@checkstack/script-packages-backend 0.2.0

package/src/registry-client.test.ts

@@ -0,0 +1,314 @@
+import { afterEach, describe, expect, mock, test } from "bun:test";
+import {
+  searchPackages,
+  getPackageVersions,
+  registryUrlForName,
+  RegistryClientError,
+  type PackageSearchResult,
+} from "./registry-client";
+import type { RegistryRequestConfig } from "./registry-request-config";
+
+const npmRegistry: RegistryRequestConfig = {
+  registryUrl: "https://registry.npmjs.org/",
+  scopedRegistries: [],
+};
+
+const realFetch = globalThis.fetch;
+
+afterEach(() => {
+  globalThis.fetch = realFetch;
+});
+
+/**
+ * Read a header from the recorded `RequestInit` without a type cast: the
+ * client always passes a plain object of string headers, so narrow `unknown`
+ * with zod rather than asserting the type.
+ */
+function headerValue(init: RequestInit | undefined, key: string): string | undefined {
+  const headers = init?.headers;
+  if (!headers) return undefined;
+  if (headers instanceof Headers) return headers.get(key) ?? undefined;
+  if (Array.isArray(headers)) {
+    return headers.find(([k]) => k === key)?.[1];
+  }
+  const value: unknown = headers[key];
+  return typeof value === "string" ? value : undefined;
+}
+
+/** Install a fetch mock that records calls and returns a JSON body. */
+function mockFetch(
+  handler: (url: string, init?: RequestInit) => {
+    ok?: boolean;
+    status?: number;
+    json: unknown;
+  } | Promise<never>,
+) {
+  const calls: { url: string; init?: RequestInit }[] = [];
+  globalThis.fetch = mock(async (input: RequestInfo | URL, init?: RequestInit) => {
+    const url = typeof input === "string" ? input : input.toString();
+    calls.push({ url, init });
+    const result = await handler(url, init);
+    return {
+      ok: result.ok ?? true,
+      status: result.status ?? 200,
+      json: async () => result.json,
+    } as Response;
+  }) as unknown as typeof fetch;
+  return calls;
+}
+
+describe("searchPackages", () => {
+  test("maps objects[].package to name/version/description", async () => {
+    mockFetch(() => ({
+      json: {
+        objects: [
+          { package: { name: "lodash", version: "4.17.21", description: "utils" } },
+          { package: { name: "lodash-es", version: "4.17.21" } },
+        ],
+      },
+    }));
+    const items = await searchPackages({
+      registry: npmRegistry,
+      text: "lodash",
+      now: 1,
+    });
+    expect(items).toEqual([
+      { name: "lodash", version: "4.17.21", description: "utils" },
+      { name: "lodash-es", version: "4.17.21", description: undefined },
+    ]);
+  });
+
+  test("hits the -/v1/search endpoint and caps size at 25", async () => {
+    const calls = mockFetch(() => ({ json: { objects: [] } }));
+    await searchPackages({
+      registry: npmRegistry,
+      text: "react",
+      size: 1000,
+      now: 1,
+    });
+    expect(calls[0].url).toBe(
+      "https://registry.npmjs.org/-/v1/search?text=react&size=25",
+    );
+  });
+
+  test("does NOT send Authorization when no token", async () => {
+    const calls = mockFetch(() => ({ json: { objects: [] } }));
+    await searchPackages({ registry: npmRegistry, text: "no-auth", now: 1 });
+    expect(headerValue(calls[0].init, "authorization")).toBeUndefined();
+  });
+
+  test("sends Authorization: Bearer when a token is set", async () => {
+    const calls = mockFetch(() => ({ json: { objects: [] } }));
+    await searchPackages({
+      registry: { ...npmRegistry, authToken: "s3cret" },
+      text: "with-auth",
+      now: 1,
+    });
+    expect(headerValue(calls[0].init, "authorization")).toBe("Bearer s3cret");
+  });
+
+  test("non-200 → RegistryClientError without the token", async () => {
+    mockFetch(() => ({ ok: false, status: 503, json: {} }));
+    const promise = searchPackages({
+      registry: { ...npmRegistry, authToken: "TOPSECRET" },
+      text: "non-200-case",
+      now: 1,
+    });
+    await expect(promise).rejects.toBeInstanceOf(RegistryClientError);
+    await promise.catch((error: unknown) => {
+      const message = error instanceof Error ? error.message : String(error);
+      expect(message).not.toContain("TOPSECRET");
+    });
+  });
+
+  test("timeout (abort) → RegistryClientError without the token", async () => {
+    // Honor the AbortController: reject only once the signal fires, exactly
+    // as a real timed-out fetch would, so the client sees `signal.aborted`.
