@pyreon/reactivity 0.24.5 → 0.24.6

package/src/tests/manifest-snapshot.test.ts

@@ -1,96 +0,0 @@
-import {
-  renderApiReferenceEntries,
-  renderLlmsFullSection,
-  renderLlmsTxtLine,
-} from '@pyreon/manifest'
-import reactivityManifest from '../manifest'
-
-describe('gen-docs — reactivity snapshot', () => {
-  it('renders @pyreon/reactivity to its expected llms.txt bullet', () => {
-    expect(renderLlmsTxtLine(reactivityManifest)).toMatchInlineSnapshot(`"- @pyreon/reactivity — Fine-grained reactivity: signal, computed, effect, batch, onCleanup, createStore, watch, createResource, untrack. Pyreon signals are NOT \`.value\` getters (Vue ref) or \`[state, setState]\` tuples (React useState). The signal IS the function: \`count()\` reads, \`count.set(v)\` writes, \`count.update(fn)\` derives. This is the #1 confusion for developers coming from other frameworks."`)
-  })
-
-  it('renders @pyreon/reactivity to its expected llms-full.txt section — full body snapshot', () => {
-    expect(renderLlmsFullSection(reactivityManifest)).toMatchInlineSnapshot(`
-      "## @pyreon/reactivity — Complete API
-
-      Standalone reactive primitives — no DOM, no JSX, no framework dependency. Signals are callable functions (\`count()\` to read, \`count.set(5)\` to write, \`count.update(n => n + 1)\` to derive). Subscribers tracked via \`Set<() => void>\`; batch uses pointer swap for zero-allocation grouping. Every other Pyreon package builds on this foundation but \`@pyreon/reactivity\` can be used independently in Node, Bun, or browser scripts without any framework overhead.
-
-      \`\`\`typescript
-      import { signal, computed, effect, batch, onCleanup, createStore, watch, untrack } from "@pyreon/reactivity"
-
-      // signal<T>() — callable function, NOT .value getter/setter
-      const count = signal(0)
-      count()              // read (subscribes)
-      count.set(5)         // write
-      count.update(n => n + 1)  // derive
-      count.peek()         // read WITHOUT subscribing
-
-      // computed<T>() — auto-tracked, memoized
-      const doubled = computed(() => count() * 2)
-
-      // effect() — re-runs when dependencies change
-      const dispose = effect(() => {
-        console.log("Count:", count())
-        onCleanup(() => console.log("cleaning up"))
-      })
-
-      // batch() — group 3+ writes into a single notification pass
-      batch(() => {
-        count.set(10)
-        count.set(20)  // subscribers fire once, with 20
-      })
-
-      // watch(source, callback) — explicit dependency tracking
-      watch(() => count(), (next, prev) => {
-        console.log(\`changed from \${prev} to \${next}\`)
-      })
-
-      // createStore() — deeply reactive object (proxy-based)
-      const store = createStore({ todos: [{ text: 'Learn Pyreon', done: false }] })
-      store.todos[0].done = true  // fine-grained update, no immer needed
-
-      // untrack() — read signals without subscribing
-      effect(() => {
-        const current = count()
-        const other = untrack(() => otherSignal())  // won't re-run when otherSignal changes
-      })
-      \`\`\`
-
-      > **Signals are callable functions**: Pyreon signals are NOT \`.value\` getters (Vue ref) or \`[state, setState]\` tuples (React useState). The signal IS the function: \`count()\` reads, \`count.set(v)\` writes, \`count.update(fn)\` derives. This is the #1 confusion for developers coming from other frameworks.
-      >
-      > **No dependency arrays**: \`effect()\` and \`computed()\` auto-track dependencies on each execution — no \`[dep1, dep2]\` array needed. Every signal read inside the body is a tracked dependency. This means conditional reads (\`if (cond()) { return x() }\`) only track \`x\` when \`cond()\` is true.
-      >
-      > **Standalone**: \`@pyreon/reactivity\` has zero dependencies. Use it in Node/Bun scripts, edge workers, or any JavaScript environment without pulling in the rest of the framework. \`@pyreon/core\` and \`@pyreon/runtime-dom\` build on it but are not required.
