2 files changed, 200 insertions, 209 deletions
diff --git a/grasp-audit/src/fixtures.rs b/grasp-audit/src/fixtures.rs
index d894ed8..5e8c50a 100644
--- a/grasp-audit/src/fixtures.rs
+++ b/grasp-audit/src/fixtures.rs
@@ -222,6 +222,31 @@ pub enum FixtureKind {
    /// - Points to MAINTAINER_DETERMINISTIC_COMMIT_HASH
    /// - Git push verified to succeed (force push with maintainer's state event authorizes the commit)
    MaintainerStateDataPushed,
+    /// Recursive maintainer's state event with git data successfully pushed (full 4-stage fixture)
+    ///
+    /// This fixture tests that a recursive maintainer (authorized via maintainer chain) can
+    /// authorize pushes. The recursive maintainer is listed in the maintainer's announcement,
+    /// not the owner's announcement, so this tests the recursive maintainer traversal.
+    ///
+    /// GRASP-01: "respecting the recursive maintainer set"
+    ///
+    /// Chain: Owner -> Maintainer -> RecursiveMaintainer
+    ///
+    /// Stages:
+    /// 1. **Generated**: Creates MaintainerStateDataPushed (includes ValidRepo + OwnerStateDataPushed)
+    ///                   + MaintainerAnnouncement (maintainer's announcement listing recursive maintainer)
+    ///                   + RecursiveMaintainerState (recursive maintainer's state event)
+    /// 2. **Sent**: Sends events to relay
+    /// 3. **Verified**: Confirms events accepted by relay
+    /// 4. **DataPushed**: Clones repo, creates recursive maintainer deterministic commit, pushes to relay
+    ///
+    /// - Requires MaintainerStateDataPushed (establishes Owner -> Maintainer chain with git data)
+    /// - Sends MaintainerAnnouncement (establishes Maintainer -> RecursiveMaintainer connection)
+    /// - State event signed by recursive maintainer keys (`client.recursive_maintainer_keys()`)
+    /// - Points to RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH
+    /// - Git push verified to succeed (recursive maintainer's state event authorizes the commit)
+    RecursiveMaintainerStateDataPushed,
 }
 impl FixtureKind {
@@ -251,6 +276,10 @@ impl FixtureKind {
            // MaintainerStateDataPushed depends on OwnerStateDataPushed
            // (maintainer force-pushes over owner's data)
            Self::MaintainerStateDataPushed => vec![Self::OwnerStateDataPushed],
+            
+            // RecursiveMaintainerStateDataPushed depends on MaintainerStateDataPushed
+            // (recursive maintainer force-pushes over maintainer's data)
+            Self::RecursiveMaintainerStateDataPushed => vec![Self::MaintainerStateDataPushed],
        }
    }
@@ -264,6 +293,7 @@ impl FixtureKind {
            // These fixtures send events and push git data internally
            Self::OwnerStateDataPushed => true,
            Self::MaintainerStateDataPushed => true,
+            Self::RecursiveMaintainerStateDataPushed => true,
            // RecursiveMaintainerRepoAndState sends multiple events internally
            Self::RecursiveMaintainerRepoAndState => true,
            // All other fixtures return a single event for the caller to send
@@ -730,6 +760,10 @@ impl<'a> TestContext<'a> {
            FixtureKind::MaintainerStateDataPushed => {
                self.build_maintainer_state_data_pushed().await
            }
+            FixtureKind::RecursiveMaintainerStateDataPushed => {
+                self.build_recursive_maintainer_state_data_pushed().await
+            }
        }
    }
@@ -1189,6 +1223,153 @@ impl<'a> TestContext<'a> {
        }
    }
+    /// Build RecursiveMaintainerStateDataPushed fixture: full 4-stage fixture for recursive maintainer push authorization
+    ///
+    /// This tests that a recursive maintainer (authorized via maintainer chain) can authorize pushes.