+    globalThis.fetch = mock(
+      (_input: RequestInfo | URL, init?: RequestInit) =>
+        new Promise<never>((_resolve, reject) => {
+          init?.signal?.addEventListener("abort", () =>
+            reject(new Error("aborted")),
+          );
+        }),
+    ) as unknown as typeof fetch;
+    const promise = searchPackages({
+      registry: { ...npmRegistry, authToken: "TOPSECRET" },
+      text: "abort-case",
+      now: 1,
+      timeoutMs: 5,
+    });
+    await expect(promise).rejects.toBeInstanceOf(RegistryClientError);
+    await promise.catch((error: unknown) => {
+      const message = error instanceof Error ? error.message : String(error);
+      expect(message).toContain("timed out");
+      expect(message).not.toContain("TOPSECRET");
+    });
+  });
+
+  test("cache returns within TTL, refetches after it expires", async () => {
+    let hits = 0;
+    mockFetch(() => {
+      hits += 1;
+      return {
+        json: {
+          objects: [{ package: { name: `pkg-${hits}`, version: "1.0.0" } }],
+        },
+      };
+    });
+    const a = await searchPackages({
+      registry: npmRegistry,
+      text: "cache-me",
+      now: 1000,
+    });
+    const b = await searchPackages({
+      registry: npmRegistry,
+      text: "cache-me",
+      now: 2000,
+    });
+    expect(hits).toBe(1);
+    expect(b).toEqual(a);
+
+    // Past the 45s TTL → refetch.
+    const c = await searchPackages({
+      registry: npmRegistry,
+      text: "cache-me",
+      now: 1000 + 46_000,
+    });
+    expect(hits).toBe(2);
+    expect(c).not.toEqual(a);
+  });
+});
+
+describe("getPackageVersions", () => {
+  test("returns versions newest-first and parses dist-tags", async () => {
+    mockFetch(() => ({
+      json: {
+        versions: {
+          "1.0.0": {},
+          "1.2.0": {},
+          "1.10.0": {},
+          "2.0.0-rc.1": {},
+        },
+        "dist-tags": { latest: "1.10.0", next: "2.0.0-rc.1" },
+      },
+    }));
+    const result = await getPackageVersions({
+      registry: npmRegistry,
+      name: "lodash",
+      now: 1,
+    });
+    expect(result.versions).toEqual([
+      "2.0.0-rc.1",
+      "1.10.0",
+      "1.2.0",
+      "1.0.0",
+    ]);
+    expect(result.distTags).toEqual({ latest: "1.10.0", next: "2.0.0-rc.1" });
+  });
+
+  test("a release outranks its prerelease of the same core version", async () => {
+    mockFetch(() => ({
+      json: {
+        versions: { "2.0.0": {}, "2.0.0-rc.1": {} },
+        "dist-tags": {},
+      },
+    }));
+    const result = await getPackageVersions({
+      registry: npmRegistry,
+      name: "release-vs-pre",
+      now: 1,
+    });
+    expect(result.versions).toEqual(["2.0.0", "2.0.0-rc.1"]);
+    expect(result.distTags).toBeUndefined();
+  });
+
+  test("tolerates an odd version string instead of discarding the response", async () => {
+    mockFetch(() => ({
+      json: {
+        versions: { "1.0.0": {}, latest: {}, "2.0.0": {} },
+        "dist-tags": {},
+      },
+    }));
+    const result = await getPackageVersions({
+      registry: npmRegistry,
+      name: "odd-version",
+      now: 1,
+    });
+    // Parseable versions first (desc), the odd one ("latest") sorted last.
