "1.0.0"
+version: "2.0.0"
 type: "library"
 language: "typescript"
 runtime: "deno"
@@ -27,17 +27,40 @@ Pairs with:
 
 ```
 Ownsuite (orchestrator)
-├── #pubsub           (shared event bus)
+├── #pubsub           (shared event bus, cleared on destroy)
 ├── #context          (propagated to all domains on setContext)
 └── domains: Map<string, OwnedCollectionManager>
-      ├── store       (Svelte-compatible DomainStateWrapper<OwnedCollectionState<TRow>>)
-      ├── adapter     (OwnedCollectionAdapter)
-      ├── state machine: initializing → ready ↔ syncing → error
-      └── optimistic update + rollback on create/update/delete
+      ├── store           (Svelte-compatible DomainStateWrapper<OwnedCollectionState<TRow>>)
+      ├── adapter         (OwnedCollectionAdapter)
+      ├── state machine:  initializing → ready ↔ syncing → error
+      ├── optimistic update + per-row rollback on update/delete
+      ├── mutation chain  (serial create/update/delete)
+      ├── abort-supersede (initialize/refresh — newer call aborts older)
+      └── destroy()       (aborts in-flight ops, drops adapter)
 ```
 
 Each domain holds one list of rows. List operations replace the list wholesale; single-row ops mutate it in place so subscribers see stable references.
 
+### Concurrency model
+
+- **Mutations serialize** per manager via an internal promise chain. A
+  `create/update/delete` that starts while another is in-flight queues
+  behind it; callers still receive their own result through the returned
+  promise. Rejections on the chain are swallowed so they do not block
+  later mutations.
+- **Reads abort-supersede**: a new `initialize()` or `refresh()` aborts
+  any in-flight read on the same manager. The aborted call resolves
+  without writing to the store.
+- **onSuccess uses live data, not a captured snapshot**, so interleaving
+  reads and mutations never resurrect deleted rows or clobber writes.
+- **Rollback is per-row**: a failed `update` reverts just the updated
+  row; a failed `delete` re-inserts the deleted row at its original
+  position. An interleaved refresh that brought new rows is preserved.
+- **AbortSignal plumbing**: every adapter call receives
+  `ctx.signal: AbortSignal`. `reset()` and `destroy()` abort all active
+  signals. Adapters should forward the signal to `fetch()` — ignoring
+  it is safe but leaves abandoned requests running.
+
 ## Directory Structure
 
 ```
@@ -65,7 +88,9 @@ tests/
 ```typescript
 // Main
 export { Ownsuite, createOwnsuite } from "./ownsuite.ts";
-export type { OwnsuiteConfig, OwnsuiteDomainConfig } from "./ownsuite.ts";
+export type {
+	OwnsuiteConfig, OwnsuiteDomainConfig, SetContextOptions,
+} from "./ownsuite.ts";
 
 // Domain managers
 export { BaseDomainManager, OwnedCollectionManager } from "./domains/mod.ts";
@@ -102,15 +127,23 @@ Triggered by `initialize()`, `refresh()`, `create()`, `update()`, `delete()` on
 
 1. **Client NEVER sets `owner_id`.** The server stamps it from the authenticated JWT via `@marianmeres/collection`'s `ownerIdExtractor`. Including `owner_id` in a create/update payload will be rejected (belt-and-braces) or silently ignored (immutability guarantee on update).
 
-2. **Ownership mismatches return 404, not 403.** When the server's `ownerIdScope` rejects access to a foreign row, it responds 404 to avoid leaking row existence. Adapter implementations must not treat 404 as a soft miss — they must throw so the manager transitions to `error` state for unexpected 404s on previously-visible rows.
+2. **Ownership mismatches return 404, not 403.** When the server's `ownerIdScope` rejects access to a foreign row, it responds 404 to avoid leaking row existence. For `list`/`refresh`, adapters must throw — the manager transitions to `error`. For `getOne`, a throw lands only in a returned `null` (see invariant 7).
+
+3. **Row ids default to `model_id`, fallback `id`.** Override via `getRowId` in `OwnsuiteDomainConfig` or `OwnedCollectionManagerOptions` when rows have a different key shape. Empty string is rejected.
+
+4. **`initialize()` never rejects.** Per-domain errors land in that domain's `error` state; the top-level promise resolves. Use `suite.hasErrors()` / `suite.errors()` to detect failed boots, or subscribe to `domain:error`.
+
+5. **Optimistic updates roll back per-row on failure.** `update` mutates the single target row; on error that row reverts to its pre-call value. `delete` removes the target row; on error it is re-inserted at its original position (unless another op has since re-added it). `create` does NOT optimistically insert. Rollback reads the *live* store so an interleaved `refresh()` that brought new rows is preserved.
+
+6. **`OwnsuiteContext.subjectId` is a hint, not authorization.** The server is authoritative. Setting it client-side has no security effect. When subject changes, call `suite.setContext(ctx, { replace: true, refresh: true })` to clear stale per-subject caches.
 
