Mirror api key handling

Author: isTravis

.env.enc

@@ -1,22 +1,24 @@
-#ENC[AES256_GCM,data:5YN6f+XIQasY,iv:70tE+1xTurmic6fcjiuDCVovEbYVhDbp2lvbONhNW5A=,tag:LkAy0bLDgDhNgwrGdqmp4Q==,type:comment]
-DATABASE_URL=ENC[AES256_GCM,data:/28bqrOFc9GcQH4Dv4spSwNgD71BzEOzm8rKN7nlwY9qQckHL76YOvBHNToU0sZqC9v5DT4=,iv:F4oswhOvlREkllYVooBIELUjM4WECckSwdRDxcu6E8I=,tag:V7+Hxt0Veij5+52PdyvSAQ==,type:str]
-SESSION_SECRET=ENC[AES256_GCM,data:MirMFVzowHq3jnaGrNPe82EKONv5XOppyhg3BI7R3h4=,iv:ehkoryGJcEL2c830LD9hZt/Uf6U3brbZlaJPNyJLiVE=,tag:oP/na2LsYuQhc4vGDc4ACw==,type:str]
-APP_PORT=ENC[AES256_GCM,data:o8oBKw==,iv:9lXQy+YaVb3um42QaHKKH2EXA6p9VzgX4cF4yZq17qE=,tag:QK+7vAQw4Q7qHk113pM6Qw==,type:str]
-API_PORT=ENC[AES256_GCM,data:QNqN5Q==,iv:3ChZ+9fWEUUFab4f8MFanSJcrRLEMO1yaCy+tCajWH8=,tag:xyA9zZepwJFt1pWvml67Eg==,type:str]
-#ENC[AES256_GCM,data:MrMg,iv:hdJ+cS1GtNPfpcsDoAI1TdjRW4tQTDhxhD59VFKlC3w=,tag:00P1/zjgi4mUztzvc8WXRw==,type:comment]
-S3_BUCKET=ENC[AES256_GCM,data:x6ZvFtFlBn4oGjSjBCbJ,iv:Fs+ehEL+6ZJH0LFz8RL2Vlr3PTSNTRhLOrqTCFMJchY=,tag:8V95MpTnaj6GbTn3YEYBsw==,type:str]
-S3_ENDPOINT=ENC[AES256_GCM,data:cyqC2I4kUYrdGw/9OTv88LQptYbKWzDrgc3Bbz7ag1GmzdWBPS/CAf7mIkDm/X2qWyecEg3MvNvYjCM8KKXDEfE=,iv:MKalw/HDyJ5au6Q7bia6pr7aUc3UQK+QuyuVXfctTI8=,tag:ieN8kXP02mQK/D+aqTS/Ng==,type:str]
-S3_ACCESS_KEY=ENC[AES256_GCM,data:L0XFIxbE/yu45PhMh5pIfc2PDun6t+hppD2mb2DQVno=,iv:fCDNYLqpW1gblgQjRSWxNtDpH3Wvk/bF4AZ+SX/qSCg=,tag:J4DA77pMJbAKUOphfyGtww==,type:str]
-S3_SECRET_KEY=ENC[AES256_GCM,data:T+uXZRXKFhwkkeEAzGtfNaeQbPKQrQmLgo4ekWMSR84rcMh3T8mul/Fmr6zQai1bvYRDR/RqXjVB8+grN33NtA==,iv:h0AG9TD66pZP5xGJmavBuH03nHbVz+t75ePqUP/M9O4=,tag:6iCaK84XTQ4sD9o0DjuvKg==,type:str]
-sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUGFGMFFlT04wMmVSNHpm\ncUJTREVQeUsxM25hT3VOQWRTY3hMa2Q0U0VNCm9NeFMwVWRtdDVXT3l0dnRaUUNT\nTXZMZXBTWEozMCszMjQwQXp2SXYzTGMKLS0tICtWbWdZNUFEZVNXQlhlWnRkdWx0\nQjU5R0k4cVZ0akJiOTFhdnYwSVVFZHMKDbZsZkRamBqEZoKh1GqeTEETECW0FNwW\ne5jgJjK0t/uLa2GASecSGI0ONRM4n7J50jsBdtmb6lqaAgY3mDQWbA==\n-----END AGE ENCRYPTED FILE-----\n
+#ENC[AES256_GCM,data:OTvS9wE/1Y8D,iv:TH6FV7DEWuEFrHRUbPxWDn2wQH91kRdR7GiiIIbXZXM=,tag:mFIxqN+HaHJFBXmV9HwhmQ==,type:comment]
+DATABASE_URL=ENC[AES256_GCM,data:peVeoz3PtbZ/FDYyiYUYeGd12nv+CehcxL+PZPnCDTH0m2jC8hUoK7ORyX24gget6nmGYRI=,iv:dm3yToRlLYxawPyqukiAqQ5pL7SZzMUeC/UqLpc8yfU=,tag:w+O5b+8mpL0mUL1+QgEEjw==,type:str]
+SESSION_SECRET=ENC[AES256_GCM,data:UszhKBt+K7a9Rvm0RCb32XIPewEpavJgITzdvihqbM4=,iv:yJTgIzaZKSmYR2H8y5ZbtqGNj5WrG+MIYvLVqhQbCGI=,tag:9Vg0EbMoj7mkq3FEQ31/5g==,type:str]
