@alteran/astro 0.1.0

package/src/pages/xrpc/com.atproto.server.createSession.ts

@@ -0,0 +1,92 @@
+import type { APIContext } from 'astro';
+import { signJwt } from '@alteran/lib/jwt';
+import { readJson } from '@alteran/lib/util';
+import { drizzle } from 'drizzle-orm/d1';
+import { login_attempts } from '@alteran/db/schema';
+import { eq } from 'drizzle-orm';
+
+export const prerender = false;
+
+const MAX_LOGIN_ATTEMPTS = 5;
+const LOCKOUT_DURATION_SEC = 15 * 60; // 15 minutes
+
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const clientIp = request.headers.get('cf-connecting-ip') || request.headers.get('x-forwarded-for') || 'unknown';
+
+  const db = drizzle(env.DB);
+  const now = Math.floor(Date.now() / 1000);
+
+  // Check if IP is locked out
+  const attempt = await db.select().from(login_attempts).where(eq(login_attempts.ip, clientIp)).get();
+  if (attempt && attempt.locked_until && attempt.locked_until > now) {
+    const remainingSeconds = attempt.locked_until - now;
+    return new Response(
+      JSON.stringify({
+        error: 'RateLimitExceeded',
+        message: `Account locked due to too many failed attempts. Try again in ${Math.ceil(remainingSeconds / 60)} minutes.`
+      }),
+      { status: 429, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+
+  const { identifier, password } = await readJson(request).catch(() => ({ identifier: '', password: '' }));
+  const ok = !!password && password === (env.USER_PASSWORD ?? 'changeme');
+
+  if (!ok) {
+    // Track failed attempt
+    const currentAttempts = (attempt?.attempts || 0) + 1;
+    const lockedUntil = currentAttempts >= MAX_LOGIN_ATTEMPTS ? now + LOCKOUT_DURATION_SEC : null;
+
+    if (attempt) {
+      await db.update(login_attempts)
+        .set({
+          attempts: currentAttempts,
+          locked_until: lockedUntil,
+          last_attempt: now
+        })
+        .where(eq(login_attempts.ip, clientIp))
+        .run();
+    } else {
+      await db.insert(login_attempts).values({
+        ip: clientIp,
+        attempts: currentAttempts,
+        locked_until: lockedUntil,
+        last_attempt: now,
+      }).run();
+    }
+
+    if (lockedUntil) {
+      return new Response(
+        JSON.stringify({
+          error: 'RateLimitExceeded',
+          message: 'Too many failed login attempts. Account locked for 15 minutes.'
+        }),
+        { status: 429, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    return new Response(
+      JSON.stringify({
+        error: 'AuthRequired',
+        message: 'Invalid credentials'
+      }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+
+  // Successful login - reset attempts
+  if (attempt) {
+    await db.delete(login_attempts).where(eq(login_attempts.ip, clientIp)).run();
+  }
+
+  const did = env.PDS_DID ?? 'did:example:single-user';
+  const handle = env.PDS_HANDLE ?? identifier ?? 'user.example';
+  const jti = crypto.randomUUID();
+  const accessJwt = await signJwt(env, { sub: did, handle, t: 'access' }, 'access');
+  const refreshJwt = await signJwt(env, { sub: did, handle, t: 'refresh', jti }, 'refresh');
+
+  return new Response(JSON.stringify({ did, handle, accessJwt, refreshJwt }), {
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/pages/xrpc/com.atproto.server.deleteSession.ts

