Fix httpx.Timeout configuration in PyPI proxy

- Add POST /api/v1/cache/resolve endpoint that caches artifacts by package
  coordinates (source_type, package, version) instead of requiring a URL
- Server finds download URL from configured upstream sources (PyPI supported)
- Reduces footer padding from 24px to 12px for cleaner layout

backend/app/dependencies.py

@@ -10,23 +10,11 @@ Handles:
 - Conflict detection
 """
 
-import logging
-import re
 import yaml
-
-logger = logging.getLogger(__name__)
 from typing import List, Dict, Any, Optional, Set, Tuple
 from sqlalchemy.orm import Session
 from sqlalchemy import and_
 
-# Import packaging for PEP 440 version matching
-try:
-    from packaging.specifiers import SpecifierSet, InvalidSpecifier
-    from packaging.version import Version, InvalidVersion
-    HAS_PACKAGING = True
-except ImportError:
-    HAS_PACKAGING = False
-
 from .models import (
     Project,
     Package,
@@ -316,87 +304,6 @@ def get_reverse_dependencies(
     )
 
 
-def _is_version_constraint(version_str: str) -> bool:
-    """Check if a version string contains constraint operators."""
-    if not version_str:
-        return False
-    # Check for common constraint operators
-    return any(op in version_str for op in ['>=', '<=', '!=', '~=', '>', '<', '==', '*'])
-
-
-def _resolve_version_constraint(
-    db: Session,
-    package: Package,
-    constraint: str,
-) -> Optional[Tuple[str, str, int]]:
-    """
-    Resolve a version constraint (e.g., '>=1.9') to a specific version.
-
-    Uses PEP 440 version matching to find the best matching version.
-
-    Args:
-        db: Database session
-        package: Package to search versions in
-        constraint: Version constraint string (e.g., '>=1.9', '<2.0,>=1.5')
-
-    Returns:
-        Tuple of (artifact_id, resolved_version, size) or None if not found
-    """
-    if not HAS_PACKAGING:
-        # Fallback: if packaging not available, can't do constraint matching
-        return None
-
-    # Handle wildcard - return latest version
-    if constraint == '*':
-        # Get the latest version by created_at
-        latest = db.query(PackageVersion).filter(
-            PackageVersion.package_id == package.id,
-        ).order_by(PackageVersion.created_at.desc()).first()
-        if latest:
-            artifact = db.query(Artifact).filter(Artifact.id == latest.artifact_id).first()
-            if artifact:
-                return (artifact.id, latest.version, artifact.size)
-        return None
-
-    try:
-        specifier = SpecifierSet(constraint)
-    except InvalidSpecifier:
-        # Invalid constraint, try as exact version
-        return None
-
-    # Get all versions for this package
-    all_versions = db.query(PackageVersion).filter(
-        PackageVersion.package_id == package.id,
-    ).all()
-
-    if not all_versions:
-        return None
-
-    # Find matching versions
-    matching = []
-    for pv in all_versions:
-        try:
-            v = Version(pv.version)
-            if v in specifier:
-                matching.append((pv, v))
-        except InvalidVersion:
-            # Skip invalid versions
-            continue
-
-    if not matching:
-        return None
-
-    # Sort by version (descending) and return the latest matching
-    matching.sort(key=lambda x: x[1], reverse=True)
-    best_match = matching[0][0]
-
-    artifact = db.query(Artifact).filter(Artifact.id == best_match.artifact_id).first()
-    if artifact:
-        return (artifact.id, best_match.version, artifact.size)
-
-    return None
-
-
 def _resolve_dependency_to_artifact(
     db: Session,
     project_name: str,
@@ -407,17 +314,11 @@ def _resolve_dependency_to_artifact(
     """
     Resolve a dependency constraint to an artifact ID.
 
-    Supports:
-    - Exact version matching (e.g., '1.2.3')
-    - Version constraints (e.g., '>=1.9', '<2.0,>=1.5')
-    - Tag matching
-    - Wildcard ('*' for any version)
-
     Args:
         db: Database session
         project_name: Project name
         package_name: Package name
-        version: Version or version constraint
+        version: Version constraint (exact)
         tag: Tag constraint
 
     Returns:
@@ -435,16 +336,8 @@ def _resolve_dependency_to_artifact(
     if not package:
         return None
 
-    logger.info(f"_resolve_dependency_to_artifact: package_id={package.id}, version={version!r}, tag={tag!r}")
-
     if version:
-        # Check if this is a version constraint (>=, <, etc.) or exact version
-        if _is_version_constraint(version):
-            result = _resolve_version_constraint(db, package, version)
-            if result:
-                return result
-        else:
-            # Look up by exact version
+        # Look up by version
         pkg_version = db.query(PackageVersion).filter(
             PackageVersion.package_id == package.id,
             PackageVersion.version == version,
@@ -454,7 +347,6 @@ def _resolve_dependency_to_artifact(
                 Artifact.id == pkg_version.artifact_id
             ).first()
             if artifact:
-                    logger.info(f"_resolve_dependency_to_artifact: found by version {version}")
                 return (artifact.id, version, artifact.size)
 
         # Also check if there's a tag with this exact name
@@ -462,7 +354,6 @@ def _resolve_dependency_to_artifact(
             Tag.package_id == package.id,
             Tag.name == version,
         ).first()
-        logger.info(f"_resolve_dependency_to_artifact: tag lookup by version name, found={tag_record is not None}")
         if tag_record:
             artifact = db.query(Artifact).filter(
                 Artifact.id == tag_record.artifact_id
@@ -476,7 +367,6 @@ def _resolve_dependency_to_artifact(
             Tag.package_id == package.id,
             Tag.name == tag,
         ).first()
-        logger.info(f"_resolve_dependency_to_artifact: tag lookup by tag param, found={tag_record is not None}")
         if tag_record:
             artifact = db.query(Artifact).filter(
                 Artifact.id == tag_record.artifact_id
@@ -484,9 +374,6 @@ def _resolve_dependency_to_artifact(
             if artifact:
                 return (artifact.id, tag, artifact.size)
 
-    # Debug: list actual tags
-    sample_tags = db.query(Tag).filter(Tag.package_id == package.id).limit(3).all()
-    logger.info(f"_resolve_dependency_to_artifact: NOT FOUND. Sample tags: {[t.name for t in sample_tags]}")
     return None
 
 
@@ -670,12 +557,9 @@ def resolve_dependencies(
         CircularDependencyError: If circular dependencies are detected
         DependencyConflictError: If conflicting versions are required
     """
-    logger.info(f"resolve_dependencies: project={project_name}, package={package_name}, ref={ref!r}")
-
     # Resolve the initial artifact
     project = db.query(Project).filter(Project.name == project_name).first()
     if not project:
-        logger.warning(f"resolve_dependencies: project '{project_name}' not found")
         raise DependencyNotFoundError(project_name, package_name, ref)
 
     package = db.query(Package).filter(
@@ -683,11 +567,8 @@ def resolve_dependencies(
         Package.name == package_name,
     ).first()
     if not package:
-        logger.warning(f"resolve_dependencies: package '{package_name}' not found in project '{project_name}'")
         raise DependencyNotFoundError(project_name, package_name, ref)
 
-    logger.info(f"resolve_dependencies: found package id={package.id}")
-
     # Try to find artifact by tag or version
     resolved = _resolve_dependency_to_artifact(
         db, project_name, package_name, ref, ref

backend/app/pypi_proxy.py

@@ -8,10 +8,7 @@ Artifacts are cached on first access through configured upstream sources.
 import hashlib
 import logging
 import re
-import tarfile
-import zipfile
-from io import BytesIO
-from typing import Optional, List, Tuple
+from typing import Optional
 from urllib.parse import urljoin, urlparse, quote, unquote
 
 import httpx
@@ -20,183 +17,26 @@ from fastapi.responses import StreamingResponse, HTMLResponse
 from sqlalchemy.orm import Session
 
 from .database import get_db
-from .models import UpstreamSource, CachedUrl, Artifact, Project, Package, Tag, PackageVersion, ArtifactDependency
+from .models import UpstreamSource, CachedUrl, Artifact, Project, Package, Tag
 from .storage import S3Storage, get_storage
+from .upstream import (
+    UpstreamClient,
+    UpstreamClientConfig,
+    UpstreamHTTPError,
+    UpstreamConnectionError,
+    UpstreamTimeoutError,
+)
 from .config import get_env_upstream_sources
 
 logger = logging.getLogger(__name__)
 
 router = APIRouter(prefix="/pypi", tags=["pypi-proxy"])
 
