Fix httpx.Timeout configuration in PyPI proxy

CHANGELOG.md

@@ -10,6 +10,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added S3 bucket provisioning terraform configuration (#59)
   - Creates an S3 bucket to be used for anything Orchard
   - Creates a log bucket for any logs tracking the S3 bucket
+- Added auto-fetch capability to dependency resolution endpoint
+  - `GET /api/v1/project/{project}/{package}/+/{ref}/resolve?auto_fetch=true` fetches missing dependencies from upstream registries
+  - PyPI registry client queries PyPI JSON API to resolve version constraints
+  - Fetched artifacts are cached and included in response `fetched` field
+  - Missing dependencies show `fetch_attempted` and `fetch_error` status
+  - Configurable max fetch depth via `ORCHARD_AUTO_FETCH_MAX_DEPTH` (default: 3)
+- Added `backend/app/registry_client.py` with extensible registry client abstraction
+  - `RegistryClient` ABC for implementing upstream registry clients
+  - `PyPIRegistryClient` implementation using PyPI JSON API
+  - `get_registry_client()` factory function for future npm/maven support
+- Added `fetch_and_cache_pypi_package()` reusable function for PyPI package fetching
+- Added HTTP connection pooling infrastructure for improved PyPI proxy performance
+  - `HttpClientManager` with configurable pool size, timeouts, and thread pool executor
+  - Eliminates per-request connection overhead (~100-500ms → ~5ms)
+- Added Redis caching layer with category-aware TTL for hermetic builds
+  - `CacheService` with graceful fallback when Redis unavailable
+  - Immutable data (artifact metadata, dependencies) cached forever
+  - Mutable data (package index, versions) uses configurable TTL
+- Added `ArtifactRepository` for batch database operations
+  - `batch_upsert_dependencies()` reduces N+1 queries to single INSERT
+  - `get_or_create_artifact()` uses atomic ON CONFLICT upsert
+- Added infrastructure status to health endpoint (`/health`)
+  - Reports HTTP pool size and worker threads
+  - Reports Redis cache connection status
+- Added new configuration settings for HTTP client, Redis, and cache TTL
+  - `ORCHARD_HTTP_MAX_CONNECTIONS`, `ORCHARD_HTTP_CONNECT_TIMEOUT`, etc.
+  - `ORCHARD_REDIS_HOST`, `ORCHARD_REDIS_PORT`, `ORCHARD_REDIS_ENABLED`
+  - `ORCHARD_CACHE_TTL_INDEX`, `ORCHARD_CACHE_TTL_VERSIONS`, etc.
 - Added transparent PyPI proxy implementing PEP 503 Simple API (#108)
   - `GET /pypi/simple/` - package index (proxied from upstream)
   - `GET /pypi/simple/{package}/` - version list with rewritten download links
@@ -17,35 +45,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Allows `pip install --index-url https://orchard.../pypi/simple/ <package>`
   - Artifacts cached on first access through configured upstream sources
 - Added `POST /api/v1/cache/resolve` endpoint to cache packages by coordinates instead of URL (#108)
-
-### Changed
-- Upstream sources table text is now centered under column headers (#108)
-- ENV badge now appears inline with source name instead of separate column (#108)
-- Test and Edit buttons now have more prominent button styling (#108)
-- Reduced footer padding for cleaner layout (#108)
-
-### Fixed
-- Fixed purge_seed_data crash when deleting access permissions - was comparing UUID to VARCHAR column (#107)
-
-### Changed
-- Upstream source connectivity test no longer follows redirects, fixing "Exceeded maximum allowed redirects" error with Artifactory proxies (#107)
-- Test runs automatically after saving a new or updated upstream source (#107)
-- Test status now shows as colored dots (green=success, red=error) instead of text badges (#107)
-- Clicking red dot shows error details in a modal (#107)
-- Source name column no longer wraps text for better table layout (#107)
-- Renamed "Cache Management" page to "Upstream Sources" (#107)
-- Moved Delete button from table row to edit modal for cleaner table layout (#107)
-
-### Removed
-- Removed `is_public` field from upstream sources - all sources are now treated as internal/private (#107)
-- Removed `allow_public_internet` (air-gap mode) setting from cache settings - not needed for enterprise proxy use case (#107)
-- Removed seeding of public registry URLs (npm-public, pypi-public, maven-central, docker-hub) (#107)
-- Removed "Public" badge and checkbox from upstream sources UI (#107)
-- Removed "Allow Public Internet" toggle from cache settings UI (#107)
-- Removed "Global Settings" section from cache management UI - auto-create system projects is always enabled (#107)
-- Removed unused CacheSettings frontend types and API functions (#107)
-
-### Added
 - Added `ORCHARD_PURGE_SEED_DATA` environment variable support to stage helm values to remove seed data from long-running deployments (#107)
 - Added frontend system projects visual distinction (#105)
   - "Cache" badge for system projects in project list
@@ -212,6 +211,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added comprehensive integration tests for all dependency features
 
