toiljs 0.0.33 → 0.0.36

package/test/assembly/cookie.spec.ts

@@ -0,0 +1,302 @@
+// Pure cookie logic (builder, parser, codec, validation, Request/Response
+// integration). Imports the specific modules rather than the runtime index so
+// `securecookies.ts` is not pulled into the as-pect graph: it depends on the
+// toilscript crypto std (`crypto` / `data` / `bindings/webcrypto`), which the
+// as-pect compiler (`@btc-vision/assemblyscript`) does not ship. `SecureCookies`
+// is exercised end-to-end against the real toilscript-compiled wasm in
+// `test/devserver.test.ts`.
+import { Method, Request, Header } from '../../server/runtime/request';
+import { Response } from '../../server/runtime/response';
+import { Cookie, SameSite, CookieEncoding } from '../../server/runtime/http/cookie';
+import { Cookies } from '../../server/runtime/http/cookies';
+
+// --- helpers ----------------------------------------------------------------
+
+function headerValue(r: Response, name: string): string {
+    for (let i = 0; i < r.headers.length; i++) {
+        if (r.headers[i].name == name) return r.headers[i].value;
+    }
+    return '';
+}
+
+function headerCount(r: Response, name: string): i32 {
+    let n = 0;
+    for (let i = 0; i < r.headers.length; i++) {
+        if (r.headers[i].name == name) n++;
+    }
+    return n;
+}
+
+function reqWithCookie(value: string): Request {
+    const headers = new Array<Header>();
+    headers.push(new Header('Cookie', value));
+    return new Request(Method.GET, '/', headers, new Uint8Array(0));
+}
+
+// --- Cookie builder / serialize --------------------------------------------
+
+describe('Cookie.serialize', () => {
+    it('serializes a bare name=value', () => {
+        expect<string>(Cookie.create('a', 'b').serialize()).toStrictEqual('a=b');
+    });
+
+    it('percent-encodes the value by default', () => {
+        expect<string>(Cookie.create('x', 'hello world').serialize()).toStrictEqual('x=hello%20world');
+    });
+
+    it('leaves a Raw value untouched', () => {
+        expect<string>(
+            Cookie.create('x', 'abc').withEncoding(CookieEncoding.Raw).serialize(),
+        ).toStrictEqual('x=abc');
+    });
+
+    it('base64url-encodes when asked', () => {
+        expect<string>(
+            Cookie.create('x', 'hi').withEncoding(CookieEncoding.Base64Url).serialize(),
+        ).toStrictEqual('x=aGk');
+    });
+
+    it('emits attributes in a stable order', () => {
+        const s = Cookie.create('a', 'b')
+            .domain('example.com')
+            .path('/p')
+            .secure()
+            .httpOnly()
+            .sameSite(SameSite.Lax)
+            .maxAge(60)
+            .serialize();
+        expect<string>(s).toStrictEqual('a=b; Domain=example.com; Path=/p; Max-Age=60; SameSite=Lax; Secure; HttpOnly');
+    });
+
+    it('auto-adds Secure for SameSite=None', () => {
+        expect<string>(Cookie.create('a', 'b').sameSite(SameSite.None).serialize()).toStrictEqual(
+            'a=b; SameSite=None; Secure',
+        );
+    });
+
+    it('auto-adds Secure for Partitioned (CHIPS)', () => {
+        expect<string>(Cookie.create('a', 'b').partitioned().serialize()).toStrictEqual(
+            'a=b; Secure; Partitioned',
+        );
+    });
+
+    it('formats Expires from epoch seconds as an IMF-fixdate', () => {
+        expect<string>(Cookie.create('a', 'b').expires(784111777).serialize()).toStrictEqual(
+            'a=b; Expires=Sun, 06 Nov 1994 08:49:37 GMT',
+        );
+    });
+
+    it('formats the epoch as the IMF-fixdate zero point', () => {
+        expect<string>(Cookie.create('a', 'b').expires(0).serialize()).toStrictEqual(
+            'a=b; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
+        );
+    });
+
+    it('clamps Max-Age to the 400-day cap', () => {
