mizan-fastapi e2e — example app + Playwright harness, 14/14 green

Demonstration milestone. The substrate work earlier in the session
established that mizan-fastapi can dispatch RPC, bundle context
fetches, and emit invalidation envelopes via TestClient (in-process
ASGI). This commit closes the demonstration gap: a real FastAPI server
on port 8001 + a real React harness on port 5175 + Playwright in real
Chromium, exercising generated hooks.

What ships:

backends/mizan-fastapi/src/mizan_fastapi/cli.py — schema-export CLI:
- `python -m mizan_fastapi.cli <module>` imports the named module
  (triggering @client decorations + register() side effects), then
  prints the OpenAPI schema to stdout. Mirrors mizan-django's
  `manage.py export_mizan_schema` so the codegen consumes either
  backend the same subprocess way.

backends/mizan-django/generate/generator/lib/fetch.mjs — codegen now
dispatches on source.django vs source.fastapi. Refactored the
subprocess plumbing into a shared runSubprocess helper. The codegen
package is still named "mizan-django" by historical accident — it's
the framework-agnostic CLI now (a rename for later).

backends/mizan-fastapi/src/mizan_fastapi/executor.py — bug fix:
mizan_core's @client decorator normalizes auth=True to
meta['auth']='required'. The executor's match was only handling True,
not 'required', so any auth-required endpoint failed with
INTERNAL_ERROR. Now matches both. Caught when wiring up the FastAPI
example backend's whoami fixture; would have surfaced first time any
real FastAPI app used auth=True.

backends/mizan-fastapi/tests/test_dispatch.py — added AuthTests
covering the auth=True path so the bug fix has unit coverage. Suite
now 12/12.

examples/fastapi-react-site/ — parallel to examples/django-react-site/:
- backend/main.py: FastAPI app with 11 @client fixtures matching the
  harness surface (echo, add, multiply, whoami, staff/superuser/
  verified-only, notImplementedFn, buggyFn, permissionCheckFn,
  current_user context). Drops Django-only stuff (forms, channels,
  ws-whoami, session-bound JWT).
- harness/: vite proxy → FastAPI on 8001; generated api/ produced by
  the codegen against fastapi.config.mjs.
- mizan.spec.ts: Playwright suite, 14 tests covering the same axes
  as Django minus channel-chat.
- ContextCurrentUser fixture renders 'loading' until data arrives
  rather than emitting <pre>null</pre> — fixes a race the Django
  harness has too (just doesn't trip in practice).

Verified:
- mizan-fastapi unit:    12/12 (incl. new auth=True coverage)
- mizan-fastapi e2e:     14/14 (Playwright via real Chromium)
- mizan-core unit:       15/15
- mizan-django unit:     348 pass, 21 skip
- AFI conformance:        3/3
- mizan-django e2e:      14/15 (1 skip — channels, deferred)

What remains for FastAPI side:
- Dockerfile.test + docker-compose.test.yml so CI can run the e2e
  in the same containerized way as the Django example.
- Makefile test-integration target for symmetry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backends/mizan-fastapi/src/mizan_fastapi/cli.py

@@ -0,0 +1,45 @@
+"""
+Schema-export CLI for codegen consumption.
+
+Usage:
+    python -m mizan_fastapi.cli <module>
+
+Imports the named module (whose import side effects must register every
+@client function with mizan_core.registry — typically by `@client` plus
+`register(...)` calls at module top level), then prints the OpenAPI
+schema to stdout as JSON.
+
+Mirrors mizan-django's `manage.py export_mizan_schema` so the codegen
+CLI can fetch from either backend the same subprocess way.
+"""
+
+from __future__ import annotations
+
+import importlib
+import json
+import sys
+
+from .schema import build_schema
+
+
+def main(argv: list[str] | None = None) -> int:
+    args = list(sys.argv[1:] if argv is None else argv)
+    if len(args) != 1:
+        print("usage: python -m mizan_fastapi.cli <module>", file=sys.stderr)
+        return 2
+
+    module_name = args[0]
+    try:
+        importlib.import_module(module_name)
+    except Exception as e:
+        print(f"failed to import {module_name!r}: {e}", file=sys.stderr)
+        return 1
+
+    schema = build_schema()
+    json.dump(schema, sys.stdout)
+    sys.stdout.write("\n")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

backends/mizan-fastapi/src/mizan_fastapi/executor.py

@@ -84,7 +84,7 @@ def _enforce_auth(request: Any, requirement: Any) -> None:
     user = _user(request)
 
     match requirement:
-        case True:
+        case True | "required":
             if not _is_authenticated(user):
                 raise Unauthorized("Authentication required")
         case "staff":

backends/mizan-fastapi/tests/test_dispatch.py

@@ -59,11 +59,16 @@ def app():
     def update_email(request, email: str) -> EchoOutput:
         return EchoOutput(message=f"updated: {email}")
 
+    @client(auth=True)
+    def whoami(request) -> UserOutput:
+        return UserOutput(email="real@example.com", authenticated=True)
+
     register(echo, "echo")
     register(add, "add")
     register(current_user, "current_user")
     register(user_count, "user_count")
     register(update_email, "update_email")
+    register(whoami, "whoami")
 
     fastapi_app = FastAPI()
     fastapi_app.include_router(mizan_router, prefix="/api/mizan")
@@ -147,6 +152,15 @@ class ContextFetchTests:
 # ─── Invalidation ───────────────────────────────────────────────────────────
 
 
+class AuthTests:
+    """The decorator normalizes auth=True → meta['auth']='required'; executor must match both."""
+
+    def test_anonymous_request_to_auth_required_returns_401(self, http):
+        r = http.post("/api/mizan/call/", json={"fn": "whoami", "args": {}})
+        assert r.status_code == 401
+        assert r.json()["error"]["code"] == "UNAUTHORIZED"
+
+
 class InvalidationTests:
     def test_mutation_emits_invalidate_list(self, http):
         r = http.post(