+APP_PORT=ENC[AES256_GCM,data:Vb96ZA==,iv:y/sUKEViCx0lX6kAzrpiD8yICK+bOVA+5xF6yzdNneQ=,tag:bygtiSSg3NCc4tlULR3Mlg==,type:str]
+API_PORT=ENC[AES256_GCM,data:cimBEw==,iv:niHYZoy2P/an06znHc6M3P0sySyBdZRhnzanirhMbyE=,tag:7HIoxyhPNwuTyywt4cZMJA==,type:str]
+#ENC[AES256_GCM,data:nP8u,iv:kuXejWrfQYWksTiLT2YQ07WfsrRU6/UimFBCjgPG8iU=,tag:bdyvKXmUUrgjKKnQVcks5w==,type:comment]
+S3_BUCKET=ENC[AES256_GCM,data:MzahjK+0uTqAw/WhA8Se,iv:xLvpcYYV/1frYiTnwrOjHo3b8TCjgpgQ5QRLg1lhAc0=,tag:+DfZ2lWTi6S1lcJVJ+XjfQ==,type:str]
+S3_ENDPOINT=ENC[AES256_GCM,data:ybBuRodzg5hI5fa/iWmBkzCVimT+JHinLT3/6cZ2AIEWPWRcWeQcug4A+MDoWasYsWt9w2lRSHfxS355Pr3l4wA=,iv:9n/By1VXaIPODj/R5KqZgNEz1RUirJh+cHvvLci8344=,tag:aVx8J2V7+PMOvkqhYm79FQ==,type:str]
+S3_ACCESS_KEY=ENC[AES256_GCM,data:rOdXiMeBLu/3K8il8ayx9Rur3IlbrjQ4FnRAKKIMPgU=,iv:S5WiEHRCf3dBn2aVLCglnfc62qkLwyRoM+6QzoRWTTw=,tag:AaVNv6uSuKMbS2xdYpK35Q==,type:str]
+S3_SECRET_KEY=ENC[AES256_GCM,data:Feenm4pAlv8eglOUaU/1aPIf81WzdNzoqprB87jxzEfLJPc1BxKab7AqMaJOqQqOpQ7hNrK+I2dr01gFv6x/SA==,iv:kNTslAmOSNH3wSKtnE2qg1pIoASKUnZh6EW/kdrTxiQ=,tag:VdpCsHZ75yW0kDVaNxhMnw==,type:str]
+#ENC[AES256_GCM,data:z6C0FEY22W4af3lK1mx1BE3j,iv:BGNFYqhy/ySTaL9y9Bth4WqaaqUOTjDr6PigI2+zljc=,tag:C1+HDy9Vfopz3cwJn+NDFg==,type:comment]
+UNDERLAY_UPSTREAM_API_KEY=ENC[AES256_GCM,data:21NDl9yy4rvWiZOLBh6U5HrgzsAq5B2firmYYUxr9XCSemM=,iv:C4HYm3IF6cZEo5ZicNvCIcXo5qARHWKkZ4vwVTkn0Jk=,tag:GVB3atYFyk1p4Yr9j7u1Kg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsenFsVmhwbU1rc3ZJWTAw\nZTl5L0xKYmJaMVVyTEZFb2pmdm5jVlV4bUZvCldtVlg5czFrdndPZmxIYVBCb3FC\nM21SY2JYTkxoQ214dGRlNitWcGhOcHcKLS0tIDJtcmVRSEs4amlraURZVjlnS3dr\nQnBaZHVTeElrTFNINGo4aVNRSmxPYVEKsiCgHDdHEyg1dK4+liXapmPIov3Twl3p\nL3JuNxYs7D2KUdvsxYjpl0gd9LKHo8BnR4x4ltOIJZS84NQEDyyE9A==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1wravpjmed26772xfjhawmnsnc4933htapg6y5xseqml0jdv8z9hqemzhcr
-sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYnhoQ3hOL1V3TWVERmFy\nQ1hFNjYrK1RiS0R0T3RSbDJqRzYrcENLUTFvCnRhSmdIMCtvbkEyWlBLbkxGaFFS\nR3RiY2FnMzVRaVpXaHRYT0dITmZIMUkKLS0tIGRpRDBXSGlVRUdlYVNMeW90NGdS\nMWxuT01hRG4zWnFoOTFkYjlPNFVIRFEKc47+5w5UkcZn/cDQhoW1EqCqJ81fSU9s\nhmP2+FMkXl2iC8DvMXxvmv54lr0yVK4DH6g9NxpVR4ai/dWdEjvl9w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBON0xxSDVqQ1hJU2NxWTRY\na1pFcmdPWE1EQ29oZDNiMXNjMzVHYmxGaVU0CjAvNTMrTzhGSndBWGVKeHNJM0hR\nckhWN0V0ZkgxcEFmNmNoYWI1aDZ1L0kKLS0tIHIrdjBBU25VWEh6SG5kZVNNTFdQ\nRDVuYjIwTUdyRHJRQU1wVExGVFJOU00KhSPc1Jd8ujgNKbddWNl5sOi4h+1t5/zw\n3Bd9k3ZZd+saU/PfOrxh9QUbR4RXS85sRGOPH54tIYhH8QoffthtJg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1ysddqggsx3h8zkv7xn3z26sjak5pqms6pyqhnky9ukrvpk7es5jsayz8w7
-sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbUxwNE1PRkhMNnFVM1dH\neERReFZWL0toSUg2ekRoNUFZQ1ZFL1YvVlU0CjRPN2NlNWpPakp4UWp6NURvZm1D\nblJmOFRka0I0NEorU2tNMFh2aWYzMFEKLS0tIDZhbmFoTERXNzgzVW82b094OVAr\nQmtTdTV1K0hkZXpIbkxRck1TVjZVTm8Kl2hj5e7mv0wRWLZaYCoqW/CZwncB9+vO\niUcostwDMBHR7Q9Iln+OcZnmhIQtyawZ5OU/ARynG9ps/yF++J+RGg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNitEVzFDNVBjZ054TWts\nNEpNQXpaS3BvWjRPY2ZTNG1BSVNwMmo5OWc4CjhQWTBtYkVQa3R6c3hsenNJTTRS\nYUgzbmtxaEtDODVqYWxaL1ZTVDNBK3MKLS0tIDR6VjNqNklRb2grN2hBdG9BbENn\nYUhFMXlkb3RsRjFmMWRXOCttN0h6WHcKqwZGyeJiTbMWS5V56EBidSOOba/eGGMM\nD1LUwZmdUKivD3gOfK1STO6M7mEvJMUdzUebJR7IyC6Ibt0vyV5Afg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1pgxk292zq30wafwg03gge7hu5dlu3h7yfldp2y8kqekfaljjky7s752uwy
-sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETDZhR3E3NUNPR3ZOTzBE\nY1kxRlRWY3dEeDM1TmJOOW45Ump1TWVUaUFnCkkrNEErYmRINEQ3c2UvQjFTcnJv\nOHJZbk1oUGpRWm5hM2wweGc4V1lSU2sKLS0tIEJCWTVRMzhhM0ZpYWl6aVliN1dk\nMDYzN01GUGtBRWI5NFRQdWJncUl2SGMKH2tGAaN0aTAz575Q39S4uorUjD/BO8Oa\n/aHc/ytU9Jpj2tdMkPx/dD39Tv0ZO/z+rPZijv3Oirzk/FmDeV8/2g==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUK3ZWeVRHS0VscmdpYXJt\naG5WaG13Si9JdnZaS1IxQWdvWWY3QzJSVHhnCmxpdW9WQmRBWHVPNFljeVg2c0Ry\nVCtoRkxsdXM5RGFxUUloYXhFU1g2cEUKLS0tIExCOHlXUzRKYndSYVJxVmZzcUhp\nRWJab3ZWRVlNME9sckIycUxwQ0JvRVUKr0F/Zd4TY448DpFc2+oqHybprN43ydKS\n3WmdCCHYY8GhmxgIlTSN7LCaJ2eTtOQaEX12Fhj5+JY5vmisW/cygg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_3__map_recipient=age1qn0x93jhqjpqwvx5tgxnrwq5e3vuzur9whrkdnrvapd58esm45rqfkuxqh
-sops_lastmodified=2026-05-01T02:33:52Z
-sops_mac=ENC[AES256_GCM,data:5fsji5DmNyZFgmyV23bBj+OxmlFo0aBIH4w5Vz7gFVnYOv3p+TuResFll2aXzFPWLt02/spwhXeqwkDx/korefkL0zzKIuASRtS05UtAln098hL96zdWblP5TVzSORA2sDHvyz488EpV3BPywLvDPHRrKQu9TmEzlEBlmsWvHxo=,iv:RXQuKcZ4ybhhXPbaZUIDvGzwjZxjLTXarj7Zm84fepQ=,tag:/fPOM7H5B8bH7oGdfg/Sag==,type:str]
+sops_lastmodified=2026-05-02T02:32:16Z
+sops_mac=ENC[AES256_GCM,data:setdDRn3+KnoAJf43iTmzKRK4AG9Mgwp/jFY09FQQshVDUAB5STtH63nKB1GAOGHoDqUK53w+Fb1plFCMuHwn1/AWGisQ3pdkg9I13OhqhRAdsvsW9hI9Bx5C953K8t6GQdpvdO/kh3qDfh0RDpTQ9scv13Mmf8n7BqBj/gW9Fg=,iv:O+94d6Sy+d9pRiUp0f4njS6Eb8CouWHDqACppkAU2Gw=,tag:IWLf41HYQqMps9bjxR2wJg==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0