+        expect<string>(Cookie.create('a', 'b').maxAge(99999999).serialize()).toStrictEqual(
+            'a=b; Max-Age=34560000',
+        );
+    });
+
+    it('applies the __Host- prefix with its required attributes', () => {
+        expect<string>(Cookie.create('sid', 'x').asHostPrefixed().serialize()).toStrictEqual(
+            '__Host-sid=x; Path=/; Secure',
+        );
+    });
+
+    it('applies the __Secure- prefix', () => {
+        expect<string>(Cookie.create('sid', 'x').asSecurePrefixed().serialize()).toStrictEqual(
+            '__Secure-sid=x; Secure',
+        );
+    });
+
+    it('emits Priority and extension attributes', () => {
+        expect<string>(
+            Cookie.create('a', 'b').priority('High').extension('CustomFlag').serialize(),
+        ).toStrictEqual('a=b; Priority=High; CustomFlag');
+    });
+
+    it('percent-encodes CR/LF in a default-encoded value (no header injection)', () => {
+        expect<string>(Cookie.create('a', 'b\r\nc').serialize()).toStrictEqual('a=b%0D%0Ac');
+    });
+
+    it('strips control characters from a raw value', () => {
+        expect<string>(
+            Cookie.create('a', 'b\r\nInjected').withEncoding(CookieEncoding.Raw).serialize(),
+        ).toStrictEqual('a=bInjected');
+    });
+
+    it('strips control characters from the name', () => {
+        expect<string>(new Cookie('a\r\nb', 'v').serialize()).toStrictEqual('ab=v');
+    });
+
+    it('strips semicolons from a raw value (no attribute injection)', () => {
+        expect<string>(
+            Cookie.create('a', 'b; Secure').withEncoding(CookieEncoding.Raw).serialize(),
+        ).toStrictEqual('a=b Secure');
+    });
+
+    it('reduces the name to token chars (no attribute injection)', () => {
+        expect<string>(new Cookie('a;Domain=evil', 'v').serialize()).toStrictEqual('aDomainevil=v');
+    });
+});
+
+// --- validation -------------------------------------------------------------
+
+describe('Cookie.validate', () => {
+    it('accepts a well-formed cookie', () => {
+        expect<bool>(Cookie.create('ok', 'v').validate().valid).toBe(true);
+    });
+
+    it('rejects a name that is not a token', () => {
+        expect<bool>(Cookie.create('bad name', 'v').validate().valid).toBe(false);
+    });
+
+    it('rejects an empty name', () => {
+        expect<bool>(Cookie.create('', 'v').validate().valid).toBe(false);
+    });
+
+    it('rejects a Path that does not start with /', () => {
+        expect<bool>(Cookie.create('a', 'b').path('nope').validate().valid).toBe(false);
+    });
+
+    it('rejects name+value over 4096 bytes', () => {
+        expect<bool>(Cookie.create('a', 'x'.repeat(5000)).validate().valid).toBe(false);
+    });
+
+    it('rejects a __Host- name without its required attributes', () => {
+        const v = new Cookie('__Host-x', 'v').validate();
+        expect<bool>(v.valid).toBe(false);
+        expect<bool>(v.errors.length > 0).toBe(true);
+    });
+
+    it('accepts a correctly-formed __Host- cookie', () => {
+        expect<bool>(Cookie.create('x', 'v').asHostPrefixed().validate().valid).toBe(true);
+    });
+
+    it('flags a Max-Age beyond the 400-day cap', () => {
+        expect<bool>(Cookie.create('a', 'b').maxAge(99999999).validate().valid).toBe(false);
+    });
+});
+
+// --- Cookies.parse ----------------------------------------------------------
+
+describe('Cookies.parse', () => {
+    it('parses multiple cookies', () => {
+        const m = Cookies.parse('a=1; b=2');
+        expect<i32>(m.size).toBe(2);
+        expect<string>(m.get('a')!).toStrictEqual('1');
+        expect<string>(m.get('b')!).toStrictEqual('2');
+    });
+
+    it('returns null for a missing cookie', () => {
+        expect<bool>(Cookies.parse('a=1').get('x') == null).toBe(true);
+    });
+
+    it('keeps everything after the first = in the value', () => {
