@ramonclaudio/create-vexpo 0.1.0 → 0.1.1

package/dist/templates/default/__tests__/convex/users-restoreAccount.test.ts

@@ -0,0 +1,96 @@
+/// <reference types="vite/client" />
+/**
+ * Real convexTest coverage for `users.restoreAccount` (authMutation).
+ *
+ * restoreAccount lifts a pending soft-delete: when the authed user's app row
+ * carries a `deletedAt` tombstone, it clears `deletedAt`, bumps `updatedAt`,
+ * and writes an `accountDeletionAudit` row with event "restored". When the
+ * row has no tombstone it's a no-op (returns success, writes nothing).
+ *
+ * The auth harness mirrors __tests__/convex/_auth-harness.test.ts: seed a
+ * Better Auth `user` + unexpired `session` in the component db, capture their
+ * REAL component ids, seed the mirrored app `users` row keyed by authId, then
+ * drive the mutation with a matching identity. restoreAccount rate-limits via
+ * the `criticalAction` bucket, so the rateLimiter component must be registered.
+ */
+import { ConvexError } from "convex/values";
+import { describe, expect, test } from "vitest";
+
+import { api } from "@/convex/_generated/api";
+
+import { auditRowsFor, identityFor, initConvexTest, seedAuthedUser } from "./_harness";
+
+describe("users.restoreAccount", () => {
+  test("clears deletedAt and writes a 'restored' audit row for a tombstoned user", async () => {
+    const t = initConvexTest();
+    const tombstonedAt = Date.now() - 60_000;
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t, {
+      deletedAt: tombstonedAt,
+    });
+
+    // Precondition: row really is tombstoned before we restore.
+    const before = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(before?.deletedAt).toBe(tombstonedAt);
+
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    const result = await asUser.mutation(api.users.restoreAccount, {});
+    expect(result).toEqual({ success: true });
+
+    // Real DB effect: the tombstone is gone and updatedAt advanced past it.
+    const after = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(after).not.toBeNull();
+    expect(after!.deletedAt).toBeUndefined();
+    expect(after!.updatedAt).toBeGreaterThan(tombstonedAt);
+
+    // Exactly one audit row, event "restored", keyed to this user.
+    const audit = await auditRowsFor(t, appUserId);
+    expect(audit).toHaveLength(1);
+    expect(audit[0]!.event).toBe("restored");
+    expect(audit[0]!.userId).toBe(appUserId);
+    expect(audit[0]!.authId).toBe(authUserId);
+  });
+
+  test("no-op for a user without a tombstone: no audit row, row untouched", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t); // no deletedAt
+
+    const beforeUpdatedAt = (await t.run(async (ctx) => ctx.db.get(appUserId)))!.updatedAt;
+
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    const result = await asUser.mutation(api.users.restoreAccount, {});
+    expect(result).toEqual({ success: true });
+
+    // Early return: updatedAt is NOT bumped and no audit row is written.
+    const after = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(after!.deletedAt).toBeUndefined();
+    expect(after!.updatedAt).toBe(beforeUpdatedAt);
+
+    const audit = await auditRowsFor(t, appUserId);
+    expect(audit).toHaveLength(0);
+  });
+
+  test("throws ConvexError when unauthenticated (no identity)", async () => {
+    const t = initConvexTest();
+    await seedAuthedUser(t, { deletedAt: Date.now() - 60_000 });
+
+    // authMutation -> requireAuthenticatedUser -> authenticationRequired().
+    await expect(t.mutation(api.users.restoreAccount, {})).rejects.toThrowError(ConvexError);
+  });
+
+  test("throttles the criticalAction bucket: the call past capacity throws", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId } = await seedAuthedUser(t); // no tombstone
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+
+    // criticalAction is a capacity-5 token bucket. restoreAccount runs the rate
+    // check before its idempotent early-return and (unlike deleteAccount) never
+    // revokes the session, so it's safely repeatable with one identity. The
+    // first 5 rapid calls consume the bucket; the 6th has no token and throws.
+    // Guards rateLimitWithThrow against a dropped `throws`, a wrong bucket name,
+    // or a removed call. (A throttled real user just retries after refill.)
+    for (let i = 0; i < 5; i++) {
+      await asUser.mutation(api.users.restoreAccount, {});
+    }
+    await expect(asUser.mutation(api.users.restoreAccount, {})).rejects.toThrowError(ConvexError);
+  });
+});