@@ -0,0 +1,25 @@
+import type { APIContext } from 'astro';
+
+export const prerender = false;
+
+/**
+ * com.atproto.server.deleteSession
+ * Delete the current session (logout)
+ */
+export async function POST({ locals }: APIContext) {
+  const { env } = locals.runtime;
+
+  // TODO: Implement proper session revocation
+  // For single-user PDS, we just return success
+  // In a full implementation, this would:
+  // 1. Extract refresh token from Authorization header
+  // 2. Add it to a blacklist/revocation list
+  // 3. Invalidate associated access tokens
+
+  return new Response(JSON.stringify({}), {
+    status: 200,
+    headers: {
+      'Content-Type': 'application/json',
+    },
+  });
+}

package/src/pages/xrpc/com.atproto.server.describeServer.ts

@@ -0,0 +1,17 @@
+import type { APIContext } from 'astro';
+
+export const prerender = false;
+
+export function GET({ locals }: APIContext) {
+  const { env } = locals.runtime;
+  const body = {
+    version: 'experimental',
+    did: env.PDS_DID ?? null,
+    handle: env.PDS_HANDLE ?? null,
+    inviteCodeRequired: false,
+    links: {},
+  };
+  return new Response(JSON.stringify(body), {
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/pages/xrpc/com.atproto.server.getSession.ts

@@ -0,0 +1,46 @@
+import type { APIContext } from 'astro';
+
+export const prerender = false;
+
+/**
+ * com.atproto.server.getSession
+ * Get information about the current session
+ */
+export async function GET({ locals }: APIContext) {
+  const { env } = locals.runtime;
+
+  // TODO: Implement proper session validation from Authorization header
+  // For now, return basic session info for single-user PDS
+
+  const did = env.PDS_DID ?? 'did:example:single-user';
+  const handle = env.PDS_HANDLE ?? 'user.example.com';
+
+  return new Response(
+    JSON.stringify({
+      did,
+      handle,
+      email: 'user@example.com', // Single-user PDS doesn't have email
+      emailConfirmed: true,
+      emailAuthFactor: false,
+      didDoc: {
+        '@context': ['https://www.w3.org/ns/did/v1'],
+        id: did,
+        alsoKnownAs: [`at://${handle}`],
+        verificationMethod: [],
+        service: [
+          {
+            id: '#atproto_pds',
+            type: 'AtprotoPersonalDataServer',
+            serviceEndpoint: `https://${handle}`,
+          },
+        ],
+      },
+    }),
+    {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/json',
+      },
+    }
+  );
+};

package/src/pages/xrpc/com.atproto.server.refreshSession.ts

@@ -0,0 +1,67 @@
+import type { APIContext } from 'astro';
+import { signJwt, verifyJwt } from '@alteran/lib/jwt';
+import { bearerToken } from '@alteran/lib/util';
+import { lazyCleanupExpiredTokens } from '@alteran/lib/token-cleanup';
+import { drizzle } from 'drizzle-orm/d1';
+import { token_revocation } from '@alteran/db/schema';
+import { eq } from 'drizzle-orm';
+
+export const prerender = false;
+
+export async function POST({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const token = bearerToken(request);
+  if (!token) {
+    return new Response(
+      JSON.stringify({ error: 'AuthRequired', message: 'No authorization token provided' }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+
+  const ver = await verifyJwt(env, token).catch(() => null);
+  if (!ver || ver.payload.t !== 'refresh') {
+    return new Response(
+      JSON.stringify({ error: 'InvalidToken', message: 'Invalid or expired refresh token' }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+
+  // Reject if JTI is revoked (single-use refresh tokens)
+  const jtiOld = String(ver.payload.jti || '');
+  if (jtiOld) {
+    const db = drizzle(env.DB);
+    const revoked = await db.select().from(token_revocation).where(eq(token_revocation.jti, jtiOld)).get();
+    if (revoked) {
+      return new Response(
+        JSON.stringify({ error: 'InvalidToken', message: 'Refresh token has already been used' }),
+        { status: 401, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+  }
+
+  const did = String(ver.payload.sub || (env.PDS_DID ?? 'did:example:single-user'));
+  const handle = String(ver.payload.handle || env.PDS_HANDLE || 'user.example');
+
+  // Rotate: generate new token pair with new JTI
+  const jtiNew = crypto.randomUUID();
+  const accessJwt = await signJwt(env, { sub: did, handle, t: 'access' }, 'access');
+  const refreshJwt = await signJwt(env, { sub: did, handle, t: 'refresh', jti: jtiNew }, 'refresh');
+
+  // Revoke old refresh token by inserting into revocation table
+  if (jtiOld && ver.payload.exp) {
+    const db = drizzle(env.DB);
+    const now = Math.floor(Date.now() / 1000);
+    await db.insert(token_revocation).values({
+      jti: jtiOld,
+      exp: Number(ver.payload.exp),
+      revoked_at: now,
+    }).run();
+  }
+
+  // Lazy cleanup of expired tokens (runs 1% of the time)
+  lazyCleanupExpiredTokens(env).catch(console.error);
+
+  return new Response(JSON.stringify({ did, handle, accessJwt, refreshJwt }), {
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/pages/xrpc/com.atproto.sync.getBlocks.json.ts