+    /// The recursive maintainer is listed in the maintainer's announcement, not the owner's announcement,
+    /// so this tests the recursive maintainer traversal (Owner -> Maintainer -> RecursiveMaintainer).
+    ///
+    /// Depends on MaintainerStateDataPushed - the maintainer's data has already been pushed.
+    /// We then send the MaintainerAnnouncement (which lists the recursive maintainer), and the
+    /// recursive maintainer force-pushes their commit on top.
+    ///
+    /// # Returns
+    /// The recursive maintainer's state event (kind 30618) after all stages complete successfully
+    async fn build_recursive_maintainer_state_data_pushed(&self) -> Result<Event> {
+        use nostr_sdk::prelude::*;
+        // ============================================================
+        // Stage 1: MaintainerStateDataPushed is ensured by ensure_fixture before this is called
+        // The owner's repo, owner's state event, and maintainer's state event are already on the relay,
+        // and maintainer's git data is pushed
+        // ============================================================
+        let maintainer_state = self.get_cached_dependency(FixtureKind::MaintainerStateDataPushed)?;
+        
+        // Extract repo_id from maintainer's state event (same d-tag structure)
+        let repo_id = self.extract_repo_id(&maintainer_state)?;
+        
+        // Get the repo (ValidRepo, also cached) for the owner's npub
+        let repo = self.get_cached_dependency(FixtureKind::ValidRepo)?;
+        // ============================================================
+        // Stage 2: Send MaintainerAnnouncement (establishes Maintainer -> RecursiveMaintainer chain)
+        // ============================================================
+        let maintainer_announcement = self.build_maintainer_announcement(&repo_id).await?;
+        self.client.send_event(maintainer_announcement).await?;
+        // Build recursive maintainer's state event
+        let base_time = Timestamp::now().as_u64();
+        let recursive_maintainer_timestamp = Timestamp::from(base_time - 2); // 2 seconds ago (most recent)
+        let recursive_maintainer_state_event = self
+            .client
+            .event_builder(Kind::Custom(30618), "")
+            .tag(Tag::identifier(&repo_id))
+            .tag(Tag::custom(
+                TagKind::custom("refs/heads/main"),
+                vec![RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH.to_string()],
+            ))
+            .tag(Tag::custom(
+                TagKind::custom("HEAD"),
+                vec!["ref: refs/heads/main".to_string()],
+            ))
+            .custom_time(recursive_maintainer_timestamp)
+            .build(self.client.recursive_maintainer_keys())
+            .map_err(|e| anyhow::anyhow!("Failed to build recursive maintainer state event: {}", e))?;
+        // Send recursive maintainer state event to relay
+        self.client.send_event(recursive_maintainer_state_event.clone()).await?;
+        // ============================================================
+        // Stage 3: Verify state event was accepted
+        // ============================================================
+        tokio::time::sleep(std::time::Duration::from_millis(200)).await;
+        // ============================================================
+        // Stage 4: DataPushed - Clone repo, create recursive maintainer commit, push
+        // ============================================================
+        
+        // Get relay domain from connected relay
+        let relay_domain = self.get_relay_domain().await?;
+        // Use owner's npub for cloning (repo belongs to owner)
+        let npub = repo
+            .pubkey
+            .to_bech32()
+            .map_err(|e| anyhow::anyhow!("Failed to convert pubkey to bech32: {}", e))?;
+        // Clone the repository
+        let clone_path = clone_repo(&relay_domain, &npub, &repo_id)
+            .map_err(|e| anyhow::anyhow!("Failed to clone repo: {}", e))?;
+        // Cleanup helper (always clean up on error or success)
+        let cleanup = |path: &PathBuf| {
+            let _ = fs::remove_dir_all(path);
+        };
+        // Reset to orphan state and create deterministic root commit
+        // Step 1: Create orphan branch (removes all history)
+        let _ = Command::new("git")
+            .args(["checkout", "--orphan", "main-new"])
+            .current_dir(&clone_path)
+            .output();
+        // Step 2: Clear staged files (orphan keeps files staged from previous branch)
+        let _ = Command::new("git")
+            .args(["rm", "-rf", "--cached", "."])
