@checkstack/script-packages-backend 0.2.1 → 0.3.0

package/src/sandbox-policy-router.test.ts

@@ -0,0 +1,105 @@
+import { describe, expect, it } from "bun:test";
+import { call } from "@orpc/server";
+import {
+  createMockRpcContext,
+  resolveDefaultSandboxProfile,
+  type SafeDatabase,
+} from "@checkstack/backend-api";
+import { scriptSandboxAccess } from "@checkstack/script-packages-common";
+import type { SandboxPolicy } from "@checkstack/common";
+import { createScriptPackagesRouter } from "./router";
+import type { SandboxPolicyService } from "./sandbox-policy";
+import * as schema from "./schema";
+
+/**
+ * Router-level permission-gating test: a real `getSandboxPolicy` /
+ * `setSandboxPolicy` call through `autoAuthMiddleware` must be REJECTED for a
+ * user lacking `script-packages.script-sandbox.manage`, and accepted for one
+ * who holds it. This proves the admin gate end-to-end (not just the contract
+ * meta).
+ */
+
+const QUALIFIED = `script-packages.${scriptSandboxAccess.manage.id}`;
+
+function buildRouter(service: SandboxPolicyService) {
+  // Only the sandbox-policy deps are exercised; the rest are unused stubs.
+  const unused = () => {
+    throw new Error("not used in this test");
+  };
+  return createScriptPackagesRouter({
+    db: {} as unknown as SafeDatabase<typeof schema>,
+    blobStores: { ids: () => [], has: () => false } as never,
+    logger: { debug() {}, info() {}, warn() {}, error() {} } as never,
+    triggerInstall: unused as never,
+    triggerMigration: unused as never,
+    triggerBlobGc: unused as never,
+    triggerAudit: unused as never,
+    registryToken: {} as never,
+    sandboxPolicy: service,
+    onSandboxPolicyChanged: async () => {},
+  });
+}
+
+function stubService(): SandboxPolicyService & { written: SandboxPolicy[] } {
+  const written: SandboxPolicy[] = [];
+  return {
+    written,
+    read: async () => resolveDefaultSandboxProfile(),
+    write: async () => {
+      const resolved = resolveDefaultSandboxProfile();
+      written.push(resolved);
+      return resolved;
+    },
+  };
+}
+
+describe("getSandboxPolicy / setSandboxPolicy permission gating", () => {
+  it("REJECTS read for a user without the dedicated permission", async () => {
+    const router = buildRouter(stubService());
+    const ctx = createMockRpcContext({
+      pluginMetadata: { pluginId: "script-packages" },
+      user: { type: "user", id: "u1", accessRules: [] },
+    });
+    expect(
+      call(router.getSandboxPolicy, undefined, { context: ctx }),
+    ).rejects.toThrow();
+  });
+
+  it("REJECTS write for a user without the dedicated permission", async () => {
+    const router = buildRouter(stubService());
+    const ctx = createMockRpcContext({
+      pluginMetadata: { pluginId: "script-packages" },
+      // Holds the OTHER script-packages permission but NOT script-sandbox.manage.
+      user: {
+        type: "user",
+        id: "u1",
+        accessRules: ["script-packages.script-packages.manage"],
+      },
+    });
+    expect(
+      call(router.setSandboxPolicy, { enabled: false }, { context: ctx }),
+    ).rejects.toThrow();
+  });
+
+  it("ALLOWS read+write for a user holding the dedicated permission", async () => {
+    const service = stubService();
+    const router = buildRouter(service);
+    const ctx = createMockRpcContext({
+      pluginMetadata: { pluginId: "script-packages" },
+      user: { type: "user", id: "admin", accessRules: [QUALIFIED] },
+    });
+
+    const policy = await call(router.getSandboxPolicy, undefined, {
+      context: ctx,
+    });
+    expect(policy.enabled).toBe(true);
+
+    const written = await call(
+      router.setSandboxPolicy,
+      { network: { mode: "deny" } },
+      { context: ctx },
+    );
+    expect(written).toBeDefined();
+    expect(service.written.length).toBe(1);
+  });
+});