-
-def _parse_requires_dist(requires_dist: str) -> Tuple[str, Optional[str]]:
-    """Parse a Requires-Dist line into (package_name, version_constraint).
-
-    Examples:
-        "requests (>=2.25.0)" -> ("requests", ">=2.25.0")
-        "typing-extensions; python_version < '3.8'" -> ("typing-extensions", None)
-        "numpy>=1.21.0" -> ("numpy", ">=1.21.0")
-        "certifi" -> ("certifi", None)
-
-    Returns:
-        Tuple of (normalized_package_name, version_constraint or None)
-    """
-    # Remove any environment markers (after semicolon)
-    if ';' in requires_dist:
-        requires_dist = requires_dist.split(';')[0].strip()
-
-    # Match patterns like "package (>=1.0)" or "package>=1.0" or "package"
-    # Pattern breakdown: package name, optional whitespace, optional version in parens or directly
-    match = re.match(
-        r'^([a-zA-Z0-9][-a-zA-Z0-9._]*)\s*(?:\(([^)]+)\)|([<>=!~][^\s;]+))?',
-        requires_dist.strip()
-    )
-
-    if not match:
-        return None, None
-
-    package_name = match.group(1)
-    # Version can be in parentheses (group 2) or directly after name (group 3)
-    version_constraint = match.group(2) or match.group(3)
-
-    # Normalize package name (PEP 503)
-    normalized_name = re.sub(r'[-_.]+', '-', package_name).lower()
-
-    # Clean up version constraint
-    if version_constraint:
-        version_constraint = version_constraint.strip()
-
-    return normalized_name, version_constraint
-
-
-def _extract_requires_from_metadata(metadata_content: str) -> List[Tuple[str, Optional[str]]]:
-    """Extract all Requires-Dist entries from METADATA/PKG-INFO content.
-
-    Args:
-        metadata_content: The content of a METADATA or PKG-INFO file
-
-    Returns:
-        List of (package_name, version_constraint) tuples
-    """
-    dependencies = []
-
-    for line in metadata_content.split('\n'):
-        if line.startswith('Requires-Dist:'):
-            # Extract the value after "Requires-Dist:"
-            value = line[len('Requires-Dist:'):].strip()
-            pkg_name, version = _parse_requires_dist(value)
-            if pkg_name:
-                dependencies.append((pkg_name, version))
-
-    return dependencies
-
-
-def _extract_metadata_from_wheel(content: bytes) -> Optional[str]:
-    """Extract METADATA file content from a wheel (zip) file.
-
-    Wheel files have structure: {package}-{version}.dist-info/METADATA
-
-    Args:
-        content: The wheel file content as bytes
-
-    Returns:
-        METADATA file content as string, or None if not found
-    """
-    try:
-        with zipfile.ZipFile(BytesIO(content)) as zf:
-            # Find the .dist-info directory
-            for name in zf.namelist():
-                if name.endswith('.dist-info/METADATA'):
-                    return zf.read(name).decode('utf-8', errors='replace')
-    except Exception as e:
-        logger.warning(f"Failed to extract metadata from wheel: {e}")
-    return None
-
-
-def _extract_metadata_from_sdist(content: bytes, filename: str) -> Optional[str]:
-    """Extract PKG-INFO file content from a source distribution (.tar.gz).
-
-    Source distributions have structure: {package}-{version}/PKG-INFO
-
-    Args:
-        content: The tarball content as bytes
-        filename: The original filename (used to determine package name)
-
-    Returns:
-        PKG-INFO file content as string, or None if not found
-    """
-    try:
-        with tarfile.open(fileobj=BytesIO(content), mode='r:gz') as tf:
-            # Find PKG-INFO in the root directory of the archive
-            for member in tf.getmembers():
-                if member.name.endswith('/PKG-INFO') and member.name.count('/') == 1:
-                    f = tf.extractfile(member)
-                    if f:
-                        return f.read().decode('utf-8', errors='replace')
-    except Exception as e:
-        logger.warning(f"Failed to extract metadata from sdist {filename}: {e}")
-    return None
-
-
-def _extract_dependencies(content: bytes, filename: str) -> List[Tuple[str, Optional[str]]]:
-    """Extract dependencies from a PyPI package file.
-
-    Supports wheel (.whl) and source distribution (.tar.gz) formats.
-
-    Args:
-        content: The package file content as bytes
-        filename: The original filename
-
-    Returns:
-        List of (package_name, version_constraint) tuples
-    """
-    metadata = None
-
-    if filename.endswith('.whl'):
-        metadata = _extract_metadata_from_wheel(content)
-    elif filename.endswith('.tar.gz'):
-        metadata = _extract_metadata_from_sdist(content, filename)
-
-    if metadata:
-        return _extract_requires_from_metadata(metadata)
-
-    return []
-
 # Timeout configuration for proxy requests
 PROXY_CONNECT_TIMEOUT = 30.0
 PROXY_READ_TIMEOUT = 60.0
 
 
-def _extract_pypi_version(filename: str) -> Optional[str]:
-    """Extract version from PyPI filename.
-
-    Handles formats like:
-    - cowsay-6.1-py3-none-any.whl
-    - cowsay-1.0.tar.gz
-    - some_package-1.2.3.post1-cp39-cp39-linux_x86_64.whl
-    """
-    # Remove extension
-    if filename.endswith('.whl'):
-        # Wheel: name-version-pytag-abitag-platform.whl
-        parts = filename[:-4].split('-')
-        if len(parts) >= 2:
-            return parts[1]
-    elif filename.endswith('.tar.gz'):
-        # Source: name-version.tar.gz
-        base = filename[:-7]
-        # Find the last hyphen that precedes a version-like string
-        match = re.match(r'^(.+)-(\d+.*)$', base)
-        if match:
-            return match.group(2)
-    elif filename.endswith('.zip'):
-        # Egg/zip: name-version.zip
-        base = filename[:-4]
-        match = re.match(r'^(.+)-(\d+.*)$', base)
-        if match:
-            return match.group(2)
-    return None
-
-
 def _get_pypi_upstream_sources(db: Session) -> list[UpstreamSource]:
     """Get all enabled upstream sources configured for PyPI."""
     # Get database sources
@@ -248,27 +88,7 @@ def _get_basic_auth(source) -> Optional[tuple[str, str]]:
     return None
 
 
-def _get_base_url(request: Request) -> str:
-    """
-    Get the external base URL, respecting X-Forwarded-Proto header.
-
-    When behind a reverse proxy that terminates SSL, the request.base_url
-    will show http:// even though the external URL is https://. This function
-    checks the X-Forwarded-Proto header to determine the correct scheme.
-    """
-    base_url = str(request.base_url).rstrip('/')
-
-    # Check for X-Forwarded-Proto header (set by reverse proxies)
-    forwarded_proto = request.headers.get('x-forwarded-proto')
-    if forwarded_proto:
-        # Replace the scheme with the forwarded protocol
-        parsed = urlparse(base_url)
-        base_url = f"{forwarded_proto}://{parsed.netloc}{parsed.path}"
-
-    return base_url
-
-
-def _rewrite_package_links(html: str, base_url: str, package_name: str, upstream_base_url: str) -> str:
+def _rewrite_package_links(html: str, base_url: str, package_name: str) -> str:
     """
     Rewrite download links in a PyPI simple page to go through our proxy.
 
@@ -276,7 +96,6 @@ def _rewrite_package_links(html: str, base_url: str, package_name: str, upstream
         html: The HTML content from upstream
         base_url: Our server's base URL
         package_name: The package name for the URL path
-        upstream_base_url: The upstream URL used to fetch this page (for resolving relative URLs)
 
     Returns:
         HTML with rewritten download links
@@ -284,31 +103,19 @@ def _rewrite_package_links(html: str, base_url: str, package_name: str, upstream
     # Pattern to match href attributes in anchor tags
     # PyPI simple pages have links like:
     # <a href="https://files.pythonhosted.org/packages/.../file.tar.gz#sha256=...">file.tar.gz</a>
-    # Or relative URLs from Artifactory like:
-    # <a href="../../packages/packages/62/35/.../requests-0.10.0.tar.gz#sha256=...">
 
     def replace_href(match):
         original_url = match.group(1)
-
-        # Resolve relative URLs to absolute using the upstream base URL
-        if not original_url.startswith(('http://', 'https://')):
-            # Split off fragment before resolving
-            url_without_fragment = original_url.split('#')[0]
-            fragment_part = original_url[len(url_without_fragment):]
-            absolute_url = urljoin(upstream_base_url, url_without_fragment) + fragment_part
-        else:
-            absolute_url = original_url
-
         # Extract the filename from the URL
-        parsed = urlparse(absolute_url)
+        parsed = urlparse(original_url)
         path_parts = parsed.path.split('/')
         filename = path_parts[-1] if path_parts else ''
 
         # Keep the hash fragment if present
         fragment = f"#{parsed.fragment}" if parsed.fragment else ""
 
-        # Encode the absolute URL (without fragment) for safe transmission
-        encoded_url = quote(absolute_url.split('#')[0], safe='')
+        # Encode the original URL for safe transmission
+        encoded_url = quote(original_url.split('#')[0], safe='')
 
         # Build new URL pointing to our proxy
         new_url = f"{base_url}/pypi/simple/{package_name}/{filename}?upstream={encoded_url}{fragment}"
@@ -347,8 +154,7 @@ async def pypi_simple_index(
             headers.update(_build_auth_headers(source))
             auth = _get_basic_auth(source)
 
-            # Use URL as-is - users should provide full path including /simple
-            simple_url = source.url.rstrip('/') + '/'
+            simple_url = source.url.rstrip('/') + '/simple/'
 
             timeout = httpx.Timeout(PROXY_READ_TIMEOUT, connect=PROXY_CONNECT_TIMEOUT)
 
@@ -377,7 +183,7 @@ async def pypi_simple_index(
                     content = response.text
 
                     # Rewrite package links to go through our proxy
-                    base_url = _get_base_url(request)
+                    base_url = str(request.base_url).rstrip('/')
                     content = re.sub(
                         r'href="([^"]+)/"',
                         lambda m: f'href="{base_url}/pypi/simple/{m.group(1)}/"',
@@ -423,7 +229,7 @@ async def pypi_package_versions(
             detail="No PyPI upstream sources configured"
         )
 
-    base_url = _get_base_url(request)
+    base_url = str(request.base_url).rstrip('/')
 
     # Normalize package name (PEP 503)
     normalized_name = re.sub(r'[-_.]+', '-', package_name).lower()
@@ -436,9 +242,7 @@ async def pypi_package_versions(
             headers.update(_build_auth_headers(source))
             auth = _get_basic_auth(source)
 
-            # Use URL as-is - users should provide full path including /simple
-            package_url = source.url.rstrip('/') + f'/{normalized_name}/'
-            final_url = package_url  # Track final URL after redirects
+            package_url = source.url.rstrip('/') + f'/simple/{normalized_name}/'
 
             timeout = httpx.Timeout(PROXY_READ_TIMEOUT, connect=PROXY_CONNECT_TIMEOUT)
 
@@ -458,9 +262,7 @@ async def pypi_package_versions(
 
                     # Make redirect URL absolute if needed
                     if not redirect_url.startswith('http'):
-                        redirect_url = urljoin(final_url, redirect_url)
-
-                    final_url = redirect_url  # Update final URL
+                        redirect_url = urljoin(package_url, redirect_url)
 
                     response = client.get(
                         redirect_url,
@@ -474,8 +276,7 @@ async def pypi_package_versions(
                     content = response.text
 
                     # Rewrite download links to go through our proxy
-                    # Pass final_url so relative URLs can be resolved correctly
-                    content = _rewrite_package_links(content, base_url, normalized_name, final_url)
+                    content = _rewrite_package_links(content, base_url, normalized_name)
 
                     return HTMLResponse(content=content)
 