+            .current_dir(&clone_path)
+            .output();
+        // Step 3: Create deterministic commit using recursive maintainer variant
+        let commit_hash = match create_deterministic_commit_with_variant(
+            &clone_path,
+            CommitVariant::RecursiveMaintainer,
+        ) {
+            Ok(h) => h,
+            Err(e) => {
+                cleanup(&clone_path);
+                return Err(anyhow::anyhow!("Failed to create recursive maintainer commit: {}", e));
+            }
+        };
+        // Step 4: Replace main branch with our new orphan branch
+        let _ = Command::new("git")
+            .args(["branch", "-D", "main"])
+            .current_dir(&clone_path)
+            .output();
+        let _ = Command::new("git")
+            .args(["branch", "-m", "main"])
+            .current_dir(&clone_path)
+            .output();
+        // Verify commit hash matches expected
+        if commit_hash != RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH {
+            cleanup(&clone_path);
+            return Err(anyhow::anyhow!(
+                "Recursive maintainer commit hash mismatch: got {}, expected {}",
+                commit_hash,
+                RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH
+            ));
+        }
+        // Push to relay
+        let push_result = try_push(&clone_path);
+        cleanup(&clone_path);
+        match push_result {
+            Ok(true) => Ok(recursive_maintainer_state_event),
+            Ok(false) => Err(anyhow::anyhow!(
+                "Push was rejected but should have been accepted. \
+                The recursive maintainer published a state event with commit {}, \
+                and the relay should authorize pushes matching this state event \
+                through recursive maintainer traversal (Owner -> Maintainer -> RecursiveMaintainer).",
+                RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH
+            )),
+            Err(e) => Err(anyhow::anyhow!("Push error: {}", e)),
+        }
+    }
    /// Get relay domain (host:port) from the connected relay
    ///
    /// Extracts the domain from the relay URL for git HTTP operations.
diff --git a/grasp-audit/src/specs/grasp01/push_authorization.rs b/grasp-audit/src/specs/grasp01/push_authorization.rs
index f6a2314..2e14953 100644
--- a/grasp-audit/src/specs/grasp01/push_authorization.rs
+++ b/grasp-audit/src/specs/grasp01/push_authorization.rs
@@ -35,7 +35,7 @@ use crate::{
    clone_repo, create_commit, create_deterministic_commit,
    create_deterministic_commit_with_variant, try_push, try_push_to_ref, AuditClient,
    CommitVariant, FixtureKind, TestContext, TestResult, DETERMINISTIC_COMMIT_HASH,
-    MAINTAINER_DETERMINISTIC_COMMIT_HASH, RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH,
+    MAINTAINER_DETERMINISTIC_COMMIT_HASH,
 };
 use nostr_sdk::prelude::*;
 use std::fs;
@@ -814,234 +814,44 @@ impl PushAuthorizationTests {
    /// Test push authorized by recursive maintainer state event
    ///
    /// GRASP-01: "respecting the recursive maintainer set"
-    /// This tests recursive maintainer chains: Owner -> MaintainerA -> MaintainerB
+    /// This tests recursive maintainer chains: Owner -> Maintainer -> RecursiveMaintainer
    ///
-    /// ## Fixture-First Pattern
+    /// This test uses the RecursiveMaintainerStateDataPushed fixture which handles all 4 stages:
-    ///
+    /// 1. **Generated**: Creates MaintainerStateDataPushed (owner's + maintainer's data pushed)
-    /// 1. **Generate**: Create TestContext and get fixture chain:
+    ///                   + MaintainerAnnouncement (maintainer lists recursive maintainer)
-    ///    - RepoState (owner's repo announcement + state event)
+    ///                   + RecursiveMaintainerState (recursive maintainer's state event)
-    ///    - MaintainerAnnouncement (maintainer lists recursive-maintainer)
+    /// 2. **Sent**: Sends events to relay
-    ///    - MaintainerState (maintainer's state event)
+    /// 3. **Verified**: Confirms events accepted by relay
-    ///    - RecursiveMaintainerRepoAndState (recursive maintainer's announcement + state)
+    /// 4. **DataPushed**: Clones repo, creates recursive maintainer deterministic commit, pushes to relay
-    /// 2. **Send**: Clone repo, create recursive maintainer deterministic commit, push
-    /// 3. **Verify**: Push should succeed because recursive maintainer's state event authorizes it
    ///
-    /// The fixture chain establishes: Owner -> Maintainer -> RecursiveMaintainer
+    /// The test wraps the fixture result in pass/fail using the error message.