@@ -0,0 +1,16 @@
+import type { APIContext } from 'astro';
+import { getRecordsByCids as dalGetByCids } from '@alteran/db/dal';
+import { tryParse } from '@alteran/lib/util';
+
+export const prerender = false;
+
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const url = new URL(request.url);
+  const cids = (url.searchParams.get('cids') ?? '').split(',').map((s) => s.trim()).filter(Boolean);
+  const rows = await dalGetByCids(env, cids);
+  const blocks = rows.map((r) => ({ cid: r.cid, value: tryParse(r.json) }));
+  return new Response(JSON.stringify({ blocks }), {
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/pages/xrpc/com.atproto.sync.getBlocks.ts

@@ -0,0 +1,56 @@
+import type { APIContext } from 'astro';
+import { NotFound } from '@alteran/lib/errors';
+import { D1Blockstore } from '@alteran/lib/mst';
+import { CID } from 'multiformats/cid';
+import { encodeExistingBlocksToCAR } from '@alteran/services/car';
+
+export const prerender = false;
+
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const url = new URL(request.url);
+  const cids = (url.searchParams.get('cids') ?? '').split(',').map((s) => s.trim()).filter(Boolean);
+
+  if (!cids.length) {
+    return new Response(
+      JSON.stringify({ error: 'InvalidRequest', message: 'cids parameter required' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+
+  const blockstore = new D1Blockstore(env);
+  const roots: CID[] = [];
+  const blocks: { cid: CID; bytes: Uint8Array }[] = [];
+  const missingCids: string[] = [];
+
+  for (const c of cids) {
+    try {
+      const cid = CID.parse(c);
+      const bytes = await blockstore.get(cid);
+      if (bytes) {
+        roots.push(cid);
+        blocks.push({ cid, bytes });
+      } else {
+        missingCids.push(c);
+      }
+    } catch {
+      missingCids.push(c);
+    }
+  }
+
+  if (missingCids.length > 0) {
+    return new NotFound(
+      `Blocks not found: ${missingCids.join(', ')}`,
+      { missingCids }
+    ).toResponse(locals.requestId);
+  }
+
+  const carBytes = encodeExistingBlocksToCAR(roots, blocks);
+
+  return new Response(carBytes as any, {
+    headers: {
+      'Content-Type': 'application/vnd.ipld.car; version=1',
+      'Content-Disposition': 'inline; filename="blocks.car"',
+    },
+  });
+}

package/src/pages/xrpc/com.atproto.sync.getCheckout.json.ts

@@ -0,0 +1,20 @@
+import type { APIContext } from 'astro';
+import { getRoot as getRepoRoot } from '@alteran/db/repo';
+import { listRecords as dalListRecords } from '@alteran/db/dal';
+import { tryParse } from '@alteran/lib/util';
+
+export const prerender = false;
+
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const url = new URL(request.url);
+  const did = url.searchParams.get('did') ?? (env.PDS_DID ?? 'did:example:single-user');
+  const head = await getRepoRoot(env);
+  const rows = await dalListRecords(env);
+  const records = rows
+    .filter((r) => r.uri.startsWith(`at://${did}/`))
+    .map((r) => ({ uri: r.uri, cid: r.cid, value: tryParse(r.json) }));
+  return new Response(JSON.stringify({ did, head: head?.commitCid ?? null, rev: head?.rev ?? 0, records }), {
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/pages/xrpc/com.atproto.sync.getCheckout.ts

