@openparachute/hub 0.5.14-rc.2 → 0.5.14-rc.21

package/src/__tests__/oauth-ui.test.ts

@@ -20,6 +20,7 @@ const PARAMS: AuthorizeFormParams = {
   codeChallenge: "ch",
   codeChallengeMethod: "S256",
   state: "xyz",
+  resource: null,
 };
 
 const CSRF = "csrf-token-fixture";
@@ -50,9 +51,19 @@ describe("renderHiddenInputs", () => {
   });
 
   test("escapes hostile values into hidden inputs", () => {
-    const html = renderHiddenInputs({ ...PARAMS, state: `"><script>alert(1)</script>` });
+    const html = renderHiddenInputs({
+      ...PARAMS,
+      state: `"><script>alert(1)</script>`,
+      // RFC 8707 resource is round-tripped through a hidden input too, so a
+      // hostile value must be escaped the same way.
+      resource: `"><script>alert(2)</script>`,
+    });
     expect(html).not.toContain("<script>alert(1)</script>");
+    expect(html).not.toContain("<script>alert(2)</script>");
     expect(html).toContain("&lt;script&gt;");
+    // The resource value is emitted as a hidden input (escaped).
+    expect(html).toContain('name="resource"');
+    expect(html).toContain("alert(2)");
   });
 });
 