-      "
-    `)
-  })
-
-  it('renders @pyreon/reactivity to MCP api-reference entries — one per api[] item', () => {
-    const record = renderApiReferenceEntries(reactivityManifest)
-    // 26 entries: 8 original (signal/computed/effect/batch/onCleanup/watch/
-    // createStore/untrack) + 1 createResource (PR #459) + 13 from M1
-    // enrichment (renderEffect, nextTick, createSelector, cell, reconcile,
-    // isStore, effectScope, getCurrentScope, setCurrentScope,
-    // onSignalUpdate, inspectSignal, why, setErrorHandler) + 3 from M4
-    // Vue parity (markRaw, shallowReactive, onScopeDispose) + 1
-    // getReactiveTrace (reactive-trace error-report enrichment) + 2
-    // reactive-devtools bridge (activateReactiveDevtools, getReactiveGraph).
-    expect(Object.keys(record).length).toBe(28)
-    expect(Object.keys(record)).toContain('reactivity/signal')
-    expect(Object.keys(record)).toContain('reactivity/createResource')
-    // Spot-check the flagship API — signal is the core primitive
-    const signal = record['reactivity/signal']!
-    expect(signal.mistakes?.split('\n').length).toBe(6)
-    expect(signal.notes).toContain('CALLABLE FUNCTION')
-    // Spot-check createResource has the dispose mistake (regression for H3)
-    const resource = record['reactivity/createResource']!
-    expect(resource.mistakes).toContain('Forgetting `dispose()`')
-    // Spot-check newly-added entries surface their key foot-guns
-    expect(record['reactivity/createSelector']!.mistakes).toContain(
-      'every row subscribes to source',
-    )
-    expect(record['reactivity/effectScope']!.mistakes).toContain('leak')
-    expect(record['reactivity/cell']!.notes).toContain('NOT callable')
-  })
-})

package/src/tests/reactive-devtools-treeshake.test.ts

@@ -1,48 +0,0 @@
-/**
- * Tree-shake regression lock for the reactive-devtools instrumentation.
- *
- * `signal()` / `computed()` / `effect()` gained `_rdRegister` /
- * `_rdRecordFire` calls on their hot paths, each inside the existing
- * `process.env.NODE_ENV !== 'production'` gate. The framework's perf
- * claims rest on those calls compiling to NOTHING in production builds
- * (benchmarks run prod bundles). This test bundles each instrumented
- * module through esbuild with the prod define + minify (what every
- * modern bundler does for a release build) and asserts every trace of
- * the devtools bridge is gone — then bundles it dev-mode and asserts
- * the instrumentation IS present, so the test can't pass for the wrong
- * reason (the PR #200 bisect lesson).
- */
-import { build } from 'esbuild'
-import { dirname, join } from 'node:path'
-import { fileURLToPath } from 'node:url'
-import { describe, expect, it } from 'vitest'
-
-const SRC = join(dirname(fileURLToPath(import.meta.url)), '..')
-const MARKERS = /RecordFire|RdRegister|pxRdId|reactive-devtools/
-
-async function bundle(entry: string, env: 'production' | 'development') {
-  const r = await build({
-    entryPoints: [join(SRC, entry)],
-    bundle: true,
-    minify: true,
-    write: false,
-    format: 'esm',
-    logLevel: 'silent',
-    define: { 'process.env.NODE_ENV': JSON.stringify(env) },
-  })
-  return r.outputFiles[0]!.text
-}
-
-describe('reactive-devtools — prod tree-shake', () => {
-  for (const entry of ['signal.ts', 'computed.ts', 'effect.ts']) {
-    it(`${entry}: instrumentation is fully eliminated in production`, async () => {
-      const prod = await bundle(entry, 'production')
-      expect(prod).not.toMatch(MARKERS)
-    })
-
-    it(`${entry}: instrumentation IS present in development (anti-false-pass)`, async () => {
-      const dev = await bundle(entry, 'development')
-      expect(dev).toMatch(MARKERS)
