fix grasp-audit test isolation to prevent cross-spec relay state corruption

Add Purgatory-prefixed fixture variants (PurgatoryValidRepoSent,
PurgatoryOwnerStateDataPushed) that create independent repos never
shared with the main fixture chain. Purgatory tests that mutate relay
state (replacement announcements, new state events, deletions) now use
these isolated fixtures so they cannot corrupt the repo that
push-authorization tests depend on.

Run purgatory tests before push-auth in the full suite, since push-auth
sends new replaceable state events (kind 30618) for the shared repo_id
that would displace the original served state event.

1 files changed, 30 insertions, 25 deletions

diff --git a/grasp-audit/src/bin/grasp-audit.rs b/grasp-audit/src/bin/grasp-audit.rs
index b3fa0db..d192f04 100644
--- a/grasp-audit/src/bin/grasp-audit.rs
+++ b/grasp-audit/src/bin/grasp-audit.rs
@@ -144,51 +144,56 @@ async fn main() -> Result<()> {
                     println!("Running all tests...\n");
                     let mut all_results = AuditResult::new("All GRASP-01 Tests");
 
-                    // Repository creation tests
+                    // NIP-01 smoke tests (stateless - no shared fixture dependencies)
+                    println!("  → NIP-01 smoke tests...");
+                    let nip01_results = specs::Nip01SmokeTests::run_all(&client).await;
+                    all_results.merge(nip01_results);
+
+                    // NIP-11 document tests (stateless)
+                    println!("  → NIP-11 document tests...");
+                    let nip11_results = specs::Nip11DocumentTests::run_all(&client).await;
+                    all_results.merge(nip11_results);
+
+                    // CORS tests (stateless HTTP checks)
+                    println!("  → CORS tests...");
+                    let cors_results = specs::CorsTests::run_all(&client, &relay_domain).await;
+                    all_results.merge(cors_results);
+
+                    // Repository creation tests (uses ValidRepoSent only - no state events)
                     println!("  → Repository creation tests...");
                     let repo_results = specs::RepositoryCreationTests::run_all(&client, &relay_domain).await;
                     all_results.merge(repo_results);
 
-                    // Git clone tests
+                    // Git clone tests (uses ValidRepoSent only - no state events)
                     println!("  → Git clone tests...");
                     let clone_results = specs::GitCloneTests::run_all(&client, &relay_domain).await;
                     all_results.merge(clone_results);
 
-                    // Git filter capability tests
+                    // Git filter capability tests (uses ValidRepoSent only - no state events)
                     println!("  → Git filter capability tests...");
                     let filter_results = specs::GitFilterTests::run_all(&client, &relay_domain).await;
                     all_results.merge(filter_results);
 
-                    // Push authorization tests
-                    println!("  → Push authorization tests...");
-                    let push_results = specs::PushAuthorizationTests::run_all(&client, &relay_domain).await;
-                    all_results.merge(push_results);
-
-                    // Event acceptance policy tests
+                    // Event acceptance policy tests (uses ValidRepoServed - no extra state events)
                     println!("  → Event acceptance policy tests...");
                     let event_results = specs::EventAcceptancePolicyTests::run_all(&client).await;
                     all_results.merge(event_results);
 
-                    // NIP-01 smoke tests
-                    println!("  → NIP-01 smoke tests...");
-                    let nip01_results = specs::Nip01SmokeTests::run_all(&client).await;
-                    all_results.merge(nip01_results);
-
-                    // NIP-11 document tests
-                    println!("  → NIP-11 document tests...");
-                    let nip11_results = specs::Nip11DocumentTests::run_all(&client).await;
-                    all_results.merge(nip11_results);
-
-                    // CORS tests
-                    println!("  → CORS tests...");
-                    let cors_results = specs::CorsTests::run_all(&client, &relay_domain).await;
-                    all_results.merge(cors_results);
-
-                    // Purgatory tests
+                    // Purgatory tests MUST run before push-auth.
+                    // Push-auth sends new replaceable state events (kind 30618) for the same
+                    // repo_id as OwnerStateDataPushed (e.g. test_head_set_after_git_push_with_required_oids
+                    // sends a develop1 state event that displaces the original). If purgatory ran
+                    // after push-auth, is_event_on_relay(original_id) would return false because
+                    // the original state event has been replaced on the relay.
                     println!("  → Purgatory tests...");
                     let purgatory_results = specs::PurgatoryTests::run_all(&client).await;
                     all_results.merge(purgatory_results);
 
+                    // Push authorization tests (mutates shared state - must run last among git specs)
+                    println!("  → Push authorization tests...");
+                    let push_results = specs::PushAuthorizationTests::run_all(&client, &relay_domain).await;
+                    all_results.merge(push_results);
+
                     println!();
                     all_results
                 }