package/src/__tests__/operator-token-issuer-self-heal.test.ts

@@ -0,0 +1,412 @@
+/**
+ * hub#481 — `selfHealOperatorTokenIssuer` re-mints a genuine-but-stale
+ * operator token under the hub's current issuer.
+ *
+ * Background: a box that ran init/setup at loopback and was LATER exposed
+ * publicly carries an `operator.token` whose `iss` (e.g. `http://127.0.0.1:1939`)
+ * no longer matches the hub's current issuer. The hub rejects it on every CLI
+ * auth flow. The self-heal re-issues the hub's OWN credential under the new
+ * issuer, preserving scope-set + sub, gated on the token's signature verifying
+ * against this hub's current keys (no privilege-escalation surface).
+ *
+ * Mirrors the existing `operator-token.test.ts` harness shape.
+ */
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { signAccessToken, validateAccessToken } from "../jwt-sign.ts";
+import {
+  OPERATOR_TOKEN_AUDIENCE,
+  OPERATOR_TOKEN_CLIENT_ID,
+  OPERATOR_TOKEN_FILENAME,
+  OPERATOR_TOKEN_SCOPE_SET_CLAIM,
+  issueOperatorToken,
+  operatorTokenPath,
+  readOperatorTokenFile,
+  selfHealOperatorTokenIssuer,
+  writeOperatorTokenFile,
+} from "../operator-token.ts";
+import { rotateSigningKey } from "../signing-keys.ts";
+
+interface Harness {
+  dir: string;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const dir = mkdtempSync(join(tmpdir(), "phub-op-heal-"));
+  return { dir, cleanup: () => rmSync(dir, { recursive: true, force: true }) };
+}
+
+const LOOPBACK_ISSUER = "http://127.0.0.1:1939";
+const PUBLIC_ISSUER = "https://gitcoin-parachute.unforced.dev";
+
+describe("selfHealOperatorTokenIssuer", () => {
+  test("stale-iss genuine token + non-loopback new issuer → rotated, scope-set preserved, valid under new issuer", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // Mint at loopback issuer with a non-default scope-set ("start").
+        await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "start",
+        });
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("rotated");
+        if (status.kind === "rotated") {
+          expect(status.scopeSet).toBe("start");
+          expect(status.path).toBe(operatorTokenPath(h.dir));
+        }
+
+        // The on-disk token now has iss=PUBLIC_ISSUER, scope-set preserved,
+        // and validates under the new issuer.
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).not.toBeNull();
+        const validated = await validateAccessToken(db, onDisk as string, PUBLIC_ISSUER);
+        expect(validated.payload.iss).toBe(PUBLIC_ISSUER);
+        expect(validated.payload.sub).toBe("user-abc");
+        expect(validated.payload[OPERATOR_TOKEN_SCOPE_SET_CLAIM]).toBe("start");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("iss already current → fresh, on-disk file byte-identical", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: PUBLIC_ISSUER,
+          scopeSet: "admin",
+        });
+        const before = await readFile(operatorTokenPath(h.dir));
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("fresh");
+
+        const after = await readFile(operatorTokenPath(h.dir));
+        expect(after.equals(before)).toBe(true);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("absent token file → absent, no throw", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("absent");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("bad signature (corrupt token) → skipped:unverifiable, disk untouched", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // Mint a real token at loopback, then corrupt its signature segment so
+        // it no longer verifies against the hub's keys.
+        const issued = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "start",
+        });
+        const parts = issued.token.split(".");
+        const hdr = parts[0] ?? "";
+        const body = parts[1] ?? "";
+        const sig = parts[2] ?? "";
+        // Flip a character in the MIDDLE of the signature, keeping it
+        // base64url-shaped. Corrupting the last char is unreliable: the final
+        // base64url char of an RS256 signature encodes only padding bits, so a
+        // flip there can decode to identical bytes and leave the signature
+        // valid (~25% of mints). A mid-signature char sits in a full 4-char
+        // group with no padding, so any single-char change deterministically
+        // alters the decoded bytes and invalidates the signature.
+        const mid = Math.floor(sig.length / 2);
+        const flipped = sig[mid] === "A" ? "B" : "A";
+        const tampered = `${hdr}.${body}.${sig.slice(0, mid)}${flipped}${sig.slice(mid + 1)}`;
+        await writeOperatorTokenFile(tampered, h.dir);
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("unverifiable");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(tampered);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("expired token (exp in the past) → skipped:unverifiable (jose throws), disk untouched", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // Mint a token that expired in the past — jose's exp check throws on