+        expect<string>(Cookies.parse('token=ab=cd').get('token')!).toStrictEqual('ab=cd');
+    });
+
+    it('trims surrounding whitespace around name and value', () => {
+        expect<string>(Cookies.parse('  a = 1 ; b=2').get('a')!).toStrictEqual('1');
+    });
+
+    it('strips one layer of surrounding quotes', () => {
+        expect<string>(Cookies.parse('a="hello"').get('a')!).toStrictEqual('hello');
+    });
+
+    it('percent-decodes values', () => {
+        expect<string>(Cookies.parse('x=hello%20world').get('x')!).toStrictEqual('hello world');
+    });
+
+    it('keeps the first occurrence of a duplicate name', () => {
+        expect<string>(Cookies.parse('a=1; a=2').get('a')!).toStrictEqual('1');
+    });
+
+    it('handles an empty header', () => {
+        expect<i32>(Cookies.parse('').size).toBe(0);
+    });
+
+    it('handles a valueless cookie', () => {
+        const m = Cookies.parse('flag');
+        expect<bool>(m.has('flag')).toBe(true);
+        expect<string>(m.get('flag')!).toStrictEqual('');
+    });
+});
+
+// --- value codec ------------------------------------------------------------
+
+describe('Cookies value codec', () => {
+    it('percent-encodes special characters', () => {
+        expect<string>(Cookies.encodeValue('a b&c')).toStrictEqual('a%20b%26c');
+    });
+
+    it('round-trips arbitrary UTF-8', () => {
+        const original = 'héllo, world! +/=';
+        expect<string>(Cookies.decodeValue(Cookies.encodeValue(original))).toStrictEqual(original);
+    });
+});
+
+// --- parseSetCookie ---------------------------------------------------------
+
+describe('Cookies.parseSetCookie', () => {
+    it('round-trips a serialized cookie', () => {
+        const wire = Cookie.create('a', 'hello world')
+            .domain('x.com')
+            .path('/')
+            .secure()
+            .httpOnly()
+            .sameSite(SameSite.Lax)
+            .maxAge(60)
+            .serialize();
+        expect<string>(Cookies.parseSetCookie(wire).serialize()).toStrictEqual(wire);
+    });
+
+    it('parses individual attributes', () => {
+        const c = Cookies.parseSetCookie('sid=abc; Path=/; HttpOnly; SameSite=Strict');
+        expect<string>(c.name).toStrictEqual('sid');
+        expect<string>(c.value).toStrictEqual('abc');
+    });
+});
+
+// --- Request / Response integration -----------------------------------------
+
+describe('Request cookies', () => {
+    it('reads a cookie by name', () => {
+        expect<string>(reqWithCookie('a=1; b=2').cookie('a')!).toStrictEqual('1');
+    });
+
+    it('returns null for a missing cookie', () => {
+        expect<bool>(reqWithCookie('a=1').cookie('missing') == null).toBe(true);
+    });
+
+    it('exposes the full jar', () => {
+        expect<i32>(reqWithCookie('a=1; b=2; c=3').cookies().size).toBe(3);
+    });
+});
+
+describe('Response cookies', () => {
+    it('adds a Set-Cookie header', () => {
+        const r = Response.text('x').setCookie(Cookie.create('a', 'b'));
+        expect<string>(headerValue(r, 'set-cookie')).toStrictEqual('a=b');
+    });
+
+    it('emits one Set-Cookie header per cookie (never folded)', () => {
+        const r = Response.empty(200)
+            .setCookie(Cookie.create('a', 'b'))
+            .setCookie(Cookie.create('c', 'd'));
+        expect<i32>(headerCount(r, 'set-cookie')).toBe(2);
+    });
+
+    it('setCookieKV is a shorthand', () => {
+        const r = Response.empty(200).setCookieKV('a', 'b');
+        expect<string>(headerValue(r, 'set-cookie')).toStrictEqual('a=b');
+    });
+
+    it('clearCookie emits an expired cookie', () => {
+        const r = Response.empty(200).clearCookie('a');
+        expect<string>(headerValue(r, 'set-cookie')).toStrictEqual(
+            'a=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0',
+        );
+    });
+});