-    })
-  }
-})

package/src/tests/reactive-devtools.test.ts

@@ -1,296 +0,0 @@
-import { afterEach, describe, expect, it } from 'vitest'
-import { computed } from '../computed'
-import { effect } from '../effect'
-import {
-  _rdPrune,
-  activateReactiveDevtools,
-  deactivateReactiveDevtools,
-  getReactiveFires,
-  getReactiveGraph,
-  isReactiveDevtoolsActive,
-} from '../reactive-devtools'
-import { signal } from '../signal'
-
-afterEach(() => {
-  deactivateReactiveDevtools()
-})
-
-describe('reactive-devtools — opt-in contract', () => {
-  it('is inactive by default and tracks nothing until activated', () => {
-    expect(isReactiveDevtoolsActive()).toBe(false)
-    const s = signal(1)
-    s.set(2)
-    const c = computed(() => s() + 1)
-    c()
-    expect(getReactiveGraph().nodes).toEqual([])
-    expect(getReactiveFires()).toEqual([])
-  })
-
-  it('activate() then deactivate() is idempotent and clears state', () => {
-    activateReactiveDevtools()
-    expect(isReactiveDevtoolsActive()).toBe(true)
-    activateReactiveDevtools() // idempotent
-    expect(isReactiveDevtoolsActive()).toBe(true)
-    const s = signal(0, { name: 'x' })
-    s()
-    expect(getReactiveGraph().nodes.length).toBe(1)
-    deactivateReactiveDevtools()
-    expect(isReactiveDevtoolsActive()).toBe(false)
-    expect(getReactiveGraph().nodes).toEqual([])
-  })
-})
-
-describe('reactive-devtools — node registry', () => {
-  it('registers a named signal with kind + value preview', () => {
-    activateReactiveDevtools()
-    const count = signal(42, { name: 'count' })
-    void count()
-    const g = getReactiveGraph()
-    const node = g.nodes.find((n) => n.name === 'count')
-    expect(node).toBeDefined()
-    expect(node!.kind).toBe('signal')
-    expect(node!.value).toBe('42')
-  })
-
-  it('synthesizes a label for anonymous derived/effect nodes', () => {
-    activateReactiveDevtools()
-    const s = signal(1)
-    const d = computed(() => s() * 2)
-    void d()
-    effect(() => void s())
-    const g = getReactiveGraph()
-    expect(g.nodes.some((n) => n.kind === 'derived' && /^derived#\d+$/.test(n.name))).toBe(true)
-    expect(g.nodes.some((n) => n.kind === 'effect' && /^effect#\d+$/.test(n.name))).toBe(true)
-  })
-
-  it('previews non-primitive signal values without throwing', () => {
-    activateReactiveDevtools()
-    const obj = signal({ a: 1, b: 2 }, { name: 'o' })
-    void obj()
-    const arr = signal([1, 2, 3], { name: 'arr' })
-    void arr()
-    const g = getReactiveGraph()
-    expect(g.nodes.find((n) => n.name === 'o')!.value).toContain('{')
-    expect(g.nodes.find((n) => n.name === 'arr')!.value).toBe('Array(3)')
-  })
-})
-
-describe('reactive-devtools — edges from live subscriber sets', () => {
-  it('captures signal → derived → effect edges', () => {
-    activateReactiveDevtools()
-    const s = signal(1, { name: 's' })
-    const d = computed(() => s() + 1)
-    let seen = 0
-    effect(() => {
-      seen = d()
-    })
-    expect(seen).toBe(2)
-
-    const g = getReactiveGraph()
-    const sId = g.nodes.find((n) => n.name === 's')!.id
-    const dNode = g.nodes.find((n) => n.kind === 'derived')!
-    const eNode = g.nodes.find((n) => n.kind === 'effect')!
-
-    // s is read by d; d is read by the effect.
-    expect(g.edges).toContainEqual({ from: sId, to: dNode.id })
-    expect(g.edges).toContainEqual({ from: dNode.id, to: eNode.id })
-  })
-
-  it('reflects subscriber count + reacts to writes (fires + lastFire)', () => {
-    activateReactiveDevtools()
-    const s = signal(0, { name: 'live' })
-    effect(() => void s())
-    s.set(1)
-    s.set(2)
-    const node = getReactiveGraph().nodes.find((n) => n.name === 'live')!