+        // validate, so the self-heal must classify it unverifiable.
+        const issued = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "start",
+          ttlSeconds: 60,
+          now: () => new Date("2026-01-01T00:00:00Z"),
+        });
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("unverifiable");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(issued.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("aud != operator (aud=scribe, valid sig, stale iss) → skipped:aud-mismatch, untouched", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // A hub-signed token with the WRONG audience must not be re-minted as
+        // an operator token (privilege guard).
+        const signed = await signAccessToken(db, {
+          sub: "user-abc",
+          scopes: ["scribe:transcribe"],
+          audience: "scribe",
+          clientId: OPERATOR_TOKEN_CLIENT_ID,
+          issuer: LOOPBACK_ISSUER,
+          extraClaims: { [OPERATOR_TOKEN_SCOPE_SET_CLAIM]: "admin" },
+        });
+        await writeOperatorTokenFile(signed.token, h.dir);
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("aud-mismatch");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(signed.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("missing/invalid pa_scope_set (stale iss, aud=operator) → skipped:no-scope-set, NOT widened to admin", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // aud=operator + stale iss + NO pa_scope_set claim. Falling back to a
+        // default scope-set would silently widen to admin (hub#224); refuse.
+        const signed = await signAccessToken(db, {
+          sub: "user-abc",
+          scopes: ["scribe:transcribe"],
+          audience: OPERATOR_TOKEN_AUDIENCE,
+          clientId: OPERATOR_TOKEN_CLIENT_ID,
+          issuer: LOOPBACK_ISSUER,
+        });
+        await writeOperatorTokenFile(signed.token, h.dir);
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("no-scope-set");
+
+        // On-disk file unchanged — no widening occurred.
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(signed.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("missing sub (stale iss, aud=operator, valid scope-set) → skipped:no-sub, untouched", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // aud=operator + recognized scope-set + stale iss but NO sub — we can't
+        // re-mint a token we can't attribute.
+        const signed = await signAccessToken(db, {
+          sub: "",
+          scopes: ["parachute:host:start"],
+          audience: OPERATOR_TOKEN_AUDIENCE,
+          clientId: OPERATOR_TOKEN_CLIENT_ID,
+          issuer: LOOPBACK_ISSUER,
+          extraClaims: { [OPERATOR_TOKEN_SCOPE_SET_CLAIM]: "start" },
+        });
+        await writeOperatorTokenFile(signed.token, h.dir);
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("no-sub");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(signed.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("target issuer loopback (public token on disk) → skipped:issuer-loopback, public token preserved", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // A good PUBLIC-issuer token; calling self-heal with a loopback target
+        // must never downgrade it.
+        const issued = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: PUBLIC_ISSUER,
+          scopeSet: "admin",
+        });
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: LOOPBACK_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("issuer-loopback");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(issued.token);
+        // Still a public-issuer token.
+        const validated = await validateAccessToken(db, onDisk as string, PUBLIC_ISSUER);
+        expect(validated.payload.iss).toBe(PUBLIC_ISSUER);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("scope-set preserved verbatim — 'auth' set stays 'auth', not widened to admin", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        await issueOperatorToken(db, "user-xyz", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "auth",
+        });
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("rotated");
+        if (status.kind === "rotated") expect(status.scopeSet).toBe("auth");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        const validated = await validateAccessToken(db, onDisk as string, PUBLIC_ISSUER);
+        expect(validated.payload[OPERATOR_TOKEN_SCOPE_SET_CLAIM]).toBe("auth");
+        // The minted scopes are the "auth" set, NOT the admin superset.
+        expect(validated.payload.scope).toBe("parachute:host:auth");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("file path is the canonical operator.token under configDir", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "start",
+        });
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        if (status.kind === "rotated") {
+          expect(status.path).toBe(join(h.dir, OPERATOR_TOKEN_FILENAME));
+        } else {
+          throw new Error(`expected rotated, got ${status.kind}`);
+        }
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/proxy-error-ui.test.ts