-    /// Each level publishes announcements that authorize the next level.
+    #[allow(unused_variables)]  // relay_domain is now handled by fixture
    pub async fn test_push_authorized_by_recursive_maintainer_state(
        client: &AuditClient,
        relay_domain: &str,
    ) -> TestResult {
-        use std::process::Command;
        let test_name = "test_push_authorized_by_recursive_maintainer_state";
-        // ============================================================
-        // Step 1: GENERATE - Create TestContext and get fixture chain
-        // ============================================================
        let ctx = TestContext::new(client);
-        // Get RepoState fixture (owner's repo announcement + state event)
+        // The RecursiveMaintainerStateDataPushed fixture handles all stages:
-        let state_event = match ctx.get_fixture(FixtureKind::RepoState).await {
+        // Generate → Send → Verify → DataPush
-            Ok(e) => e,
+        match ctx.get_fixture(FixtureKind::RecursiveMaintainerStateDataPushed).await {
-            Err(e) => {
+            Ok(_recursive_maintainer_state_event) => {
-                return TestResult::new(
+                TestResult::new(
-                    test_name,
-                    "GRASP-01",
-                    "Push authorized by recursive maintainer state event",
-                )
-                .fail(format!("Failed to create RepoState fixture: {}", e));
-            }
-        };
-        // Get MaintainerAnnouncement fixture (maintainer's repo announcement listing recursive maintainer)
-        match ctx.get_fixture(FixtureKind::MaintainerAnnouncement).await {
-            Ok(_) => {}
-            Err(e) => {
-                return TestResult::new(
-                    test_name,
-                    "GRASP-01",
-                    "Push authorized by recursive maintainer state event",
-                )
-                .fail(format!(
-                    "Failed to create MaintainerAnnouncement fixture: {}",
-                    e
-                ));
-            }
-        };
-        // Get MaintainerState fixture (maintainer's state event)
-        match ctx.get_fixture(FixtureKind::MaintainerState).await {
-            Ok(_) => {}
-            Err(e) => {
-                return TestResult::new(
-                    test_name,
-                    "GRASP-01",
-                    "Push authorized by recursive maintainer state event",
-                )
-                .fail(format!("Failed to create MaintainerState fixture: {}", e));
-            }
-        };
-        // Get RecursiveMaintainerRepoAndState fixture (completes 3-level delegation chain)
-        match ctx
-            .get_fixture(FixtureKind::RecursiveMaintainerRepoAndState)
-            .await
-        {
-            Ok(_) => {}
-            Err(e) => {
-                return TestResult::new(
-                    test_name,
-                    "GRASP-01",
-                    "Push authorized by recursive maintainer state event",
-                )
-                .fail(format!(
-                    "Failed to create RecursiveMaintainerRepoAndState fixture: {}",
-                    e
-                ));
-            }
-        };
-        tokio::time::sleep(std::time::Duration::from_millis(200)).await;
-        // Extract repo_id and npub from owner's state event
-        let repo_id = match state_event
-            .tags
-            .iter()
-            .find(|t| t.kind() == TagKind::d())
-            .and_then(|t| t.content())
-        {
-            Some(id) => id.to_string(),
-            None => {
-                return TestResult::new(
-                    test_name,
-                    "GRASP-01",
-                    "Push authorized by recursive maintainer state event",
-                )
-                .fail("Missing repo_id in state event");
-            }
-        };
-        let npub = match state_event.pubkey.to_bech32() {
-            Ok(n) => n,
-            Err(e) => {
-                return TestResult::new(
-                    test_name,
-                    "GRASP-01",
-                    "Push authorized by recursive maintainer state event",
-                )
-                .fail(format!("Failed to convert pubkey to bech32: {}", e));
-            }
-        };