-3. **Row ids default to `model_id`, fallback `id`.** Override via `getRowId` in `OwnsuiteDomainConfig` or `OwnedCollectionManagerOptions` when rows have a different key shape.
+7. **`getOne()` does NOT transition the domain to `error`.** A failing single-row read (commonly a 404 for an un-owned row) returns `null` and emits nothing. The list state is preserved.
 
-4. **`initialize()` never rejects.** Per-domain errors land in that domain's `error` state; the top-level promise resolves. Callers that need failure detection should subscribe to `domain:error` events or inspect `manager.get().state`.
+8. **`update(id)` for a row absent from the cached list does NOT insert.** A missing index means the row was filtered out or never loaded — the successful server response is acknowledged (`own:row:updated` is emitted) but the list remains untouched. Call `refresh()` to surface the row.
 
-5. **Optimistic updates roll back on failure.** `update` and `delete` mutate the list before the server call; on error the list is restored to its pre-call snapshot and the manager transitions to `error`. `create` does NOT optimistically insert (no client-assigned id) — it only inserts after the server returns.
+9. **Mutations serialize; reads abort-supersede.** Within a single manager, `create/update/delete` run one-at-a-time in call order. A newer `initialize/refresh` aborts an older one (the older call becomes a no-op).
 
-6. **`OwnsuiteContext.subjectId` is a hint, not authorization.** The server is authoritative. Setting it client-side has no security effect.
+10. **`ctx.signal` is present on every adapter call.** Adapters should forward it to `fetch()`. Signals abort on `reset()`, `destroy()`, and read-supersede.
 
 ## Common Patterns
 
@@ -152,6 +185,29 @@ suite.on("domain:error",     (e) => {/* e.error */});
 suite.onAny(({ event, data }) => {/* wildcard envelope */});
 ```
 
+### Detecting boot failures
+
+```typescript
+await suite.initialize();
+if (suite.hasErrors()) {
+	const errs = suite.errors(); // { [domainName]: DomainError }
+	// route to error UI, log, retry, ...
+}
+```
+
+### Switching subject mid-session
+
+```typescript
+// Clears the previous subject's context keys and re-fetches every domain.
+suite.setContext({ subjectId: newId }, { replace: true, refresh: true });
+```
+
+### Cleanup
+
+```typescript
+suite.destroy(); // aborts in-flight requests, unsubscribes pubsub, drops adapters
+```
+
 ### Implementing a real adapter
 
 ```typescript
@@ -159,14 +215,14 @@ import type { OwnedCollectionAdapter } from "@marianmeres/ownsuite";
 import { HTTP_ERROR } from "@marianmeres/http-utils";
 
 const adapter: OwnedCollectionAdapter = {
-	async list(_ctx, query) {
+	async list(ctx, query) {
 		const url = new URL(`/api/shop/me/col/order/mod`, location.origin);
 		if (query) for (const [k, v] of Object.entries(query)) url.searchParams.set(k, String(v));
-		const res = await fetch(url);
+		const res = await fetch(url, { signal: ctx.signal }); // forward abort
 		if (!res.ok) throw new HTTP_ERROR.BadRequest(await res.text());
 		return await res.json(); // { data, meta }
 	},
-	// getOne, create, update, delete similarly
+	// getOne, create, update, delete similarly — always forward ctx.signal
 };
 ```
 
@@ -234,10 +290,14 @@ dev:
 ## Testing
 
 ```bash
-deno task test       # run all tests (10 tests)
+deno task test       # run all tests (26 tests across ownsuite.test.ts + concurrency.test.ts)
 deno task test:watch # watch mode
 ```
 
+`tests/concurrency.test.ts` covers the critical invariants: concurrent
+mutations, abort-supersede, getOne-not-setting-error, phantom-row
+prevention, destroy semantics, and the errors()/hasErrors() helpers.
+
 ## Build & Publish
 
 ```bash
@@ -277,6 +337,52 @@ Joy ships:
 
 See the full-stack-app-template repo for the end-to-end example.
 