@@ -0,0 +1,212 @@
+import { describe, expect, test } from "bun:test";
+import {
+  ADMIN_MODULES_URL,
+  ERROR_TYPE_PERSISTENT,
+  ERROR_TYPE_TRANSIENT,
+  TRANSIENT_MAX_ATTEMPTS,
+  TRANSIENT_RETRY_MS,
+  renderProxyError,
+  renderProxyErrorHtml,
+  renderProxyErrorJson,
+  statusForState,
+  toResponse,
+  wantsHtml,
+} from "../proxy-error-ui.ts";
+
+function req(accept?: string): Request {
+  const headers: Record<string, string> = {};
+  if (accept !== undefined) headers.accept = accept;
+  return new Request("http://127.0.0.1/vault/default/health", { headers });
+}
+
+describe("wantsHtml — Accept-header negotiation", () => {
+  test("text/html → HTML", () => {
+    expect(wantsHtml(req("text/html"))).toBe(true);
+  });
+  test("application/json → JSON", () => {
+    expect(wantsHtml(req("application/json"))).toBe(false);
+  });
+  test("missing Accept → HTML (browser-ish default)", () => {
+    expect(wantsHtml(req())).toBe(true);
+  });
+  test("*/* alone → HTML", () => {
+    expect(wantsHtml(req("*/*"))).toBe(true);
+  });
+  test("text/html,application/xhtml+xml,application/xml → HTML", () => {
+    expect(wantsHtml(req("text/html,application/xhtml+xml,application/xml"))).toBe(true);
+  });
+  test("application/json with text/html present → HTML", () => {
+    // If a client sends both, we lean HTML — matches the hub's existing
+    // one-line accept check at the 404 fallthrough.
+    expect(wantsHtml(req("application/json, text/html"))).toBe(true);
+  });
+});
+
+describe("statusForState", () => {
+  test("transient → 503", () => {
+    expect(statusForState("transient")).toBe(503);
+  });
+  test("persistent → 502", () => {
+    expect(statusForState("persistent")).toBe(502);
+  });
+});
+
+describe("renderProxyErrorJson", () => {
+  test("transient → 503 JSON with retry_after_ms + max_attempts + no admin_url", () => {
+    const out = renderProxyErrorJson({
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "transient",
+      upstreamError: "ECONNREFUSED",
+    });
+    expect(out.status).toBe(503);
+    expect(out.contentType).toBe("application/json");
+    expect(out.retryAfter).toBe("2");
+    const body = JSON.parse(out.body) as {
+      error: string;
+      error_type: string;
+      retry_after_ms: number;
+      max_attempts: number;
+      admin_url?: string;
+      service: string;
+    };
+    expect(body.error).toBe(ERROR_TYPE_TRANSIENT);
+    expect(body.error_type).toBe(ERROR_TYPE_TRANSIENT);
+    expect(body.retry_after_ms).toBe(TRANSIENT_RETRY_MS);
+    expect(body.max_attempts).toBe(TRANSIENT_MAX_ATTEMPTS);
+    expect(body.admin_url).toBeUndefined();
+    expect(body.service).toBe("vault");
+  });
+
+  test("persistent → 502 JSON with admin_url + no retry_after_ms", () => {
+    const out = renderProxyErrorJson({
+      short: "scribe",
+      serviceLabel: "scribe",
+      state: "persistent",
+      upstreamError: "ECONNREFUSED",
+    });
+    expect(out.status).toBe(502);
+    expect(out.contentType).toBe("application/json");
+    expect(out.retryAfter).toBeUndefined();
+    const body = JSON.parse(out.body) as {
+      error: string;
+      error_type: string;
+      retry_after_ms?: number;
+      admin_url?: string;
+    };
+    expect(body.error).toBe(ERROR_TYPE_PERSISTENT);
+    expect(body.error_type).toBe(ERROR_TYPE_PERSISTENT);
+    expect(body.admin_url).toBe(ADMIN_MODULES_URL);
+    expect(body.retry_after_ms).toBeUndefined();
+  });
+
+  test("persistent JSON folds upstreamError into error_description", () => {
+    const out = renderProxyErrorJson({
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "persistent",
+      upstreamError: "ECONNREFUSED 127.0.0.1:1940",
+    });
+    const body = JSON.parse(out.body) as { error_description: string };
+    expect(body.error_description).toContain("ECONNREFUSED");
+    expect(body.error_description).toContain("parachute-vault");
+  });
+});
+
+describe("renderProxyErrorHtml", () => {
+  test("transient HTML → 503 + meta-refresh + Retry-After + poll script", () => {
+    const out = renderProxyErrorHtml({
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "transient",
+      upstreamError: "ECONNREFUSED",
+    });
+    expect(out.status).toBe(503);
+    expect(out.contentType).toBe("text/html; charset=utf-8");
+    expect(out.retryAfter).toBe("2");
+    expect(out.body).toContain(`<meta http-equiv="refresh" content="2">`);
+    expect(out.body).toContain("Just a moment");
+    expect(out.body).toContain("/api/ready");
+    expect(out.body).toContain("ready_modules");
+    expect(out.body).toContain(`maxAttempts = ${TRANSIENT_MAX_ATTEMPTS}`);
+    // Transient page MUST NOT include an admin link (Aaron design (d)).
+    expect(out.body).not.toContain("/admin/modules");
+  });
+
+  test("persistent HTML → 502 + no meta-refresh + admin link + manual refresh", () => {
+    const out = renderProxyErrorHtml({
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "persistent",
+      upstreamError: "ECONNREFUSED",
+    });
+    expect(out.status).toBe(502);
+    expect(out.contentType).toBe("text/html; charset=utf-8");
+    expect(out.retryAfter).toBeUndefined();
+    expect(out.body).not.toContain(`http-equiv="refresh"`);
+    expect(out.body).toContain("Module unreachable");
+    expect(out.body).toContain("/admin/modules");
+    expect(out.body).toContain("View module status");
+    // No periodic poll on the persistent page — only the manual-refresh
+    // listener. Assert by checking that maxAttempts/intervalMs constants
+    // aren't emitted into the script.
+    expect(out.body).not.toContain("maxAttempts");
+  });
+
+  test("HTML escapes the service short name into the body", () => {
+    // Constructing a malicious short shouldn't break the page. ServiceEntry
+    // names are validated upstream but the renderer is defense-in-depth.
+    const out = renderProxyErrorHtml({
+      short: "<script>alert(1)</script>",
+      serviceLabel: "<malicious>",
+      state: "persistent",
+      upstreamError: "x",
+    });
+    expect(out.body).not.toContain("<script>alert(1)</script>");
+    expect(out.body).toContain("&lt;script&gt;");
+  });
+});
+
+describe("renderProxyError — Accept-driven dispatch", () => {
+  test("JSON-accepting request → JSON renderer", () => {
+    const out = renderProxyError(req("application/json"), {
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "transient",
+      upstreamError: "x",
+    });
+    expect(out.contentType).toBe("application/json");
+  });
+  test("HTML-accepting request → HTML renderer", () => {
+    const out = renderProxyError(req("text/html"), {
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "transient",
+      upstreamError: "x",
+    });
+    expect(out.contentType).toBe("text/html; charset=utf-8");
+  });
+});
+
+describe("toResponse", () => {
+  test("attaches Retry-After when present", () => {
+    const out = toResponse({
+      body: "{}",
+      status: 503,
+      contentType: "application/json",
+      retryAfter: "2",
+    });
+    expect(out.status).toBe(503);
+    expect(out.headers.get("retry-after")).toBe("2");
+    expect(out.headers.get("content-type")).toBe("application/json");
+    expect(out.headers.get("cache-control")).toBe("no-store");
+  });
+  test("omits Retry-After when absent", () => {
+    const out = toResponse({
+      body: "{}",
+      status: 502,
+      contentType: "application/json",
+    });
+    expect(out.headers.get("retry-after")).toBeNull();
+  });
+});