fix: e2e suite fails to build (stale server.New call)
epic: authentication & authorization system (Vault dynamic secrets, service accounts, users, path ACLs)
fix: serveFromStore does a guaranteed-miss S3 lookup on every cache hit
feat: cache upstream bearer tokens
feat: wire the circuit breaker into the proxy fetch path
fix: coalesce concurrent cache-miss fetches (thundering herd)
perf: batch access-log writes instead of goroutine+insert per request
fix: blocklist fails open when a regex fails to compile
fix: isNetworkError should use errors.As, not a bare type assertion
fix: getenv treats an explicitly-empty value as unset
fix: HEAD requests fetch and stream the full body
fix: GC has no grace period (TOCTOU with dedup uploads)
perf: compile remote match patterns once instead of per-request
fix: set timeouts on the upstream HTTP client
perf: stream proxied artifacts instead of buffering the full body in memory