@@ -540,22 +341,14 @@ async def pypi_download_file(
 
             # Stream from S3
             try:
-                stream, content_length, _ = storage.get_stream(artifact.s3_key)
-
-                def stream_content():
-                    """Generator that yields chunks from the S3 stream."""
-                    try:
-                        for chunk in stream.iter_chunks():
-                            yield chunk
-                    finally:
-                        stream.close()
+                content_stream = storage.get_artifact_stream(artifact.id)
 
                 return StreamingResponse(
-                    stream_content(),
+                    content_stream,
                     media_type=artifact.content_type or "application/octet-stream",
                     headers={
                         "Content-Disposition": f'attachment; filename="{filename}"',
-                        "Content-Length": str(content_length),
+                        "Content-Length": str(artifact.size),
                         "X-Checksum-SHA256": artifact.id,
                         "X-Cache": "HIT",
                     }
@@ -567,10 +360,18 @@ async def pypi_download_file(
     # Not cached - fetch from upstream
     sources = _get_pypi_upstream_sources(db)
 
-    # Use the first available source for authentication headers
-    # Note: The upstream URL may point to files.pythonhosted.org or other CDNs,
-    # not the configured source URL directly, so we can't strictly validate the host
-    matched_source = sources[0] if sources else None
+    # Find a source that matches the upstream URL
+    matched_source = None
+    for source in sources:
+        source_url = getattr(source, 'url', '')
+        # Check if the upstream URL could come from this source
+        # (This is a loose check - the URL might be from files.pythonhosted.org)
+        if urlparse(upstream_url).netloc in source_url or True:  # Allow any source for now
+            matched_source = source
+            break
+
+    if not matched_source and sources:
+        matched_source = sources[0]  # Use first source for auth if available
 
     try:
         headers = {"User-Agent": "Orchard-PyPI-Proxy/1.0"}
@@ -626,14 +427,20 @@ async def pypi_download_file(
             content = response.content
             content_type = response.headers.get('content-type', 'application/octet-stream')
 
-        # Store in S3 (computes hash and deduplicates automatically)
-        from io import BytesIO
-        result = storage.store(BytesIO(content))
-        sha256 = result.sha256
-        size = result.size
+        # Compute hash
+        sha256 = hashlib.sha256(content).hexdigest()
+        size = len(content)
 
         logger.info(f"PyPI proxy: downloaded {filename}, {size} bytes, sha256={sha256[:12]}")
 
+        # Store in S3
+        from io import BytesIO
+        artifact = storage.store_artifact(
+            file_obj=BytesIO(content),
+            filename=filename,
+            content_type=content_type,
+        )
+
         # Check if artifact already exists
         existing = db.query(Artifact).filter(Artifact.id == sha256).first()
         if existing:
@@ -644,15 +451,10 @@ async def pypi_download_file(
             # Create artifact record
             new_artifact = Artifact(
                 id=sha256,
-                original_name=filename,
+                filename=filename,
                 content_type=content_type,
                 size=size,
                 ref_count=1,
-                created_by="pypi-proxy",
-                s3_key=result.s3_key,
-                checksum_md5=result.md5,
-                checksum_sha1=result.sha1,
-                s3_etag=result.s3_etag,
             )
             db.add(new_artifact)
             db.flush()
@@ -663,16 +465,10 @@ async def pypi_download_file(
             system_project = Project(
                 name="_pypi",
                 description="System project for cached PyPI packages",
-                is_public=True,
-                is_system=True,
-                created_by="pypi-proxy",
+                visibility="private",
             )
             db.add(system_project)
             db.flush()
-        elif not system_project.is_system:
-            # Ensure existing project is marked as system
-            system_project.is_system = True
-            db.flush()
 
         # Normalize package name
         normalized_name = re.sub(r'[-_.]+', '-', package_name).lower()
@@ -686,7 +482,6 @@ async def pypi_download_file(
                 project_id=system_project.id,
                 name=normalized_name,
                 description=f"PyPI package: {normalized_name}",
-                format="pypi",
             )
             db.add(package)
             db.flush()
@@ -701,29 +496,9 @@ async def pypi_download_file(
                 package_id=package.id,
                 name=filename,
                 artifact_id=sha256,
-                created_by="pypi-proxy",
             )
             db.add(tag)
 
-        # Extract and create version
-        # Only create version for actual package files, not .metadata files
-        version = _extract_pypi_version(filename)
-        if version and not filename.endswith('.metadata'):
-            # Check by version string (the unique constraint is on package_id + version)
-            existing_version = db.query(PackageVersion).filter(
-                PackageVersion.package_id == package.id,
-                PackageVersion.version == version,
-            ).first()
-            if not existing_version:
-                pkg_version = PackageVersion(
-                    package_id=package.id,
-                    artifact_id=sha256,
-                    version=version,
-                    version_source="filename",
-                    created_by="pypi-proxy",
-                )
-                db.add(pkg_version)
-
         # Cache the URL mapping
         existing_cached = db.query(CachedUrl).filter(CachedUrl.url_hash == url_hash).first()
         if not existing_cached:
@@ -734,27 +509,6 @@ async def pypi_download_file(
             )
             db.add(cached_url_record)
 
-        # Extract and store dependencies
-        dependencies = _extract_dependencies(content, filename)
-        if dependencies:
-            logger.info(f"PyPI proxy: extracted {len(dependencies)} dependencies from {filename}")
-            for dep_name, dep_version in dependencies:
-                # Check if this dependency already exists for this artifact
-                existing_dep = db.query(ArtifactDependency).filter(
-                    ArtifactDependency.artifact_id == sha256,
-                    ArtifactDependency.dependency_project == "_pypi",
-                    ArtifactDependency.dependency_package == dep_name,
-                ).first()
-
-                if not existing_dep:
-                    dep = ArtifactDependency(
-                        artifact_id=sha256,
-                        dependency_project="_pypi",
-                        dependency_package=dep_name,
-                        version_constraint=dep_version if dep_version else "*",
-                    )
-                    db.add(dep)
-
         db.commit()
 
         # Return the file

backend/app/routes.py

@@ -1680,7 +1680,6 @@ def create_project(
         name=db_project.name,
         description=db_project.description,
         is_public=db_project.is_public,
-        is_system=db_project.is_system,
         created_at=db_project.created_at,
         updated_at=db_project.updated_at,
         created_by=db_project.created_by,
@@ -1705,7 +1704,6 @@ def get_project(
         name=project.name,
         description=project.description,
         is_public=project.is_public,
-        is_system=project.is_system,
         created_at=project.created_at,
         updated_at=project.updated_at,
         created_by=project.created_by,
@@ -2706,7 +2704,6 @@ def list_team_projects(
                 name=p.name,
                 description=p.description,
                 is_public=p.is_public,
-                is_system=p.is_system,
                 created_at=p.created_at,
                 updated_at=p.updated_at,
                 created_by=p.created_by,
@@ -2830,15 +2827,14 @@ def list_packages(
             db.query(func.count(Tag.id)).filter(Tag.package_id == pkg.id).scalar() or 0
         )
 
-        # Get unique artifact count and total size via tags
-        # (PyPI proxy creates tags without uploads, so query from tags)
+        # Get unique artifact count and total size via uploads
         artifact_stats = (
             db.query(
-                func.count(func.distinct(Tag.artifact_id)),
+                func.count(func.distinct(Upload.artifact_id)),
                 func.coalesce(func.sum(Artifact.size), 0),
             )
-            .join(Artifact, Tag.artifact_id == Artifact.id)
-            .filter(Tag.package_id == pkg.id)
+            .join(Artifact, Upload.artifact_id == Artifact.id)
+            .filter(Upload.package_id == pkg.id)
             .first()
         )
         artifact_count = artifact_stats[0] if artifact_stats else 0
@@ -2934,15 +2930,14 @@ def get_package(
         db.query(func.count(Tag.id)).filter(Tag.package_id == pkg.id).scalar() or 0
     )
 
-    # Get unique artifact count and total size via tags
-    # (PyPI proxy creates tags without uploads, so query from tags)
+    # Get unique artifact count and total size via uploads
     artifact_stats = (
         db.query(
-            func.count(func.distinct(Tag.artifact_id)),
+            func.count(func.distinct(Upload.artifact_id)),
             func.coalesce(func.sum(Artifact.size), 0),
         )
-        .join(Artifact, Tag.artifact_id == Artifact.id)
-        .filter(Tag.package_id == pkg.id)
+        .join(Artifact, Upload.artifact_id == Artifact.id)
+        .filter(Upload.package_id == pkg.id)
         .first()
     )
     artifact_count = artifact_stats[0] if artifact_stats else 0
@@ -6285,14 +6280,14 @@ def get_package_stats(
         db.query(func.count(Tag.id)).filter(Tag.package_id == package.id).scalar() or 0
     )
 
-    # Artifact stats via tags (tags exist for both user uploads and PyPI proxy)
+    # Artifact stats via uploads
     artifact_stats = (
         db.query(
-            func.count(func.distinct(Tag.artifact_id)),
+            func.count(func.distinct(Upload.artifact_id)),
             func.coalesce(func.sum(Artifact.size), 0),
         )
-        .join(Artifact, Tag.artifact_id == Artifact.id)
-        .filter(Tag.package_id == package.id)
+        .join(Artifact, Upload.artifact_id == Artifact.id)
+        .filter(Upload.package_id == package.id)
         .first()
     )
     artifact_count = artifact_stats[0] if artifact_stats else 0

backend/app/schemas.py

@@ -33,7 +33,6 @@ class ProjectResponse(BaseModel):
     name: str
     description: Optional[str]
     is_public: bool
-    is_system: bool = False
     created_at: datetime
     updated_at: datetime
     created_by: str