package/dist/templates/default/__tests__/convex/users-updateAvatar.test.ts

@@ -0,0 +1,92 @@
+/// <reference types="vite/client" />
+/**
+ * Real convexTest coverage for users.updateAvatar (authMutation).
+ *
+ * updateAvatar(storageId):
+ *   - rate-limits on the "userAction" bucket (needs rateLimiter component)
+ *   - deletes the previous uploaded avatar from storage if one exists
+ *   - patches the app users row: avatar = storageId, bumps updatedAt
+ *   - returns { avatarUrl } resolved via ctx.storage.getUrl(storageId)
+ *
+ * Auth is driven the same way as _auth-harness.test.ts: seed a Better Auth
+ * user + unexpired session in the component db, seed the mirrored app users
+ * row keyed by authId, then call with a matching identity (subject == auth
+ * user id, sessionId == session id, both REAL component doc ids).
+ */
+import { ConvexError } from "convex/values";
+import { describe, expect, test } from "vitest";
+
+import { api } from "@/convex/_generated/api";
+
+import { initConvexTest, seedAuthedUser, identityFor, type AuthedTest } from "./_harness";
+
+/** Store a real blob and return its _storage id, the same shape the handler patches. */
+async function storeBlob(t: AuthedTest, body: string) {
+  return await t.run(async (ctx) => ctx.storage.store(new Blob([body])));
+}
+
+describe("users.updateAvatar", () => {
+  test("authed: patches avatar to the storage id and returns its url", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t);
+    const storageId = await storeBlob(t, "new-avatar-bytes");
+
+    const before = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(before?.avatar).toBeUndefined(); // no avatar to start
+
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    const result = await asUser.mutation(api.users.updateAvatar, { storageId });
+
+    // Return shape: a resolvable url for the stored blob (not null).
+    expect(result.avatarUrl).toEqual(expect.any(String));
+
+    // Real DB effect: the app users row now points at the new storage id
+    // and updatedAt was bumped past its seed value.
+    const after = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(after?.avatar).toBe(storageId);
+    expect(after!.updatedAt).toBeGreaterThanOrEqual(before!.updatedAt);
+
+    // The stored blob is still reachable (it's the current avatar).
+    const url = await t.run(async (ctx) => ctx.storage.getUrl(storageId));
+    expect(url).not.toBeNull();
+  });
+
+  test("authed: replacing an avatar deletes the previous blob from storage", async () => {
+    const t = initConvexTest();
+    const oldStorageId = await storeBlob(t, "original-bytes");
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t);
+    // Start the app row with an existing avatar so the handler deletes the old blob.
+    await t.run(async (ctx) => ctx.db.patch(appUserId, { avatar: oldStorageId }));
+
+    // Sanity: the old blob exists before we replace it.
+    expect(await t.run(async (ctx) => ctx.storage.getUrl(oldStorageId))).not.toBeNull();
+
+    const newStorageId = await storeBlob(t, "replacement-bytes");
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    await asUser.mutation(api.users.updateAvatar, { storageId: newStorageId });
+
+    // The row now points at the new blob...
+    const after = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(after?.avatar).toBe(newStorageId);
+
+    // ...and the OLD blob was deleted from storage (getUrl returns null).
+    expect(await t.run(async (ctx) => ctx.storage.getUrl(oldStorageId))).toBeNull();
+    // New blob is still present.
+    expect(await t.run(async (ctx) => ctx.storage.getUrl(newStorageId))).not.toBeNull();
+  });
+
+  test("unauthenticated: throws ConvexError and writes nothing", async () => {
+    const t = initConvexTest();
+    const { appUserId } = await seedAuthedUser(t); // data exists; we just don't authenticate
+    const storageId = await storeBlob(t, "orphan-bytes");
+
+    // authMutation requires a user -> authenticationRequired() (a ConvexError).
+    await expect(t.mutation(api.users.updateAvatar, { storageId })).rejects.toThrowError(
+      ConvexError,
+    );
+
+    // The guarded write never landed.
+    const row = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(row?.avatar).toBeUndefined();
+  });
+});