+    expect(result.versions).toEqual(["2.0.0", "1.0.0", "latest"]);
+  });
+
+  test("encodes a scoped name and selects its scoped registry", async () => {
+    const calls = mockFetch(() => ({
+      json: { versions: { "1.0.0": {} }, "dist-tags": {} },
+    }));
+    await getPackageVersions({
+      registry: {
+        registryUrl: "https://registry.npmjs.org/",
+        scopedRegistries: [
+          { scope: "@acme", registryUrl: "https://npm.acme.com/" },
+        ],
+      },
+      name: "@acme/utils",
+      now: 1,
+    });
+    expect(calls[0].url).toBe("https://npm.acme.com/@acme%2Futils");
+  });
+
+  test("falls back to the base registry for an unmatched scope", async () => {
+    const calls = mockFetch(() => ({
+      json: { versions: { "1.0.0": {} }, "dist-tags": {} },
+    }));
+    await getPackageVersions({
+      registry: npmRegistry,
+      name: "@other/thing",
+      now: 1,
+    });
+    expect(calls[0].url).toBe(
+      "https://registry.npmjs.org/@other%2Fthing",
+    );
+  });
+
+  test("caches versions within the TTL keyed by registry+name", async () => {
+    let hits = 0;
+    mockFetch(() => {
+      hits += 1;
+      return { json: { versions: { "1.0.0": {} }, "dist-tags": {} } };
+    });
+    await getPackageVersions({ registry: npmRegistry, name: "cached-pkg", now: 5000 });
+    await getPackageVersions({ registry: npmRegistry, name: "cached-pkg", now: 6000 });
+    expect(hits).toBe(1);
+    await getPackageVersions({
+      registry: npmRegistry,
+      name: "cached-pkg",
+      now: 5000 + 46_000,
+    });
+    expect(hits).toBe(2);
+  });
+});
+
+describe("registryUrlForName", () => {
+  test("unscoped name uses the base registry", () => {
+    expect(
+      registryUrlForName({ name: "lodash", registry: npmRegistry }),
+    ).toBe("https://registry.npmjs.org/");
+  });
+
+  test("scoped name uses a matching scoped registry", () => {
+    const url = registryUrlForName({
+      name: "@acme/x",
+      registry: {
+        ...npmRegistry,
+        scopedRegistries: [
+          { scope: "@acme", registryUrl: "https://npm.acme.com/" },
+        ],
+      },
+    });
+    expect(url).toBe("https://npm.acme.com/");
+  });
+});
+
+// Type-level guard: the exported result shape stays mappable.
+const _typeCheck: PackageSearchResult = { name: "x" };
+void _typeCheck;

package/src/registry-request-config.ts

@@ -0,0 +1,63 @@
+import { extractErrorMessage } from "@checkstack/common";
+import type { Logger } from "@checkstack/backend-api";
+import type { RegistryTokenStore } from "./registry-token";
+
+/**
+ * The registry request shape shared by the install path (resolver / npmrc
+ * renderer) and the live registry-client (search / version lookup): the
+ * configured registry URL, scoped-registry overrides, and the resolved
+ * plaintext auth token (undefined for an anonymous registry).
+ *
+ * The token is NEVER returned to the client; it only ever flows into a
+ * server-side `.npmrc` (install) or an `Authorization` header (live lookup).
+ */
+export interface RegistryRequestConfig {
+  registryUrl: string;
+  scopedRegistries: { scope: string; registryUrl: string }[];
+  /** Resolved plaintext token, or undefined for an anonymous registry. */
+  authToken?: string;
+}
+
+/**
+ * Resolve the registry + auth token exactly the way the install path does:
+ * read the registry config, look up the stored secret ref, then resolve the
+ * plaintext token (platform marker or legacy inline ciphertext) via the
+ * token store. A failure to resolve the token is logged and treated as
+ * anonymous (the registry may still allow public reads) rather than throwing.
+ *
+ * Factored out of the inline install wiring so the RPC handlers and the
+ * installer share one source of truth for "how do we talk to the registry".