.github/workflows/deploy-mirror.yml

@@ -87,14 +87,9 @@ jobs:
           GHCR_USER: ${{ secrets.GHCR_USER }}
           GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
           IMAGE_TAG: mirror-${{ github.sha }}
-          S3_ENDPOINT: ${{ secrets.S3_ENDPOINT }}
-          S3_REGION: ${{ secrets.S3_REGION }}
-          S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
-          S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
-          S3_BUCKET: ${{ secrets.S3_BUCKET }}
         run: |
           ssh "${SSH_USER}@${SSH_HOST}" \
-            "env GHCR_USER='${GHCR_USER}' GHCR_TOKEN='${GHCR_TOKEN}' IMAGE_TAG='${IMAGE_TAG}' S3_ENDPOINT='${S3_ENDPOINT}' S3_REGION='${S3_REGION}' S3_ACCESS_KEY='${S3_ACCESS_KEY}' S3_SECRET_KEY='${S3_SECRET_KEY}' S3_BUCKET='${S3_BUCKET}' bash -s -- '${REPO}' '${BRANCH}'" <<'EOS'
+            "env GHCR_USER='${GHCR_USER}' GHCR_TOKEN='${GHCR_TOKEN}' IMAGE_TAG='${IMAGE_TAG}' bash -s -- '${REPO}' '${BRANCH}'" <<'EOS'
           set -euo pipefail
 
