Fix review issues in mirror feature

- Fix race where runJob could overwrite canceled state set by Cancel()
- Fix Debian ecosystem name inconsistency ("deb" -> "debian")
- Stream metadata responses when caching is disabled to avoid buffering
- Add metadata_cache table to initial schema strings for consistency
- Gate mirror API behind mirror_api config flag (disabled by default)
- Fix goconst lint in metadata_cache_test.go

Author: andrew

docs/configuration.md

@@ -225,6 +225,18 @@ Or via environment variable: `PROXY_CACHE_METADATA=true`.
 
 The `proxy mirror` command always enables metadata caching regardless of this setting.
 
+## Mirror API
+
+The `/api/mirror` endpoints are disabled by default. Enable them to allow starting mirror jobs via HTTP:
+
+```yaml
+mirror_api: true
+```
+
+Or via environment variable: `PROXY_MIRROR_API=true`.
+
+When disabled, the endpoints are not registered and return 404.
+
 ## Mirror Command
 
 The `proxy mirror` command pre-populates the cache from various sources. It accepts the same storage and database flags as `serve`.

internal/config/config.go

@@ -88,6 +88,10 @@ type Config struct {
 	// When enabled, metadata is stored in the database and storage backend.
 	// The mirror command always enables this regardless of this setting.
 	CacheMetadata bool `json:"cache_metadata" yaml:"cache_metadata"`
+
+	// MirrorAPI enables the /api/mirror endpoints for starting mirror jobs via HTTP.
+	// Disabled by default to prevent unauthenticated users from triggering downloads.
+	MirrorAPI bool `json:"mirror_api" yaml:"mirror_api"`
 }
 
 // CooldownConfig configures version cooldown periods.
@@ -314,6 +318,9 @@ func (c *Config) LoadFromEnv() {
 	if v := os.Getenv("PROXY_CACHE_METADATA"); v != "" {
 		c.CacheMetadata = v == "true" || v == "1"
 	}
+	if v := os.Getenv("PROXY_MIRROR_API"); v != "" {
+		c.MirrorAPI = v == "true" || v == "1"
+	}
 }
 
 // Validate checks the configuration for errors.

internal/handler/debian.go

@@ -94,7 +94,7 @@ func (h *DebianHandler) handlePackageDownload(w http.ResponseWriter, r *http.Req
 // These change frequently so we don't cache them.
 func (h *DebianHandler) handleMetadata(w http.ResponseWriter, r *http.Request, path string) {
 	cacheKey := strings.ReplaceAll(path, "/", "_")
-	h.proxy.ProxyCached(w, r, fmt.Sprintf("%s/%s", h.upstreamURL, path), "deb", cacheKey, "*/*")
+	h.proxy.ProxyCached(w, r, fmt.Sprintf("%s/%s", h.upstreamURL, path), "debian", cacheKey, "*/*")
 }
 
 // proxyFile proxies any file directly without caching.

internal/handler/handler.go

@@ -517,7 +517,15 @@ func (p *Proxy) cacheMetadataBlob(ctx context.Context, ecosystem, cacheKey, stor
 
 // ProxyCached fetches metadata from upstream (with optional caching for offline fallback)
 // and writes it to the response. Optional acceptHeaders specify the Accept header to send.
+// When metadata caching is disabled, the response is streamed directly to avoid buffering
+// large metadata responses (e.g. npm packages with many versions) in memory.
 func (p *Proxy) ProxyCached(w http.ResponseWriter, r *http.Request, upstreamURL, ecosystem, cacheKey string, acceptHeaders ...string) {
+	if !p.CacheMetadata {
+		// Stream directly without buffering when caching is off.
+		p.proxyMetadataStream(w, r, upstreamURL, acceptHeaders...)
+		return
+	}
+
 	body, contentType, err := p.FetchOrCacheMetadata(r.Context(), ecosystem, cacheKey, upstreamURL, acceptHeaders...)
 	if err != nil {
 		if errors.Is(err, ErrUpstreamNotFound) {
@@ -534,6 +542,44 @@ func (p *Proxy) ProxyCached(w http.ResponseWriter, r *http.Request, upstreamURL,
 	_, _ = w.Write(body)
 }
 