backend/scripts/__init__.py

@@ -1 +0,0 @@
-# Scripts package

backend/scripts/backfill_pypi_dependencies.py

@@ -1,262 +0,0 @@
-#!/usr/bin/env python3
-"""
-Backfill script to extract dependencies from cached PyPI packages.
-
-This script scans all artifacts in the _pypi project and extracts
-Requires-Dist metadata from wheel and sdist files that don't already
-have dependencies recorded.
-
-Usage:
-    # From within the container:
-    python -m scripts.backfill_pypi_dependencies
-
-    # Or with docker exec:
-    docker exec orchard_orchard-server_1 python -m scripts.backfill_pypi_dependencies
-
-    # Dry run (preview only):
-    docker exec orchard_orchard-server_1 python -m scripts.backfill_pypi_dependencies --dry-run
-"""
-
-import argparse
-import logging
-import re
-import sys
-import tarfile
-import zipfile
-from io import BytesIO
-from typing import List, Optional, Tuple
-
-# Add parent directory to path for imports
-sys.path.insert(0, "/app")
-
-from sqlalchemy import create_engine
-from sqlalchemy.orm import sessionmaker
-
-from backend.app.config import get_settings
-from backend.app.models import (
-    Artifact,
-    ArtifactDependency,
-    Package,
-    Project,
-    Tag,
-)
-from backend.app.storage import get_storage
-
-logging.basicConfig(
-    level=logging.INFO,
-    format="%(asctime)s - %(levelname)s - %(message)s",
-)
-logger = logging.getLogger(__name__)
-
-
-def parse_requires_dist(requires_dist: str) -> Tuple[Optional[str], Optional[str]]:
-    """Parse a Requires-Dist line into (package_name, version_constraint)."""
-    # Remove any environment markers (after semicolon)
-    if ";" in requires_dist:
-        requires_dist = requires_dist.split(";")[0].strip()
-
-    # Match patterns like "package (>=1.0)" or "package>=1.0" or "package"
-    match = re.match(
-        r"^([a-zA-Z0-9][-a-zA-Z0-9._]*)\s*(?:\(([^)]+)\)|([<>=!~][^\s;]+))?",
-        requires_dist.strip(),
-    )
-
-    if not match:
-        return None, None
-
-    package_name = match.group(1)
-    version_constraint = match.group(2) or match.group(3)
-
-    # Normalize package name (PEP 503)
-    normalized_name = re.sub(r"[-_.]+", "-", package_name).lower()
-
-    if version_constraint:
-        version_constraint = version_constraint.strip()
-
-    return normalized_name, version_constraint
-
-
-def extract_requires_from_metadata(metadata_content: str) -> List[Tuple[str, Optional[str]]]:
-    """Extract all Requires-Dist entries from METADATA/PKG-INFO content."""
-    dependencies = []
-
-    for line in metadata_content.split("\n"):
-        if line.startswith("Requires-Dist:"):
-            value = line[len("Requires-Dist:"):].strip()
-            pkg_name, version = parse_requires_dist(value)
-            if pkg_name:
-                dependencies.append((pkg_name, version))
-
-    return dependencies
-
-
-def extract_metadata_from_wheel(content: bytes) -> Optional[str]:
-    """Extract METADATA file content from a wheel (zip) file."""
-    try:
-        with zipfile.ZipFile(BytesIO(content)) as zf:
-            for name in zf.namelist():
-                if name.endswith(".dist-info/METADATA"):
-                    return zf.read(name).decode("utf-8", errors="replace")
-    except Exception as e:
-        logger.warning(f"Failed to extract metadata from wheel: {e}")
-    return None
-
-
-def extract_metadata_from_sdist(content: bytes) -> Optional[str]:
-    """Extract PKG-INFO file content from a source distribution (.tar.gz)."""
-    try:
-        with tarfile.open(fileobj=BytesIO(content), mode="r:gz") as tf:
-            for member in tf.getmembers():
-                if member.name.endswith("/PKG-INFO") and member.name.count("/") == 1:
-                    f = tf.extractfile(member)
-                    if f:
-                        return f.read().decode("utf-8", errors="replace")
-    except Exception as e:
-        logger.warning(f"Failed to extract metadata from sdist: {e}")
-    return None
-
-
-def extract_dependencies(content: bytes, filename: str) -> List[Tuple[str, Optional[str]]]:
-    """Extract dependencies from a PyPI package file."""
-    metadata = None
-
-    if filename.endswith(".whl"):
-        metadata = extract_metadata_from_wheel(content)
-    elif filename.endswith(".tar.gz"):
-        metadata = extract_metadata_from_sdist(content)
-
-    if metadata:
-        return extract_requires_from_metadata(metadata)
-
-    return []
-
-
-def backfill_dependencies(dry_run: bool = False):
-    """Main backfill function."""
-    settings = get_settings()
-
-    # Create database connection
-    engine = create_engine(settings.database_url)
-    Session = sessionmaker(bind=engine)
-    db = Session()
-
-    # Create storage client
-    storage = get_storage()
-
-    try:
-        # Find the _pypi project
-        pypi_project = db.query(Project).filter(Project.name == "_pypi").first()
-        if not pypi_project:
-            logger.info("No _pypi project found. Nothing to backfill.")
-            return
-
-        # Get all packages in _pypi
-        packages = db.query(Package).filter(Package.project_id == pypi_project.id).all()
-        logger.info(f"Found {len(packages)} packages in _pypi project")
-
-        total_artifacts = 0
-        artifacts_with_deps = 0
-        artifacts_processed = 0
-        dependencies_added = 0
-
-        for package in packages:
-            # Get all tags (each tag points to an artifact)
-            tags = db.query(Tag).filter(Tag.package_id == package.id).all()
-
-            for tag in tags:
-                total_artifacts += 1
-                filename = tag.name
-
-                # Skip non-package files (like .metadata files)
-                if not (filename.endswith(".whl") or filename.endswith(".tar.gz")):
-                    continue
-
-                # Check if this artifact already has dependencies
-                existing_deps = db.query(ArtifactDependency).filter(
-                    ArtifactDependency.artifact_id == tag.artifact_id
-                ).count()
-
-                if existing_deps > 0:
-                    artifacts_with_deps += 1
-                    continue
-
-                # Get the artifact
-                artifact = db.query(Artifact).filter(Artifact.id == tag.artifact_id).first()
-                if not artifact:
-                    logger.warning(f"Artifact {tag.artifact_id} not found for tag {filename}")
-                    continue
-
-                logger.info(f"Processing {package.name}/{filename}...")
-
-                if dry_run:
-                    logger.info(f"  [DRY RUN] Would extract dependencies from {filename}")
-                    artifacts_processed += 1
-                    continue
-
-                # Download the artifact from S3
-                try:
-                    content = storage.get(artifact.s3_key)
-                except Exception as e:
-                    logger.error(f"  Failed to download {filename}: {e}")
-                    continue
-
-                # Extract dependencies
-                deps = extract_dependencies(content, filename)
-
-                if deps:
-                    logger.info(f"  Found {len(deps)} dependencies")
-                    for dep_name, dep_version in deps:
-                        # Check if already exists (race condition protection)
-                        existing = db.query(ArtifactDependency).filter(
-                            ArtifactDependency.artifact_id == tag.artifact_id,
-                            ArtifactDependency.dependency_project == "_pypi",
-                            ArtifactDependency.dependency_package == dep_name,
-                        ).first()
-
-                        if not existing:
-                            dep = ArtifactDependency(
-                                artifact_id=tag.artifact_id,
-                                dependency_project="_pypi",
-                                dependency_package=dep_name,
-                                version_constraint=dep_version if dep_version else "*",
-                            )
-                            db.add(dep)
-                            dependencies_added += 1
-                            logger.info(f"    + {dep_name} {dep_version or '*'}")
-
-                    db.commit()
-                else:
-                    logger.info(f"  No dependencies found")
-
-                artifacts_processed += 1
-
-        logger.info("")
-        logger.info("=" * 50)
-        logger.info("Backfill complete!")
-        logger.info(f"  Total artifacts: {total_artifacts}")
-        logger.info(f"  Already had deps: {artifacts_with_deps}")
-        logger.info(f"  Processed: {artifacts_processed}")
-        logger.info(f"  Dependencies added: {dependencies_added}")
-        if dry_run:
-            logger.info("  (DRY RUN - no changes made)")
-
-    finally:
-        db.close()
-
-
-def main():
-    parser = argparse.ArgumentParser(
-        description="Backfill dependencies for cached PyPI packages"
-    )
-    parser.add_argument(
-        "--dry-run",
-        action="store_true",
-        help="Preview what would be done without making changes",
-    )
-    args = parser.parse_args()
-
-    backfill_dependencies(dry_run=args.dry_run)
-
-
-if __name__ == "__main__":
-    main()

backend/tests/integration/test_projects_api.py

@@ -128,9 +128,7 @@ class TestProjectListingFilters:
         assert response.status_code == 200
 
         data = response.json()
-        # Filter out system projects (names starting with "_") as they may have
-        # collation-specific sort behavior and aren't part of the test data
-        names = [p["name"] for p in data["items"] if not p["name"].startswith("_")]
+        names = [p["name"] for p in data["items"]]
         assert names == sorted(names)
 
 

backend/tests/integration/test_pypi_proxy.py

@@ -17,30 +17,20 @@ class TestPyPIProxyEndpoints:
     """
 
     @pytest.mark.integration
-    def test_pypi_simple_index(self):
-        """Test that /pypi/simple/ returns HTML response."""
+    def test_pypi_simple_index_no_sources(self):
+        """Test that /pypi/simple/ returns 503 when no sources configured."""
         with httpx.Client(base_url=get_base_url(), timeout=30.0) as client:
             response = client.get("/pypi/simple/")
-            # Returns 200 if sources configured, 503 if not
-            assert response.status_code in (200, 503)
-            if response.status_code == 200:
-                assert "text/html" in response.headers.get("content-type", "")
-            else:
+            # Should return 503 when no PyPI upstream sources are configured
+            assert response.status_code == 503
             assert "No PyPI upstream sources configured" in response.json()["detail"]
 
     @pytest.mark.integration
-    def test_pypi_package_endpoint(self):
-        """Test that /pypi/simple/{package}/ returns appropriate response."""
+    def test_pypi_package_no_sources(self):
+        """Test that /pypi/simple/{package}/ returns 503 when no sources configured."""
         with httpx.Client(base_url=get_base_url(), timeout=30.0) as client:
             response = client.get("/pypi/simple/requests/")
-            # Returns 200 if sources configured and package found,
-            # 404 if package not found, 503 if no sources
-            assert response.status_code in (200, 404, 503)
-            if response.status_code == 200:
-                assert "text/html" in response.headers.get("content-type", "")
-            elif response.status_code == 404:
-                assert "not found" in response.json()["detail"].lower()
-            else:  # 503
+            assert response.status_code == 503
             assert "No PyPI upstream sources configured" in response.json()["detail"]
 
     @pytest.mark.integration
@@ -68,13 +58,7 @@ class TestPyPILinkRewriting:
         </html>
         '''
 