+## Breaking changes in 2.0.0
+
+The 1.x line has one open set of correctness bugs and a permissive API
+that leaked state into domain errors on non-list operations. 2.0.0 fixes
+those; the behaviors changed are:
+
+1. **`getOne()` no longer transitions the domain to `error`.** Previously
+   any adapter throw from `getOne` set `state: "error"` on the whole
+   domain, invalidating a healthy list view. Now it returns `null` and
+   logs at debug level. Callers relying on the error-state transition
+   must subscribe differently (wrap `getOne` or inspect adapter errors
+   directly).
+
+2. **`update(id, ...)` for an id absent from the cached list no longer
+   prepends a phantom row** on successful server response. The server
+   update is still applied (and `own:row:updated` emitted), but the list
+   stays as-is. Call `refresh()` to surface the row. Previously the row
+   was inserted at the top of the list.
+
+3. **`OwnsuiteContext.signal` is now populated by the manager on every
+   adapter call.** Adapters that declared `ctx: OwnsuiteContext` see no
+   compile break (the field was already allowed via the index
+   signature); adapters that want cancellation should now forward
+   `ctx.signal` to `fetch()`. Adapters that ignore it continue to work.
+
+4. **`createMockOwnedCollectionAdapter` rejects `create` payloads
+   containing `model_id`** by default. Tests that were relying on
+   passing a `model_id` at create time must either drop the field or
+   opt out via `rejectClientId: false` in the options. Rows with an
+   empty-string `model_id` in `seed` are also rejected.
+
+5. **Rollback is now per-row, not whole-list.** Behavioral semantics
+   are stricter: a failed `update` reverts only the updated row; a
+   failed `delete` re-inserts only the deleted row. If your app relied
+   on the whole-list-restore side effect (e.g., to drop rows added by
+   a concurrent refresh that raced with a failing mutation), note this
+   subtle shift.
+
+6. **`reset()` now emits `domain:state:changed`** for each domain that
+   transitions out of a non-initializing state. Subscribers that count
+   events may see more of them.
+
+Non-breaking additions: `suite.destroy()`, `suite.errors()`,
+`suite.hasErrors()`, `suite.setContext(ctx, { replace, refresh })`,
+`manager.isDestroyed`, `manager.replaceContext(ctx)`.
+
 ## Differences from `@marianmeres/ecsuite`
 
 | Aspect | ecsuite | ownsuite |

package/API.md

@@ -98,17 +98,44 @@ Initialize all registered domains (or a subset). Runs in parallel. Individual do
 
 **Returns:** `Promise<void>`
 
-#### `suite.setContext(ctx)`
+#### `suite.setContext(ctx, options?)`
 
-Merge `ctx` into the shared context and propagate to every registered domain manager.
+Update the shared context and propagate to every registered domain manager.
 
 **Parameters:**
 - `ctx` (`OwnsuiteContext`)
+- `options` (`SetContextOptions`, optional)
+  - `options.replace` (`boolean`, default `false`) — replace the context wholesale instead of merging. Use this when the subject changes and previous per-subject keys must not leak into adapter calls.
+  - `options.refresh` (`boolean`, default `false`) — fire-and-forget `refresh()` on every domain after the context change. Recommended when `subjectId` changes so stale per-subject caches are cleared.
+
+**Example:**
+```typescript
+// Subject change: drop old context + re-fetch every domain
+suite.setContext({ subjectId: newId }, { replace: true, refresh: true });
+```
 
 #### `suite.getContext(): OwnsuiteContext`
 
 Snapshot of current shared context.
 