package/src/sandbox-policy.test.ts

@@ -0,0 +1,119 @@
+import { describe, expect, it, beforeEach } from "bun:test";
+import type { z } from "zod";
+import {
+  type ConfigService,
+  type Migration,
+  resolveActiveSandboxPolicy,
+  resetSandboxPolicyProvider,
+  FAIL_CLOSED_SANDBOX_PROFILE,
+  resolveDefaultSandboxProfile,
+} from "@checkstack/backend-api";
+import {
+  createSandboxPolicyService,
+  registerScriptPackagesSandboxProvider,
+} from "./sandbox-policy";
+
+/**
+ * In-memory ConfigService over a SHARED backing store, simulating the durable
+ * Postgres `plugin_configs` row owned by the `script-packages` plugin. This is
+ * the SINGLE source of truth: the settings-page write and every runner's read
+ * go through this one row.
+ */
+function fakeConfigService(store: Map<string, unknown>): ConfigService {
+  return {
+    async set<T>(
+      configId: string,
+      _schema: z.ZodType<T>,
+      _version: number,
+      data: T,
+      _migrations?: Migration<unknown, unknown>[],
+    ): Promise<void> {
+      store.set(configId, data);
+    },
+    async get<T>(
+      configId: string,
+      _schema: z.ZodType<T>,
+      _version: number,
+      _migrations?: Migration<unknown, unknown>[],
+    ): Promise<T | undefined> {
+      return store.has(configId) ? (store.get(configId) as T) : undefined;
+    },
+    async getRedacted<T>(): Promise<Partial<T> | undefined> {
+      throw new Error("not used in these tests");
+    },
+    async delete(configId: string): Promise<void> {
+      store.delete(configId);
+    },
+    async list(): Promise<string[]> {
+      return [...store.keys()];
+    },
+  };
+}
+
+describe("createSandboxPolicyService", () => {
+  it("read falls back to the shipped safe default when nothing is stored", async () => {
+    const service = createSandboxPolicyService({
+      configService: fakeConfigService(new Map()),
+    });
+    const policy = await service.read();
+    expect(policy).toEqual(resolveDefaultSandboxProfile());
+  });
+
+  it("write persists a partial over the safe default and read returns it", async () => {
+    const store = new Map<string, unknown>();
+    const service = createSandboxPolicyService({
+      configService: fakeConfigService(store),
+    });
+    const written = await service.write({ network: { mode: "deny" } });
+    expect(written.network.mode).toBe("deny");
+    // Unspecified layers preserved from the safe default (not re-widened).
+    expect(written.filesystem.mode).toBe("scratch-plus-ro");
+
+    const readBack = await service.read();
+    expect(readBack).toEqual(written);
+  });
+});
+
+describe("single source of truth across both script plugins", () => {
+  beforeEach(() => {
+    resetSandboxPolicyProvider();
+  });
+
+  it("both runners resolve the SAME stored row via the one registered provider", async () => {
+    // ONE shared store = the single durable row owned by script-packages.
+    const store = new Map<string, unknown>();
+    const service = createSandboxPolicyService({
+      configService: fakeConfigService(store),
+    });
+
+    // Admin sets a distinctive policy through the (single) write path.
+    await service.write({ resources: { cpuSeconds: 17 } });
+
+    // script-packages registers the ONE process-wide provider.
+    registerScriptPackagesSandboxProvider({ service });
+
+    // Whichever script plugin's runner resolves the active policy gets the
+    // identical row - there is no second, divergent source.
+    const a = await resolveActiveSandboxPolicy();
+    const b = await resolveActiveSandboxPolicy();
+    expect(a.failedClosed).toBe(false);
+    expect(a.policy.resources.cpuSeconds).toBe(17);
+    expect(b.policy).toEqual(a.policy);
+  });
+
+  it("a provider read error fails closed (does not widen the sandbox)", async () => {
+    resetSandboxPolicyProvider();
+    const service = {
+      read: async () => {
+        throw new Error("transient db error");
+      },
+      write: async () => {
+        throw new Error("unused");
+      },
+    };
+    registerScriptPackagesSandboxProvider({ service });
+    const resolved = await resolveActiveSandboxPolicy();
+    expect(resolved.failedClosed).toBe(true);
+    expect(resolved.policy).toEqual(FAIL_CLOSED_SANDBOX_PROFILE);
+  });
+});