-        # upstream_base_url is used to resolve relative URLs (not needed here since URLs are absolute)
-        result = _rewrite_package_links(
-            html,
-            "http://localhost:8080",
-            "requests",
-            "https://pypi.org/simple/requests/"
-        )
+        result = _rewrite_package_links(html, "http://localhost:8080", "requests")
 
         # Links should be rewritten to go through our proxy
         assert "/pypi/simple/requests/requests-2.31.0.tar.gz?upstream=" in result
@@ -85,53 +69,25 @@ class TestPyPILinkRewriting:
         assert "#sha256=abc123" in result
         assert "#sha256=def456" in result
 
-    def test_rewrite_relative_links(self):
-        """Test that relative URLs are resolved to absolute URLs."""
-        from app.pypi_proxy import _rewrite_package_links
-
-        # Artifactory-style relative URLs
-        html = '''
-        <html>
-        <body>
-        <a href="../../packages/ab/cd/requests-2.31.0.tar.gz#sha256=abc123">requests-2.31.0.tar.gz</a>
-        </body>
-        </html>
-        '''
-
-        result = _rewrite_package_links(
-            html,
-            "https://orchard.example.com",
-            "requests",
-            "https://artifactory.example.com/api/pypi/pypi-remote/simple/requests/"
-        )
-
-        # The relative URL should be resolved to absolute
-        # ../../packages/ab/cd/... from /api/pypi/pypi-remote/simple/requests/ resolves to /api/pypi/pypi-remote/packages/ab/cd/...
-        assert "upstream=https%3A%2F%2Fartifactory.example.com%2Fapi%2Fpypi%2Fpypi-remote%2Fpackages" in result
-        # Hash fragment should be preserved
-        assert "#sha256=abc123" in result
-
 
 class TestPyPIPackageNormalization:
     """Tests for PyPI package name normalization."""
 
     @pytest.mark.integration
     def test_package_name_normalized(self):
-        """Test that package names are normalized per PEP 503.
+        """Test that package names are normalized per PEP 503."""
+        # These should all be treated the same:
+        # requests, Requests, requests_, requests-
+        # The endpoint normalizes to lowercase with hyphens
 
-        Different capitalizations/separators should all be valid paths.
-        The endpoint normalizes to lowercase with hyphens before lookup.
-        """
         with httpx.Client(base_url=get_base_url(), timeout=30.0) as client:
-            # Test various name formats - all should be valid endpoint paths
-            for package_name in ["Requests", "some_package", "some-package"]:
-                response = client.get(f"/pypi/simple/{package_name}/")
-                # 200 = found, 404 = not found, 503 = no sources configured
-                assert response.status_code in (200, 404, 503), \
-                    f"Unexpected status {response.status_code} for {package_name}"
+            # Without upstream sources, we get 503, but the normalization
+            # happens before the source lookup
+            response = client.get("/pypi/simple/Requests/")
+            assert response.status_code == 503  # No sources, but path was valid
 
-                # Verify response is appropriate for the status code
-                if response.status_code == 200:
-                    assert "text/html" in response.headers.get("content-type", "")
-                elif response.status_code == 503:
-                    assert "No PyPI upstream sources configured" in response.json()["detail"]
+            response = client.get("/pypi/simple/some_package/")
+            assert response.status_code == 503
+
+            response = client.get("/pypi/simple/some-package/")
+            assert response.status_code == 503

frontend/src/pages/AdminCachePage.css

@@ -132,12 +132,6 @@
   color: #c62828;
 }
 
-.coming-soon-badge {
-  color: #9e9e9e;
-  font-style: italic;
-  font-size: 0.85em;
-}
-
 /* Actions */
 .actions-cell {
   white-space: nowrap;

frontend/src/pages/AdminCachePage.tsx

@@ -12,7 +12,6 @@ import { UpstreamSource, SourceType, AuthType } from '../types';
 import './AdminCachePage.css';
 
 const SOURCE_TYPES: SourceType[] = ['npm', 'pypi', 'maven', 'docker', 'helm', 'nuget', 'deb', 'rpm', 'generic'];
-const SUPPORTED_SOURCE_TYPES: Set<SourceType> = new Set(['pypi', 'generic']);
 const AUTH_TYPES: AuthType[] = ['none', 'basic', 'bearer', 'api_key'];
 
 function AdminCachePage() {
@@ -286,12 +285,7 @@ function AdminCachePage() {
                       <span className="env-badge" title="Defined via environment variable">ENV</span>
                     )}
                   </td>
-                  <td>
-                    {source.source_type}
-                    {!SUPPORTED_SOURCE_TYPES.has(source.source_type) && (
-                      <span className="coming-soon-badge"> (coming soon)</span>
-                    )}
-                  </td>
+                  <td>{source.source_type}</td>
                   <td className="url-cell" title={source.url}>{source.url}</td>
                   <td>{source.priority}</td>
                   <td>
@@ -365,7 +359,7 @@ function AdminCachePage() {
                   >
                     {SOURCE_TYPES.map((type) => (
                       <option key={type} value={type}>
-                        {type}{!SUPPORTED_SOURCE_TYPES.has(type) ? ' (coming soon)' : ''}
+                        {type}
                       </option>
                     ))}
                   </select>

frontend/src/pages/Home.tsx

@@ -249,7 +249,7 @@ function Home() {
               key: 'created_by',
               header: 'Owner',
               className: 'cell-owner',
-              render: (project) => project.team_name || project.created_by,
+              render: (project) => project.created_by,
             },
             ...(user
               ? [

frontend/src/pages/PackagePage.css

@@ -642,11 +642,6 @@ tr:hover .copy-btn {
   padding: 20px;
 }
 
-/* Ensure file modal needs higher z-index when opened from deps modal */
-.modal-overlay:has(.ensure-file-modal) {
-  z-index: 1100;
-}
-
 .ensure-file-modal {
   background: var(--bg-secondary);
   border: 1px solid var(--border-primary);
@@ -798,194 +793,4 @@ tr:hover .copy-btn {
   .ensure-file-modal {
     max-height: 90vh;
   }
-
-  .action-menu-dropdown {
-    right: 0;
-    left: auto;
-  }
-}
-
-/* Header upload button */
-.header-upload-btn {
-  margin-left: auto;
-}
-
-/* Tag/Version cell */
-.tag-version-cell {
-  display: flex;
-  flex-direction: column;
-  gap: 4px;
-}
-
-.tag-version-cell .version-badge {
-  font-size: 0.75rem;
-  color: var(--text-muted);
-}
-
-/* Icon buttons */
-.btn-icon {
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  width: 32px;
-  height: 32px;
-  padding: 0;
-  background: transparent;
-  border: 1px solid transparent;
-  border-radius: var(--radius-sm);
-  color: var(--text-secondary);
-  cursor: pointer;
-  transition: all var(--transition-fast);
-}
-
-.btn-icon:hover {
-  background: var(--bg-hover);
-  color: var(--text-primary);
-}
-
-/* Action menu */
-.action-buttons {
-  display: flex;
-  align-items: center;
-  gap: 4px;
-}
-
-.action-menu {
-  position: relative;
-}
-
-/* Action menu backdrop for click-outside */
-.action-menu-backdrop {
-  position: fixed;
-  top: 0;
-  left: 0;
-  right: 0;
-  bottom: 0;
-  z-index: 999;
-}
-
-.action-menu-dropdown {
-  position: fixed;
-  z-index: 1000;
-  min-width: 180px;
-  padding: 4px 0;
-  background: var(--bg-secondary);
-  border: 1px solid var(--border-primary);
-  border-radius: var(--radius-md);
-  box-shadow: 0 4px 12px rgba(0, 0, 0, 0.15);
-}
-
-.action-menu-dropdown button {
-  display: block;
-  width: 100%;
-  padding: 8px 12px;
-  background: none;
-  border: none;
-  text-align: left;
-  font-size: 0.875rem;
-  color: var(--text-primary);
-  cursor: pointer;
-  transition: background var(--transition-fast);
-}
-
-.action-menu-dropdown button:hover {
-  background: var(--bg-hover);
-}
-
-/* Upload Modal */
-.upload-modal,
-.create-tag-modal {
-  background: var(--bg-secondary);
-  border-radius: var(--radius-lg);
-  width: 90%;
-  max-width: 500px;
-  max-height: 90vh;
-  overflow: hidden;
-}
-
-.modal-header {
-  display: flex;
-  align-items: center;
-  justify-content: space-between;
-  padding: 16px 20px;
-  border-bottom: 1px solid var(--border-primary);
-}
-
-.modal-header h3 {
-  margin: 0;
-  font-size: 1.125rem;
-  font-weight: 600;
-}
-
-.modal-body {
-  padding: 20px;
-}
-
-.modal-description {
-  margin-bottom: 16px;
-  color: var(--text-secondary);
-  font-size: 0.875rem;
-}
-
-.modal-actions {
-  display: flex;
-  justify-content: flex-end;
-  gap: 12px;
-  margin-top: 20px;
-  padding-top: 16px;
-  border-top: 1px solid var(--border-primary);
-}
-
-/* Dependencies Modal */
-.deps-modal {
-  background: var(--bg-secondary);
-  border-radius: var(--radius-lg);
-  width: 90%;
-  max-width: 600px;
-  max-height: 80vh;
-  overflow: hidden;
-  display: flex;
-  flex-direction: column;
-}
-
-.deps-modal .modal-body {
-  overflow-y: auto;
-  flex: 1;
-}
-
-.deps-modal-controls {
-  display: flex;
-  gap: 8px;
-  margin-bottom: 16px;
-}
-
-/* Artifact ID Modal */
-.artifact-id-modal {
-  background: var(--bg-secondary);
-  border-radius: var(--radius-lg);
-  width: 90%;
-  max-width: 500px;
-}
-
-.artifact-id-display {
-  display: flex;
-  align-items: center;
-  gap: 12px;
-  padding: 16px;
-  background: var(--bg-tertiary);
-  border-radius: var(--radius-md);
-  border: 1px solid var(--border-primary);
-}
-
-.artifact-id-display code {
-  font-family: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;
-  font-size: 0.8125rem;
-  color: var(--text-primary);
-  word-break: break-all;
-  flex: 1;
-}
-
-.artifact-id-display .copy-btn {
-  opacity: 1;
-  flex-shrink: 0;
 }

frontend/src/pages/PackagePage.tsx

@@ -63,17 +63,12 @@ function PackagePage() {
   const [accessDenied, setAccessDenied] = useState(false);
   const [uploadTag, setUploadTag] = useState('');
   const [uploadSuccess, setUploadSuccess] = useState<string | null>(null);
+  const [artifactIdInput, setArtifactIdInput] = useState('');
   const [accessLevel, setAccessLevel] = useState<AccessLevel | null>(null);
   const [createTagName, setCreateTagName] = useState('');
   const [createTagArtifactId, setCreateTagArtifactId] = useState('');
   const [createTagLoading, setCreateTagLoading] = useState(false);
 
