Fix metadata caching, 404 propagation, mirror progress, and registry stubs

- ProxyCached now stores upstream Last-Modified in the cache and uses it
  (along with ETag) for conditional request handling, returning 304 when
  client validators match. Adds Content-Length to cached responses.

- Handlers calling FetchOrCacheMetadata (pypi, composer, pub, nuget) now
  check for ErrUpstreamNotFound and return 404 instead of 502, matching
  the existing npm and cargo behavior.

- Mirror jobs report live progress via a periodic callback while running,
  so API polls return real counts instead of zeroed progress.

- Registry mirroring removed from CLI flags, API acceptance, README, and
  docs since every enumerator was a stub returning "not yet implemented".

- Added tests for the conditional metadata path (ETag/If-None-Match,
  Last-Modified/If-Modified-Since, 304 responses, header omission).

Author: andrew

README.md

@@ -474,9 +474,6 @@ proxy mirror pkg:npm/lodash
 # Mirror from a CycloneDX or SPDX SBOM
 proxy mirror --sbom sbom.cdx.json
 
-# Full registry mirror (npm, pypi, cargo supported)
-proxy mirror --registry npm
-
 # Preview what would be mirrored
 proxy mirror --dry-run pkg:npm/lodash
 
@@ -579,7 +576,7 @@ Recently cached:
 
 | Endpoint | Description |
 |----------|-------------|
-| `POST /api/mirror` | Start a mirror job (JSON body with `purls` or `registry`) |
+| `POST /api/mirror` | Start a mirror job (JSON body with `purls`) |
 | `GET /api/mirror/{id}` | Get job status and progress |
 | `DELETE /api/mirror/{id}` | Cancel a running job |
 

cmd/proxy/main.go

@@ -358,7 +358,6 @@ func runMirror() {
 	databasePath := fs.String("database-path", "", "Path to SQLite database file")
 	databaseURL := fs.String("database-url", "", "PostgreSQL connection URL")
 	sbomPath := fs.String("sbom", "", "Path to CycloneDX or SPDX SBOM file")
-	registry := fs.String("registry", "", "Ecosystem name for full registry mirror")
 	concurrency := fs.Int("concurrency", 4, "Number of parallel downloads") //nolint:mnd // default concurrency
 	dryRun := fs.Bool("dry-run", false, "Show what would be mirrored without downloading")
 
@@ -368,8 +367,7 @@ func runMirror() {
 		fmt.Fprintf(os.Stderr, "Examples:\n")
 		fmt.Fprintf(os.Stderr, "  proxy mirror pkg:npm/lodash@4.17.21\n")
 		fmt.Fprintf(os.Stderr, "  proxy mirror --sbom sbom.cdx.json\n")
-		fmt.Fprintf(os.Stderr, "  proxy mirror pkg:npm/lodash  # all versions\n")
-		fmt.Fprintf(os.Stderr, "  proxy mirror --registry npm\n\n")
+		fmt.Fprintf(os.Stderr, "  proxy mirror pkg:npm/lodash  # all versions\n\n")
 		fmt.Fprintf(os.Stderr, "Flags:\n")
 		fs.PrintDefaults()
 	}
@@ -382,12 +380,10 @@ func runMirror() {
 	switch {
 	case *sbomPath != "":
 		source = &mirror.SBOMSource{Path: *sbomPath}
-	case *registry != "":
-		source = &mirror.RegistrySource{Ecosystem: *registry}
 	case len(purls) > 0:
 		source = &mirror.PURLSource{PURLs: purls}
 	default:
-		fmt.Fprintf(os.Stderr, "error: provide PURLs, --sbom, or --registry\n")
+		fmt.Fprintf(os.Stderr, "error: provide PURLs or --sbom\n")
 		fs.Usage()
 		os.Exit(1)
 	}

docs/configuration.md

@@ -244,7 +244,6 @@ The `proxy mirror` command pre-populates the cache from various sources. It acce
 | Flag | Default | Description |
 |------|---------|-------------|
 | `--sbom` | | Path to CycloneDX or SPDX SBOM file |
-| `--registry` | | Ecosystem name for full registry mirror |
 | `--concurrency` | `4` | Number of parallel downloads |
 | `--dry-run` | `false` | Show what would be mirrored without downloading |
 | `--config` | | Path to configuration file |