package/dist/templates/default/__tests__/convex/users-updateProfile.test.ts

@@ -0,0 +1,126 @@
+/// <reference types="vite/client" />
+/**
+ * Real convexTest coverage for the authed mutation `users.updateProfile`.
+ *
+ * updateProfile is an authMutation that:
+ *   - rate-limits on the "userAction" bucket,
+ *   - validates bio (<= 500 chars) and throws a VAL_3001 ConvexError otherwise,
+ *   - patches the app `users` row's bio + updatedAt,
+ *   - returns the app user _id.
+ *
+ * Auth resolves through Better Auth: ctx.auth.getUserIdentity() (root ctx) ->
+ * betterAuth component session findOne (_id == identity.sessionId, expiresAt >
+ * now) -> betterAuth user findOne (_id == identity.subject) -> app `users` row
+ * by index "authId" == betterAuth user id. So we seed three rows and hand
+ * t.withIdentity an identity whose subject/sessionId are the REAL component
+ * doc ids. (Same harness shape proven in `_auth-harness.test.ts`.)
+ */
+import { ConvexError } from "convex/values";
+import { describe, expect, test } from "vitest";
+
+import { api } from "@/convex/_generated/api";
+
+import { identityFor, initConvexTest, seedAuthedUser, type AuthedTest } from "./_harness";
+
+type SeededAppUserId = Awaited<ReturnType<typeof seedAuthedUser>>["appUserId"];
+
+/** The shared seedAuthedUser doesn't seed bio, so set it directly on the row. */
+async function setBio(t: AuthedTest, appUserId: SeededAppUserId, bio: string) {
+  await t.run(async (ctx) => ctx.db.patch(appUserId, { bio }));
+}
+
+describe("users.updateProfile", () => {
+  test("authenticated: patches bio on the real users row and returns its id", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t);
+    await setBio(t, appUserId, "old bio");
+
+    // Snapshot updatedAt before so we can prove the patch moved it.
+    const before = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(before?.bio).toBe("old bio");
+    const updatedAtBefore = before!.updatedAt;
+
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    const returnedId = await asUser.mutation(api.users.updateProfile, {
+      bio: "Countess of computing.",
+    });
+    expect(returnedId).toBe(appUserId);
+
+    // Real DB effect: read the row straight from the table.
+    const after = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(after?.bio).toBe("Countess of computing.");
+    // updatedAt is bumped by the handler (Date.now()), never backwards.
+    expect(after!.updatedAt).toBeGreaterThanOrEqual(updatedAtBefore);
+
+    // Surfaces through the authed read path too.
+    const me = await asUser.query(api.users.getMe, {});
+    expect(me!.bio).toBe("Countess of computing.");
+  });
+
+  test("authenticated: bio at the 500-char limit is accepted", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t);
+
+    const maxBio = "a".repeat(500);
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+    await asUser.mutation(api.users.updateProfile, { bio: maxBio });
+
+    const row = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(row?.bio).toBe(maxBio);
+    expect(row?.bio?.length).toBe(500);
+  });
+
+  test("authenticated: bio over 500 chars is rejected as a VAL_3001 ConvexError, no write", async () => {
+    const t = initConvexTest();
+    const { authUserId, sessionId, appUserId } = await seedAuthedUser(t);
+    await setBio(t, appUserId, "untouched");
+
+    const tooLong = "a".repeat(501);
+    const asUser = t.withIdentity(identityFor(authUserId, sessionId));
+
+    await expect(asUser.mutation(api.users.updateProfile, { bio: tooLong })).rejects.toThrowError(
+      ConvexError,
+    );
+
+    // Assert the structured error code + field, and that the bad write was
+    // rejected before touching the row (mutation transaction rolled back).
+    let caught: unknown;
+    try {
+      await asUser.mutation(api.users.updateProfile, { bio: tooLong });
+    } catch (err) {
+      caught = err;
+    }
+    expect(caught).toBeInstanceOf(ConvexError);
+    const data = (caught as ConvexError<{ code: string; field?: string }>).data;
+    expect(data.code).toBe("VAL_3001");
+    expect(data.field).toBe("bio");
+
+    const row = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(row?.bio).toBe("untouched");
+  });
+
+  test("unauthenticated: the authMutation throws a ConvexError and writes nothing", async () => {
+    const t = initConvexTest();
+    // Seed the data, but call WITHOUT an identity. requireAuthenticatedUser
+    // throws authenticationRequired() (AUTH_1001) before the handler runs.
+    const { appUserId } = await seedAuthedUser(t);
+    await setBio(t, appUserId, "before");
+
+    await expect(t.mutation(api.users.updateProfile, { bio: "after" })).rejects.toThrowError(
+      ConvexError,
+    );
+
+    let caught: unknown;
+    try {
+      await t.mutation(api.users.updateProfile, { bio: "after" });
+    } catch (err) {
+      caught = err;
+    }
+    expect(caught).toBeInstanceOf(ConvexError);
+    expect((caught as ConvexError<{ code: string }>).data.code).toBe("AUTH_1001");
+
+    // No write happened.
+    const row = await t.run(async (ctx) => ctx.db.get(appUserId));
+    expect(row?.bio).toBe("before");
+  });
+});

package/dist/templates/default/__tests__/convex/webhook.test.ts

@@ -290,6 +290,37 @@ describe("withWebhook (HMAC signature verification)", () => {
     expect(res.status).toBe(200);
   });
 