+// proxyMetadataStream forwards an upstream metadata response by streaming it to the client
+// without buffering the full body in memory.
+func (p *Proxy) proxyMetadataStream(w http.ResponseWriter, r *http.Request, upstreamURL string, acceptHeaders ...string) {
+	req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, upstreamURL, nil)
+	if err != nil {
+		http.Error(w, "failed to create request", http.StatusInternalServerError)
+		return
+	}
+
+	accept := contentTypeJSON
+	if len(acceptHeaders) > 0 && acceptHeaders[0] != "" {
+		accept = acceptHeaders[0]
+	}
+	req.Header.Set("Accept", accept)
+
+	for _, header := range []string{"Accept-Encoding", "If-Modified-Since", "If-None-Match"} {
+		if v := r.Header.Get(header); v != "" {
+			req.Header.Set(header, v)
+		}
+	}
+
+	resp, err := p.HTTPClient.Do(req)
+	if err != nil {
+		http.Error(w, "failed to fetch from upstream", http.StatusBadGateway)
+		return
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	for _, header := range []string{"Content-Type", "Content-Length", "Last-Modified", "ETag"} {
+		if v := resp.Header.Get(header); v != "" {
+			w.Header().Set(header, v)
+		}
+	}
+
+	w.WriteHeader(resp.StatusCode)
+	_, _ = io.Copy(w, resp.Body)
+}
+
 // GetOrFetchArtifactFromURL retrieves an artifact from cache or fetches from a specific URL.
 // This is useful for registries where download URLs are determined from metadata.
 func (p *Proxy) GetOrFetchArtifactFromURL(ctx context.Context, ecosystem, name, version, filename, downloadURL string) (*CacheResult, error) {

internal/mirror/job.go

@@ -151,6 +151,10 @@ func (js *JobStore) runJob(ctx context.Context, cancel context.CancelFunc, job *
 	defer cancel()
 
 	js.mu.Lock()
+	if job.State == JobStateCanceled {
+		js.mu.Unlock()
+		return
+	}
 	job.State = JobStateRunning
 	js.mu.Unlock()
 
@@ -159,6 +163,11 @@ func (js *JobStore) runJob(ctx context.Context, cancel context.CancelFunc, job *
 	js.mu.Lock()
 	defer js.mu.Unlock()
 
+	// Cancel() may have already set the state; don't overwrite it.
+	if job.State == JobStateCanceled {
+		return
+	}
+
 	if err != nil {
 		job.State = JobStateFailed
 		job.Error = err.Error()

internal/mirror/job_test.go

@@ -149,6 +149,31 @@ func TestJobStoreCleanup(t *testing.T) {
 	}
 }
 
+func TestJobStoreCancelPreservesStateAfterRunJob(t *testing.T) {
+	m := setupTestMirror(t, 1)
+	js := NewJobStore(context.Background(), m)
+
+	// Create a job that will fail (registry enumeration is not implemented)
+	id, err := js.Create(JobRequest{Registry: "npm"})
+	if err != nil {
+		t.Fatalf("Create() error = %v", err)
+	}
+
+	// Cancel immediately -- the job may already be running
+	js.Cancel(id)
+
+	// Wait for runJob goroutine to finish
+	time.Sleep(200 * time.Millisecond)
+
+	job := js.Get(id)
+	if job == nil {
+		t.Fatal("Get() returned nil")
+	}
+	if job.State != JobStateCanceled {
+		t.Errorf("state = %q, want %q (cancel should not be overwritten by runJob)", job.State, JobStateCanceled)
+	}
+}
+
 func TestNewJobIDUnique(t *testing.T) {
 	ids := make(map[string]bool)
 	for range 100 {

internal/server/server.go

@@ -235,13 +235,16 @@ func (s *Server) Start() error {
 	bgCtx, bgCancel := context.WithCancel(context.Background())
 	s.cancel = bgCancel
 
-	// Mirror API endpoints
-	mirrorSvc := mirror.New(proxy, s.db, s.storage, s.logger, 4) //nolint:mnd // default concurrency
-	jobStore := mirror.NewJobStore(bgCtx, mirrorSvc)
-	mirrorAPI := NewMirrorAPIHandler(jobStore)
-	r.Post("/api/mirror", mirrorAPI.HandleCreate)
-	r.Get("/api/mirror/{id}", mirrorAPI.HandleGet)
-	r.Delete("/api/mirror/{id}", mirrorAPI.HandleCancel)
+	// Mirror API endpoints (opt-in via mirror_api config or PROXY_MIRROR_API env)
+	if s.cfg.MirrorAPI {
+		mirrorSvc := mirror.New(proxy, s.db, s.storage, s.logger, 4) //nolint:mnd // default concurrency
+		jobStore := mirror.NewJobStore(bgCtx, mirrorSvc)
+		mirrorAPI := NewMirrorAPIHandler(jobStore)
+		r.Post("/api/mirror", mirrorAPI.HandleCreate)
+		r.Get("/api/mirror/{id}", mirrorAPI.HandleGet)
+		r.Delete("/api/mirror/{id}", mirrorAPI.HandleCancel)
+		go jobStore.StartCleanup(bgCtx)
+	}
 
 	s.http = &http.Server{
 		Addr:         s.cfg.Listen,
@@ -257,7 +260,6 @@ func (s *Server) Start() error {
 		"storage", s.storage.URL(),
 		"database", s.cfg.Database.Path)
 	go s.updateCacheStatsMetrics()
-	go jobStore.StartCleanup(bgCtx)
 
 	return s.http.ListenAndServe()
 }