 ### Changed
+- Removed Usage section from Package page (curl command examples)
+- PyPI proxy now uses shared HTTP connection pool instead of per-request clients
+- PyPI proxy now caches upstream source configuration in Redis
+- Dependency storage now uses batch INSERT instead of individual queries
+- Increased default database pool size from 5 to 20 connections
+- Increased default database max overflow from 10 to 30 connections
+- Enabled Redis in Helm chart values for dev, stage, and prod environments
+- Upstream sources table text is now centered under column headers (#108)
+- ENV badge now appears inline with source name instead of separate column (#108)
+- Test and Edit buttons now have more prominent button styling (#108)
+- Reduced footer padding for cleaner layout (#108)
+- Upstream source connectivity test no longer follows redirects, fixing "Exceeded maximum allowed redirects" error with Artifactory proxies (#107)
+- Test runs automatically after saving a new or updated upstream source (#107)
+- Test status now shows as colored dots (green=success, red=error) instead of text badges (#107)
+- Clicking red dot shows error details in a modal (#107)
+- Source name column no longer wraps text for better table layout (#107)
+- Renamed "Cache Management" page to "Upstream Sources" (#107)
+- Moved Delete button from table row to edit modal for cleaner table layout (#107)
 - Added pre-test stage reset to ensure known environment state before integration tests (#54)
 - Upload endpoint now accepts optional `ensure` file parameter for declaring dependencies
 - Updated upload API documentation with ensure file format and examples
@@ -220,8 +237,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added orchard logo icon and dot separator to footer
 
 ### Fixed
+- Fixed purge_seed_data crash when deleting access permissions - was comparing UUID to VARCHAR column (#107)
 - Fixed dark theme styling for team pages - modals, forms, and dropdowns now use correct theme variables
 - Fixed UserAutocomplete and TeamSelector dropdown backgrounds for dark theme
+- Fixed PyPI proxy filtering platform-specific dependencies (pyobjc on macOS, pywin32 on Windows)
+- Fixed bare version constraints being treated as wildcards (e.g., `certifi@2025.10.5` now fetches exact version)
+
+### Removed
+- Removed `is_public` field from upstream sources - all sources are now treated as internal/private (#107)
+- Removed `allow_public_internet` (air-gap mode) setting from cache settings - not needed for enterprise proxy use case (#107)
+- Removed seeding of public registry URLs (npm-public, pypi-public, maven-central, docker-hub) (#107)
+- Removed "Public" badge and checkbox from upstream sources UI (#107)
+- Removed "Allow Public Internet" toggle from cache settings UI (#107)
+- Removed "Global Settings" section from cache management UI - auto-create system projects is always enabled (#107)
+- Removed unused CacheSettings frontend types and API functions (#107)
 
 ## [0.5.1] - 2026-01-23
 ### Changed