@@ -0,0 +1,43 @@
+import type { APIContext } from 'astro';
+import { buildRepoCar, buildRepoCarRange } from '@alteran/services/car';
+
+export const prerender = false;
+
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const url = new URL(request.url);
+  const did = url.searchParams.get('did') ?? (env.PDS_DID ?? 'did:example:single-user');
+
+  // Support commit range queries
+  const fromParam = url.searchParams.get('from');
+  const toParam = url.searchParams.get('to');
+
+  let car;
+  if (fromParam && toParam) {
+    // Return commits in range [from, to]
+    const fromSeq = parseInt(fromParam, 10);
+    const toSeq = parseInt(toParam, 10);
+
+    if (isNaN(fromSeq) || isNaN(toSeq) || fromSeq < 0 || toSeq < fromSeq) {
+      return new Response(
+        JSON.stringify({
+          error: 'InvalidRequest',
+          message: 'Invalid commit range: from and to must be valid sequence numbers with from <= to'
+        }),
+        { status: 400, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    car = await buildRepoCarRange(env, fromSeq, toSeq);
+  } else {
+    // Return full repo snapshot
+    car = await buildRepoCar(env, did);
+  }
+
+  return new Response(car.bytes as any, {
+    headers: {
+      'Content-Type': 'application/vnd.ipld.car; version=1',
+      'Content-Disposition': 'inline; filename="checkout.car"',
+    },
+  });
+}

package/src/pages/xrpc/com.atproto.sync.getHead.ts

@@ -0,0 +1,11 @@
+import type { APIContext } from 'astro';
+import { getRoot as getRepoRoot } from '@alteran/db/repo';
+
+export const prerender = false;
+
+export async function GET({ locals }: APIContext) {
+  const { env } = locals.runtime;
+  const root = await getRepoRoot(env);
+  if (!root) return new Response(JSON.stringify({ root: null, rev: 0 }), { headers: { 'Content-Type': 'application/json' } });
+  return new Response(JSON.stringify({ root: root.commitCid, rev: root.rev }), { headers: { 'Content-Type': 'application/json' } });
+}

package/src/pages/xrpc/com.atproto.sync.getLatestCommit.ts

@@ -0,0 +1,42 @@
+import type { APIContext } from 'astro';
+import { getRoot } from '@alteran/db/repo';
+
+export const prerender = false;
+
+/**
+ * com.atproto.sync.getLatestCommit
+ * Get the latest commit CID and revision for a repository
+ */
+export async function GET({ locals, url }: APIContext) {
+  const { env } = locals.runtime;
+
+  const did = url.searchParams.get('did') || env.PDS_DID || 'did:example:single-user';
+
+  try {
+    const root = await getRoot(env);
+
+    if (!root) {
+      return new Response(
+        JSON.stringify({ error: 'RepoNotFound' }),
+        { status: 404, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    return new Response(
+      JSON.stringify({
+        cid: root.commitCid,
+        rev: root.rev.toString(),
+      }),
+      {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      }
+    );
+  } catch (error) {
+    console.error('getLatestCommit error:', error);
+    return new Response(
+      JSON.stringify({ error: 'InternalServerError', message: String(error) }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}