-  // UI state
-  const [showUploadModal, setShowUploadModal] = useState(false);
-  const [showCreateTagModal, setShowCreateTagModal] = useState(false);
-  const [openMenuId, setOpenMenuId] = useState<string | null>(null);
-  const [menuPosition, setMenuPosition] = useState<{ top: number; left: number } | null>(null);
-
   // Dependencies state
   const [selectedTag, setSelectedTag] = useState<TagDetail | null>(null);
   const [dependencies, setDependencies] = useState<Dependency[]>([]);
@@ -91,13 +86,6 @@ function PackagePage() {
   // Dependency graph modal state
   const [showGraph, setShowGraph] = useState(false);
 
-  // Dependencies modal state
-  const [showDepsModal, setShowDepsModal] = useState(false);
-
-  // Artifact ID modal state
-  const [showArtifactIdModal, setShowArtifactIdModal] = useState(false);
-  const [viewArtifactId, setViewArtifactId] = useState<string | null>(null);
-
   // Ensure file modal state
   const [showEnsureFile, setShowEnsureFile] = useState(false);
   const [ensureFileContent, setEnsureFileContent] = useState<string | null>(null);
@@ -108,9 +96,6 @@ function PackagePage() {
   // Derived permissions
   const canWrite = accessLevel === 'write' || accessLevel === 'admin';
 
-  // Detect system projects (convention: name starts with "_")
-  const isSystemProject = projectName?.startsWith('_') ?? false;
-
   // Get params from URL
   const page = parseInt(searchParams.get('page') || '1', 10);
   const search = searchParams.get('search') || '';
@@ -338,91 +323,7 @@ function PackagePage() {
     setSelectedTag(tag);
   };
 
-  const handleMenuOpen = (e: React.MouseEvent, tagId: string) => {
-    e.stopPropagation();
-    if (openMenuId === tagId) {
-      setOpenMenuId(null);
-      setMenuPosition(null);
-    } else {
-      const rect = e.currentTarget.getBoundingClientRect();
-      setMenuPosition({ top: rect.bottom + 4, left: rect.right - 180 });
-      setOpenMenuId(tagId);
-    }
-  };
-
-  // System projects show Version first, regular projects show Tag first
-  const columns = isSystemProject
-    ? [
-        // System project columns: Version first, then Filename
-        {
-          key: 'version',
-          header: 'Version',
-          sortable: true,
-          render: (t: TagDetail) => (
-            <strong
-              className={`tag-name-link ${selectedTag?.id === t.id ? 'selected' : ''}`}
-              onClick={() => handleTagSelect(t)}
-              style={{ cursor: 'pointer' }}
-            >
-              <span className="version-badge">{t.version || t.name}</span>
-            </strong>
-          ),
-        },
-        {
-          key: 'artifact_original_name',
-          header: 'Filename',
-          className: 'cell-truncate',
-          render: (t: TagDetail) => (
-            <span title={t.artifact_original_name || t.name}>{t.artifact_original_name || t.name}</span>
-          ),
-        },
-        {
-          key: 'artifact_size',
-          header: 'Size',
-          render: (t: TagDetail) => <span>{formatBytes(t.artifact_size)}</span>,
-        },
-        {
-          key: 'created_at',
-          header: 'Cached',
-          sortable: true,
-          render: (t: TagDetail) => (
-            <span>{new Date(t.created_at).toLocaleDateString()}</span>
-          ),
-        },
-        {
-          key: 'actions',
-          header: '',
-          render: (t: TagDetail) => (
-            <div className="action-buttons">
-              <a
-                href={getDownloadUrl(projectName!, packageName!, t.name)}
-                className="btn btn-icon"
-                download
-                title="Download"
-              >
-                <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
-                  <path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4" />
-                  <polyline points="7 10 12 15 17 10" />
-                  <line x1="12" y1="15" x2="12" y2="3" />
-                </svg>
-              </a>
-              <button
-                className="btn btn-icon"
-                onClick={(e) => handleMenuOpen(e, t.id)}
-                title="More actions"
-              >
-                <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
-                  <circle cx="12" cy="12" r="1" />
-                  <circle cx="12" cy="5" r="1" />
-                  <circle cx="12" cy="19" r="1" />
-                </svg>
-              </button>
-            </div>
-          ),
-        },
-      ]
-    : [
-        // Regular project columns: Tag, Version, Filename
+  const columns = [
     {
       key: 'name',
       header: 'Tag',
@@ -441,15 +342,17 @@ function PackagePage() {
       key: 'version',
       header: 'Version',
       render: (t: TagDetail) => (
-            <span className="version-badge">{t.version || '—'}</span>
+        <span className="version-badge">{t.version || '-'}</span>
       ),
     },
     {
-          key: 'artifact_original_name',
-          header: 'Filename',
-          className: 'cell-truncate',
+      key: 'artifact_id',
+      header: 'Artifact ID',
       render: (t: TagDetail) => (
-            <span title={t.artifact_original_name || undefined}>{t.artifact_original_name || '—'}</span>
+        <div className="artifact-id-cell">
+          <code className="artifact-id">{t.artifact_id.substring(0, 12)}...</code>
+          <CopyButton text={t.artifact_id} />
+        </div>
       ),
     },
     {
@@ -457,94 +360,56 @@ function PackagePage() {
       header: 'Size',
       render: (t: TagDetail) => <span>{formatBytes(t.artifact_size)}</span>,
     },
+    {
+      key: 'artifact_content_type',
+      header: 'Type',
+      render: (t: TagDetail) => (
+        <span className="content-type">{t.artifact_content_type || '-'}</span>
+      ),
+    },
+    {
+      key: 'artifact_original_name',
+      header: 'Filename',
+      className: 'cell-truncate',
+      render: (t: TagDetail) => (
+        <span title={t.artifact_original_name || undefined}>{t.artifact_original_name || '-'}</span>
+      ),
+    },
     {
       key: 'created_at',
       header: 'Created',
       sortable: true,
       render: (t: TagDetail) => (
-            <span title={`by ${t.created_by}`}>{new Date(t.created_at).toLocaleDateString()}</span>
+        <div className="created-cell">
+          <span>{new Date(t.created_at).toLocaleString()}</span>
+          <span className="created-by">by {t.created_by}</span>
+        </div>
       ),
     },
     {
       key: 'actions',
-          header: '',
+      header: 'Actions',
       render: (t: TagDetail) => (
         <div className="action-buttons">
+          <button
+            className="btn btn-secondary btn-small"
+            onClick={() => fetchEnsureFileForTag(t.name)}
+            title="View orchard.ensure file"
+          >
+            Ensure
+          </button>
           <a
             href={getDownloadUrl(projectName!, packageName!, t.name)}
-                className="btn btn-icon"
+            className="btn btn-secondary btn-small"
             download
-                title="Download"
           >
-                <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
-                  <path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4" />
-                  <polyline points="7 10 12 15 17 10" />
-                  <line x1="12" y1="15" x2="12" y2="3" />
-                </svg>
+            Download
           </a>
-              <button
-                className="btn btn-icon"
-                onClick={(e) => handleMenuOpen(e, t.id)}
-                title="More actions"
-              >
-                <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
-                  <circle cx="12" cy="12" r="1" />
-                  <circle cx="12" cy="5" r="1" />
-                  <circle cx="12" cy="19" r="1" />
-                </svg>
-              </button>
         </div>
       ),
     },
   ];
 
-  // Find the tag for the open menu
-  const openMenuTag = tags.find(t => t.id === openMenuId);
-
-  // Close menu when clicking outside
-  const handleClickOutside = () => {
-    if (openMenuId) {
-      setOpenMenuId(null);
-      setMenuPosition(null);
-    }
-  };
-
-  // Render dropdown menu as a portal-like element
-  const renderActionMenu = () => {
-    if (!openMenuId || !menuPosition || !openMenuTag) return null;
-    const t = openMenuTag;
-    return (
-      <div
-        className="action-menu-backdrop"
-        onClick={handleClickOutside}
-      >
-        <div
-          className="action-menu-dropdown"
-          style={{ top: menuPosition.top, left: menuPosition.left }}
-          onClick={(e) => e.stopPropagation()}
-        >
-          <button onClick={() => { setViewArtifactId(t.artifact_id); setShowArtifactIdModal(true); setOpenMenuId(null); setMenuPosition(null); }}>
-            View Artifact ID
-          </button>
-          <button onClick={() => { navigator.clipboard.writeText(t.artifact_id); setOpenMenuId(null); setMenuPosition(null); }}>
-            Copy Artifact ID
-          </button>
-          <button onClick={() => { fetchEnsureFileForTag(t.name); setOpenMenuId(null); setMenuPosition(null); }}>
-            View Ensure File
-          </button>
-          {canWrite && !isSystemProject && (
-            <button onClick={() => { setCreateTagArtifactId(t.artifact_id); setShowCreateTagModal(true); setOpenMenuId(null); setMenuPosition(null); }}>
-              Create/Update Tag
-            </button>
-          )}
-          <button onClick={() => { handleTagSelect(t); setShowDepsModal(true); setOpenMenuId(null); setMenuPosition(null); }}>
-            View Dependencies
-          </button>
-        </div>
-      </div>
-    );
-  };
-
   if (loading && !tagsData) {
     return <div className="loading">Loading...</div>;
   }
@@ -586,19 +451,6 @@ function PackagePage() {
           <div className="page-header__title-row">
             <h1>{packageName}</h1>
             {pkg && <Badge variant="default">{pkg.format}</Badge>}
-            {user && canWrite && !isSystemProject && (
-              <button
-                className="btn btn-primary btn-small header-upload-btn"
-                onClick={() => setShowUploadModal(true)}
-              >
-                <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" style={{ marginRight: '6px' }}>
-                  <path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4" />
-                  <polyline points="17 8 12 3 7 8" />
-                  <line x1="12" y1="3" x2="12" y2="15" />
-                </svg>
-                Upload
-              </button>
-            )}
           </div>
           {pkg?.description && <p className="description">{pkg.description}</p>}
           <div className="page-header__meta">
@@ -616,14 +468,14 @@ function PackagePage() {
           </div>
           {pkg && (pkg.tag_count !== undefined || pkg.artifact_count !== undefined) && (
             <div className="package-header-stats">
-              {!isSystemProject && pkg.tag_count !== undefined && (
+              {pkg.tag_count !== undefined && (
                 <span className="stat-item">
                   <strong>{pkg.tag_count}</strong> tags
                 </span>
               )}
               {pkg.artifact_count !== undefined && (
                 <span className="stat-item">
-                  <strong>{pkg.artifact_count}</strong> {isSystemProject ? 'versions' : 'artifacts'}
+                  <strong>{pkg.artifact_count}</strong> artifacts
                 </span>
               )}
               {pkg.total_size !== undefined && pkg.total_size > 0 && (
@@ -631,7 +483,7 @@ function PackagePage() {
                   <strong>{formatBytes(pkg.total_size)}</strong> total
                 </span>
               )}
-              {!isSystemProject && pkg.latest_tag && (
+              {pkg.latest_tag && (
                 <span className="stat-item">
                   Latest: <strong className="accent">{pkg.latest_tag}</strong>
                 </span>
@@ -644,9 +496,44 @@ function PackagePage() {
       {error && <div className="error-message">{error}</div>}
       {uploadSuccess && <div className="success-message">{uploadSuccess}</div>}
 
