testing/attack_surface.ts

Adversarial auth enforcement test runners and the standard attack surface suite.

The combinatorial test runner (describe_adversarial_auth) generates test suites for routes x auth levels. The standard suite (describe_standard_attack_surface_tests) composes all attack surface test groups into a single call.

Stubs, app factories, and assertion helpers live in focused submodules: - test_auth_stubs — stub factories and pre-built dep bundles - test_auth_apps — auth-level test app factories - test_auth_assertions — snapshot, public route, and middleware assertions

Declarations
#

5 declarations

view source

AdversarialTestOptions
#

testing/attack_surface.ts view source

AdversarialTestOptions

Options for adversarial test runners (auth enforcement and input validation).

build

Build the app surface bundle (surface + route specs + middleware specs).

type () => AppSurfaceSpec

roles

All roles in the app (e.g. ['admin', 'keeper']).

type Array<string>

describe_adversarial_auth
#

testing/attack_surface.ts view source

(options: AdversarialTestOptions): void

Generate adversarial HTTP auth enforcement test suites.

Describe blocks: - unauthenticated → 401 — every protected route - wrong role → 403 — every role route, tested with all non-matching roles - authenticated without role → 403 — every role route, no-role context - correct auth passes guard — every protected route, assert not 401/403

options

type AdversarialTestOptions

returns

void

describe_standard_attack_surface_tests
#

testing/attack_surface.ts view source

(options: StandardAttackSurfaceOptions): void

Run the standard attack surface test suite.

Generates 10 test groups: 1. Snapshot — live surface matches committed JSON 2. Determinism — building twice yields identical results 3. Public routes — bidirectional check (no unexpected, no missing) 4. Middleware stack — every API route has the full middleware chain 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency) 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions 7. Error schema tightness — informational log of generic vs specific error schemas, plus assertion against DEFAULT_ERROR_SCHEMA_TIGHTNESS by default (opt out with error_schema_tightness: null) 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement 9. Adversarial input — input body and params validation 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas

Consumer test files call this with project-specific options, then add any project-specific assertions in additional describe blocks.

options

type StandardAttackSurfaceOptions

returns

void

resolve_standard_error_schema_tightness
#

testing/attack_surface.ts view source

(consumer: ErrorSchemaTightnessOptions | null | undefined): ErrorSchemaTightnessOptions | null

Merge a consumer's error_schema_tightness option with DEFAULT_ERROR_SCHEMA_TIGHTNESS so allowlist and ignore_statuses are additive rather than replacing.

- undefined → return the default as-is. - null → return null (opt out of the assertion). - object → spread the default, then consumer overrides for scalar fields (min_specificity), then concat stock-then-consumer for the list fields (allowlist, ignore_statuses) so consumer entries extend rather than replace.

Exported for direct use when a consumer calls assert_error_schema_tightness outside the standard suite but still wants the additive merge.

consumer

type ErrorSchemaTightnessOptions | null | undefined

returns

ErrorSchemaTightnessOptions | null

StandardAttackSurfaceOptions
#

testing/attack_surface.ts view source

StandardAttackSurfaceOptions

Options for the standard attack surface test suite.

build

Build the app surface bundle (surface + route specs + middleware specs).

type () => AppSurfaceSpec

snapshot_path

Absolute path to the committed snapshot JSON file.

type string

expected_public_routes

Expected public routes, e.g. ['GET /health', 'POST /api/account/login'].

type Array<string>

expected_api_middleware

Expected middleware names for API routes, e.g. ['origin', 'session', 'request_context', 'bearer_auth'].

type Array<string>

roles

All roles in the app (e.g. ['admin', 'keeper']).

type Array<string>

api_path_prefix

Path prefix for middleware stack assertion. Default '/api/'.

type string

security_policy

Security policy configuration. Omit for sensible defaults.

type SurfaceSecurityPolicyOptions

error_schema_tightness

Error schema tightness assertion config. Defaults to DEFAULT_ERROR_SCHEMA_TIGHTNESS (ignores 401/403/429, min_specificity: 'enum', allowlist seeded with FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST).

Consumer-supplied allowlist and ignore_statuses are additive — the suite merges them underneath the stock defaults, so project-specific entries don't need to re-list fuz_app's own stock routes. Pass a narrower config to extend either list or tighten min_specificity; pass null to skip the assertion and keep the audit log informational-only.

type ErrorSchemaTightnessOptions | null

Depends on
#