package/src/sandbox-policy.ts

@@ -0,0 +1,68 @@
+import {
+  type ConfigService,
+  readGlobalSandboxDefault,
+  writeGlobalSandboxDefault,
+  registerSandboxPolicyProvider,
+  type SandboxPolicy,
+  type SandboxPolicyInput,
+} from "@checkstack/backend-api";
+
+/**
+ * The GLOBAL script-sandbox policy, owned by the `script-packages` plugin.
+ *
+ * SINGLE SOURCE OF TRUTH (state-and-scale rule):
+ *  1. WHERE IT LIVES: one durable row in the shared Postgres `plugin_configs`
+ *     table, scoped to the `script-packages` plugin id (this plugin's own
+ *     {@link ConfigService}). It is NOT pod-local and NOT duplicated.
+ *  2. SAME ANSWER ON EVERY POD: every core pod reads the same row, so the
+ *     resolved policy is identical everywhere.
+ *  3. NOT DUPLICATED: previously BOTH script plugins
+ *     (`integration-script-backend`, `healthcheck-script-backend`) registered a
+ *     policy provider that read THEIR OWN plugin-scoped row, so the
+ *     process-global provider was last-writer-wins and each plugin read a
+ *     different row. That is fixed here: `script-packages` is the single owner.
+ *     It registers the one process-wide provider (see
+ *     {@link registerScriptPackagesSandboxProvider}); the script plugins read
+ *     this same value over RPC (`getSandboxPolicy`) for their own startup logs
+ *     and no longer register a competing provider on the core pod.
+ */
+export interface SandboxPolicyService {
+  /** Resolve the durable global policy (safe default when nothing stored). */
+  read(): Promise<SandboxPolicy>;
+  /**
+   * Persist a PARTIAL policy override (merged over the safe default so
+   * unspecified layers are preserved) and return the fully-resolved policy.
+   */
+  write(policy: SandboxPolicyInput): Promise<SandboxPolicy>;
+}
+
+/**
+ * Build the global sandbox-policy service over the `script-packages` plugin's
+ * {@link ConfigService}. Thin wrapper around the platform read/write helpers so
+ * the single owning row is the only place the policy is read or written.
+ */
+export function createSandboxPolicyService({
+  configService,
+}: {
+  configService: ConfigService;
+}): SandboxPolicyService {
+  return {
+    read: () => readGlobalSandboxDefault({ configService }),
+    write: (policy) => writeGlobalSandboxDefault({ configService, policy }),
+  };
+}
+
+/**
+ * Register the ONE process-wide active sandbox policy provider, backed by the
+ * single owning row. Called once from `script-packages` init on the core pod.
+ * The runners resolve the active policy through this provider and FAIL CLOSED
+ * if it throws (transient DB error), so a read failure never widens the
+ * sandbox.
+ */
+export function registerScriptPackagesSandboxProvider({
+  service,
+}: {
+  service: Pick<SandboxPolicyService, "read">;
+}): void {
+  registerSandboxPolicyProvider(() => service.read());
+}