+  test("401 when replay timestamp is in the future", async () => {
+    // The window is two-sided (Math.abs of the age), so a forward-skewed clock
+    // is rejected too. A one-sided `age > max` check would pass every other
+    // replay test but accept arbitrarily-future timestamps; this pins that.
+    const handler = withWebhook(
+      {
+        source: "test",
+        signatureHeader: "x-signature",
+        secretEnv: "TEST_WEBHOOK_SECRET",
+        algorithm: "sha256",
+        replay: { header: "x-timestamp", maxAgeSeconds: 60 },
+      },
+      () => new Response("ok"),
+    );
+    const body = "{}";
+    const signature = await sign("sha256", SECRET, body);
+    const future = Date.now() + 120_000; // 2 minutes ahead, exceeds 60s window
+    const res = await handler(
+      ctx,
+      makeRequest({
+        body,
+        signatureHeader: "x-signature",
+        signatureValue: signature,
+        timestampHeader: "x-timestamp",
+        timestampValue: String(future),
+      }),
+    );
+    expect(res.status).toBe(401);
+    expect(await res.text()).toContain("timestamp out of window");
+  });
+
   test("X-Request-Id header is set on every response", async () => {
     const handler = withWebhook(
       {

package/dist/templates/default/__tests__/lib/deep-link.test.ts

@@ -1,7 +1,7 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
 vi.mock("expo-linking", () => {
-  function parse(url: string) {
+  const parse = vi.fn((url: string) => {
     try {
       const u = new URL(url);
       const queryParams: Record<string, string> = {};
@@ -17,12 +17,19 @@ vi.mock("expo-linking", () => {
     } catch {
       return { scheme: null, hostname: null, path: url, queryParams: null };
     }
-  }
+  });
   return { parse, createURL: (p: string) => p };
 });
 
+import { parse } from "expo-linking";
+
+import { redirectSystemPath } from "@/app/+native-intent";
 import { resolveDeepLink } from "@/lib/deep-link";
 
+const parseMock = parse as unknown as ReturnType<typeof vi.fn>;
+
+const redirect = (path: string) => redirectSystemPath!({ path, initial: false });
+
 beforeEach(() => {
   vi.clearAllMocks();
 });
@@ -31,37 +38,75 @@ describe("resolveDeepLink", () => {
   it("parses a valid path with query params", () => {
     const result = resolveDeepLink("vexpo://app/linked?foo=bar&n=1");
     expect(result.path).toBe("/linked");
+    expect(result.href).toBe("/linked");
     expect(result.params).toEqual({ foo: "bar", n: "1" });
   });
 
+  it("resolves a path alias to its canonical href", () => {
+    const result = resolveDeepLink("vexpo://app/about");
+    expect(result.path).toBe("/about");
+    expect(result.href).toBe("/help");
+  });
+
   it("returns null path for disallowed routes", () => {
     const result = resolveDeepLink("vexpo://app/admin");
     expect(result.path).toBeNull();
+    expect(result.href).toBeNull();
     expect(result.params).toEqual({});
   });
 
   it("returns null path for path traversal attempts", () => {
     const result = resolveDeepLink("vexpo://app/../etc/passwd");
     expect(result.path).toBeNull();
+    expect(result.href).toBeNull();
   });
 
   it("handles empty input", () => {
-    expect(resolveDeepLink("")).toEqual({ path: null, params: {} });
+    expect(resolveDeepLink("")).toEqual({ path: null, href: null, params: {} });
   });
 
   it("handles garbage input without throwing", () => {
     expect(() => resolveDeepLink("not a url")).not.toThrow();
     const result = resolveDeepLink("not a url");
     expect(result.path).toBeNull();
+    expect(result.href).toBeNull();
   });
 