internal/database/queries.go

@@ -894,7 +894,7 @@ func (db *DB) GetMetadataCache(ecosystem, name string) (*MetadataCacheEntry, err
 	var entry MetadataCacheEntry
 	query := db.Rebind(`
 		SELECT id, ecosystem, name, storage_path, etag, content_type,
-		       size, fetched_at, created_at, updated_at
+		       size, last_modified, fetched_at, created_at, updated_at
 		FROM metadata_cache WHERE ecosystem = ? AND name = ?
 	`)
 	err := db.Get(&entry, query, ecosystem, name)
@@ -914,34 +914,36 @@ func (db *DB) UpsertMetadataCache(entry *MetadataCacheEntry) error {
 	if db.dialect == DialectPostgres {
 		query = `
 			INSERT INTO metadata_cache (ecosystem, name, storage_path, etag, content_type,
-			                            size, fetched_at, created_at, updated_at)
-			VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+			                            size, last_modified, fetched_at, created_at, updated_at)
+			VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
 			ON CONFLICT(ecosystem, name) DO UPDATE SET
 				storage_path = EXCLUDED.storage_path,
 				etag = EXCLUDED.etag,
 				content_type = EXCLUDED.content_type,
 				size = EXCLUDED.size,
+				last_modified = EXCLUDED.last_modified,
 				fetched_at = EXCLUDED.fetched_at,
 				updated_at = EXCLUDED.updated_at
 		`
 	} else {
 		query = `
 			INSERT INTO metadata_cache (ecosystem, name, storage_path, etag, content_type,
-			                            size, fetched_at, created_at, updated_at)
-			VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+			                            size, last_modified, fetched_at, created_at, updated_at)
+			VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
 			ON CONFLICT(ecosystem, name) DO UPDATE SET
 				storage_path = excluded.storage_path,
 				etag = excluded.etag,
 				content_type = excluded.content_type,
 				size = excluded.size,
+				last_modified = excluded.last_modified,
 				fetched_at = excluded.fetched_at,
 				updated_at = excluded.updated_at
 		`
 	}
 
 	_, err := db.Exec(query,
 		entry.Ecosystem, entry.Name, entry.StoragePath, entry.ETag,
-		entry.ContentType, entry.Size, entry.FetchedAt, now, now,
+		entry.ContentType, entry.Size, entry.LastModified, entry.FetchedAt, now, now,
 	)
 	if err != nil {
 		return fmt.Errorf("upserting metadata cache: %w", err)

internal/database/schema.go

@@ -99,6 +99,7 @@ CREATE TABLE IF NOT EXISTS metadata_cache (
 	etag TEXT,
 	content_type TEXT,
 	size INTEGER,
+	last_modified DATETIME,
 	fetched_at DATETIME,
 	created_at DATETIME,
 	updated_at DATETIME
@@ -198,6 +199,7 @@ CREATE TABLE IF NOT EXISTS metadata_cache (
 	etag TEXT,
 	content_type TEXT,
 	size BIGINT,
+	last_modified TIMESTAMP,
 	fetched_at TIMESTAMP,
 	created_at TIMESTAMP,
 	updated_at TIMESTAMP
@@ -596,6 +598,7 @@ func (db *DB) EnsureMetadataCacheTable() error {
 				etag TEXT,
 				content_type TEXT,
 				size BIGINT,
+				last_modified TIMESTAMP,
 				fetched_at TIMESTAMP,
 				created_at TIMESTAMP,
 				updated_at TIMESTAMP
@@ -612,6 +615,7 @@ func (db *DB) EnsureMetadataCacheTable() error {
 				etag TEXT,
 				content_type TEXT,
 				size INTEGER,
+				last_modified DATETIME,
 				fetched_at DATETIME,
 				created_at DATETIME,
 				updated_at DATETIME

internal/database/types.go

@@ -78,16 +78,17 @@ func (a *Artifact) IsCached() bool {
 
 // MetadataCacheEntry represents a cached metadata blob for offline serving.
 type MetadataCacheEntry struct {
-	ID          int64          `db:"id" json:"id"`
-	Ecosystem   string         `db:"ecosystem" json:"ecosystem"`
-	Name        string         `db:"name" json:"name"`
-	StoragePath string         `db:"storage_path" json:"storage_path"`
-	ETag        sql.NullString `db:"etag" json:"etag,omitempty"`
-	ContentType sql.NullString `db:"content_type" json:"content_type,omitempty"`
-	Size        sql.NullInt64  `db:"size" json:"size,omitempty"`
-	FetchedAt   sql.NullTime   `db:"fetched_at" json:"fetched_at,omitempty"`
-	CreatedAt   time.Time      `db:"created_at" json:"created_at"`
-	UpdatedAt   time.Time      `db:"updated_at" json:"updated_at"`
+	ID           int64          `db:"id" json:"id"`
+	Ecosystem    string         `db:"ecosystem" json:"ecosystem"`
+	Name         string         `db:"name" json:"name"`
+	StoragePath  string         `db:"storage_path" json:"storage_path"`
+	ETag         sql.NullString `db:"etag" json:"etag,omitempty"`
+	ContentType  sql.NullString `db:"content_type" json:"content_type,omitempty"`
+	Size         sql.NullInt64  `db:"size" json:"size,omitempty"`
+	LastModified sql.NullTime   `db:"last_modified" json:"last_modified,omitempty"`
+	FetchedAt    sql.NullTime   `db:"fetched_at" json:"fetched_at,omitempty"`
+	CreatedAt    time.Time      `db:"created_at" json:"created_at"`
+	UpdatedAt    time.Time      `db:"updated_at" json:"updated_at"`
 }
 