           REPO="${1:?missing repo}"
@@ -107,6 +102,7 @@ jobs:
           STACK_NAME="underlay-mirror"
           REPO_NAME="${REPO##*/}"
           APP_DIR="/srv/${REPO_NAME}-mirror"
+          PROD_DIR="/srv/${REPO_NAME}"
           REPO_SSH="git@github.com:${REPO}.git"
 
           ssh-keyscan -H github.com >> ~/.ssh/known_hosts 2>/dev/null
@@ -123,6 +119,17 @@ jobs:
           git checkout "${BRANCH}"
           git pull origin "${BRANCH}"
 
+          # Load secrets from prod's .env (already decrypted on the server)
+          # This gives us S3_*, UNDERLAY_UPSTREAM_API_KEY, etc.
+          if [[ -f "${PROD_DIR}/.env" ]]; then
+            set -a
+            source <(grep -v '^#' "${PROD_DIR}/.env" | grep -v '^$')
+            set +a
+          else
+            echo "ERROR: ${PROD_DIR}/.env not found — run a prod deploy first"
+            exit 1
+          fi
+
           # Init swarm if not already active
           if ! sudo docker info --format '{{.Swarm.LocalNodeState}}' | grep -qx active; then
             sudo docker swarm init
@@ -132,13 +139,14 @@ jobs:
 
           sudo docker pull "ghcr.io/${REPO}:${IMAGE_TAG}"
 
-          # Deploy using docker-compose.mirror.yml — Postgres is self-contained,
-          # only S3 credentials need to be passed through for file storage.
+          # Deploy using docker-compose.mirror.yml — Postgres is self-contained.
+          # S3 creds and API key are sourced from prod .env above.
           sudo env \
             IMAGE="ghcr.io/${REPO}" IMAGE_TAG="$IMAGE_TAG" \
-            S3_ENDPOINT="$S3_ENDPOINT" S3_REGION="$S3_REGION" \
-            S3_ACCESS_KEY="$S3_ACCESS_KEY" S3_SECRET_KEY="$S3_SECRET_KEY" \
+            S3_ENDPOINT="${S3_ENDPOINT:-}" S3_REGION="${S3_REGION:-auto}" \
+            S3_ACCESS_KEY="${S3_ACCESS_KEY:-}" S3_SECRET_KEY="${S3_SECRET_KEY:-}" \
             S3_BUCKET="${S3_BUCKET:-underlay}" \
+            UNDERLAY_UPSTREAM_API_KEY="${UNDERLAY_UPSTREAM_API_KEY:-}" \
             SESSION_SECRET="$(openssl rand -hex 32)" \
             docker stack deploy -c docker-compose.mirror.yml \
             --with-registry-auth --resolve-image always --prune "${STACK_NAME}"

docker-compose.mirror.yml

@@ -21,6 +21,8 @@ services:
       S3_ACCESS_KEY: ${S3_ACCESS_KEY:-}
       S3_SECRET_KEY: ${S3_SECRET_KEY:-}
       S3_BUCKET: ${S3_BUCKET:-underlay}
+      # Upstream API key (for authenticated sync — higher rate limit)
+      UNDERLAY_UPSTREAM_API_KEY: ${UNDERLAY_UPSTREAM_API_KEY:-}
       # Session (for admin login)
       SESSION_SECRET: ${SESSION_SECRET:-mirror-secret-change-me}
     ports:
@@ -73,6 +75,7 @@ services:
       S3_ACCESS_KEY: ${S3_ACCESS_KEY:-}
       S3_SECRET_KEY: ${S3_SECRET_KEY:-}
       S3_BUCKET: ${S3_BUCKET:-underlay}
+      UNDERLAY_UPSTREAM_API_KEY: ${UNDERLAY_UPSTREAM_API_KEY:-}
     command: ["node", "--import", "tsx/esm", "tools/cron.ts"]
     networks:
       - mirrornet