package/src/pages/xrpc/com.atproto.sync.getRecord.ts

@@ -0,0 +1,63 @@
+import type { APIContext } from 'astro';
+import { RepoManager } from '@alteran/services/repo-manager';
+import { encodeRecordBlock } from '@alteran/services/car';
+import * as dagCbor from '@ipld/dag-cbor';
+import { CID } from 'multiformats/cid';
+import { sha256 } from 'multiformats/hashes/sha2';
+
+export const prerender = false;
+
+/**
+ * com.atproto.sync.getRecord
+ * Get a single record as a CAR file
+ */
+export async function GET({ locals, url }: APIContext) {
+  const { env } = locals.runtime;
+
+  const did = url.searchParams.get('did') || env.PDS_DID || 'did:example:single-user';
+  const collection = url.searchParams.get('collection');
+  const rkey = url.searchParams.get('rkey');
+
+  if (!collection || !rkey) {
+    return new Response(
+      JSON.stringify({ error: 'InvalidRequest', message: 'collection and rkey required' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+
+  try {
+    const repoManager = new RepoManager(env);
+    const record = await repoManager.getRecord(collection, rkey);
+
+    if (!record) {
+      return new Response(
+        JSON.stringify({ error: 'RecordNotFound' }),
+        { status: 404, headers: { 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Encode the record as a single-block CAR snapshot (root = record CID)
+    const { cid, bytes } = await encodeRecordBlock(record);
+
+    // Minimal CAR encoding (header + single block)
+    const header = dagCbor.encode({ version: 1, roots: [cid] });
+    const varint = (n: number) => { const a:number[]=[]; while(n>=0x80){a.push((n&0x7f)|0x80); n>>>=7;} a.push(n); return new Uint8Array(a); };
+    const concat = (parts: Uint8Array[]) => { const len = parts.reduce((n,p)=>n+p.byteLength,0); const out = new Uint8Array(len); let o=0; for(const p of parts){out.set(p,o); o+=p.byteLength;} return out; };
+    const block = concat([cid.bytes, bytes]);
+    const carBytes = concat([varint(header.byteLength), header, varint(block.byteLength), block]);
+
+    return new Response(carBytes as any, {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/vnd.ipld.car; version=1',
+        'Content-Disposition': 'inline; filename="record.car"',
+      },
+    });
+  } catch (error) {
+    console.error('getRecord error:', error);
+    return new Response(
+      JSON.stringify({ error: 'InternalServerError', message: String(error) }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}

package/src/pages/xrpc/com.atproto.sync.getRepo.json.ts

@@ -0,0 +1,20 @@
+import type { APIContext } from 'astro';
+import { getRoot as getRepoRoot } from '@alteran/db/repo';
+import { listRecords as dalListRecords } from '@alteran/db/dal';
+import { tryParse } from '@alteran/lib/util';
+
+export const prerender = false;
+
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const url = new URL(request.url);
+  const did = url.searchParams.get('did') ?? (env.PDS_DID ?? 'did:example:single-user');
+  const head = await getRepoRoot(env);
+  const rows = await dalListRecords(env);
+  const records = rows
+    .filter((r) => r.uri.startsWith(`at://${did}/`))
+    .map((r) => ({ uri: r.uri, cid: r.cid, value: tryParse(r.json) }));
+  return new Response(JSON.stringify({ did, head: head?.commitCid ?? null, rev: head?.rev ?? 0, records }), {
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/src/pages/xrpc/com.atproto.sync.getRepo.range.ts

