mizan-fastapi e2e — example app + Playwright harness, 14/14 green

Demonstration milestone. The substrate work earlier in the session
established that mizan-fastapi can dispatch RPC, bundle context
fetches, and emit invalidation envelopes via TestClient (in-process
ASGI). This commit closes the demonstration gap: a real FastAPI server
on port 8001 + a real React harness on port 5175 + Playwright in real
Chromium, exercising generated hooks.

What ships:

backends/mizan-fastapi/src/mizan_fastapi/cli.py — schema-export CLI:
- `python -m mizan_fastapi.cli <module>` imports the named module
  (triggering @client decorations + register() side effects), then
  prints the OpenAPI schema to stdout. Mirrors mizan-django's
  `manage.py export_mizan_schema` so the codegen consumes either
  backend the same subprocess way.

backends/mizan-django/generate/generator/lib/fetch.mjs — codegen now
dispatches on source.django vs source.fastapi. Refactored the
subprocess plumbing into a shared runSubprocess helper. The codegen
package is still named "mizan-django" by historical accident — it's
the framework-agnostic CLI now (a rename for later).

backends/mizan-fastapi/src/mizan_fastapi/executor.py — bug fix:
mizan_core's @client decorator normalizes auth=True to
meta['auth']='required'. The executor's match was only handling True,
not 'required', so any auth-required endpoint failed with
INTERNAL_ERROR. Now matches both. Caught when wiring up the FastAPI
example backend's whoami fixture; would have surfaced first time any
real FastAPI app used auth=True.

backends/mizan-fastapi/tests/test_dispatch.py — added AuthTests
covering the auth=True path so the bug fix has unit coverage. Suite
now 12/12.

examples/fastapi-react-site/ — parallel to examples/django-react-site/:
- backend/main.py: FastAPI app with 11 @client fixtures matching the
  harness surface (echo, add, multiply, whoami, staff/superuser/
  verified-only, notImplementedFn, buggyFn, permissionCheckFn,
  current_user context). Drops Django-only stuff (forms, channels,
  ws-whoami, session-bound JWT).
- harness/: vite proxy → FastAPI on 8001; generated api/ produced by
  the codegen against fastapi.config.mjs.
- mizan.spec.ts: Playwright suite, 14 tests covering the same axes
  as Django minus channel-chat.
- ContextCurrentUser fixture renders 'loading' until data arrives
  rather than emitting <pre>null</pre> — fixes a race the Django
  harness has too (just doesn't trip in practice).

Verified:
- mizan-fastapi unit:    12/12 (incl. new auth=True coverage)
- mizan-fastapi e2e:     14/14 (Playwright via real Chromium)
- mizan-core unit:       15/15
- mizan-django unit:     348 pass, 21 skip
- AFI conformance:        3/3
- mizan-django e2e:      14/15 (1 skip — channels, deferred)

What remains for FastAPI side:
- Dockerfile.test + docker-compose.test.yml so CI can run the e2e
  in the same containerized way as the Django example.
- Makefile test-integration target for symmetry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

