Source: dev.to · Topic: ai-tools

Rust Was Crashing. Go Fixed It. Copilot Showed Me Why

A developer built Delay Mirror, a supply chain security gateway for package managers that blocks downloads of packages published within the last three days, after malicious code was pushed into npm packages through a compromised token in April 2026. The project initially used Rust for its WebAssembly compatibility but suffered from 800-1200ms cold starts, frequent timeout errors, and 2-5 minute compile times. After GitHub Copilot diagnosed the async HTTP stack as the root cause, the developer ported the proxy to Go, achieving a 10x improvement in timeout rates, 15% more requests per second, and compile times under 30 seconds.

Published Jun 6, 2026 · 4 min read

This is a submission for the GitHub Finish-Up-A-Thon Challenge

Delay Mirror is a supply chain security gateway for package managers (npm, pip, go, brew). It sits between developers and upstream registries, blocking downloads of packages published within the last N days (default: 3).

Most malicious packages are discovered and taken down within hours of publication. A 3-day cooldown is enough for the security community to complete the find→report→remove cycle—without requiring a full audit or package repository.

The project started in April 2026, the week attackers pushed malicious code into @antfu/ni and eslint-plugin-* through a compromised npm token. Hundreds of thousands of downloads before anyone noticed.

Existing tools didn't fit:

I wanted something lighter: a mirror with a time gate. No storage. No auditing. No subscription. Just one check on every download—is this version old enough?
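The time gate described above, as an added example that is not Delay Mirror's own code. It assumes npm-style registry metadata in which a `time` object maps each version to its publish timestamp; `GateVersions` and `samplePackument` are hypothetical names, and the sample data is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Constructed sample metadata, not real registry data. 1.2.0 has no timestamp.
const samplePackument = `{
  "name": "example-pkg",
  "versions": {"1.0.0": {}, "1.1.0": {}, "1.1.1": {}, "1.2.0": {}},
  "time": {
    "1.0.0": "2026-01-10T08:00:00.000Z",
    "1.1.0": "2026-04-01T12:00:00.000Z",
    "1.1.1": "2026-04-05T09:30:00.000Z"
  }
}`

// packument is the subset of the metadata the gate needs.
type packument struct {
	Versions map[string]json.RawMessage `json:"versions"`
	Time     map[string]string          `json:"time"`
}

// GateVersions splits versions into those at least minAge old and those blocked.
func GateVersions(doc []byte, now time.Time, minAge time.Duration) (allowed, blocked []string, err error) {
	var p packument
	if err = json.Unmarshal(doc, &p); err != nil {
		return nil, nil, err
	}
	cutoff := now.Add(-minAge)
	// Single pass over versions (not over "time"), so a version that lacks a
	// timestamp is still seen and handled.
	for v := range p.Versions {
		ts, perr := time.Parse(time.RFC3339, p.Time[v])
		if perr != nil || ts.After(cutoff) {
			blocked = append(blocked, v) // fail closed: unknown age counts as too new
			continue
		}
		allowed = append(allowed, v)
	}
	sort.Strings(allowed)
	sort.Strings(blocked)
	return allowed, blocked, nil
}

func main() {
	now := time.Date(2026, 4, 6, 0, 0, 0, 0, time.UTC)
	fmt.Println(GateVersions([]byte(samplePackument), now, 72*time.Hour))
}
```

A version with a missing or unparseable timestamp is blocked rather than passed through, so a malformed upstream response cannot bypass the cooldown.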

npm install -g delay-mirror

eval "$(delay-mirror hook zsh)"

npm install lodash        # Automatically proxied
pip install requests      # Automatically proxied
go install github.com/foo/bar@latest  # Automatically proxied
brew install wget         # Automatically proxied

🔗 GitHub: github.com/Fz0x00/delayMirror

I picked Rust because it compiles to WebAssembly, which runs on Cloudflare Workers. Same codebase, two targets: native binary for local use, WASM for edge deployment.

The project had two parts—CLI and Server—with dedicated handlers for npm, pip, go, and brew.

It broke immediately. CF Workers cold start: 800-1200ms. Warm requests: 50-150ms. Direct registry access: 30-80ms. Users couldn't tolerate 10x latency on npm install. The default *.workers.dev domain also failed in corporate networks.

I pivoted to local proxy. It still broke. Rust compile times (2-5 minutes per release build) made debugging painfully slow. Production was choking on Connection timeout and Connection reset errors. The same requests worked locally but failed under real network conditions.

I spent a day dumping error logs and performance data into GitHub Copilot and asked for the root cause. Its answer stopped me:

"These timeouts aren't caused by your logic. Rust's async HTTP stack isn't the best fit for a concurrent proxy gateway. For IO-bound workloads like this, Go's goroutine model and standard library net/http are more mature—battle-tested at Google for over a decade. And Go's compile time will 10x your debugging throughput."

I was skeptical. But desperate. I spent one day porting the core proxy logic to Go.

Same logic, drastically different results:

| Metric | Rust | Go |
| --- | --- | --- |
| Requests/sec | 45,234 | 52,100 (+15%) |
| Avg latency | 2.1ms | 1.8ms (-14%) |
| Timeout rate | ~0.2% | 0.02% (10x improvement) |
| Compile time | 4min 32s | 28s (10x faster) |

Production stability improved immediately. The 502s stopped. The timeouts dropped to near zero.

Architecture refactoring: I split the monolithic binary into clean CLI/Server separation, added TOML configuration (RFC 001), shell hook support (zsh/bash/fish), Homebrew proxy, and 480+ tests (the Rust version had zero).

Developer UX design: Copilot suggested shell wrapper functions that transparently intercept package manager commands—users add one line to their shell config and forget the tool exists. This replaced the old approach of manually setting 7 environment variables.

Before vs after:

| Aspect | Before (Rust/Workers) | After (Go/Local) |
| --- | --- | --- |
| Deployment | Remote Worker | Local binary |
| Latency | 50-500ms | <2ms |
| Reliability | Frequent timeouts | Stable |
| Compile time | 2-5 minutes | <30 seconds |
| Lines of code | 9,476 | 5,508 |
| Tests | 0 | 480+ |

Copilot contributed far more than code generation:

Root cause analysis. I fed it logs and code. It identified that the issue wasn't my logic, but Rust's async HTTP stack's behavior under concurrent load—something I would have spent weeks debugging alone.

Code review caught 13 bugs. A double @ in the Go Modules @latest URL. O(n²) version filtering. Hardcoded HTTPS breaking local development. PyPI filename parsing edge cases. All would have shipped to production.

Product design, not just code. The shell hook UX (graceful degradation, port auto-discovery, selective hooking) was Copilot's architecture suggestion. It solved a problem I hadn't fully articulated: how to make security invisible.

Pattern-matched boilerplate. After my first npm shell wrapper, Copilot generated pip, go, brew, and uv versions automatically—each with the correct environment variables.

RFC generation. I described the config file requirements in plain English; Copilot structured it into a formal RFC with search paths, schema design, and backward compatibility strategy.

Production tells the truth. Benchmarks don't reveal compile-time debugging overhead or real-world network edge cases.

Developer experience is a feature. The shell hook turned a "set 7 env vars" tool into "one line in .zshrc, then forget it." Night and day adoption.

AI designs products, not just code. The most valuable Copilot contribution wasn't code—it was the Shell Hook architecture.

Sometimes "right" beats "best." Rust is excellent. For this proxy needing fast iteration and simple deployment, Go was the better fit.

Supply chain security isn't a one-time fix. Since April, we've seen PyPI typosquatting and Go Module domain hijacking. Delay Mirror won't stop every attack. But if it saves one team during the next mass poisoning—that's enough.

Ever deployed something and realized your tech stack was the wrong call? How did you figure it out? Comments welcome.