-        // ============================================================
-        // Step 2: SEND - Clone, create recursive maintainer commit, push
-        // ============================================================
-        let clone_path = match clone_repo(relay_domain, &npub, &repo_id) {
-            Ok(p) => p,
-            Err(e) => {
-                return TestResult::new(
                    test_name,
                    "GRASP-01",
                    "Push authorized by recursive maintainer state event",
                )
-                .fail(&e);
+                .pass()
            }
-        };
-        let cleanup = || {
-            let _ = fs::remove_dir_all(&clone_path);
-        };
-        // Reset to orphan state and create deterministic root commit
-        // Step 1: Create orphan branch (removes all history)
-        let _ = Command::new("git")
-            .args(["checkout", "--orphan", "main-new"])
-            .current_dir(&clone_path)
-            .output();
-        // Step 2: Clear staged files (orphan keeps files staged from previous branch)
-        let _ = Command::new("git")
-            .args(["rm", "-rf", "--cached", "."])
-            .current_dir(&clone_path)
-            .output();
-        // Step 3: Create recursive maintainer deterministic commit
-        let commit_hash = match create_deterministic_commit_with_variant(
-            &clone_path,
-            CommitVariant::RecursiveMaintainer,
-        ) {
-            Ok(h) => h,
            Err(e) => {
-                cleanup();
+                TestResult::new(
-                return TestResult::new(
                    test_name,
                    "GRASP-01",
                    "Push authorized by recursive maintainer state event",
                )
-                .fail(format!(
+                .fail(format!("{}", e))
-                    "Failed to create recursive maintainer commit: {}",
-                    e
-                ));
            }
-        };
-        // Step 4: Replace main branch with our new orphan branch
-        let _ = Command::new("git")
-            .args(["branch", "-D", "main"])
-            .current_dir(&clone_path)
-            .output();
-        let _ = Command::new("git")
-            .args(["branch", "-m", "main"])
-            .current_dir(&clone_path)
-            .output();
-        // Verify commit hash matches expected
-        if commit_hash != RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH {
-            cleanup();
-            return TestResult::new(
-                test_name,
-                "GRASP-01",
-                "Push authorized by recursive maintainer state event",
-            )
-            .fail(format!(
-                "Recursive maintainer commit hash mismatch: got {}, expected {}",
-                commit_hash, RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH
-            ));
-        }
-        // ============================================================
-        // Step 3: VERIFY - Push should succeed because recursive
-        // maintainer's state event authorizes this commit
-        // ============================================================
-        let push_result = try_push(&clone_path);
-        cleanup();
-        match push_result {
-            Ok(true) => TestResult::new(
-                test_name,
-                "GRASP-01",
-                "Push authorized by recursive maintainer state event",
-            )
-            .pass(),
-            Ok(false) => TestResult::new(
-                test_name,
-                "GRASP-01",
-                "Push authorized by recursive maintainer state event",
-            )
-            .fail(format!(
-                "Push was rejected but should have been accepted. \
-                The recursive maintainer published a state event with commit {}, \
-                and the relay should authorize pushes matching this state event \
-                through recursive maintainer traversal (Owner -> Maintainer -> RecursiveMaintainer).",
-                RECURSIVE_MAINTAINER_DETERMINISTIC_COMMIT_HASH
-            )),
-            Err(e) => TestResult::new(
-                test_name,
-                "GRASP-01",
-                "Push authorized by recursive maintainer state event",
-            )
-            .fail(format!("Push error: {}", e)),
        }
    }