+ */
+export async function resolveRegistryRequestConfig({
+  registry,
+  registryToken,
+  logger,
+}: {
+  registry: {
+    get(): Promise<{
+      registryUrl: string;
+      scopedRegistries: { scope: string; registryUrl: string }[];
+    }>;
+    authSecretRef(): Promise<string | null>;
+  };
+  registryToken: RegistryTokenStore;
+  logger: Logger;
+}): Promise<RegistryRequestConfig> {
+  const reg = await registry.get();
+  const secretRef = await registry.authSecretRef();
+  let authToken: string | undefined;
+  if (secretRef) {
+    try {
+      authToken = await registryToken.resolve(secretRef);
+    } catch (error) {
+      logger.error(
+        `Failed to resolve registry auth token: ${extractErrorMessage(error)}`,
+      );
+    }
+  }
+  return {
+    registryUrl: reg.registryUrl,
+    scopedRegistries: reg.scopedRegistries,
+    authToken,
+  };
+}

package/src/registry-token.test.ts

@@ -0,0 +1,124 @@
+// AES-256 master key for the legacy-ciphertext path. Set before importing
+// the encryption module so encrypt()/decrypt() succeed.
+process.env.ENCRYPTION_MASTER_KEY = "22".repeat(32);
+
+import { describe, it, expect } from "bun:test";
+import { encrypt } from "@checkstack/backend-api";
+import { internalSecretName } from "@checkstack/secrets-common";
+import type { InternalSecretsService } from "@checkstack/secrets-backend";
+import {
+  createRegistryTokenStore,
+  migrateRegistryTokenToPlatform,
+  REGISTRY_TOKEN_MARKER,
+  isRegistryTokenMarker,
+} from "./registry-token";
+
+function fakeInternalSecrets(): InternalSecretsService & {
+  store: Map<string, string>;
+} {
+  const store = new Map<string, string>();
+  return {
+    store,
+    set: async ({ parts, value }) => {
+      store.set(internalSecretName(...parts), value);
+    },
+    get: async ({ parts }) => store.get(internalSecretName(...parts)),
+    delete: async ({ parts }) => {
+      store.delete(internalSecretName(...parts));
+    },
+  };
+}
+
+describe("REGISTRY_TOKEN_MARKER", () => {
+  it("is the reserved internal name for the token", () => {
+    expect(REGISTRY_TOKEN_MARKER).toBe(
+      internalSecretName("script-packages", "registry-auth-token"),
+    );
+    expect(isRegistryTokenMarker(REGISTRY_TOKEN_MARKER)).toBe(true);
+    expect(isRegistryTokenMarker("iv:tag:ct")).toBe(false);
+  });
+});
+
+describe("RegistryTokenStore", () => {
+  it("store() persists the token and returns the marker; resolve() reads it back", async () => {
+    const internal = fakeInternalSecrets();
+    const tokenStore = createRegistryTokenStore({ internalSecrets: internal });
+
+    const marker = await tokenStore.store("npm_realToken");
+    expect(marker).toBe(REGISTRY_TOKEN_MARKER);
+    expect(await tokenStore.resolve(marker)).toBe("npm_realToken");
+  });
+
+  it("resolve() decrypts a legacy inline ciphertext (backward-compat)", async () => {
+    const internal = fakeInternalSecrets();
+    const tokenStore = createRegistryTokenStore({ internalSecrets: internal });
+    const legacy = encrypt("legacy_token_value");
+    expect(await tokenStore.resolve(legacy)).toBe("legacy_token_value");
+  });
+
+  it("resolve() returns undefined for null / unrecognized refs", async () => {
+    const internal = fakeInternalSecrets();
+    const tokenStore = createRegistryTokenStore({ internalSecrets: internal });
+    expect(await tokenStore.resolve(null)).toBeUndefined();
+    expect(await tokenStore.resolve("not-encrypted-not-marker")).toBeUndefined();
+  });
+
+  it("clear() removes the stored token", async () => {
+    const internal = fakeInternalSecrets();
+    const tokenStore = createRegistryTokenStore({ internalSecrets: internal });
+    await tokenStore.store("x");
+    await tokenStore.clear();
+    expect(await tokenStore.resolve(REGISTRY_TOKEN_MARKER)).toBeUndefined();
+  });
+});
+
+describe("migrateRegistryTokenToPlatform", () => {
+  it("migrates legacy ciphertext: stores it on the platform + rewrites the column to the marker (parity-verified)", async () => {
+    const internal = fakeInternalSecrets();
+    const tokenStore = createRegistryTokenStore({ internalSecrets: internal });
+    const legacy = encrypt("token-to-migrate");
+
+    let rewritten: string | undefined;
+    const outcome = await migrateRegistryTokenToPlatform({
+      currentRef: legacy,
+      tokenStore,
+      rewrite: async (marker) => {
+        rewritten = marker;
+      },
+    });
+
+    expect(outcome).toBe("migrated");
+    expect(rewritten).toBe(REGISTRY_TOKEN_MARKER);
+    // The platform now resolves the same plaintext.