package/src/sandbox-startup-log.test.ts

@@ -0,0 +1,128 @@
+import { describe, expect, it } from "bun:test";
+import type { SandboxCapabilities, SandboxPolicy } from "@checkstack/backend-api";
+import { resolveDefaultSandboxProfile } from "@checkstack/backend-api";
+import { logSandboxStartupReadiness } from "./sandbox-startup-log";
+
+/**
+ * Linux capabilities with every OS-level primitive available, so
+ * `assessSandboxHostReadiness` reports `enforceable: true`.
+ */
+const LINUX_READY: SandboxCapabilities = {
+  platform: "linux",
+  euidIsRoot: false,
+  hasPrlimit: true,
+  rlimitNative: true,
+  wrapper: "bwrap",
+  userNamespaces: true,
+  netNamespaces: true,
+  userNsCreatable: true,
+  netEgressIface: null,
+  netEgressAddressing: null,
+  netEgressRootless: true,
+};
+
+/** A non-Linux host: OS-level isolation is not enforceable. */
+const MACOS_HOST: SandboxCapabilities = {
+  ...LINUX_READY,
+  platform: "darwin",
+};
+
+interface LogCall {
+  level: "info" | "warn" | "debug";
+  message: string;
+  args: unknown[];
+}
+
+function recordingLogger() {
+  const calls: LogCall[] = [];
+  return {
+    calls,
+    logger: {
+      info: (message: string, ...args: unknown[]) =>
+        calls.push({ level: "info", message, args }),
+      warn: (message: string, ...args: unknown[]) =>
+        calls.push({ level: "warn", message, args }),
+      debug: (message: string, ...args: unknown[]) =>
+        calls.push({ level: "debug", message, args }),
+    },
+  };
+}
+
+describe("logSandboxStartupReadiness", () => {
+  it("reads the policy IN-PROCESS (no RPC) and logs the capability line", async () => {
+    let reads = 0;
+    const policy: SandboxPolicy = resolveDefaultSandboxProfile();
+    const { logger, calls } = recordingLogger();
+
+    await logSandboxStartupReadiness({
+      logger,
+      readPolicy: async () => {
+        reads += 1;
+        return policy;
+      },
+      caps: LINUX_READY,
+    });
+
+    // The policy was resolved through the supplied in-process reader, NOT an
+    // RPC round-trip. This is the regression guard: the startup readiness log
+    // no longer depends on the `getSandboxPolicy` route being mounted.
+    expect(reads).toBe(1);
+
+    const capabilityLog = calls.find(
+      (c) => c.message === "script sandbox capabilities",
+    );
+    expect(capabilityLog).toBeDefined();
+    expect(capabilityLog?.level).toBe("info");
+  });
+
+  it("does not throw when the in-process read fails (best-effort log)", async () => {
+    const { logger, calls } = recordingLogger();
+
+    await logSandboxStartupReadiness({
+      logger,
+      readPolicy: async () => {
+        throw new Error("transient db error");
+      },
+      caps: LINUX_READY,
+    });
+
+    // A failed read must not crash startup; it warns and moves on. Crucially it
+    // does NOT surface a "Not Found" / 404 (the old RPC failure mode).
+    const warned = calls.find((c) => c.level === "warn");
+    expect(warned).toBeDefined();
+    expect(warned?.message).not.toContain("Not Found");
+    expect(warned?.message).not.toContain("404");
+  });
+
+  it("emits the high-visibility readiness banner on a host that cannot enforce", async () => {
+    const { logger, calls } = recordingLogger();
+
+    await logSandboxStartupReadiness({
+      logger,
+      readPolicy: async () => resolveDefaultSandboxProfile(),
+      caps: MACOS_HOST,
+    });
+
+    const banner = calls.find(
+      (c) =>
+        c.level === "warn" &&
+        c.message.includes("OS-LEVEL ISOLATION UNAVAILABLE"),
+    );
+    expect(banner).toBeDefined();
+  });
+
+  it("logs the positive readiness line at debug on an enforceable host", async () => {
+    const { logger, calls } = recordingLogger();
+
+    await logSandboxStartupReadiness({
+      logger,
+      readPolicy: async () => resolveDefaultSandboxProfile(),
+      caps: LINUX_READY,
+    });
+
+    const ok = calls.find(
+      (c) => c.level === "debug" && c.message.includes("OS-level isolation"),
+    );
+    expect(ok).toBeDefined();
+  });
+});