-    expect(node.subscribers).toBe(1)
-    expect(node.fires).toBe(2)
-    expect(node.lastFire).not.toBeNull()
-  })
-})
-
-describe('reactive-devtools — value preview branches', () => {
-  it('previews every primitive + edge shape', () => {
-    activateReactiveDevtools()
-    const cases: [string, unknown, (v: string) => void][] = [
-      ['s_str', 'hello', (v) => expect(v).toBe('"hello"')],
-      ['s_num', 7, (v) => expect(v).toBe('7')],
-      ['s_bool', true, (v) => expect(v).toBe('true')],
-      ['s_big', 10n, (v) => expect(v).toBe('10')],
-      ['s_null', null, (v) => expect(v).toBe('null')],
-      ['s_undef', undefined, (v) => expect(v).toBe('undefined')],
-      ['s_sym', Symbol('z'), (v) => expect(v).toContain('Symbol')],
-      ['s_fn', function named() {}, (v) => expect(v).toContain('[Function named]')],
-      [
-        's_long',
-        'x'.repeat(200),
-        (v) => expect(v.endsWith('…') && v.length <= 61).toBe(true),
-      ],
-    ]
-    for (const [name, val] of cases) {
-      const s = signal(val, { name })
-      void s()
-    }
-    const g = getReactiveGraph()
-    for (const [name, , assertFn] of cases) {
-      assertFn(g.nodes.find((n) => n.name === name)!.value)
-    }
-  })
-
-  it('never throws on a value whose property access throws', () => {
-    activateReactiveDevtools()
-    const hostile = new Proxy(
-      {},
-      {
-        ownKeys() {
-          throw new Error('boom')
-        },
-        get() {
-          throw new Error('boom')
-        },
-      },
-    )
-    const s = signal(hostile, { name: 'hostile' })
-    void s()
-    const node = getReactiveGraph().nodes.find((n) => n.name === 'hostile')!
-    expect(typeof node.value).toBe('string')
-  })
-
-  it('handles a value whose ownKeys throws but ctor read succeeds', () => {
-    activateReactiveDevtools()
-    // `.constructor` resolves fine (default get), but Object.keys() trips
-    // the inner keys try/catch.
-    const keysHostile = new Proxy(
-      {},
-      {
-        ownKeys() {
-          throw new Error('no keys')
-        },
-      },
-    )
-    const s = signal(keysHostile, { name: 'kh' })
-    void s()
-    const node = getReactiveGraph().nodes.find((n) => n.name === 'kh')!
-    expect(node.value).toBe('{}')
-  })
-
-  it('effect nodes carry no value preview', () => {
-    activateReactiveDevtools()
-    const s = signal(1)
-    effect(() => void s())
-    const eff = getReactiveGraph().nodes.find((n) => n.kind === 'effect')!
-    expect(eff.value).toBe('')
-  })
-})
-
-describe('reactive-devtools — resilience', () => {
-  it('a stale __pxRdId (registry cleared, node re-fires) is buffered, not crashed', () => {
-    activateReactiveDevtools()
-    const s = signal(0, { name: 'stale' })
-    void s()
-    deactivateReactiveDevtools()
-    // Re-activate: _byId is empty but `s` still carries its old __pxRdId.
-    activateReactiveDevtools()
-    expect(() => s.set(1)).not.toThrow()
-    // Fire is still buffered even though no record exists for the id.
-    expect(getReactiveFires().length).toBe(1)
-    // …and it does not appear as a node (record was cleared).
-    expect(getReactiveGraph().nodes.find((n) => n.name === 'stale')).toBeUndefined()
-  })
-
-  it('getReactiveFires is empty before any fire', () => {
-    activateReactiveDevtools()
-    expect(getReactiveFires()).toEqual([])
-  })
-
-  it('_rdPrune removes a record (FinalizationRegistry callback path)', () => {
-    activateReactiveDevtools()
-    const s = signal(1, { name: 'pruneme' })
-    void s()
-    const before = getReactiveGraph().nodes.find((n) => n.name === 'pruneme')
-    expect(before).toBeDefined()
-    _rdPrune(before!.id)
-    expect(getReactiveGraph().nodes.find((n) => n.name === 'pruneme')).toBeUndefined()
-  })
-})
-
-describe('reactive-devtools — bounded fire timeline', () => {
-  it('records signal writes + computed recomputes in order', () => {
-    activateReactiveDevtools()
-    const s = signal(0, { name: 't' })
-    const d = computed(() => s() + 1)
-    effect(() => void d())
-    s.set(1)
-    s.set(2)
-    const fires = getReactiveFires()
-    expect(fires.length).toBeGreaterThanOrEqual(2)
-    // monotonic, non-decreasing timestamps
-    for (let i = 1; i < fires.length; i++) {
-      expect(fires[i]!.ts).toBeGreaterThanOrEqual(fires[i - 1]!.ts)
-    }
-  })
-
-  it('caps the ring buffer (no unbounded growth)', () => {
-    activateReactiveDevtools()
-    const s = signal(0, { name: 'spin' })
-    for (let i = 1; i <= 700; i++) s.set(i)
-    expect(getReactiveFires().length).toBeLessThanOrEqual(512)
-  })
-})
-
-describe('reactive-devtools — preview() edge branches (coverage lock)', () => {
-  // Lifts reactive-devtools.ts off the 8 uncovered `preview()` /
-  // performance-fallback branches that landed with #703 and dragged
-  // @pyreon/reactivity global branch coverage to 89.75% (< the 90%
-  // gate). With these: 90.7% (478/527) — the Coverage CI gate passes.
