fix: skip direct GitHub API validation when PROXY_REGISTRY_ONLY is set

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- Fixed direct GitHub API and ADO/GHES `git ls-remote` calls not respecting `PROXY_REGISTRY_ONLY` mode; all four validation code paths (virtual package, GitHub.com API, ADO/GHES git, and parse-failure fallback) now skip outbound network probes and return `True` when proxy-only mode is active. (#615)
 - Fixed Claude hook ownership metadata lost due to `additionalProperties` schema restriction: ownership is now stored in a `.claude/apm-hooks.json` sidecar file and re-injected on read, so APM can track which hooks it owns without violating the Claude settings schema. (#1279)
 - `apm pack` no longer prints a misleading `No plugin.json found` warning for marketplace-publishing projects (`marketplace:` block in `apm.yml`, no `dependencies:`); the synthesis path is the APM-native source of truth and is reported as an `[i]` info line when authoring a bare plugin, suppressed otherwise. (#1348)
 - `apm marketplace init` and `apm init --marketplace` now scaffold the snake-case `# tag_pattern: "{name}-v{version}"` per package instead of the schema-invalid camelCase `tagPattern` example. (#1348)

src/apm_cli/install/validation.py

@@ -183,6 +183,8 @@ def _validate_package_exists(package, verbose=False, auth_resolver=None, logger=
 
         from apm_cli.utils.github_host import is_azure_devops_hostname, is_github_hostname
 
+        from ..deps.registry_proxy import is_enforce_only
+
         virtual_subdir_repo_probe = (
             dep_ref.is_virtual
             and dep_ref.is_virtual_subdirectory()
@@ -194,6 +196,15 @@ def _validate_package_exists(package, verbose=False, auth_resolver=None, logger=
         # the virtual path is a subdirectory on a non-GitHub host. Those should
         # validate the clone root with git, preserving SSH/credential-helper flows.
         if dep_ref.is_virtual and not virtual_subdir_repo_probe:
+            if is_enforce_only():
+                # PROXY_REGISTRY_ONLY=1: skip virtual package validation probe.
+                # The download step will surface a proxy 404 if the package is absent.
+                if logger:
+                    logger.info(
+                        "Skipping virtual package validation for"
+                        f" {dep_ref.host or 'remote'}: proxy-only mode is active"
+                    )
+                return True
             ctx = auth_resolver.resolve_for_dep(dep_ref)
             host = dep_ref.host or default_host()
             org = (
@@ -260,6 +271,16 @@ def _warn(msg: str) -> None:
             or dep_ref.is_azure_devops()
             or (dep_ref.host and dep_ref.host != "github.com")
         ):
+            if is_enforce_only():
+                # PROXY_REGISTRY_ONLY=1: skip direct git ls-remote probe for ADO/GHES.
+                # The download step will surface a proxy 404 if the package is absent.
+                if logger:
+                    logger.info(
+                        "Skipping direct git ls-remote for"
+                        f" {dep_ref.host or 'remote'}: proxy-only mode is active"
+                    )
+                return True
+
             # Determine host type before building the URL so we know whether to
             # embed a token.  Generic (non-GitHub, non-ADO) hosts are excluded
             # from APM-managed auth; they rely on git credential helpers via the
@@ -509,6 +530,16 @@ def _log_attempt_result(probe_url: str, run_result):
         )
         host_info = auth_resolver.classify_host(host, port=port)
 
+        if is_enforce_only():
+            # PROXY_REGISTRY_ONLY=1: skip the GitHub API probe.
+            # Marketplace/lockfile resolution already ran through the proxy;
+            # the download step will surface a proxy 404 if absent.
+            if logger:
+                logger.info(
+                    f"Skipping direct GitHub API probe for {host}: proxy-only mode is active"
+                )
+            return True
+
         if verbose_log:
             ctx = auth_resolver.resolve(host, org=org, port=port)
             verbose_log(
@@ -596,6 +627,18 @@ def _check_repo(token, git_env):
         if not re.fullmatch(r"[A-Za-z0-9._-]+/[A-Za-z0-9._-]+", repo_path):
             return False
 
+        from ..deps.registry_proxy import is_enforce_only
+
+        if is_enforce_only():
+            # PROXY_REGISTRY_ONLY=1: skip the GitHub API fallback probe.
+            # The download step will surface a proxy 404 if the package is absent.
+            if logger:
+                logger.info(
+                    f"Skipping direct GitHub API fallback probe for {host}:"
+                    " proxy-only mode is active"
+                )
+            return True
+
         def _check_repo_fallback(token, git_env):
             host_info = auth_resolver.classify_host(host)
             api_url = f"{host_info.api_base}/repos/{repo_path}"