+      {user && (
+        <div className="upload-section card">
+          <h3>Upload Artifact</h3>
+          {canWrite ? (
+            <div className="upload-form">
+              <div className="form-group">
+                <label htmlFor="upload-tag">Tag (optional)</label>
+                <input
+                  id="upload-tag"
+                  type="text"
+                  value={uploadTag}
+                  onChange={(e) => setUploadTag(e.target.value)}
+                  placeholder="v1.0.0, latest, stable..."
+                />
+              </div>
+              <DragDropUpload
+                projectName={projectName!}
+                packageName={packageName!}
+                tag={uploadTag || undefined}
+                onUploadComplete={handleUploadComplete}
+                onUploadError={handleUploadError}
+              />
+            </div>
+          ) : (
+            <DragDropUpload
+              projectName={projectName!}
+              packageName={packageName!}
+              disabled={true}
+              disabledReason="You have read-only access to this project and cannot upload artifacts."
+              onUploadComplete={handleUploadComplete}
+              onUploadError={handleUploadError}
+            />
+          )}
+        </div>
+      )}
 
       <div className="section-header">
-        <h2>{isSystemProject ? 'Versions' : 'Tags / Versions'}</h2>
+        <h2>Tags / Versions</h2>
       </div>
 
       <div className="list-controls">
@@ -690,6 +577,110 @@ function PackagePage() {
         />
       )}
 
+      {/* Dependencies Section */}
+      {tags.length > 0 && (
+        <div className="dependencies-section card">
+          <div className="dependencies-header">
+            <h3>Dependencies</h3>
+            <div className="dependencies-controls">
+              {selectedTag && (
+                <>
+                  <button
+                    className="btn btn-secondary btn-small"
+                    onClick={fetchEnsureFile}
+                    disabled={ensureFileLoading}
+                    title="View orchard.ensure file"
+                  >
+                    <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" style={{ marginRight: '6px' }}>
+                      <path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z"></path>
+                      <polyline points="14 2 14 8 20 8"></polyline>
+                      <line x1="16" y1="13" x2="8" y2="13"></line>
+                      <line x1="16" y1="17" x2="8" y2="17"></line>
+                      <polyline points="10 9 9 9 8 9"></polyline>
+                    </svg>
+                    {ensureFileLoading ? 'Loading...' : 'View Ensure File'}
+                  </button>
+                  <button
+                    className="btn btn-secondary btn-small"
+                    onClick={() => setShowGraph(true)}
+                    title="View full dependency tree"
+                  >
+                    <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" style={{ marginRight: '6px' }}>
+                      <circle cx="12" cy="12" r="3"></circle>
+                      <circle cx="4" cy="4" r="2"></circle>
+                      <circle cx="20" cy="4" r="2"></circle>
+                      <circle cx="4" cy="20" r="2"></circle>
+                      <circle cx="20" cy="20" r="2"></circle>
+                      <line x1="9.5" y1="9.5" x2="5.5" y2="5.5"></line>
+                      <line x1="14.5" y1="9.5" x2="18.5" y2="5.5"></line>
+                      <line x1="9.5" y1="14.5" x2="5.5" y2="18.5"></line>
+                      <line x1="14.5" y1="14.5" x2="18.5" y2="18.5"></line>
+                    </svg>
+                    View Graph
+                  </button>
+                </>
+              )}
+            </div>
+          </div>
+          <div className="dependencies-tag-select">
+            {selectedTag && (
+              <select
+                className="tag-selector"
+                value={selectedTag.id}
+                onChange={(e) => {
+                  const tag = tags.find(t => t.id === e.target.value);
+                  if (tag) setSelectedTag(tag);
+                }}
+              >
+                {tags.map(t => (
+                  <option key={t.id} value={t.id}>
+                    {t.name}{t.version ? ` (${t.version})` : ''}
+                  </option>
+                ))}
+              </select>
+            )}
+          </div>
+
+          {depsLoading ? (
+            <div className="deps-loading">Loading dependencies...</div>
+          ) : depsError ? (
+            <div className="deps-error">{depsError}</div>
+          ) : dependencies.length === 0 ? (
+            <div className="deps-empty">
+              {selectedTag ? (
+                <span><strong>{selectedTag.name}</strong> has no dependencies</span>
+              ) : (
+                <span>No dependencies</span>
+              )}
+            </div>
+          ) : (
+            <div className="deps-list">
+              <div className="deps-summary">
+                <strong>{selectedTag?.name}</strong> has {dependencies.length} {dependencies.length === 1 ? 'dependency' : 'dependencies'}:
+              </div>
+              <ul className="deps-items">
+                {dependencies.map((dep) => (
+                  <li key={dep.id} className="dep-item">
+                    <Link
+                      to={`/project/${dep.project}/${dep.package}`}
+                      className="dep-link"
+                    >
+                      {dep.project}/{dep.package}
+                    </Link>
+                    <span className="dep-constraint">
+                      @ {dep.version || dep.tag}
+                    </span>
+                    <span className="dep-status dep-status--ok" title="Package exists">
+                      &#10003;
+                    </span>
+                  </li>
+                ))}
+              </ul>
+            </div>
+          )}
+        </div>
+      )}
+
       {/* Used By (Reverse Dependencies) Section */}
       <div className="used-by-section card">
         <h3>Used By</h3>
@@ -746,6 +737,78 @@ function PackagePage() {
         )}
       </div>
 
+      <div className="download-by-id-section card">
+        <h3>Download by Artifact ID</h3>
+        <div className="download-by-id-form">
+          <input
+            type="text"
+            value={artifactIdInput}
+            onChange={(e) => setArtifactIdInput(e.target.value.toLowerCase().replace(/[^a-f0-9]/g, '').slice(0, 64))}
+            placeholder="Enter SHA256 artifact ID (64 hex characters)"
+            className="artifact-id-input"
+          />
+          <a
+            href={artifactIdInput.length === 64 ? getDownloadUrl(projectName!, packageName!, `artifact:${artifactIdInput}`) : '#'}
+            className={`btn btn-primary ${artifactIdInput.length !== 64 ? 'btn-disabled' : ''}`}
+            download
+            onClick={(e) => {
+              if (artifactIdInput.length !== 64) {
+                e.preventDefault();
+              }
+            }}
+          >
+            Download
+          </a>
+        </div>
+        {artifactIdInput.length > 0 && artifactIdInput.length !== 64 && (
+          <p className="validation-hint">Artifact ID must be exactly 64 hex characters ({artifactIdInput.length}/64)</p>
+        )}
+      </div>
+
+      {user && canWrite && (
+        <div className="create-tag-section card">
+          <h3>Create / Update Tag</h3>
+          <p className="section-description">Point a tag at any existing artifact by its ID</p>
+          <form onSubmit={handleCreateTag} className="create-tag-form">
+            <div className="form-row">
+              <div className="form-group">
+                <label htmlFor="create-tag-name">Tag Name</label>
+                <input
+                  id="create-tag-name"
+                  type="text"
+                  value={createTagName}
+                  onChange={(e) => setCreateTagName(e.target.value)}
+                  placeholder="latest, stable, v1.0.0..."
+                  disabled={createTagLoading}
+                />
+              </div>
+              <div className="form-group form-group--wide">
+                <label htmlFor="create-tag-artifact">Artifact ID</label>
+                <input
+                  id="create-tag-artifact"
+                  type="text"
+                  value={createTagArtifactId}
+                  onChange={(e) => setCreateTagArtifactId(e.target.value.toLowerCase().replace(/[^a-f0-9]/g, '').slice(0, 64))}
+                  placeholder="SHA256 hash (64 hex characters)"
+                  className="artifact-id-input"
+                  disabled={createTagLoading}
+                />
+              </div>
+              <button
+                type="submit"
+                className="btn btn-primary"
+                disabled={createTagLoading || !createTagName.trim() || createTagArtifactId.length !== 64}
+              >
+                {createTagLoading ? 'Creating...' : 'Create Tag'}
+              </button>
+            </div>
+            {createTagArtifactId.length > 0 && createTagArtifactId.length !== 64 && (
+              <p className="validation-hint">Artifact ID must be exactly 64 hex characters ({createTagArtifactId.length}/64)</p>
+            )}
+          </form>
+        </div>
+      )}
+
       <div className="usage-section card">
         <h3>Usage</h3>
         <p>Download artifacts using:</p>
@@ -768,118 +831,6 @@ function PackagePage() {
         />
       )}
 
