Age-gate proxy quality gate for npm and PyPI

[RajatGarga]

The goal is to give teams a buffer period before newly published packages are automatically available, reducing exposure to supply-chain attacks that exploit the window between a package's first publish and widespread adoption scrutiny.

How it works

When age-gate is enabled on a remote (proxy) repository:

1. Packument / index filtering — when a client requests package metadata (npm packument or PyPI simple index), versions younger than min_age_days are stripped from the response. The client sees only versions old enough to have passed the threshold, or the most recent approved version.
2. Download check — if a tarball / wheel is requested directly for a young version, the proxy returns HTTP 451 with a JSON body containing the review_id so the client knows a review is pending.
3. Review queue — blocked versions are queued automatically. Admins can approve or reject reviews via the API or the web UI. A rejected version stays blocked even after it crosses the age threshold.
4. Lazy auto-approve — if a version was blocked but later crosses the threshold with no admin action, it is automatically approved on the next check. This keeps the queue clean for busy registries without requiring manual intervention for every package.

Supported formats

• npm — packument filtering + per-tarball check
• PyPI — simple-index HTML filtering + per-file check

Other formats pass through unchanged (the gate is a no-op when disabled or for unsupported formats). This is what we need right now but more can be added as and when required.

Configuration

Age-gate is off by default. It is enabled per repository:

# Enable with a 7-day threshold
curl -X PUT http://localhost:8080/api/v1/repositories/my-npm-proxy/age-gate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"enabled": true, "min_age_days": 7}'

[RajatGarga]

I created MRs in the backend and web repositories for this feature
#1403
artifact-keeper/artifact-keeper-web#452

Also tested the entire flow locally for npm as well as PyPI

[RajatGarga]

Hey @brandonrc, just wanted to check if you've had a chance to look at this. Happy to make any changes needed on the PRs.