package/test/assembly/example.spec.ts

@@ -1,4 +1,8 @@
-import { Method, Response } from '../../server/runtime';
+// Imports the specific modules rather than the runtime index: the index
+// re-exports `SecureCookies`, which depends on the toilscript crypto std the
+// as-pect compiler does not ship (see test/assembly/cookie.spec.ts).
+import { Method } from '../../server/runtime/request';
+import { Response } from '../../server/runtime/response';
 
 describe('server runtime', () => {
     it('numbers the HTTP methods per the wire contract', () => {

package/test/assembly/ssr.spec.ts

@@ -0,0 +1,94 @@
+// Imports specific SSR modules (not the runtime index, which pulls in the
+// crypto std the as-pect compiler does not ship). These modules are pure
+// (escaping + buffer building + linear-memory encode), so they run under
+// as-pect; the full `render` export is exercised via the example wasm in
+// test/devserver.test.ts.
+import { escapeHtml, escapeJsonForScript } from '../../server/runtime/ssr/escape';
+import { HASH_LEN, HtmlBuilder, SlotKind, SlotValues } from '../../server/runtime/ssr/slots';
+import { encodeValues } from '../../server/runtime/ssr/encode';
+
+function bytesToStr(b: Uint8Array): string {
+    return String.UTF8.decodeUnsafe(changetype<usize>(b.dataStart), b.length);
+}
+
+describe('ssr escape (react-dom byte-identity)', () => {
+    it('passes clean text through unchanged', () => {
+        expect<string>(escapeHtml('hello world')).toStrictEqual('hello world');
+    });
+
+    it('escapes the five React characters with React entities', () => {
+        // React uses &#x27; for the apostrophe and &quot; for the quote.
+        expect<string>(escapeHtml('<a href="x">A&B\'s</a>')).toStrictEqual(
+            '&lt;a href=&quot;x&quot;&gt;A&amp;B&#x27;s&lt;/a&gt;',
+        );
+    });
+
+    it('escapes ampersand first-class (not double-encoding)', () => {
+        expect<string>(escapeHtml('a & b')).toStrictEqual('a &amp; b');
+        expect<string>(escapeHtml('&amp;')).toStrictEqual('&amp;amp;');
+    });
+
+    it('escapes script-context json delimiters', () => {
+        expect<string>(escapeJsonForScript('{"x":"</script>"}')).toStrictEqual(
+            '{"x":"\\u003c/script\\u003e"}',
+        );
+        expect<string>(escapeJsonForScript('{"a":1}')).toStrictEqual('{"a":1}');
+    });
+});
+
+describe('ssr SlotValues', () => {
+    it('escapes text holes and leaves raw holes verbatim', () => {
+        const v = new SlotValues(new StaticArray<u8>(HASH_LEN));
+        v.setText(0, '<b>');
+        v.setRaw(1, '<b>ok</b>');
+        expect<i32>(v.slots.length).toBe(2);
+        expect<i32>(<i32>v.slots[0].kind).toBe(<i32>SlotKind.TEXT);
+        expect<string>(bytesToStr(v.slots[0].bytes)).toStrictEqual('&lt;b&gt;');
+        expect<i32>(<i32>v.slots[1].kind).toBe(<i32>SlotKind.RAW);
+        expect<string>(bytesToStr(v.slots[1].bytes)).toStrictEqual('<b>ok</b>');
+    });
+
+    it('stamps repeat rows by interleaving raw chunks and escaped values', () => {
+        const v = new SlotValues(new StaticArray<u8>(HASH_LEN));
+        const rows = new HtmlBuilder();
+        const items = ['a&b', 'c'];
+        for (let i = 0; i < items.length; i++) {
+            rows.raw('<li>').text(items[i]).raw('</li>');
+        }
+        v.setRepeat(2, rows);
+        expect<i32>(<i32>v.slots[0].kind).toBe(<i32>SlotKind.REPEAT);
+        expect<string>(bytesToStr(v.slots[0].bytes)).toStrictEqual(
+            '<li>a&amp;b</li><li>c</li>',
+        );
+    });
+});
+
+describe('ssr encodeValues wire format', () => {
+    it('round-trips status, hash, and one text slot', () => {
+        const hash = new StaticArray<u8>(HASH_LEN);
+        hash[0] = 0xaa;
+        hash[31] = 0xbb;
+        const v = new SlotValues(hash);
+        v.setStatus(200);
+        v.setText(7, 'hi');
+
+        const buf = new Uint8Array(128);
+        const base = changetype<usize>(buf.dataStart);
+        const n = encodeValues(v, base);
+        // status(2) + hash(32) + n_headers(2) + n_slots(2) + slot[id(2)+kind(1)+len(4)+"hi"(2)]
+        expect<i32>(<i32>n).toBe(2 + 32 + 2 + 2 + 2 + 1 + 4 + 2);
+
+        expect<i32>(<i32>load<u16>(base)).toBe(200); // status
+        expect<i32>(<i32>load<u8>(base + 2)).toBe(0xaa); // hash[0]
+        expect<i32>(<i32>load<u8>(base + 2 + 31)).toBe(0xbb); // hash[31]
+        const afterHash = base + 2 + 32;
+        expect<i32>(<i32>load<u16>(afterHash)).toBe(0); // n_headers
+        expect<i32>(<i32>load<u16>(afterHash + 2)).toBe(1); // n_slots
+        const slot = afterHash + 4;
+        expect<i32>(<i32>load<u16>(slot)).toBe(7); // slot_id
+        expect<i32>(<i32>load<u8>(slot + 2)).toBe(<i32>SlotKind.TEXT); // kind
+        expect<i32>(<i32>load<u32>(slot + 3)).toBe(2); // value_len
+        expect<i32>(<i32>load<u8>(slot + 7)).toBe(0x68); // 'h'
+        expect<i32>(<i32>load<u8>(slot + 8)).toBe(0x69); // 'i'
+    });
+});