-  const valueOf = (name: string) =>
-    getReactiveGraph().nodes.find((n) => n.name === name)?.value
-
-  it('anonymous function → [Function anonymous] (|| fallback arm)', () => {
-    activateReactiveDevtools()
-    const s = signal<unknown>((() => () => {})(), { name: 'anonFn' })
-    void s()
-    expect(valueOf('anonFn')).toBe('[Function anonymous]')
-  })
-
-  it('plain object whose ctor IS Object → no ctor prefix (empty-arm)', () => {
-    activateReactiveDevtools()
-    const s = signal<unknown>({ a: 1 }, { name: 'plainObj' })
-    void s()
-    expect(valueOf('plainObj')).toBe('{a}')
-  })
-
-  it('object with more than 3 keys → truncates with ellipsis', () => {
-    activateReactiveDevtools()
-    const s = signal<unknown>({ a: 1, b: 2, c: 3, d: 4 }, { name: 'bigObj' })
-    void s()
-    expect(valueOf('bigObj')).toBe('{a, b, c, …}')
-  })
-
-  it('classed object → keeps the ctor prefix (truthy arm)', () => {
-    class Box {
-      x = 1
-    }
-    activateReactiveDevtools()
-    const s = signal<unknown>(new Box(), { name: 'boxObj' })
-    void s()
-    expect(valueOf('boxObj')).toBe('Box {x}')
-  })
-
-  it('records the Date.now fallback when performance is unavailable', () => {
-    const realPerf = globalThis.performance
-    try {
-      // Exercise the `typeof performance === 'undefined'` defensive arm.
-      delete (globalThis as { performance?: unknown }).performance
-      activateReactiveDevtools()
-      const s = signal(0, { name: 'noPerf' })
-      void s()
-      expect(() => s.set(1)).not.toThrow()
-      const fires = getReactiveFires()
-      expect(fires.length).toBeGreaterThanOrEqual(1)
-      expect(typeof fires[0]!.ts).toBe('number')
-    } finally {
-      ;(globalThis as { performance?: unknown }).performance = realPerf
-    }
-  })
-})

package/src/tests/reactive-trace.test.ts

@@ -1,102 +0,0 @@
-import { clearReactiveTrace, getReactiveTrace } from '../reactive-trace'
-import { signal } from '../signal'
-
-describe('reactive-trace ring buffer', () => {
-  beforeEach(() => clearReactiveTrace())
-
-  test('empty before any write', () => {
-    expect(getReactiveTrace()).toEqual([])
-  })
-
-  test('records writes chronologically with name + previews', () => {
-    const count = signal(0, { name: 'count' })
-    count.set(1)
-    count.set(2)
-    const trace = getReactiveTrace()
-    expect(trace).toHaveLength(2)
-    expect(trace[0]).toMatchObject({ name: 'count', prev: '0', next: '1' })
-    expect(trace[1]).toMatchObject({ name: 'count', prev: '1', next: '2' })
-    expect(trace[0]!.timestamp).toBeTypeOf('number')
-  })
-
-  test('no-op writes (Object.is equal) are not recorded', () => {
-    const s = signal(5, { name: 's' })
-    s.set(5) // same value — _set returns early before the recorder
-    expect(getReactiveTrace()).toEqual([])
-    s.set(6)
-    expect(getReactiveTrace()).toHaveLength(1)
-  })
-
-  test('anonymous signals record name: undefined', () => {
-    const s = signal('a')
-    s.set('b')
-    const trace = getReactiveTrace()
-    expect(trace[0]!.name).toBeUndefined()
-    expect(trace[0]).toMatchObject({ prev: '"a"', next: '"b"' })
-  })
-
-  test('previews are bounded and never throw on hostile values', () => {
-    const s = signal<unknown>(null, { name: 'hostile' })
-    // getter that throws
-    const evil = {
-      get boom() {
-        throw new Error('nope')
-      },
-    }
-    s.set(evil)
-    // circular
-    const circ: Record<string, unknown> = {}
-    circ.self = circ
-    s.set(circ)
-    // huge string
-    s.set('x'.repeat(5000))
-    const trace = getReactiveTrace()
-    expect(trace).toHaveLength(3)
-    for (const e of trace) {
-      // Each preview stays bounded (PREVIEW_MAX=80 + ellipsis).