+#### `suite.errors(): Record<string, DomainError>`
+
+Map of currently-errored domains to their `DomainError`. Empty if none are in error state. Use after `initialize()` to detect silent boot failures.
+
+#### `suite.hasErrors(): boolean`
+
+True if any domain is currently in `error` state.
+
+#### `suite.destroy()`
+
+Dispose of the suite: destroys every registered domain (which aborts in-flight adapter requests), clears the domain map, and unsubscribes every listener attached to the internal pubsub. Safe to call multiple times.
+
+Subsequent method calls are best-effort no-ops (e.g., `initialize()` returns immediately, `setContext()` ignores the call). `registerDomain()` throws after destroy.
+
+#### `suite.isDestroyed: boolean`
+
+True after `destroy()` has been called.
+
 #### `suite.on(type, subscriber)`
 
 Subscribe to a specific event type.
@@ -177,7 +204,9 @@ Re-fetch the list. Same as `initialize` but re-entrant; accepts an adapter-speci
 
 #### `manager.getOne(id): Promise<TRow | null>`
 
-Fetch a single row by id. Does **not** mutate the list. Returns `null` on error and transitions the manager to `error` state.
+Fetch a single row by id. Does **not** mutate the list and does **not** transition the domain to `error` on failure — a 404 for an un-owned row or a network blip on a read shouldn't invalidate a healthy list view. Returns `null` on any failure (including missing adapter). Emits `own:row:fetched` on success.
+
+Callers that need error detail should wrap this method and inspect the adapter error themselves.
 
 #### `manager.create(data): Promise<TRow | null>`
 
@@ -190,15 +219,19 @@ Create a new row. On success, prepends the server-returned row to the list. On f
 
 #### `manager.update(id, data): Promise<TRow | null>`
 
-Update a row. Optimistically merges `data` into the existing row; on server failure the list is rolled back to its pre-call state. On success, the server-returned row replaces the optimistic one.
+Update a row. Optimistically merges `data` into the existing row; on server failure the single row reverts to its pre-call value (other rows are untouched — including any added by an interleaved `refresh()`). On success, the server-returned row replaces the optimistic one.
+
+If `id` is **not** in the current cached list (filtered out by an active query, or not loaded), the optimistic step is a no-op AND the successful server response is **not** inserted — call `refresh()` if you want the row to appear. The `own:row:updated` event is emitted regardless.
 
 **Parameters:**
 - `id` (`string`)
 - `data` (`TUpdate`)
 
+Mutations serialize per-manager — a `create/update/delete` that starts while another is in-flight queues behind it.
+
 #### `manager.delete(id): Promise<boolean>`
 
-Delete a row. Optimistically removes it from the list; on server failure the list is rolled back.
+Delete a row. Optimistically removes it from the list; on server failure the single row is re-inserted at its original position (unless another op has since re-added it).
 
 **Returns:** `true` on success, `false` on failure.
 
@@ -214,13 +247,21 @@ Find a row by id in the current list without hitting the server.
 
 Swap or inspect the adapter at runtime.
 
-#### `manager.setContext(ctx)` / `manager.getContext()`
+#### `manager.setContext(ctx)` / `manager.replaceContext(ctx)` / `manager.getContext()`
 
-Per-manager context. `Ownsuite.setContext()` propagates to every manager.
+Per-manager context. `setContext` merges into the existing context; `replaceContext` replaces it wholesale. `Ownsuite.setContext()` propagates to every manager (with the same `{ replace }` option).
 
 #### `manager.reset()`
 
-Reset to `initializing` state.
+Reset to `initializing` state. Aborts any in-flight reads or mutations (their completions become no-ops) and emits `domain:state:changed`.
+
+#### `manager.destroy()`
+
+Abort in-flight operations, drop the adapter reference, and mark the manager as destroyed. Subsequent method calls are best-effort no-ops. Usually invoked via `Ownsuite.destroy()`, but safe to call directly.
+
+#### `manager.isDestroyed: boolean`
+
+True after `destroy()` has been called.
 