package/test/devserver.test.ts

@@ -155,10 +155,10 @@ describe.skipIf(!fs.existsSync(EXAMPLE_WASM))('dispatch into the example server
         });
 
     it('serves a plain route', () => {
-        const r = get(load(), '/');
+        const r = get(load(), '/json');
         expect(r.status).toBe(200);
         expect(r.unhandled).toBe(false);
-        expect(Buffer.from(r.body).toString()).toBe('hello from toiljs\n');
+        expect(Buffer.from(r.body).toString()).toBe('{"hello":"toiljs"}\n');
     });
 
     it('serves a @rest route with its content-type', () => {
@@ -186,8 +186,10 @@ describe.skipIf(!fs.existsSync(EXAMPLE_WASM))('dispatch into the example server
             body: new TextEncoder().encode('{"name":"ada"}'),
         });
         expect(r.unhandled).toBe(false);
-        expect(r.status).toBeGreaterThanOrEqual(200);
-        expect(r.status).toBeLessThan(500);
+        expect(r.status).toBe(200);
+        // u256 id and i64 score cross JSON as decimal strings, exact at any size (3 seeded
+        // players, so the new player's id is 4).
+        expect(Buffer.from(r.body).toString()).toBe('{"id":"4","name":"ada","score":"0"}');
     });
 
     it('keeps requests isolated across instances (fresh state per dispatch)', () => {
@@ -196,4 +198,46 @@ describe.skipIf(!fs.existsSync(EXAMPLE_WASM))('dispatch into the example server
         const b = get(m, '/json');
         expect(Buffer.from(a.body).toString()).toBe(Buffer.from(b.body).toString());
     });
+
+    // Exercises `SecureCookies` (HMAC-SHA256) end-to-end through the real
+    // toilscript-compiled wasm with the Node-backed `env.crypto.*` host imports:
+    // `/api/cookies/set` seals a signed `__Host-session`, `/api/cookies/inspect`
+    // parses + verifies it. (as-pect cannot compile the crypto std, so this is its coverage.)
+    const sessionCookie = (m: WasmServerModule): string => {
+        const res = get(m, '/api/cookies/set');
+        expect(res.status).toBe(200);
+        const pair = res.headers
+            .filter(([n]) => n === 'set-cookie')
+            .map(([, v]) => v.split(';')[0])
+            .find((v) => v.startsWith('__Host-session='));
+        expect(pair).toBeDefined();
+        return pair!; // "__Host-session=<sealed>"
+    };
+    const inspect = (m: WasmServerModule, cookie: string): string =>
+        Buffer.from(
+            m.dispatch({
+                method: 'GET',
+                path: '/api/cookies/inspect',
+                headers: [
+                    ['host', 'localhost:3000'],
+                    ['cookie', cookie],
+                ],
+                body: new Uint8Array(0),
+            }).body,
+        ).toString();
+
+    it('round-trips a signed cookie (SecureCookies sign -> unsign)', () => {
+        const m = load();
+        expect(inspect(m, sessionCookie(m))).toContain('"session":"user-42"');
+    });
+
+    it('rejects a tampered signed cookie', () => {
+        const m = load();
+        const pair = sessionCookie(m);
+        const eq = pair.indexOf('=');
+        const name = pair.slice(0, eq);
+        const val = pair.slice(eq + 1);
+        const tampered = `${name}=${val[0] === 'A' ? 'B' : 'A'}${val.slice(1)}`;
+        expect(inspect(m, tampered)).toContain('"session":null');
+    });
 });