-      expect(e.prev.length).toBeLessThanOrEqual(81)
-      expect(e.next.length).toBeLessThanOrEqual(81)
-    }
-    // The huge-string write got truncated with an ellipsis marker.
-    expect(trace[2]!.next.endsWith('…')).toBe(true)
-  })
-
-  test('object preview shows constructor + shallow keys, not full JSON', () => {
-    class Box {
-      a = 1
-      b = 2
-    }
-    const s = signal<unknown>(0, { name: 'o' })
-    s.set(new Box())
-    s.set({ x: 1, y: 2, z: 3 })
-    const trace = getReactiveTrace()
-    expect(trace[0]!.next).toContain('Box')
-    expect(trace[1]!.next).toContain('x, y, z')
-  })
-
-  test('ring buffer is bounded at 50 — oldest evicted, order preserved', () => {
-    const s = signal(0, { name: 'ring' })
-    for (let i = 1; i <= 70; i++) s.set(i)
-    const trace = getReactiveTrace()
-    expect(trace).toHaveLength(50)
-    // Oldest surviving write is the 21st (writes 1..20 evicted).
-    expect(trace[0]).toMatchObject({ prev: '20', next: '21' })
-    expect(trace[49]).toMatchObject({ prev: '69', next: '70' })
-  })
-
-  test('returned array is a copy — mutating it does not affect the buffer', () => {
-    const s = signal(0, { name: 'c' })
-    s.set(1)
-    const a = getReactiveTrace()
-    a.push({ name: 'fake', prev: 'x', next: 'y', timestamp: 0 })
-    expect(getReactiveTrace()).toHaveLength(1)
-  })
-
-  test('clearReactiveTrace resets to empty', () => {
-    const s = signal(0, { name: 'c' })
-    s.set(1)
-    expect(getReactiveTrace()).toHaveLength(1)
-    clearReactiveTrace()
-    expect(getReactiveTrace()).toEqual([])
-  })
-})

package/src/tests/reconcile-security.test.ts

@@ -1,45 +0,0 @@
-import { reconcile } from '../reconcile'
-import { createStore } from '../store'
-
-// Regression: prototype-pollution hardening for the documented
-// "apply an untrusted API response straight into a store" path.
-// `JSON.parse('{"__proto__":{…}}')` produces an OWN enumerable
-// `__proto__` key that `Object.keys` returns — the canonical
-// merge-path pollution vector. Both `reconcile()` and the store
-// proxy `set` trap must refuse the dangerous keys.
-describe('reconcile / store — prototype pollution hardening', () => {
-  afterEach(() => {
-    // Scrub any pollution so a failure here can't cascade into other suites.
-    delete (Object.prototype as Record<string, unknown>).polluted
-    delete (Object.prototype as Record<string, unknown>).isAdmin
-  })
-
-  test('reconcile ignores a JSON __proto__ payload (no Object.prototype mutation)', () => {
-    const state = createStore<Record<string, unknown>>({ user: { name: 'a' } })
-    const malicious = JSON.parse('{"__proto__":{"polluted":"yes"},"user":{"name":"b"}}')
-
-    reconcile(malicious, state)
-
-    expect(({} as Record<string, unknown>).polluted).toBeUndefined()
-    expect(Object.getPrototypeOf(state)).toBe(Object.prototype)
-    // Legitimate data still reconciled.
-    expect((state.user as { name: string }).name).toBe('b')
-  })
-
-  test('reconcile ignores nested constructor.prototype payload', () => {
-    const state = createStore<Record<string, unknown>>({})
-    const malicious = JSON.parse('{"constructor":{"prototype":{"isAdmin":true}}}')
-
-    reconcile(malicious, state)
-
-    expect(({} as Record<string, unknown>).isAdmin).toBeUndefined()
-  })
-
-  test('store proxy set trap refuses __proto__ assignment', () => {
-    const state = createStore<Record<string, unknown>>({})
-    ;(state as Record<string, unknown>).__proto__ = { polluted: 'yes' }
-
-    expect(({} as Record<string, unknown>).polluted).toBeUndefined()
-    expect(Object.getPrototypeOf(state)).toBe(Object.prototype)
-  })
-})