package/src/sandbox-startup-log.ts

@@ -0,0 +1,83 @@
+import {
+  assessSandboxHostReadiness,
+  detectSandboxCapabilities,
+  formatSandboxReadinessBanner,
+  logSandboxCapabilitiesAtStartup,
+  type SandboxCapabilities,
+  type SandboxLogger,
+  type SandboxPolicy,
+} from "@checkstack/backend-api";
+
+/**
+ * The startup logger surface this module needs: the narrow {@link SandboxLogger}
+ * (`info` / `warn`) plus a `debug` channel for the positive readiness line.
+ */
+export interface SandboxStartupLogger extends SandboxLogger {
+  debug(message: string, ...args: unknown[]): void;
+}
+
+/**
+ * Emit the one-time, per-pod script-sandbox startup observability — the host
+ * readiness banner AND the capability/enforcement line for the configured
+ * global default — entirely IN PROCESS.
+ *
+ * WHY THIS LIVES HERE (and not in the script plugins): `script-packages` is the
+ * single owner of the global sandbox policy (it holds the durable row and
+ * registers the one process-wide provider). It can therefore read the policy
+ * directly via `readPolicy` — the in-process {@link SandboxPolicyService.read}
+ * closure — with NO HTTP RPC round-trip.
+ *
+ * The previous design had BOTH script plugins
+ * (`healthcheck-script-backend`, `integration-script-backend`) call the
+ * `getSandboxPolicy` oRPC during their own init to log this line. That route is
+ * only mounted once `script-packages` init runs `rpc.registerRouter`, and the
+ * plugin init order is topologically derived from runtime service-provider
+ * edges (NOT npm package deps) — the script plugins consume no service that
+ * `script-packages` provides, so nothing forces `script-packages` to init
+ * first. When a script plugin initialised first, the route was absent and the
+ * self-loop POST returned `404 Not Found`, producing the noisy
+ * "Could not log script sandbox capabilities at startup: Error: Not Found"
+ * warnings. Reading in-process removes that ordering dependency, removes the
+ * duplicate (two plugins logging the same host/policy), and never touches the
+ * enforcement path (runners still resolve via `resolveActiveSandboxPolicy`).
+ *
+ * Best-effort: a read failure is logged as a warning and swallowed so a
+ * transient DB error never crashes boot.
+ */
+export async function logSandboxStartupReadiness({
+  logger,
+  readPolicy,
+  caps = detectSandboxCapabilities(),
+}: {
+  logger: SandboxStartupLogger;
+  /** In-process read of the durable global default policy. */
+  readPolicy: () => Promise<SandboxPolicy>;
+  /** Detected host capabilities; injectable for tests. */
+  caps?: SandboxCapabilities;
+}): Promise<void> {
+  // Surface, once at startup, whether this host can enforce the OS-level
+  // sandbox. Under the secure fail-closed default every run would otherwise
+  // fail with an opaque "sandbox unavailable" error on a non-Linux / unprimed
+  // host; the banner points the developer at the supported paths. It does NOT
+  // relax enforcement — the durable global policy stays the single source of
+  // truth.
+  const readiness = assessSandboxHostReadiness({ caps });
+  if (readiness.enforceable) {
+    logger.debug(
+      "✅ Script sandbox: OS-level isolation is available on this host.",
+    );
+  } else {
+    logger.warn(formatSandboxReadinessBanner({ readiness }));
+  }
+
+  // The detailed capability + effective-enforcement line for the configured
+  // global default. Best-effort: a read failure must not crash startup.
+  try {
+    const globalDefault = await readPolicy();
+    logSandboxCapabilitiesAtStartup({ logger, globalDefault, caps });
+  } catch (error) {
+    logger.warn(
+      `Could not log script sandbox capabilities at startup: ${String(error)}`,
+    );
+  }
+}