@@ -0,0 +1,34 @@
+import type { APIContext } from 'astro';
+import { buildRepoCarRange } from '@alteran/services/car';
+
+export const prerender = false;
+
+/**
+ * Non-standard helper route used by tests to stream a CAR by commit seq range.
+ * Query: ?from=<seq>&to=<seq>
+ */
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const url = new URL(request.url);
+
+  const fromParam = url.searchParams.get('from');
+  const toParam = url.searchParams.get('to');
+
+  const fromSeq = parseInt(String(fromParam ?? ''), 10);
+  const toSeq = parseInt(String(toParam ?? ''), 10);
+
+  if (!Number.isFinite(fromSeq) || !Number.isFinite(toSeq) || fromSeq < 0 || toSeq < fromSeq) {
+    return new Response(
+      JSON.stringify({ error: 'InvalidRequest', message: 'Provide valid numeric from <= to' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    );
+  }
+
+  const car = await buildRepoCarRange(env, fromSeq, toSeq);
+  return new Response(car.bytes as any, {
+    headers: {
+      'Content-Type': 'application/vnd.ipld.car; version=1',
+      'Content-Disposition': 'inline; filename="repo-range.car"',
+    },
+  });
+}

package/src/pages/xrpc/com.atproto.sync.getRepo.ts

@@ -0,0 +1,17 @@
+import type { APIContext } from 'astro';
+import { buildRepoCar } from '@alteran/services/car';
+
+export const prerender = false;
+
+export async function GET({ locals, request }: APIContext) {
+  const { env } = locals.runtime;
+  const url = new URL(request.url);
+  const did = url.searchParams.get('did') ?? (env.PDS_DID ?? 'did:example:single-user');
+  const car = await buildRepoCar(env, did);
+  return new Response(car.bytes as any, {
+    headers: {
+      'content-type': 'application/vnd.ipld.car; version=1',
+      'content-disposition': 'inline; filename="repo.car"',
+    },
+  });
+}

package/src/pages/xrpc/com.atproto.sync.listBlobs.ts

@@ -0,0 +1,53 @@
+import type { APIContext } from 'astro';
+import { drizzle } from 'drizzle-orm/d1';
+import { blob_ref } from '@alteran/db/schema';
+import { eq, gt, and } from 'drizzle-orm';
+
+export const prerender = false;
+
+/**
+ * com.atproto.sync.listBlobs
+ * List blob CIDs for a DID
+ */
+export async function GET({ locals, url }: APIContext) {
+  const { env } = locals.runtime;
+
+  const did = url.searchParams.get('did') || env.PDS_DID || 'did:example:single-user';
+  const since = url.searchParams.get('since') || '';
+  const limit = parseInt(url.searchParams.get('limit') || '500', 10);
+
+  try {
+    const db = drizzle(env.DB);
+
+    const blobs = since
+      ? await db
+          .select()
+          .from(blob_ref)
+          .where(and(eq(blob_ref.did, did), gt(blob_ref.cid, since)))
+          .limit(limit)
+          .all()
+      : await db
+          .select()
+          .from(blob_ref)
+          .where(eq(blob_ref.did, did))
+          .limit(limit)
+          .all();
+
+    return new Response(
+      JSON.stringify({
+        cids: blobs.map(b => b.cid),
+        cursor: blobs.length > 0 ? blobs[blobs.length - 1].cid : undefined,
+      }),
+      {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      }
+    );
+  } catch (error) {
+    console.error('listBlobs error:', error);
+    return new Response(
+      JSON.stringify({ error: 'InternalServerError', message: String(error) }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    );
+  }
+}

package/src/pages/xrpc/com.atproto.sync.listRepos.ts

@@ -0,0 +1,31 @@
+import type { APIContext } from 'astro';
+
+export const prerender = false;
+
+/**
+ * com.atproto.sync.listRepos
+ * List repositories (single-user PDS returns one repo)
+ */
+export async function GET({ locals, url }: APIContext) {
+  const { env } = locals.runtime;
+
+  const did = env.PDS_DID || 'did:example:single-user';
+  const handle = env.PDS_HANDLE || 'user.example.com';
+
+  return new Response(
+    JSON.stringify({
+      repos: [
+        {
+          did,
+          head: '', // TODO: Get from repo_root
+          rev: '', // TODO: Get from repo_root
+          active: true,
+        },
+      ],
+    }),
+    {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    }
+  );
+}