   it("normalizes trailing slashes", () => {
     const result = resolveDeepLink("vexpo://app/linked/");
     expect(result.path).toBe("/linked");
+    expect(result.href).toBe("/linked");
+  });
+
+  it("drops nullish query values and joins array values", () => {
+    // URLSearchParams only yields strings, so the real source's `value == null`
+    // skip and `Array.isArray` join branches are unreachable through a real URL.
+    // Drive them directly via the parse mock.
+    parseMock.mockReturnValueOnce({
+      scheme: "vexpo",
+      hostname: "app",
+      path: "/linked",
+      queryParams: { a: "1", b: null, tags: ["x", "y"] },
+    });
+    const result = resolveDeepLink("vexpo://app/linked");
+    expect(result.params).toEqual({ a: "1", tags: "x,y" });
+  });
+});
+
+describe("redirectSystemPath (native-intent)", () => {
+  it("reattaches the query so params reach the route on the router's own navigation", () => {
+    expect(redirect("vexpo://app/linked?foo=bar&n=1")).toBe("/linked?foo=bar&n=1");
+  });
+
+  it("returns the bare href when there's no query", () => {
+    expect(redirect("vexpo://app/about")).toBe("/help");
+  });
+
+  it("carries the query across an alias rewrite", () => {
+    expect(redirect("vexpo://app/about?ref=email")).toBe("/help?ref=email");
   });
 
-  it("drops nullish query values", () => {
-    const result = resolveDeepLink("vexpo://app/linked?x=1");
-    expect(result.params).toEqual({ x: "1" });
+  it("blocks unknown paths to /", () => {
+    expect(redirect("vexpo://app/admin")).toBe("/");
   });
 });