package/src/schema.ts

@@ -7,8 +7,13 @@ import {
   boolean,
   timestamp,
   index,
+  doublePrecision,
+  primaryKey,
 } from "drizzle-orm/pg-core";
-import type { ManifestEntry } from "@checkstack/script-packages-common";
+import type {
+  AuditSeverity,
+  ManifestEntry,
+} from "@checkstack/script-packages-common";
 
 /**
  * Drizzle schema for the script-packages plugin.
@@ -152,6 +157,53 @@ export const scriptPackageBlobGcState = pgTable(
   },
 );
 
+/**
+ * Vulnerability advisories found by the scheduled `bun audit` pass, keyed by
+ * the audited `lockfile_hash` + advisory id. This is the cluster-wide source
+ * of truth for the audit findings (the on-disk node_modules tree is pod-local
+ * and ephemeral; advisories live here so every pod returns the same answer).
+ * The elected runner replaces the whole row set for a given hash on each run.
+ *
+ * `first_seen_at` / `notified` let the delta logic suppress repeat-notify:
+ * `notified` records that holders were already told about this advisory at
+ * (at least) its current severity, so a subsequent unchanged run stays quiet
+ * even across a redeploy.
+ */
+export const scriptPackageAuditAdvisory = pgTable(
+  "script_package_audit_advisory",
+  {
+    lockfileHash: text("lockfile_hash").notNull(),
+    advisoryId: text("advisory_id").notNull(),
+    packageName: text("package_name").notNull(),
+    title: text("title").notNull().default(""),
+    /** "low" | "moderate" | "high" | "critical" */
+    severity: text("severity").$type<AuditSeverity>().notNull(),
+    vulnerableVersions: text("vulnerable_versions").notNull().default(""),
+    url: text("url"),
+    cvssScore: doublePrecision("cvss_score"),
+    /** Whether holders were already notified at the current severity. */
+    notified: boolean("notified").notNull().default(false),
+    firstSeenAt: timestamp("first_seen_at").defaultNow().notNull(),
+  },
+  (t) => ({
+    pk: primaryKey({ columns: [t.lockfileHash, t.advisoryId, t.packageName] }),
+    hashIdx: index("script_package_audit_advisory_hash_idx").on(t.lockfileHash),
+  }),
+);
+
+/** Singleton audit last-run summary (for the settings UI). */
+export const scriptPackageAuditState = pgTable("script_package_audit_state", {
+  id: text("id").primaryKey().default("singleton"),
+  lastRunAt: timestamp("last_run_at"),
+  lockfileHash: text("lockfile_hash"),
+  total: integer("total").notNull().default(0),
+  countLow: integer("count_low").notNull().default(0),
+  countModerate: integer("count_moderate").notNull().default(0),
+  countHigh: integer("count_high").notNull().default(0),
+  countCritical: integer("count_critical").notNull().default(0),
+  errorMessage: text("error_message"),
+});
+
 /** Per-satellite reconcile state (satellites are individually addressable). */
 export const scriptPackageSatelliteState = pgTable(
   "script_package_satellite_state",

