Why
proxy mirror can pre-populate the cache from PURLs or SBOMs, but there is no decision point before artifacts are fetched and stored.
Mirroring makes artifacts available from the proxy cache. For security-sensitive environments, some checks need to happen before that point, not after: once an artifact is mirrored, it is served from cache, so any check that is meant to keep it out has to run before download/cache. Examples include threat-intel checks, malware verdicts, vulnerability policy, license policy, internal allow/deny lists, and manual approval workflows.
While security is the primary use case for this feature request, the decision hook could support any workflow that requires an explicit decision before mirroring proceeds.
Current Workaround
The current workaround is to wrap proxy mirror outside the tool, but that does not cover the Mirror API cleanly and duplicates the mirror resolution logic.
Possible Direction
Introduce a pre-mirror decision hook, similar in spirit to Git’s pre-commit / pre-push hooks.
The goal is to provide a blocking decision point before proxy mirror downloads and caches artifacts. This would allow operators to call an external security or policy service and wait for an explicit allow/deny decision before the mirror proceeds.
Add a configurable pre-mirror hook that runs after mirror input is resolved to package versions, but before artifact fetch/cache begins.
This feature request is intentionally limited to the concept and use case. The exact API shape, timeout behavior, need for polling, request/response schema, and implementation details can be discussed separately.
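To make the proposed decision point concrete, here is an added sketch (not the tool's code, and not a proposed API shape): mirror input is resolved to package versions, a hook is asked for an allow/deny verdict per version, and only allowed versions reach fetch/cache. The hook signature, the denylist and the PURLs are constructed for illustration; the one deliberate choice shown is that the hook fails closed, so an unreachable policy service blocks mirroring rather than letting artifacts through.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

@dataclass(frozen=True)
class PackageVersion:
    ecosystem: str
    name: str
    version: str

def resolve_purl(purl: str) -> PackageVersion:
    """Step 1: resolve a versioned PURL (e.g. pkg:npm/example-ok@1.2.3) to a package version."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl}")
    ecosystem, _, rest = purl[4:].partition("/")
    rest = rest.split("?", 1)[0].split("#", 1)[0]      # drop qualifiers and subpath
    name, sep, version = rest.rpartition("@")           # namespace/name stays in `name`
    if not ecosystem or not sep or not name or not version:
        raise ValueError(f"PURL lacks type, name or version: {purl}")
    return PackageVersion(ecosystem, name, version)

# Hypothetical hook shape: resolved package version in, "allow" or "deny" out.
DecisionHook = Callable[[PackageVersion], str]

def hook_allows(hook: DecisionHook, pv: PackageVersion) -> bool:
    """Step 2: ask the hook. Fail closed: an exception or an unknown verdict counts as deny."""
    try:
        return hook(pv) == "allow"
    except Exception:
        return False

def mirror_with_hook(purls: Iterable[str], hook: DecisionHook,
                     fetch_and_cache: Callable[[PackageVersion], None]
                     ) -> Tuple[List[PackageVersion], List[PackageVersion]]:
    """Step 3: fetch/cache only what the hook allowed; return (cached, denied)."""
    cached, denied = [], []
    for purl in purls:
        pv = resolve_purl(purl)
        if hook_allows(hook, pv):
            fetch_and_cache(pv)      # the artifact reaches the cache only after an explicit allow
            cached.append(pv)
        else:
            denied.append(pv)
    return cached, denied

# Constructed sample input and a denylist standing in for an external policy service.
SAMPLE_PURLS = ["pkg:npm/example-ok@1.2.3", "pkg:pypi/example-blocked@0.9.0",
                "pkg:maven/org.example/example-lib@2.0.0?type=jar"]
DENYLIST = {("pypi", "example-blocked", "0.9.0")}

def denylist_hook(pv: PackageVersion) -> str:
    return "deny" if (pv.ecosystem, pv.name, pv.version) in DENYLIST else "allow"

def unreachable_hook(pv: PackageVersion) -> str:
    raise ConnectionError("policy service unreachable")   # simulated outage -> nothing is cached
```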