 // Vulnerability represents a cached vulnerability record.

internal/handler/composer.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -91,6 +92,10 @@ func (h *ComposerHandler) handlePackageMetadata(w http.ResponseWriter, r *http.R
 
 	body, _, err := h.proxy.FetchOrCacheMetadata(r.Context(), "composer", packageName, upstreamURL)
 	if err != nil {
+		if errors.Is(err, ErrUpstreamNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
 		h.proxy.Logger.Error("upstream request failed", "error", err)
 		http.Error(w, "upstream request failed", http.StatusBadGateway)
 		return

internal/handler/handler.go

@@ -10,6 +10,7 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
@@ -394,14 +395,14 @@ func (p *Proxy) FetchOrCacheMetadata(ctx context.Context, ecosystem, cacheKey, u
 	}
 
 	// Try upstream
-	body, contentType, etag, err := p.fetchUpstreamMetadata(ctx, upstreamURL, entry, accept)
+	body, contentType, etag, lastModified, err := p.fetchUpstreamMetadata(ctx, upstreamURL, entry, accept)
 	if errors.Is(err, errStale304) {
 		// 304 but cached file is gone; retry without ETag
-		body, contentType, etag, err = p.fetchUpstreamMetadata(ctx, upstreamURL, nil, accept)
+		body, contentType, etag, lastModified, err = p.fetchUpstreamMetadata(ctx, upstreamURL, nil, accept)
 	}
 	if err == nil {
 		if p.CacheMetadata {
-			p.cacheMetadataBlob(ctx, ecosystem, cacheKey, storagePath, body, contentType, etag)
+			p.cacheMetadataBlob(ctx, ecosystem, cacheKey, storagePath, body, contentType, etag, lastModified)
 		}
 		return body, contentType, nil
 	}
@@ -435,11 +436,13 @@ func (p *Proxy) FetchOrCacheMetadata(ctx context.Context, ecosystem, cacheKey, u
 }
 
 // fetchUpstreamMetadata fetches metadata from upstream, using ETag for conditional revalidation.
-// Returns the body, content type, ETag, and any error.
-func (p *Proxy) fetchUpstreamMetadata(ctx context.Context, upstreamURL string, entry *database.MetadataCacheEntry, accept string) ([]byte, string, string, error) {
+// Returns the body, content type, ETag, upstream Last-Modified time, and any error.
+func (p *Proxy) fetchUpstreamMetadata(ctx context.Context, upstreamURL string, entry *database.MetadataCacheEntry, accept string) ([]byte, string, string, time.Time, error) {
+	var zeroTime time.Time
+
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, upstreamURL, nil)
 	if err != nil {
-		return nil, "", "", fmt.Errorf("creating request: %w", err)
+		return nil, "", "", zeroTime, fmt.Errorf("creating request: %w", err)
 	}
 	req.Header.Set("Accept", accept)
 
@@ -449,38 +452,42 @@ func (p *Proxy) fetchUpstreamMetadata(ctx context.Context, upstreamURL string, e
 
 	resp, err := p.HTTPClient.Do(req)
 	if err != nil {
-		return nil, "", "", fmt.Errorf("fetching metadata: %w", err)
+		return nil, "", "", zeroTime, fmt.Errorf("fetching metadata: %w", err)
 	}
 	defer func() { _ = resp.Body.Close() }()
 
 	// 304 Not Modified -- our cached copy is still good
 	if resp.StatusCode == http.StatusNotModified && entry != nil {
 		cached, readErr := p.Storage.Open(ctx, entry.StoragePath)
 		if readErr != nil {
-			return nil, "", "", errStale304
+			return nil, "", "", zeroTime, errStale304
 		}
 		defer func() { _ = cached.Close() }()
 		data, readErr := ReadMetadata(cached)
 		if readErr != nil {
-			return nil, "", "", errStale304
+			return nil, "", "", zeroTime, errStale304
 		}
 		ct := contentTypeJSON
 		if entry.ContentType.Valid {
 			ct = entry.ContentType.String
 		}
-		return data, ct, entry.ETag.String, nil
+		lm := zeroTime
+		if entry.LastModified.Valid {
+			lm = entry.LastModified.Time
+		}
+		return data, ct, entry.ETag.String, lm, nil
 	}
 