package/src/sdk-types-route.test.ts

@@ -0,0 +1,121 @@
+import { describe, expect, test } from "bun:test";
+import type { AuthService, AuthUser, Logger } from "@checkstack/backend-api";
+import {
+  buildSdkTypesPath,
+  scriptPackagesAccess,
+  SDK_TYPES_PATH_PREFIX,
+} from "@checkstack/script-packages-common";
+import {
+  createSdkTypesHttpHandler,
+  SDK_BUNDLE_VIRTUAL_PATH,
+} from "./sdk-types-route";
+
+const RELEASE_VERSION = "0.93.0";
+const BUNDLE = 'declare module "@checkstack/sdk/healthcheck" {}\n';
+
+/** No-op logger satisfying the Logger interface. */
+const logger: Logger = {
+  info: () => {},
+  error: () => {},
+  warn: () => {},
+  debug: () => {},
+};
+
+/** Build an AuthService stub that authenticates to the given user. Only
+ * `authenticate` is exercised by the handler; the rest of the AuthService
+ * surface is irrelevant here, so we narrow through `unknown`. */
+function authStub(user: AuthUser | undefined): AuthService {
+  const stub: Pick<AuthService, "authenticate"> = {
+    authenticate: async () => user,
+  };
+  return stub as unknown as AuthService;
+}
+
+/** A reader user holding the global `script-packages.read` rule. */
+const readerUser: AuthUser = {
+  type: "application",
+  id: "app-1",
+  name: "tester",
+  accessRules: [scriptPackagesAccess.read.id],
+};
+
+function makeHandler(auth: AuthService) {
+  return createSdkTypesHttpHandler({
+    auth,
+    getReleaseVersion: () => RELEASE_VERSION,
+    getSdkBundle: () => BUNDLE,
+    logger,
+  });
+}
+
+function request(version: string, method = "GET"): Request {
+  const path = buildSdkTypesPath({ releaseVersion: version });
+  return new Request(`https://host/api/script-packages${path}`, { method });
+}
+
+describe("createSdkTypesHttpHandler", () => {
+  test("matching version returns 200 + immutable cache header + bundle", async () => {
+    const res = await makeHandler(authStub(readerUser))(
+      request(RELEASE_VERSION),
+    );
+    expect(res.status).toBe(200);
+    const cache = res.headers.get("Cache-Control") ?? "";
+    expect(cache).toContain("private");
+    expect(cache).toContain("immutable");
+    expect(cache).toContain("max-age=");
+    const body = (await res.json()) as {
+      files: { path: string; content: string }[];
+    };
+    expect(body.files).toHaveLength(1);
+    expect(body.files[0]?.path).toBe(SDK_BUNDLE_VIRTUAL_PATH);
+    expect(body.files[0]?.content).toBe(BUNDLE);
+  });
+
+  test("mismatched version returns 409 (stale, not cached)", async () => {
+    const res = await makeHandler(authStub(readerUser))(request("0.0.1"));
+    expect(res.status).toBe(409);
+    expect(res.headers.get("Cache-Control")).toBeNull();
+  });
+
+  test("unauthenticated returns 401", async () => {
+    const res = await makeHandler(authStub(undefined))(
+      request(RELEASE_VERSION),
+    );
+    expect(res.status).toBe(401);
+  });
+
+  test("authenticated without read access returns 403", async () => {
+    const noAccess: AuthUser = {
+      type: "application",
+      id: "app-2",
+      name: "no-access",
+      accessRules: [],
+    };
+    const res = await makeHandler(authStub(noAccess))(request(RELEASE_VERSION));
+    expect(res.status).toBe(403);
+  });
+
+  test("a service user is trusted (200)", async () => {
+    const service: AuthUser = { type: "service", pluginId: "svc" };
+    const res = await makeHandler(authStub(service))(request(RELEASE_VERSION));
+    expect(res.status).toBe(200);
+  });
+
+  test("non-GET method returns 405", async () => {
+    const res = await makeHandler(authStub(readerUser))(
+      request(RELEASE_VERSION, "POST"),
+    );
+    expect(res.status).toBe(405);
+  });
+
+  test("a wildcard access rule grants read", async () => {
+    const wildcard: AuthUser = {
+      type: "application",
+      id: "app-3",
+      name: "wild",
+      accessRules: ["*"],
+    };
+    const res = await makeHandler(authStub(wildcard))(request(RELEASE_VERSION));
+    expect(res.status).toBe(200);
+  });
+});