src/components/MirrorAdmin.tsx

@@ -36,6 +36,68 @@ interface SyncResult {
   errors: string[];
 }
 
+const PAGE_SIZE = 10;
+
+function PaginatedCollections({ collections }: { collections: MirrorStatus["collections"] }) {
+  const [page, setPage] = useState(0);
+  const totalPages = Math.ceil(collections.length / PAGE_SIZE);
+  const visible = collections.slice(page * PAGE_SIZE, (page + 1) * PAGE_SIZE);
+
+  return (
+    <div>
+      <table className="w-full text-sm">
+        <thead>
+          <tr className="border-b border-rule text-left text-ink-muted">
+            <th className="pb-2 font-medium">Collection</th>
+            <th className="pb-2 font-medium">Version</th>
+            <th className="pb-2 font-medium">Last Updated</th>
+          </tr>
+        </thead>
+        <tbody>
+          {visible.map((c) => (
+            <tr key={`${c.ownerSlug}/${c.slug}`} className="border-b border-rule/50">
+              <td className="py-2">
+                <a href={`/${c.ownerSlug}/${c.slug}`} className="text-ink hover:underline">
+                  {c.ownerSlug}/{c.slug}
+                </a>
+                <span className="text-ink-muted ml-2">— {c.name}</span>
+              </td>
+              <td className="py-2 font-mono">v{c.localVersion}</td>
+              <td className="py-2 text-ink-muted">
+                {new Date(c.updatedAt).toLocaleDateString()}
+              </td>
+            </tr>
+          ))}
+        </tbody>
+      </table>
+      {totalPages > 1 && (
+        <div className="flex items-center justify-between mt-3 text-xs text-ink-muted">
+          <span>{collections.length} collections</span>
+          <div className="flex items-center gap-2">
+            <button
+              onClick={() => setPage((p) => Math.max(0, p - 1))}
+              disabled={page === 0}
+              className="px-2 py-1 border border-rule rounded disabled:opacity-30 hover:bg-parchment-dark"
+            >
+              ← Prev
+            </button>
+            <span>
+              {page + 1} / {totalPages}
+            </span>
+            <button
+              onClick={() => setPage((p) => Math.min(totalPages - 1, p + 1))}
+              disabled={page >= totalPages - 1}
+              className="px-2 py-1 border border-rule rounded disabled:opacity-30 hover:bg-parchment-dark"
+            >
+              Next →
+            </button>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
+
 export default function MirrorAdmin({ upstream, nodeName, syncSchedule }: Props) {
   const [status, setStatus] = useState<MirrorStatus | null>(null);
   const [testResult, setTestResult] = useState<TestResult | null>(null);
@@ -206,34 +268,7 @@ export default function MirrorAdmin({ upstream, nodeName, syncSchedule }: Props)
           Mirrored Collections
         </h2>
         {status && status.collections.length > 0 ? (
-          <table className="w-full text-sm">
-            <thead>
-              <tr className="border-b border-rule text-left text-ink-muted">
-                <th className="pb-2 font-medium">Collection</th>
-                <th className="pb-2 font-medium">Version</th>
-                <th className="pb-2 font-medium">Last Updated</th>
-              </tr>
-            </thead>
-            <tbody>
-              {status.collections.map((c) => (
-                <tr key={`${c.ownerSlug}/${c.slug}`} className="border-b border-rule/50">
-                  <td className="py-2">
-                    <a
-                      href={`/${c.ownerSlug}/${c.slug}`}
-                      className="text-ink hover:underline"
-                    >
-                      {c.ownerSlug}/{c.slug}
-                    </a>
-                    <span className="text-ink-muted ml-2">— {c.name}</span>
-                  </td>
-                  <td className="py-2 font-mono">v{c.localVersion}</td>
-                  <td className="py-2 text-ink-muted">
-                    {new Date(c.updatedAt).toLocaleDateString()}
-                  </td>
-                </tr>
-              ))}
-            </tbody>
-          </table>
+          <PaginatedCollections collections={status.collections} />
         ) : status ? (
           <p className="text-sm text-ink-muted">
             No collections mirrored yet. Click "Sync Now" to pull from upstream.