 	if resp.StatusCode == http.StatusNotFound {
-		return nil, "", "", ErrUpstreamNotFound
+		return nil, "", "", zeroTime, ErrUpstreamNotFound
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, "", "", fmt.Errorf("upstream returned %d", resp.StatusCode)
+		return nil, "", "", zeroTime, fmt.Errorf("upstream returned %d", resp.StatusCode)
 	}
 
 	body, err := ReadMetadata(resp.Body)
 	if err != nil {
-		return nil, "", "", fmt.Errorf("reading response: %w", err)
+		return nil, "", "", zeroTime, fmt.Errorf("reading response: %w", err)
 	}
 
 	contentType := resp.Header.Get("Content-Type")
@@ -489,11 +496,17 @@ func (p *Proxy) fetchUpstreamMetadata(ctx context.Context, upstreamURL string, e
 	}
 
 	etag := resp.Header.Get("ETag")
-	return body, contentType, etag, nil
+
+	var lastModified time.Time
+	if lm := resp.Header.Get("Last-Modified"); lm != "" {
+		lastModified, _ = http.ParseTime(lm)
+	}
+
+	return body, contentType, etag, lastModified, nil
 }
 
 // cacheMetadataBlob stores metadata bytes in storage and updates the database.
-func (p *Proxy) cacheMetadataBlob(ctx context.Context, ecosystem, cacheKey, storagePath string, data []byte, contentType, etag string) {
+func (p *Proxy) cacheMetadataBlob(ctx context.Context, ecosystem, cacheKey, storagePath string, data []byte, contentType, etag string, lastModified time.Time) {
 	if p.DB == nil || p.Storage == nil {
 		return
 	}
@@ -505,13 +518,14 @@ func (p *Proxy) cacheMetadataBlob(ctx context.Context, ecosystem, cacheKey, stor
 	}
 
 	_ = p.DB.UpsertMetadataCache(&database.MetadataCacheEntry{
-		Ecosystem:   ecosystem,
-		Name:        cacheKey,
-		StoragePath: storagePath,
-		ETag:        sql.NullString{String: etag, Valid: etag != ""},
-		ContentType: sql.NullString{String: contentType, Valid: contentType != ""},
-		Size:        sql.NullInt64{Int64: size, Valid: true},
-		FetchedAt:   sql.NullTime{Time: time.Now(), Valid: true},
+		Ecosystem:    ecosystem,
+		Name:         cacheKey,
+		StoragePath:  storagePath,
+		ETag:         sql.NullString{String: etag, Valid: etag != ""},
+		ContentType:  sql.NullString{String: contentType, Valid: contentType != ""},
+		Size:         sql.NullInt64{Int64: size, Valid: true},
+		LastModified: sql.NullTime{Time: lastModified, Valid: !lastModified.IsZero()},
+		FetchedAt:    sql.NullTime{Time: time.Now(), Valid: true},
 	})
 }
 
@@ -537,7 +551,44 @@ func (p *Proxy) ProxyCached(w http.ResponseWriter, r *http.Request, upstreamURL,
 		return
 	}
 
+	// Look up cache entry to get ETag and upstream Last-Modified for conditional response headers
+	var etag string
+	var lastModified time.Time
+	if p.DB != nil {
+		if entry, err := p.DB.GetMetadataCache(ecosystem, cacheKey); err == nil && entry != nil {
+			if entry.ETag.Valid {
+				etag = entry.ETag.String
+			}
+			if entry.LastModified.Valid {
+				lastModified = entry.LastModified.Time
+			}
+		}
+	}
+
+	// Honor client conditional request headers
+	if etag != "" {
+		if match := r.Header.Get("If-None-Match"); match != "" && match == etag {
+			w.WriteHeader(http.StatusNotModified)
+			return
+		}
+	}
+	if !lastModified.IsZero() {
+		if ims := r.Header.Get("If-Modified-Since"); ims != "" {
+			if t, err := http.ParseTime(ims); err == nil && !lastModified.After(t) {
+				w.WriteHeader(http.StatusNotModified)
+				return
+			}
+		}
+	}
+
 	w.Header().Set("Content-Type", contentType)
+	w.Header().Set("Content-Length", strconv.Itoa(len(body)))
+	if etag != "" {
+		w.Header().Set("ETag", etag)
+	}
+	if !lastModified.IsZero() {
+		w.Header().Set("Last-Modified", lastModified.UTC().Format(http.TimeFormat))
+	}
 	w.WriteHeader(http.StatusOK)
 	_, _ = w.Write(body)
 }