package/test/fixtures/bignum-wire/spec.ts

@@ -0,0 +1,27 @@
+// Fixture for the generated-client JSON wire-format test (test/rpc-bignum-wire.test.ts).
+// Compiled by the installed toilscript with --rpcModule, then the generated TS client is
+// imported and exercised. Covers every JSON bignum width plus a nested @data so the
+// recursive toJSONValue path is hit.
+
+@data
+class Wallet {
+    u: u64 = 0;
+    i: i64 = 0;
+    a: u128 = u128.Zero;
+    b: i128 = i128.Zero;
+    c: u256 = u256.Zero;
+    d: i256 = i256.Zero;
+    label: string = '';
+}
+
+@data
+class Account {
+    main: Wallet = new Wallet();
+    ids: u256[] = [];
+}
+
+// A free @remote so buildServerModule emits a surface (it returns null otherwise).
+@remote
+function touch(n: i32): i32 {
+    return n;
+}

package/test/rpc-bignum-wire.test.ts

@@ -0,0 +1,164 @@
+/**
+ * Regression test for the bignum JSON wire format. 64-bit-and-up integers
+ * (u64/i64/u128/i128/u256/i256) must cross JSON as DECIMAL STRINGS, not number tokens
+ * or limb arrays: JSON numbers ride through a browser client's JSON.parse as IEEE
+ * doubles, which silently corrupt any integer past 2^53.
+ *
+ * Compiles test/fixtures/bignum-wire/spec.ts with the installed toilscript (so it
+ * exercises the published compiler + generated client, not a hand-written stub), then
+ * imports the generated TS client and asserts the wire shape both directions, including
+ * values far above 2^53 and the legacy limb-array shape older servers emitted.
+ */
+import { spawnSync } from 'node:child_process';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+
+import { beforeAll, describe, expect, it } from 'vitest';
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const spec = path.join(here, 'fixtures', 'bignum-wire', 'spec.ts');
+// The generated module imports DataWriter/DataReader from this specifier.
+const codec = path.join(here, '..', 'src', 'io', 'codec.ts');
+
+/** Resolves the installed toilscript CLI entry (no PATH / .bin assumptions). */
+function toilscriptBin(): string {
+    const pkgPath = require.resolve('toilscript/package.json');
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8')) as { bin?: Record<string, string> };
+    const binRel = pkg.bin?.toilscript;
+    if (!binRel) throw new Error('toilscript declares no bin');
+    return path.join(path.dirname(pkgPath), binRel);
+}
+
+interface Wallet {
+    u: bigint;
+    i: bigint;
+    a: bigint;
+    b: bigint;
+    c: bigint;
+    d: bigint;
+    label: string;
+    toJSONValue(): Record<string, unknown>;
+}
+interface WalletStatic {
+    new (): Wallet;
+    fromJSONValue(v: unknown): Wallet;
+}
+interface AccountStatic {
+    new (): { main: Wallet; ids: bigint[]; toJSONValue(): Record<string, unknown> };
+    fromJSONValue(v: unknown): { main: Wallet; ids: bigint[] };
+}
+
+let Wallet: WalletStatic;
+let Account: AccountStatic;
+let tmp: string;
+
+beforeAll(async () => {
+    tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'bignum-wire-'));
+    fs.writeFileSync(path.join(tmp, 'package.json'), '{ "type": "module" }\n');
+    // vitest transforms the imported .ts through Vite/oxc, which walks up for a tsconfig.
+    fs.writeFileSync(
+        path.join(tmp, 'tsconfig.json'),
+        JSON.stringify({ compilerOptions: { target: 'esnext', module: 'esnext' } }),
+    );
+    const mod = path.join(tmp, 'server.ts');
+    const wasm = path.join(tmp, 'spec.wasm');