 ---
 
@@ -255,16 +296,26 @@ interface OwnsuiteDomainConfig<TRow, TCreate, TUpdate> {
 }
 ```
 
+### `SetContextOptions`
+
+```typescript
+interface SetContextOptions {
+	replace?: boolean;   // default: false — merge into existing context
+	refresh?: boolean;   // default: false — fire refresh() on every domain
+}
+```
+
 ### `OwnsuiteContext`
 
 ```typescript
 interface OwnsuiteContext {
 	subjectId?: string;
+	signal?: AbortSignal;  // manager-injected, per-call
 	[key: string]: unknown;
 }
 ```
 
-Context passed to adapters. **`subjectId` is a hint only** — the server authoritatively resolves the owner from the authenticated JWT. The context object is the extension point for passing host-app data (correlation ids, feature flags, tenants) through adapter calls.
+Context passed to adapters. **`subjectId` is a hint only** — the server authoritatively resolves the owner from the authenticated JWT. **`signal` is injected by the manager** on every call; adapters should forward it to `fetch()` for cancellation on `reset()`/`destroy()`/read-supersede. The context object is also the extension point for passing host-app data (correlation ids, feature flags, tenants) through adapter calls.
 
 ### `OwnedCollectionAdapter<TRow, TCreate, TUpdate>`
 
@@ -383,9 +434,13 @@ interface MockAdapterOptions<TRow> {
 	failOn?: { list?: boolean; getOne?: boolean; create?: boolean; update?: boolean; delete?: boolean };
 	getRowId?: (row: TRow) => string;
 	newId?: () => string;
+	/** Reject create payloads containing `model_id` (default: true). */
+	rejectClientId?: boolean;
 }
 ```
 
+The mock adapter forwards `ctx.signal` — `delayMs` waits can be aborted mid-sleep so tests that assert on abort-supersede semantics run deterministically.
+
 ---
 
 ## Implementing a real adapter
@@ -393,27 +448,33 @@ interface MockAdapterOptions<TRow> {
 Point the adapter at your server's owner-scoped mount (typically `/api/<stack>/me/col/<entity>/...`). The server is responsible for `owner_id` enforcement — the client only talks to `/me/*`.
 
 ```typescript
-import type { OwnedCollectionAdapter } from "@marianmeres/ownsuite";
+import type { OwnedCollectionAdapter, OwnsuiteContext } from "@marianmeres/ownsuite";
 import { HTTP_ERROR } from "@marianmeres/http-utils";
 
 export function createRestAdapter(stack: string, entity: string): OwnedCollectionAdapter {
 	const base = `/api/${stack}/me/col/${entity}`;
-	const json = async <T>(method: string, url: string, body?: unknown): Promise<T> => {
+	const json = async <T>(
+		method: string,
+		url: string,
+		ctx: OwnsuiteContext,
+		body?: unknown,
+	): Promise<T> => {
 		const res = await fetch(url, {
 			method,
 			headers: { "content-type": "application/json" },
 			body: body === undefined ? undefined : JSON.stringify(body),
+			signal: ctx.signal, // forward manager-injected abort signal
 		});
 		if (!res.ok) throw new HTTP_ERROR.BadRequest(await res.text());
 		return await res.json();
 	};
 	return {
-		list: (_ctx) => json("GET", `${base}/mod`),
-		getOne: (id, _ctx) => json("GET", `${base}/mod/${id}`),
-		create: (data, _ctx) => json("POST", `${base}/mod`, data),
-		update: (id, data, _ctx) => json("PUT", `${base}/mod/${id}`, data),
-		delete: async (id, _ctx) => {
-			await json("DELETE", `${base}/mod/${id}`);
+		list: (ctx) => json("GET", `${base}/mod`, ctx),
+		getOne: (id, ctx) => json("GET", `${base}/mod/${id}`, ctx),
+		create: (data, ctx) => json("POST", `${base}/mod`, ctx, data),
+		update: (id, data, ctx) => json("PUT", `${base}/mod/${id}`, ctx, data),
+		delete: async (id, ctx) => {
+			await json("DELETE", `${base}/mod/${id}`, ctx);
 			return true;
 		},
 	};

package/README.md

@@ -16,11 +16,14 @@ Ownsuite gives front-end applications a uniform way to read, create, update and
 ## Features
 
 - **Generic domain managers** — register any owner-scoped collection by name; no hard-coded domain list
-- **Optimistic updates** — UI mutates immediately; the manager rolls back on server failure
+- **Optimistic updates** with per-row rollback — UI mutates immediately; failed ops revert just the affected row
+- **Race-safe concurrency** — mutations serialize; reads abort-supersede (a newer `refresh()` aborts an older one)
+- **AbortSignal plumbing** — every adapter call receives a per-operation signal, wired to `destroy()` and route-change cancellation
 - **Svelte-compatible stores** — every domain exposes a `subscribe()` method
 - **Adapter pattern** — plug in any HTTP/WebSocket/mock transport
 - **Event system** — subscribe to list fetches, row CRUD, and lifecycle transitions
-- **Mock adapter** — in-memory fixture for tests, with configurable failure injection
+- **Mock adapter** — in-memory fixture for tests, with configurable failure injection and latency
+- **Explicit lifecycle** — `suite.destroy()` aborts in-flight work and releases listeners cleanly
 
 ## Installation
 
@@ -65,6 +68,12 @@ suite.domain("orders").subscribe((s) => {
 await suite.domain("orders").create({ data: { total: 99 } });
 await suite.domain("orders").update(id, { data: { total: 120 } });
 await suite.domain("orders").delete(id);
+
+// 6. Detect silent boot failures
+if (suite.hasErrors()) console.warn("boot errors:", suite.errors());
+
+// 7. Clean up on teardown (SPA unmount, tenant switch, test harness)
+suite.destroy();
 ```
 
