fix: respect no-cache/no-store TTL=0 from parseCacheTTL

sangwa · claude · sangwa · commit 8b20cae9341c · 2026-03-25T18:37:15.000-07:00
parseCacheTTL returns 0 to signal "do not cache" (no-cache, no-store,
or expired Expires header). The ttl &lt;= 0 guard in endorsements.go and
cosign.go was overriding this with the default TTL, causing responses
that should not be cached to be cached. Changed to ttl &lt; 0 so only
truly invalid values get the fallback.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/cosign.go b/internal/cosign.go
@@ -131,7 +131,7 @@ func (s *Server) fetchCosignSignatures(ctx context.Context, urls []*url.URL, cli
 			ttl = t
 		}
 	}
-	if ttl <= 0 {
+	if ttl < 0 {
 		ttl = s.cfg.HTTPCacheDefaultTTL
 	}
 
diff --git a/internal/endorsements.go b/internal/endorsements.go
@@ -101,7 +101,7 @@ func (s *Server) fetchEndorsementDocumentsWithClient(ctx context.Context, urls [
 			ttl = t
 		}
 	}
-	if ttl <= 0 {
+	if ttl < 0 {
 		ttl = s.cfg.HTTPCacheDefaultTTL
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ func (s Server) fetchCosignSignatures(ctx context.Context, urls []url.URL, cli`
`131`	`131`	`ttl = t`
`132`	`132`	`}`
`133`	`133`	`}`
`134`		`- if ttl <= 0 {`
	`134`	`+ if ttl < 0 {`
`135`	`135`	`ttl = s.cfg.HTTPCacheDefaultTTL`
`136`	`136`	`}`
`137`	`137`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ func (s *Server) fetchEndorsementDocumentsWithClient(ctx context.Context, urls [`
`101`	`101`	`ttl = t`
`102`	`102`	`}`
`103`	`103`	`}`
`104`		`- if ttl <= 0 {`
	`104`	`+ if ttl < 0 {`
`105`	`105`	`ttl = s.cfg.HTTPCacheDefaultTTL`
`106`	`106`	`}`
`107`	`107`