+    expect(await tokenStore.resolve(REGISTRY_TOKEN_MARKER)).toBe(
+      "token-to-migrate",
+    );
+  });
+
+  it("is idempotent: re-running with the marker is a no-op", async () => {
+    const internal = fakeInternalSecrets();
+    const tokenStore = createRegistryTokenStore({ internalSecrets: internal });
+    let rewrites = 0;
+    const outcome = await migrateRegistryTokenToPlatform({
+      currentRef: REGISTRY_TOKEN_MARKER,
+      tokenStore,
+      rewrite: async () => {
+        rewrites++;
+      },
+    });
+    expect(outcome).toBe("already");
+    expect(rewrites).toBe(0);
+  });
+
+  it("no-ops for an empty column", async () => {
+    const internal = fakeInternalSecrets();
+    const tokenStore = createRegistryTokenStore({ internalSecrets: internal });
+    expect(
+      await migrateRegistryTokenToPlatform({
+        currentRef: null,
+        tokenStore,
+        rewrite: async () => {},
+      }),
+    ).toBe("empty");
+  });
+});

package/src/registry-token.ts

@@ -0,0 +1,104 @@
+import { decrypt, isEncrypted } from "@checkstack/backend-api";
+import { internalSecretName } from "@checkstack/secrets-common";
+import type { InternalSecretsService } from "@checkstack/secrets-backend";
+
+/**
+ * The script-package registry auth token, consolidated onto the secrets
+ * platform's internal secrets (always local-backed, AES-GCM, UI-hidden).
+ *
+ * The `script_package_registry_config.authSecretRef` column historically
+ * held the AES-GCM ciphertext of the token directly. It now holds a
+ * stable MARKER (the internal secret name) when the token lives in the
+ * secrets platform. A one-time, idempotent, parity-verified migration moves
+ * any legacy ciphertext into the internal store and rewrites the column to
+ * the marker. Resolution falls back to decrypting legacy ciphertext until
+ * the migration runs, so behavior is unchanged throughout.
+ */
+const TOKEN_PARTS = ["script-packages", "registry-auth-token"] as const;
+
+/** Stable marker stored in `authSecretRef` once the token is in the platform. */
+export const REGISTRY_TOKEN_MARKER = internalSecretName(...TOKEN_PARTS);
+
+/** Whether a stored `authSecretRef` value is the platform marker. */
+export function isRegistryTokenMarker(ref: string): boolean {
+  return ref === REGISTRY_TOKEN_MARKER;
+}
+
+export interface RegistryTokenStore {
+  /** Store / rotate the token; returns the marker to persist in the column. */
+  store(token: string): Promise<string>;
+  /** Clear the stored token. */
+  clear(): Promise<void>;
+  /**
+   * Resolve the plaintext token from a stored `authSecretRef` value. Handles
+   * both the platform marker (resolve via internal secrets) and legacy
+   * inline ciphertext (decrypt directly). Returns undefined when absent.
+   */
+  resolve(ref: string | null): Promise<string | undefined>;
+}
+
+export function createRegistryTokenStore({
+  internalSecrets,
+}: {
+  internalSecrets: InternalSecretsService;
+}): RegistryTokenStore {
+  return {
+    async store(token) {
+      await internalSecrets.set({ parts: [...TOKEN_PARTS], value: token });
+      return REGISTRY_TOKEN_MARKER;
+    },
+
+    async clear() {
+      await internalSecrets.delete({ parts: [...TOKEN_PARTS] });
+    },
+
+    async resolve(ref) {
+      if (!ref) return;
+      if (isRegistryTokenMarker(ref)) {
+        return internalSecrets.get({ parts: [...TOKEN_PARTS] });
+      }
+      // Legacy inline ciphertext (pre-migration). Decrypt directly.
+      if (isEncrypted(ref)) {
+        return decrypt(ref);
+      }
+      return;
+    },
+  };
+}
+
+/**
+ * One-time, idempotent migration: if `authSecretRef` holds legacy
+ * ciphertext, decrypt it, store it as the internal platform secret, verify
+ * the platform read-back matches, then rewrite the column to the marker.