 ## Architecture at a glance
@@ -103,6 +112,16 @@ await suite.domain("notes").update("1", { data: { label: "new" } });
 
 See [API.md](API.md) for complete API documentation.
 
+## Breaking changes in 2.0.0
+
+- `getOne()` no longer transitions the domain to `error` on failure — it returns `null` quietly.
+- `update(id, ...)` for an id absent from the cached list no longer prepends a phantom row — the server update is still applied server-side (event emitted), but the list stays unchanged. Call `refresh()` to surface it.
+- `createMockOwnedCollectionAdapter` rejects `create` payloads containing a client-supplied `model_id` by default (opt out with `rejectClientId: false`).
+- Rollback on failed `update`/`delete` is now per-row, not whole-list. Interleaved refresh results are preserved.
+- `reset()` now emits `domain:state:changed`.
+
+See [AGENTS.md](AGENTS.md) "Breaking changes in 2.0.0" for the full list and migration notes.
+
 ## License
 
 [MIT](LICENSE)

package/dist/adapters/mock.d.ts

@@ -2,9 +2,10 @@
  * @module adapters/mock
  *
  * In-memory mock adapter for testing. Stores rows in a local Map keyed by
- * `model_id`, applies an optional latency, and can inject failures. Useful
- * for unit tests without a real server, and for exercising the manager's
- * optimistic-update rollback path deterministically.
+ * `model_id`, applies an optional latency, honors `ctx.signal` for
+ * cancellation, and can inject failures. Useful for unit tests without a
+ * real server, and for exercising the manager's optimistic-update rollback
+ * path deterministically.
  */
 import type { OwnedCollectionAdapter } from "../types/adapter.js";
 export interface MockAdapterOptions<TRow> {
@@ -24,6 +25,12 @@ export interface MockAdapterOptions<TRow> {
     getRowId?: (row: TRow) => string;
     /** Factory for new row ids (defaults to `crypto.randomUUID`). */
     newId?: () => string;
+    /**
+     * If true (default), `create` rejects payloads that include a
+     * `model_id` — matches the production server contract where the server
+     * is authoritative over ids. Set to `false` to bypass for legacy tests.
+     */
+    rejectClientId?: boolean;
 }
 /**
  * Build an in-memory `OwnedCollectionAdapter` for tests.