+    const res = spawnSync(
+        process.execPath,
+        [
+            toilscriptBin(),
+            spec,
+            '-o',
+            wasm,
+            '--runtime',
+            'stub',
+            '--initialMemory',
+            '32',
+            '--rpcModule',
+            mod,
+            '--rpcRuntime',
+            codec,
+        ],
+        { encoding: 'utf8' },
+    );
+    if (res.status !== 0) throw new Error('toilscript compile failed:\n' + res.stderr);
+    const gen = (await import(pathToFileURL(mod).href)) as {
+        Wallet: WalletStatic;
+        Account: AccountStatic;
+    };
+    Wallet = gen.Wallet;
+    Account = gen.Account;
+});
+
+// A few representative bignum types; `huge` is well past Number.MAX_SAFE_INTEGER.
+const huge = '123456789012345678901234567890';
+const u128Max = '340282366920938463463374607431768211455';
+const i64Min = '-9223372036854775808';
+
+describe('generated client bignum JSON wire format', () => {
+    it('serializes every 64-bit-and-up integer as a decimal string', () => {
+        const w = new Wallet();
+        w.u = BigInt(huge.slice(0, 19)); // fits u64
+        w.i = BigInt(i64Min);
+        w.a = BigInt(u128Max);
+        w.b = -123n;
+        w.c = BigInt(huge);
+        w.d = -1n;
+        w.label = 'x';
+        const json = w.toJSONValue();
+        // Each bignum field is a string, never a number or an array.
+        for (const k of ['u', 'i', 'a', 'b', 'c', 'd'] as const) {
+            expect(typeof json[k], `field ${k}`).toBe('string');
+        }
+        expect(json.a).toBe(u128Max);
+        expect(json.c).toBe(huge);
+        expect(json.i).toBe(i64Min);
+        expect(json.label).toBe('x');
+    });
+
+    it('revives a decimal string past 2^53 into an exact bigint', () => {
+        const w = Wallet.fromJSONValue({
+            u: '0',
+            i: i64Min,
+            a: u128Max,
+            b: '-123',
+            c: huge,
+            d: '-1',
+            label: 'y',
+        });
+        expect(w.c).toBe(BigInt(huge));
+        expect(w.a).toBe(BigInt(u128Max));
+        expect(w.i).toBe(BigInt(i64Min));
+        expect(w.d).toBe(-1n);
+    });
+
+    it('round-trips a value through send then revive without loss', () => {
+        const w = new Wallet();
+        w.c = BigInt(huge);
+        w.d = BigInt('-' + huge);
+        const back = Wallet.fromJSONValue(JSON.parse(JSON.stringify(w.toJSONValue())));
+        expect(back.c).toBe(BigInt(huge));
+        expect(back.d).toBe(BigInt('-' + huge));
+    });
+
+    it('still revives the legacy little-endian limb-array shape (back-compat)', () => {
+        // u256 [5,0,4,0] little-endian = 5 + 4*2^128.
+        const w = Wallet.fromJSONValue({ c: [5, 0, 4, 0], a: [9, 1] });
+        expect(w.c).toBe(2n ** 130n + 5n);
+        expect(w.a).toBe(2n ** 64n + 9n);
+    });
+
+    it('recurses into nested @data and arrays of bignums', () => {
+        const a = new Account();
+        a.main.c = BigInt(huge);
+        a.ids = [1n, BigInt(huge)];
+        const json = a.toJSONValue();
+        const main = json.main as Record<string, unknown>;
+        expect(main.c).toBe(huge);
+        expect(json.ids).toEqual(['1', huge]);
+        const back = Account.fromJSONValue(JSON.parse(JSON.stringify(json)));
+        expect(back.main.c).toBe(BigInt(huge));
+        expect(back.ids).toEqual([1n, BigInt(huge)]);
+    });
+});