-      {/* Upload Modal */}
-      {showUploadModal && (
-        <div className="modal-overlay" onClick={() => setShowUploadModal(false)}>
-          <div className="upload-modal" onClick={(e) => e.stopPropagation()}>
-            <div className="modal-header">
-              <h3>Upload Artifact</h3>
-              <button
-                className="modal-close"
-                onClick={() => setShowUploadModal(false)}
-                title="Close"
-              >
-                <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
-                  <line x1="18" y1="6" x2="6" y2="18"></line>
-                  <line x1="6" y1="6" x2="18" y2="18"></line>
-                </svg>
-              </button>
-            </div>
-            <div className="modal-body">
-              <div className="form-group">
-                <label htmlFor="upload-tag">Tag (optional)</label>
-                <input
-                  id="upload-tag"
-                  type="text"
-                  value={uploadTag}
-                  onChange={(e) => setUploadTag(e.target.value)}
-                  placeholder="v1.0.0, latest, stable..."
-                />
-              </div>
-              <DragDropUpload
-                projectName={projectName!}
-                packageName={packageName!}
-                tag={uploadTag || undefined}
-                onUploadComplete={(result) => {
-                  handleUploadComplete(result);
-                  setShowUploadModal(false);
-                  setUploadTag('');
-                }}
-                onUploadError={handleUploadError}
-              />
-            </div>
-          </div>
-        </div>
-      )}
-
-      {/* Create/Update Tag Modal */}
-      {showCreateTagModal && (
-        <div className="modal-overlay" onClick={() => setShowCreateTagModal(false)}>
-          <div className="create-tag-modal" onClick={(e) => e.stopPropagation()}>
-            <div className="modal-header">
-              <h3>Create / Update Tag</h3>
-              <button
-                className="modal-close"
-                onClick={() => { setShowCreateTagModal(false); setCreateTagName(''); setCreateTagArtifactId(''); }}
-                title="Close"
-              >
-                <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
-                  <line x1="18" y1="6" x2="6" y2="18"></line>
-                  <line x1="6" y1="6" x2="18" y2="18"></line>
-                </svg>
-              </button>
-            </div>
-            <div className="modal-body">
-              <p className="modal-description">Point a tag at an artifact by its ID</p>
-              <form onSubmit={(e) => { handleCreateTag(e); setShowCreateTagModal(false); }}>
-                <div className="form-group">
-                  <label htmlFor="modal-tag-name">Tag Name</label>
-                  <input
-                    id="modal-tag-name"
-                    type="text"
-                    value={createTagName}
-                    onChange={(e) => setCreateTagName(e.target.value)}
-                    placeholder="latest, stable, v1.0.0..."
-                    disabled={createTagLoading}
-                  />
-                </div>
-                <div className="form-group">
-                  <label htmlFor="modal-artifact-id">Artifact ID</label>
-                  <input
-                    id="modal-artifact-id"
-                    type="text"
-                    value={createTagArtifactId}
-                    onChange={(e) => setCreateTagArtifactId(e.target.value.toLowerCase().replace(/[^a-f0-9]/g, '').slice(0, 64))}
-                    placeholder="SHA256 hash (64 hex characters)"
-                    className="artifact-id-input"
-                    disabled={createTagLoading}
-                  />
-                  {createTagArtifactId.length > 0 && createTagArtifactId.length !== 64 && (
-                    <p className="validation-hint">{createTagArtifactId.length}/64 characters</p>
-                  )}
-                </div>
-                <div className="modal-actions">
-                  <button
-                    type="button"
-                    className="btn btn-secondary"
-                    onClick={() => { setShowCreateTagModal(false); setCreateTagName(''); setCreateTagArtifactId(''); }}
-                  >
-                    Cancel
-                  </button>
-                  <button
-                    type="submit"
-                    className="btn btn-primary"
-                    disabled={createTagLoading || !createTagName.trim() || createTagArtifactId.length !== 64}
-                  >
-                    {createTagLoading ? 'Creating...' : 'Create Tag'}
-                  </button>
-                </div>
-              </form>
-            </div>
-          </div>
-        </div>
-      )}
-
       {/* Ensure File Modal */}
       {showEnsureFile && (
         <div className="modal-overlay" onClick={() => setShowEnsureFile(false)}>
@@ -921,107 +872,6 @@ function PackagePage() {
           </div>
         </div>
       )}
-
-      {/* Dependencies Modal */}
-      {showDepsModal && selectedTag && (
-        <div className="modal-overlay" onClick={() => setShowDepsModal(false)}>
-          <div className="deps-modal" onClick={(e) => e.stopPropagation()}>
-            <div className="modal-header">
-              <h3>Dependencies for {selectedTag.version || selectedTag.name}</h3>
-              <button
-                className="modal-close"
-                onClick={() => setShowDepsModal(false)}
-                title="Close"
-              >
-                <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
-                  <line x1="18" y1="6" x2="6" y2="18"></line>
-                  <line x1="6" y1="6" x2="18" y2="18"></line>
-                </svg>
-              </button>
-            </div>
-            <div className="modal-body">
-              <div className="deps-modal-controls">
-                <button
-                  className="btn btn-secondary btn-small"
-                  onClick={fetchEnsureFile}
-                  disabled={ensureFileLoading}
-                >
-                  View Ensure File
-                </button>
-                <button
-                  className="btn btn-secondary btn-small"
-                  onClick={() => { setShowDepsModal(false); setShowGraph(true); }}
-                >
-                  View Graph
-                </button>
-              </div>
-              {depsLoading ? (
-                <div className="deps-loading">Loading dependencies...</div>
-              ) : depsError ? (
-                <div className="deps-error">{depsError}</div>
-              ) : dependencies.length === 0 ? (
-                <div className="deps-empty">No dependencies</div>
-              ) : (
-                <div className="deps-list">
-                  <div className="deps-summary">
-                    {dependencies.length} {dependencies.length === 1 ? 'dependency' : 'dependencies'}:
-                  </div>
-                  <ul className="deps-items">
-                    {dependencies.map((dep) => (
-                      <li key={dep.id} className="dep-item">
-                        <Link
-                          to={`/project/${dep.project}/${dep.package}`}
-                          className="dep-link"
-                          onClick={() => setShowDepsModal(false)}
-                        >
-                          {dep.project}/{dep.package}
-                        </Link>
-                        <span className="dep-constraint">
-                          @ {dep.version || dep.tag}
-                        </span>
-                        <span className="dep-status dep-status--ok" title="Package exists">
-                          &#10003;
-                        </span>
-                      </li>
-                    ))}
-                  </ul>
-                </div>
-              )}
-            </div>
-          </div>
-        </div>
-      )}
-
-      {/* Artifact ID Modal */}
-      {showArtifactIdModal && viewArtifactId && (
-        <div className="modal-overlay" onClick={() => setShowArtifactIdModal(false)}>
-          <div className="artifact-id-modal" onClick={(e) => e.stopPropagation()}>
-            <div className="modal-header">
-              <h3>Artifact ID</h3>
-              <button
-                className="modal-close"
-                onClick={() => setShowArtifactIdModal(false)}
-                title="Close"
-              >
-                <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
-                  <line x1="18" y1="6" x2="6" y2="18"></line>
-                  <line x1="6" y1="6" x2="18" y2="18"></line>
-                </svg>
-              </button>
-            </div>
-            <div className="modal-body">
-              <p className="modal-description">SHA256 hash identifying this artifact:</p>
-              <div className="artifact-id-display">
-                <code>{viewArtifactId}</code>
-                <CopyButton text={viewArtifactId} />
-              </div>
-            </div>
-          </div>
-        </div>
-      )}
-
-      {/* Action Menu Dropdown */}
-      {renderActionMenu()}
     </div>
   );
 }

frontend/src/pages/ProjectPage.tsx

@@ -214,7 +214,7 @@ function ProjectPage() {
           </div>
         </div>
         <div className="page-header__actions">
-          {canAdmin && !project.team_id && !project.is_system && (
+          {canAdmin && !project.team_id && (
             <button
               className="btn btn-secondary"
               onClick={() => navigate(`/project/${projectName}/settings`)}
@@ -227,11 +227,11 @@ function ProjectPage() {
               Settings
             </button>
           )}
-          {canWrite && !project.is_system ? (
+          {canWrite ? (
             <button className="btn btn-primary" onClick={() => setShowForm(!showForm)}>
               {showForm ? 'Cancel' : '+ New Package'}
             </button>
-          ) : user && !project.is_system ? (
+          ) : user ? (
             <span className="text-muted" title="You have read-only access to this project">
               Read-only access
             </span>
@@ -294,7 +294,6 @@ function ProjectPage() {
           placeholder="Filter packages..."
           className="list-controls__search"
         />
-        {!project?.is_system && (
         <select
           className="list-controls__select"
           value={format}
@@ -307,7 +306,6 @@ function ProjectPage() {
             </option>
           ))}
         </select>
-        )}
       </div>
 
       {hasActiveFilters && (
@@ -343,19 +341,19 @@ function ProjectPage() {
               className: 'cell-description',
               render: (pkg) => pkg.description || '—',
             },
-            ...(!project?.is_system ? [{
+            {
               key: 'format',
               header: 'Format',
-              render: (pkg: Package) => <Badge variant="default">{pkg.format}</Badge>,
-            }] : []),
-            ...(!project?.is_system ? [{
+              render: (pkg) => <Badge variant="default">{pkg.format}</Badge>,
+            },
+            {
               key: 'tag_count',
               header: 'Tags',
-              render: (pkg: Package) => pkg.tag_count ?? '—',
-            }] : []),
+              render: (pkg) => pkg.tag_count ?? '—',
+            },
             {
               key: 'artifact_count',
-              header: project?.is_system ? 'Versions' : 'Artifacts',
+              header: 'Artifacts',
               render: (pkg) => pkg.artifact_count ?? '—',
             },
             {
@@ -364,12 +362,12 @@ function ProjectPage() {
               render: (pkg) =>
                 pkg.total_size !== undefined && pkg.total_size > 0 ? formatBytes(pkg.total_size) : '—',
             },
-            ...(!project?.is_system ? [{
+            {
               key: 'latest_tag',
               header: 'Latest',
-              render: (pkg: Package) =>
+              render: (pkg) =>
                 pkg.latest_tag ? <strong style={{ color: 'var(--accent-primary)' }}>{pkg.latest_tag}</strong> : '—',
-            }] : []),
+            },
             {
               key: 'created_at',
               header: 'Created',