package/dist/adapters/mock.js

@@ -2,68 +2,122 @@
  * @module adapters/mock
  *
  * In-memory mock adapter for testing. Stores rows in a local Map keyed by
- * `model_id`, applies an optional latency, and can inject failures. Useful
- * for unit tests without a real server, and for exercising the manager's
- * optimistic-update rollback path deterministically.
+ * `model_id`, applies an optional latency, honors `ctx.signal` for
+ * cancellation, and can inject failures. Useful for unit tests without a
+ * real server, and for exercising the manager's optimistic-update rollback
+ * path deterministically.
  */
 const defaultGetRowId = (r) => {
     const rec = r;
     const id = rec.model_id ?? rec.id;
-    if (typeof id !== "string") {
-        throw new Error("MockAdapter: row has no string `model_id` or `id`; pass `getRowId`");
+    if (typeof id !== "string" || id === "") {
+        throw new Error("MockAdapter: row has no non-empty string `model_id` or `id`; pass `getRowId`");
     }
     return id;
 };
+function safeClone(value) {
+    if (value === null || value === undefined)
+        return value;
+    try {
+        return structuredClone(value);
+    }
+    catch {
+        try {
+            return JSON.parse(JSON.stringify(value));
+        }
+        catch {
+            return value;
+        }
+    }
+}
+/** Throw an AbortError-shaped error if the signal was aborted. */
+function throwIfAborted(signal) {
+    if (signal?.aborted) {
+        const reason = signal.reason;
+        const err = new Error(typeof reason === "string" ? `mock: aborted (${reason})` : "mock: aborted");
+        err.name = "AbortError";
+        throw err;
+    }
+}
 /**
  * Build an in-memory `OwnedCollectionAdapter` for tests.
  */
 export function createMockOwnedCollectionAdapter(options = {}) {
-    const { delayMs = 0, failOn = {}, getRowId = defaultGetRowId, newId = () => crypto.randomUUID(), } = options;
+    const { delayMs = 0, failOn = {}, getRowId = defaultGetRowId, newId = () => crypto.randomUUID(), rejectClientId = true, } = options;
     const store = new Map();
     for (const r of options.seed ?? [])
         store.set(getRowId(r), r);
-    const sleep = () => delayMs > 0
-        ? new Promise((res) => setTimeout(res, delayMs))
-        : Promise.resolve();
+    /**
+     * Latency helper that also observes abort. Returns when either the
+     * delay elapses or the signal fires — the caller then checks
+     * `throwIfAborted` to convert to an error.
+     */
+    const sleep = (signal) => {
+        if (delayMs <= 0)
+            return Promise.resolve();
+        return new Promise((resolve) => {
+            const t = setTimeout(resolve, delayMs);
+            signal?.addEventListener("abort", () => {
+                clearTimeout(t);
+                resolve();
+            }, { once: true });
+        });
+    };
     return {
-        async list(_ctx, _query) {
-            await sleep();
+        async list(ctx, _query) {
+            await sleep(ctx.signal);
+            throwIfAborted(ctx.signal);
             if (failOn.list)
                 throw new Error("mock: list failed");
-            const rows = [...store.values()];
+            const rows = [...store.values()].map((r) => safeClone(r));
             return { data: rows, meta: { total: rows.length } };
         },
-        async getOne(id, _ctx) {
-            await sleep();
+        async getOne(id, ctx) {
+            await sleep(ctx.signal);
+            throwIfAborted(ctx.signal);
             if (failOn.getOne)
                 throw new Error("mock: getOne failed");
             const row = store.get(id);
             if (!row)
                 throw new Error(`mock: row ${id} not found`);
-            return { data: row };
+            return { data: safeClone(row) };
         },
-        async create(data, _ctx) {
-            await sleep();
+        async create(data, ctx) {
+            await sleep(ctx.signal);
+            throwIfAborted(ctx.signal);
             if (failOn.create)
                 throw new Error("mock: create failed");
+            const input = data;
+            if (rejectClientId &&
+                input !== null &&
+                typeof input === "object" &&
+                "model_id" in input) {
+                throw new Error("mock: create payload must not include `model_id` — the server assigns the id");
+            }
             const id = newId();
-            const row = { ...data, model_id: id };
+            const cloned = safeClone(data);
+            const row = { ...cloned, model_id: id };
             store.set(id, row);
-            return { data: row };
+            return { data: safeClone(row) };
         },
-        async update(id, data, _ctx) {
-            await sleep();
+        async update(id, data, ctx) {
+            await sleep(ctx.signal);
+            throwIfAborted(ctx.signal);
             if (failOn.update)
                 throw new Error("mock: update failed");
             const existing = store.get(id);
             if (!existing)
                 throw new Error(`mock: row ${id} not found`);
-            const merged = { ...existing, ...data };
+            const merged = {
+                ...existing,
+                ...safeClone(data),
+            };
             store.set(id, merged);
-            return { data: merged };
+            return { data: safeClone(merged) };
         },
-        async delete(id, _ctx) {
-            await sleep();
+        async delete(id, ctx) {
+            await sleep(ctx.signal);
+            throwIfAborted(ctx.signal);
             if (failOn.delete)
                 throw new Error("mock: delete failed");
             return store.delete(id);