+ * Reversible: the original plaintext is recoverable from the internal
+ * secret (same value), and the rewrite only happens AFTER parity is proven.
+ * No-ops when already migrated (marker) or empty.
+ *
+ * @returns "migrated" | "already" | "empty" | "skipped" (parity failed)
+ */
+export async function migrateRegistryTokenToPlatform({
+  currentRef,
+  tokenStore,
+  rewrite,
+}: {
+  currentRef: string | null;
+  tokenStore: RegistryTokenStore;
+  /** Persist the new `authSecretRef` (the marker). */
+  rewrite: (marker: string) => Promise<void>;
+}): Promise<"migrated" | "already" | "empty" | "skipped"> {
+  if (!currentRef) return "empty";
+  if (isRegistryTokenMarker(currentRef)) return "already";
+  if (!isEncrypted(currentRef)) return "skipped";
+
+  const plaintext = decrypt(currentRef);
+  await tokenStore.store(plaintext);
+
+  // Verify parity BEFORE rewriting the column (reversible guarantee: we
+  // never drop the legacy ref until the platform copy reads back correctly).
+  const readBack = await tokenStore.resolve(REGISTRY_TOKEN_MARKER);
+  if (readBack !== plaintext) {
+    return "skipped";
+  }
+  await rewrite(REGISTRY_TOKEN_MARKER);
+  return "migrated";
+}

package/src/resolution-root.test.ts

@@ -0,0 +1,82 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtemp, mkdir, rm, symlink } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import path from "node:path";
+import { resolveResolutionRoot } from "./resolution-root";
+import { storePaths } from "./data-dir";
+
+describe("resolveResolutionRoot", () => {
+  let storeRoot: string;
+
+  beforeEach(async () => {
+    storeRoot = path.join(await mkdtemp(path.join(tmpdir(), "cs-resroot-")), "store");
+    await mkdir(storeRoot, { recursive: true });
+  });
+  afterEach(async () => {
+    await rm(path.dirname(storeRoot), { recursive: true, force: true });
+  });
+
+  async function materialize(hash: string) {
+    const paths = storePaths(storeRoot);
+    await mkdir(path.join(paths.trees, hash, "node_modules"), {
+      recursive: true,
+    });
+    await symlink(path.join("trees", hash), paths.current);
+  }
+
+  test("returns mode:none when no packages are configured", async () => {
+    const res = await resolveResolutionRoot({
+      desiredLockfileHash: null,
+      storeRoot,
+    });
+    expect(res.mode).toBe("none");
+  });
+
+  test("returns mode:ready with the current path when materialized", async () => {
+    await materialize("hash-1");
+    const res = await resolveResolutionRoot({
+      desiredLockfileHash: "hash-1",
+      storeRoot,
+    });
+    expect(res.mode).toBe("ready");
+    if (res.mode === "ready") {
+      expect(res.root).toBe(storePaths(storeRoot).current);
+    }
+  });
+
+  test("returns mode:notReady when packages desired but nothing materialized", async () => {
+    const res = await resolveResolutionRoot({
+      desiredLockfileHash: "hash-1",
+      storeRoot,
+      hostLabel: "satellite",
+    });
+    expect(res.mode).toBe("notReady");
+    if (res.mode === "notReady") {
+      expect(res.reason).toContain("not ready on this satellite");
+      expect(res.reason).toContain("none materialized");
+    }
+  });
+
+  test("returns mode:notReady when current points at a DIFFERENT hash", async () => {
+    await materialize("old-hash");
+    const res = await resolveResolutionRoot({
+      desiredLockfileHash: "new-hash",
+      storeRoot,
+    });
+    expect(res.mode).toBe("notReady");
+    if (res.mode === "notReady") {
+      expect(res.reason).toContain("have old-hash");
+    }
+  });
+
+  test("returns mode:notReady when current exists but the tree lacks node_modules", async () => {
+    const paths = storePaths(storeRoot);
+    await mkdir(path.join(paths.trees, "hash-1"), { recursive: true });
+    await symlink(path.join("trees", "hash-1"), paths.current);
+    const res = await resolveResolutionRoot({
+      desiredLockfileHash: "hash-1",
+      storeRoot,
+    });
+    expect(res.mode).toBe("notReady");
+  });
+});