package/dist/templates/default/__tests__/lib/schemas.test.ts

@@ -0,0 +1,205 @@
+import { describe, expect, it } from "vitest";
+
+import {
+  PASSWORD_MAX_LENGTH,
+  PASSWORD_MIN_LENGTH,
+  firstError,
+  firstErrorField,
+  forgotPasswordSchema,
+  profileUpdateSchema,
+  resetPasswordSchema,
+  signInEmailSchema,
+  signInSchema,
+  signInUsernameSchema,
+  signUpSchema,
+} from "@/lib/schemas";
+
+// Validation behind the auth and profile forms. The screens render
+// @expo/ui SwiftUI (which Maestro can't drive), so this is where the form
+// logic is actually verified: transforms, bounds, format, reserved names,
+// cross-field matching, and the inline-error helpers.
+
+const validPassword = "a".repeat(PASSWORD_MIN_LENGTH);
+
+describe("email validation", () => {
+  it("trims and lowercases a valid email", () => {
+    const r = forgotPasswordSchema.safeParse({ email: "  Foo@Bar.COM  " });
+    expect(r.success).toBe(true);
+    if (r.success) expect(r.data.email).toBe("foo@bar.com");
+  });
+
+  it("rejects a malformed email with the inline message", () => {
+    const r = forgotPasswordSchema.safeParse({ email: "not-an-email" });
+    expect(r.success).toBe(false);
+    expect(firstError(r)).toBe("Enter a valid email address");
+  });
+});
+
+describe("password bounds", () => {
+  it(`rejects shorter than ${PASSWORD_MIN_LENGTH}`, () => {
+    const r = signUpSchema.safeParse({
+      name: "Ray",
+      username: "",
+      email: "r@example.com",
+      password: "a".repeat(PASSWORD_MIN_LENGTH - 1),
+    });
+    expect(r.success).toBe(false);
+    expect(firstError(r)).toBe(`Password must be at least ${PASSWORD_MIN_LENGTH} characters`);
+  });
+
+  it(`rejects longer than ${PASSWORD_MAX_LENGTH}`, () => {
+    const r = signUpSchema.safeParse({
+      name: "Ray",
+      username: "",
+      email: "r@example.com",
+      password: "a".repeat(PASSWORD_MAX_LENGTH + 1),
+    });
+    expect(r.success).toBe(false);
+    expect(firstError(r)).toBe(`Password must be ${PASSWORD_MAX_LENGTH} characters or fewer`);
+  });
+
+  it("accepts a password at the minimum length", () => {
+    const r = signUpSchema.safeParse({
+      name: "Ray",
+      username: "",
+      email: "r@example.com",
+      password: validPassword,
+    });
+    expect(r.success).toBe(true);
+  });
+});
+
+describe("required username (profileUpdateSchema)", () => {
+  it("lowercases and trims a valid username", () => {
+    const r = profileUpdateSchema.safeParse({
+      name: "Ray",
+      username: "  RayC  ",
+      email: "r@example.com",
+    });
+    expect(r.success).toBe(true);
+    if (r.success) expect(r.data.username).toBe("rayc");
+  });
+
+  it("rejects too-short usernames", () => {
+    const r = profileUpdateSchema.safeParse({
+      name: "Ray",
+      username: "ab",
+      email: "r@example.com",
+    });
+    expect(r.success).toBe(false);
+    expect(firstErrorField(r)).toBe("username");
+  });
+
+  it("rejects invalid characters with the format message", () => {
+    const r = profileUpdateSchema.safeParse({
+      name: "Ray",
+      username: "bad name!",
+      email: "r@example.com",
+    });
+    expect(firstError(r)).toBe("Letters, numbers, dots, and underscores only");
+  });
+
+  it("rejects a reserved username, case-insensitively", () => {
+    const r = profileUpdateSchema.safeParse({
+      name: "Ray",
+      username: "ADMIN",
+      email: "r@example.com",
+    });
+    expect(firstError(r)).toBe("That username is reserved");
+  });
+
+  it("rejects an empty username (required here, unlike sign-up)", () => {
+    const r = profileUpdateSchema.safeParse({ name: "Ray", username: "", email: "r@example.com" });
+    expect(r.success).toBe(false);
+  });
+});
+
+describe("optional username (signUpSchema)", () => {
+  it("accepts an empty username", () => {
+    const r = signUpSchema.safeParse({
+      name: "Ray",
+      username: "",
+      email: "r@example.com",
+      password: validPassword,
+    });
+    expect(r.success).toBe(true);
+  });
+
+  it("still rejects a non-empty reserved username", () => {
+    const r = signUpSchema.safeParse({
+      name: "Ray",
+      username: "root",
+      email: "r@example.com",
+      password: validPassword,
+    });
+    expect(firstError(r)).toBe("That username is reserved");
+  });
+
+  it("requires a non-empty name", () => {
+    const r = signUpSchema.safeParse({
+      name: "   ",
+      username: "",
+      email: "r@example.com",
+      password: validPassword,
+    });
+    expect(r.success).toBe(false);
+    expect(firstError(r)).toBe("Name is required");
+  });
+});
+
+describe("sign-in schemas", () => {
+  it("signInSchema requires identifier and password", () => {
+    const r = signInSchema.safeParse({ identifier: "", password: "" });
+    expect(r.success).toBe(false);
+    expect(firstError(r)).toBe("Username or email is required");
+  });
+
+  it("signInEmailSchema validates the email but takes any non-empty password", () => {
+    expect(signInEmailSchema.safeParse({ email: "r@example.com", password: "x" }).success).toBe(
+      true,
+    );
+    expect(signInEmailSchema.safeParse({ email: "nope", password: "x" }).success).toBe(false);
+    expect(signInEmailSchema.safeParse({ email: "r@example.com", password: "" }).success).toBe(
+      false,
+    );
+  });
+
+  it("signInUsernameSchema enforces the username minimum", () => {
+    expect(signInUsernameSchema.safeParse({ username: "ab", password: "x" }).success).toBe(false);
+    expect(signInUsernameSchema.safeParse({ username: "abc", password: "x" }).success).toBe(true);
+  });
+});
+
+describe("resetPasswordSchema", () => {
+  const base = { email: "r@example.com", otp: "123456", password: validPassword };
+
+  it("rejects an OTP that is not 6 digits", () => {
+    const r = resetPasswordSchema.safeParse({
+      ...base,
+      otp: "12345",
+      confirmPassword: validPassword,
+    });
+    expect(r.success).toBe(false);
+    expect(firstError(r)).toBe("Enter the 6-digit code");
+  });
+
+  it("rejects mismatched passwords, flagged on confirmPassword", () => {
+    const r = resetPasswordSchema.safeParse({ ...base, confirmPassword: `${validPassword}x` });
+    expect(r.success).toBe(false);
+    expect(firstError(r)).toBe("Passwords do not match");
+    expect(firstErrorField(r)).toBe("confirmPassword");
+  });
+
+  it("accepts a valid reset with matching passwords", () => {
+    const r = resetPasswordSchema.safeParse({ ...base, confirmPassword: validPassword });
+    expect(r.success).toBe(true);
+  });
+});
+
+describe("error helpers", () => {
+  it("firstError and firstErrorField return null on success", () => {
+    const r = forgotPasswordSchema.safeParse({ email: "r@example.com" });
+    expect(firstError(r)).toBeNull();
+    expect(firstErrorField(r)).toBeNull();
+  });
+});