fix: align cache controls with config

Remove unused head-check config, make TTL overrides explicit, and tighten revalidation to avoid stale cache behavior.

internal/config/types.go

@@ -64,16 +64,15 @@ type GlobalConfig struct {
 
 // HubConfig 决定单个代理实例如何与下游/上游交互。
 type HubConfig struct {
-	Name            string   `mapstructure:"Name"`
-	Domain          string   `mapstructure:"Domain"`
-	Upstream        string   `mapstructure:"Upstream"`
-	Proxy           string   `mapstructure:"Proxy"`
-	Type            string   `mapstructure:"Type"`
-	Username        string   `mapstructure:"Username"`
-	Password        string   `mapstructure:"Password"`
-	CacheTTL        Duration `mapstructure:"CacheTTL"`
-	ValidationMode  string   `mapstructure:"ValidationMode"`
-	EnableHeadCheck bool     `mapstructure:"EnableHeadCheck"`
+	Name           string   `mapstructure:"Name"`
+	Domain         string   `mapstructure:"Domain"`
+	Upstream       string   `mapstructure:"Upstream"`
+	Proxy          string   `mapstructure:"Proxy"`
+	Type           string   `mapstructure:"Type"`
+	Username       string   `mapstructure:"Username"`
+	Password       string   `mapstructure:"Password"`
+	CacheTTL       Duration `mapstructure:"CacheTTL"`
+	ValidationMode string   `mapstructure:"ValidationMode"`
 }
 
 // Config 是 TOML 文件映射的整体结构。
@@ -109,11 +108,12 @@ func CredentialModes(hubs []HubConfig) []string {
 
 // StrategyOverrides 将 hub 层的 TTL/Validation 配置映射为模块策略覆盖项。
 func (h HubConfig) StrategyOverrides(ttl time.Duration) hubmodule.StrategyOptions {
-	opts := hubmodule.StrategyOptions{
-		TTLOverride: ttl,
-	}
+	opts := hubmodule.StrategyOptions{}
 	if mode := strings.TrimSpace(h.ValidationMode); mode != "" {
 		opts.ValidationOverride = hubmodule.ValidationMode(mode)
 	}
+	if h.CacheTTL.DurationValue() > 0 {
+		opts.TTLOverride = ttl
+	}
 	return opts
 }

internal/hubmodule/debian/hooks.go

@@ -37,7 +37,14 @@ func cachePolicy(_ *hooks.RequestContext, locatorPath string, current hooks.Cach
 		// 索引类（Release/Packages/Contents）需要 If-None-Match/If-Modified-Since 再验证。
 		if strings.HasSuffix(clean, "/release") ||
 			strings.HasSuffix(clean, "/inrelease") ||
-			strings.HasSuffix(clean, "/release.gpg") {
+			strings.HasSuffix(clean, "/release.gpg") ||
+			strings.HasSuffix(clean, "/packages") ||
+			strings.HasSuffix(clean, "/packages.gz") ||
+			strings.HasSuffix(clean, "/packages.xz") ||
+			strings.HasSuffix(clean, "/sources") ||
+			strings.HasSuffix(clean, "/sources.gz") ||
+			strings.HasSuffix(clean, "/sources.xz") ||
+			strings.Contains(clean, "/contents-") {
 			current.AllowCache = true
 			current.AllowStore = true
 			current.RequireRevalidate = true

internal/hubmodule/strategy.go

@@ -11,13 +11,14 @@ type StrategyOptions struct {
 // ResolveStrategy 将模块的默认策略与 hub 级覆盖合并。
 func ResolveStrategy(meta ModuleMetadata, opts StrategyOptions) CacheStrategyProfile {
 	strategy := meta.CacheStrategy
-	if strategy.TTLHint > 0 && opts.TTLOverride > 0 {
-		strategy.TTLHint = opts.TTLOverride
-	}
 	if opts.ValidationOverride != "" {
 		strategy.ValidationMode = opts.ValidationOverride
 	}
-	return normalizeStrategy(strategy)
+	strategy = normalizeStrategy(strategy)
+	if opts.TTLOverride > 0 {
+		strategy.TTLHint = opts.TTLOverride
+	}
+	return strategy
 }
 
 func normalizeStrategy(profile CacheStrategyProfile) CacheStrategyProfile {

internal/proxy/handler.go

@@ -3,7 +3,7 @@ package proxy
 import (
 	"bytes"
 	"context"
-	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@@ -202,10 +202,25 @@ func (h *Handler) serveCache(
 	c.Status(status)
 
 	if method == http.MethodHead {
-		// 对 HEAD 请求仍向上游发起一次 HEAD，以满足“显式请求 + 再验证”的期望。
 		if route != nil && route.UpstreamURL != nil {
-			if resp, err := h.revalidateRequest(c, route, resolveUpstreamURL(route, route.UpstreamURL, c, hook), result.Entry.Locator, ""); err == nil {
-				resp.Body.Close()
+			shouldRevalidate := true
+			if hook != nil && hook.hasHooks && hook.def.CachePolicy != nil {
+				policy := hook.def.CachePolicy(hook.ctx, result.Entry.Locator.Path, hooks.CachePolicy{
+					AllowCache:        true,
+					AllowStore:        true,
+					RequireRevalidate: true,
+				})
+				if !policy.AllowCache || !policy.AllowStore {
+					shouldRevalidate = false
+				} else {
+					shouldRevalidate = policy.RequireRevalidate
+				}
+			}
+
+			if shouldRevalidate {
+				if resp, err := h.revalidateRequest(c, route, resolveUpstreamURL(route, route.UpstreamURL, c, hook), result.Entry.Locator, ""); err == nil {
+					resp.Body.Close()
+				}
 			}
 		}
 		result.Reader.Close()
@@ -571,7 +586,7 @@ func resolveContentType(route *server.HubRoute, locator cache.Locator, hook *hoo
 func buildLocator(route *server.HubRoute, c fiber.Ctx, clean string, rawQuery []byte) cache.Locator {
 	query := rawQuery
 	if len(query) > 0 {
-		sum := sha1.Sum(query)
+		sum := sha256.Sum256(query)
 		clean = fmt.Sprintf("%s/__qs/%s", clean, hex.EncodeToString(sum[:]))
 	}
 	loc := cache.Locator{
@@ -791,7 +806,7 @@ func (h *Handler) isCacheFresh(
 		return true, nil
 	case http.StatusOK:
 		if resp.Header.Get("Etag") == "" && resp.Header.Get("Docker-Content-Digest") == "" && resp.Header.Get("Last-Modified") == "" {
-			return true, nil
+			return false, nil
 		}
 		h.rememberETag(route, locator, resp)
 		remote := extractModTime(resp.Header)

internal/server/hub_registry_test.go

@@ -15,11 +15,10 @@ func TestHubRegistryLookupByHost(t *testing.T) {
 		},
 		Hubs: []config.HubConfig{
 			{
-				Name:            "docker",
-				Domain:          "docker.hub.local",
-				Type:            "docker",
-				Upstream:        "https://registry-1.docker.io",
-				EnableHeadCheck: true,
+				Name:     "docker",
+				Domain:   "docker.hub.local",
+				Type:     "docker",
+				Upstream: "https://registry-1.docker.io",
 			},
 			{
 				Name:     "npm",