src/lib/mirror-config.ts

@@ -10,6 +10,7 @@ export interface MirrorConfig {
   upstream: string;
   nodeName: string;
   syncSchedule: string;
+  apiKey: string;
 }
 
 export function getMirrorConfig(): MirrorConfig {
@@ -19,5 +20,6 @@ export function getMirrorConfig(): MirrorConfig {
     upstream: process.env.UNDERLAY_UPSTREAM ?? "",
     nodeName: process.env.UNDERLAY_NODE_NAME ?? "Mirror",
     syncSchedule: process.env.UNDERLAY_SYNC_SCHEDULE ?? "0 0 * * 0",
+    apiKey: process.env.UNDERLAY_UPSTREAM_API_KEY ?? "",
   };
 }

src/lib/mirror-sync.ts

@@ -66,16 +66,38 @@ async function ensureSchema(schemaBody: unknown): Promise<string> {
   return created!.id;
 }
 
-/** Fetch JSON from the upstream server */
+/** Sleep for a given number of milliseconds */
+function sleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+/** Fetch JSON from the upstream server with retry on 429 */
 async function fetchUpstream<T>(upstream: string, path: string): Promise<T> {
+  const config = getMirrorConfig();
   const url = `${upstream.replace(/\/$/, "")}${path}`;
-  const res = await fetch(url, {
-    headers: { Accept: "application/json" },
-  });
-  if (!res.ok) {
-    throw new Error(`Upstream ${url} returned ${res.status}: ${await res.text()}`);
+  const headers: Record<string, string> = { Accept: "application/json" };
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+  }
+
+  for (let attempt = 0; attempt < 5; attempt++) {
+    const res = await fetch(url, { headers });
+
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get("retry-after") ?? "60", 10);
+      const waitSec = Math.min(retryAfter + 2, 120);
+      console.log(`[mirror-sync] Rate limited, waiting ${waitSec}s before retry (attempt ${attempt + 1}/5)`);
+      await sleep(waitSec * 1000);
+      continue;
+    }
+
+    if (!res.ok) {
+      throw new Error(`Upstream ${url} returned ${res.status}: ${await res.text()}`);
+    }
+    return res.json() as Promise<T>;
   }
-  return res.json() as Promise<T>;
+
+  throw new Error(`Upstream ${url} rate limited after 5 retries`);
 }
 
 /** Download a file from upstream by hash */
@@ -85,14 +107,32 @@ async function downloadUpstreamFile(
   collSlug: string,
   fileHash: string,
 ): Promise<Buffer> {
+  const config = getMirrorConfig();
   const url = `${upstream.replace(/\/$/, "")}/api/collections/${owner}/${collSlug}/files/${fileHash}`;
-  const res = await fetch(url);
-  if (!res.ok) {
-    throw new Error(`File download failed: ${url} → ${res.status}`);
+  const headers: Record<string, string> = {};
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
   }
-  // Follow redirect to CDN or get bytes directly
-  const arrayBuffer = await res.arrayBuffer();
-  return Buffer.from(arrayBuffer);
+
+  for (let attempt = 0; attempt < 5; attempt++) {
+    const res = await fetch(url, { headers });
+
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get("retry-after") ?? "60", 10);
+      const waitSec = Math.min(retryAfter + 2, 120);
+      console.log(`[mirror-sync] Rate limited on file download, waiting ${waitSec}s`);
+      await sleep(waitSec * 1000);
+      continue;
+    }
+
+    if (!res.ok) {
+      throw new Error(`File download failed: ${url} → ${res.status}`);
+    }
+    const arrayBuffer = await res.arrayBuffer();
+    return Buffer.from(arrayBuffer);
+  }
+
+  throw new Error(`File download rate limited after 5 retries: ${url}`);
 }
 
 interface UpstreamCollection {