examples/fastapi-react-site/backend/main.py

@@ -0,0 +1,167 @@
+"""
+Example FastAPI app for the e2e harness — mirrors the surface that
+examples/django-react-site/backend/testapp/clients.py exercises, minus
+Django-only features (forms, channels, ws-whoami, session-bound JWT).
+
+The fixture functions are designed to drive specific Playwright tests:
+- success-path RPC (echo, add, multiply)
+- auth requirements (whoami, staff_only, superuser_only, verified_only)
+- error codes (not_implemented_fn, buggy_fn, permission_check_fn)
+- a global context (current_user) for the bundled-fetch path
+
+Anonymous access is the default — request.state.user is left unset so
+the auth-required functions return UNAUTHORIZED, matching the harness
+expectations for an anonymous browser session.
+"""
+
+from __future__ import annotations
+
+from fastapi import FastAPI
+from fastapi.exceptions import RequestValidationError
+from pydantic import BaseModel
+
+from mizan_core.client.function import client
+from mizan_core.registry import register
+from mizan_fastapi import (
+    Forbidden,
+    MizanError,
+    mizan_exception_handler,
+    mizan_validation_handler,
+    router as mizan_router,
+)
+
+
+# ─── Output shapes ──────────────────────────────────────────────────────────
+
+
+class EchoOutput(BaseModel):
+    message: str
+
+
+class AddOutput(BaseModel):
+    result: int
+
+
+class MultiplyOutput(BaseModel):
+    product: int
+
+
+class UserOutput(BaseModel):
+    email: str
+    authenticated: bool
+    is_staff: bool = False
+
+
+class MessageOutput(BaseModel):
+    message: str
+
+
+# ─── Fixture functions ──────────────────────────────────────────────────────
+
+
+@client
+def echo(request, text: str) -> EchoOutput:
+    """Echoes the input text."""
+    return EchoOutput(message=text)
+
+
+@client
+def add(request, a: int, b: int) -> AddOutput:
+    """Returns a + b."""
+    return AddOutput(result=a + b)
+
+
+@client
+def multiply(request, x: int, y: int) -> MultiplyOutput:
+    """Returns x * y."""
+    return MultiplyOutput(product=x * y)
+
+
+@client(auth=True)
+def whoami(request) -> UserOutput:
+    """Returns the authenticated user's identity. Anonymous → UNAUTHORIZED."""
+    user = request.state.user
+    return UserOutput(
+        email=getattr(user, "email", ""),
+        authenticated=True,
+        is_staff=getattr(user, "is_staff", False),
+    )
+
+
+@client(auth="staff")
+def staff_only(request) -> MessageOutput:
+    """Staff-only endpoint."""
+    return MessageOutput(message="staff access ok")
+
+
+@client(auth="superuser")
+def superuser_only(request) -> MessageOutput:
+    """Superuser-only endpoint."""
+    return MessageOutput(message="superuser access ok")
+
+
+def _is_verified(request) -> bool:
+    user = getattr(getattr(request, "state", None), "user", None)
+    return bool(user) and getattr(user, "is_verified", False)
+
+
+@client(auth=_is_verified)
+def verified_only(request) -> MessageOutput:
+    """Verified-users-only endpoint. Anonymous → FORBIDDEN."""
+    return MessageOutput(message="verified access ok")
+
+
+@client
+def not_implemented_fn(request) -> MessageOutput:
+    """Always raises NotImplementedError → NOT_IMPLEMENTED."""
+    raise NotImplementedError("This function is intentionally not implemented")
+
+
+@client
+def buggy_fn(request) -> MessageOutput:
+    """Always raises a generic exception → INTERNAL_ERROR."""
+    raise RuntimeError("Intentional bug for e2e testing")
+
+
+@client
+def permission_check_fn(request, secret: str) -> MessageOutput:
+    """Wrong secret → FORBIDDEN; correct secret → success."""
+    if secret != "open-sesame":
+        raise Forbidden("Invalid secret")
+    return MessageOutput(message="access granted")
+
+
+@client(context="global")
+def current_user(request) -> UserOutput:
+    """The global context — auto-mounted at the React root."""
+    user = getattr(getattr(request, "state", None), "user", None)
+    return UserOutput(
+        email=getattr(user, "email", "") if user else "",
+        authenticated=bool(user) and getattr(user, "is_authenticated", False),
+        is_staff=getattr(user, "is_staff", False) if user else False,
+    )
+
+
+# ─── Registration ───────────────────────────────────────────────────────────
+
+
+register(echo, "echo")
+register(add, "add")
+register(multiply, "multiply")
+register(whoami, "whoami")
+register(staff_only, "staff_only")
+register(superuser_only, "superuser_only")
+register(verified_only, "verified_only")
+register(not_implemented_fn, "not_implemented_fn")
+register(buggy_fn, "buggy_fn")
+register(permission_check_fn, "permission_check_fn")
+register(current_user, "current_user")
+
+
+# ─── App ────────────────────────────────────────────────────────────────────
+
+
+app = FastAPI(title="mizan-fastapi e2e example")
+app.include_router(mizan_router, prefix="/api/mizan")
+app.add_exception_handler(MizanError, mizan_exception_handler)
+app.add_exception_handler(RequestValidationError, mizan_validation_handler)