axonops
diff --git a/‎internal/api/handlers/handlers.go‎
Lines changed: 63 additions & 9 deletions b/‎internal/api/handlers/handlers.go‎
Lines changed: 63 additions & 9 deletions
diff --git a/‎internal/api/handlers/handlers_test.go‎
Lines changed: 23 additions & 0 deletions b/‎internal/api/handlers/handlers_test.go‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎internal/api/server_test.go‎
Lines changed: 29 additions & 0 deletions b/‎internal/api/server_test.go‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎internal/api/types/types.go‎
Lines changed: 2 additions & 3 deletions b/‎internal/api/types/types.go‎
Lines changed: 2 additions & 3 deletions
@@ -67,14 +67,20 @@ func NewWithConfig(reg *registry.Registry, cfg Config) *Handler {
 }
 
 // checkModeForWrite checks if the current mode allows write operations for the given subject.
-// Returns an error message if writes are blocked, or empty string if allowed.
+// Returns:
+//   - mode string: non-empty if writes are blocked by READONLY or READONLY_OVERRIDE
+//   - error: non-nil if the mode check itself failed (e.g. storage unreachable)
+//
 // Both READONLY and READONLY_OVERRIDE block data and config writes.
-func (h *Handler) checkModeForWrite(r *http.Request, subject string) string {
-	mode, _ := h.registry.GetMode(r.Context(), subject)
+func (h *Handler) checkModeForWrite(r *http.Request, subject string) (string, error) {
+	mode, err := h.registry.GetMode(r.Context(), subject)
+	if err != nil {
+		return "", fmt.Errorf("failed to check mode: %w", err)
+	}
 	if mode == "READONLY" || mode == "READONLY_OVERRIDE" {
-		return mode
+		return mode, nil
 	}
-	return ""
+	return "", nil
 }
 
 // resolveAlias resolves a subject alias. If the subject has an alias configured,
@@ -319,6 +325,8 @@ func (h *Handler) GetVersion(w http.ResponseWriter, r *http.Request) {
 }
 
 // findDeletedVersion looks up a soft-deleted version by iterating all versions including deleted.
+// When version is -1 (the "latest" sentinel), it returns the highest-versioned schema
+// among all versions (including soft-deleted), matching Confluent's behavior.
 func (h *Handler) findDeletedVersion(ctx context.Context, subject string, version int) (*storage.SchemaRecord, error) {
 	schemas, err := h.registry.GetSchemasBySubject(ctx, subject, true) // include deleted
 	if err != nil {
@@ -327,6 +335,21 @@ func (h *Handler) findDeletedVersion(ctx context.Context, subject string, versio
 	if len(schemas) == 0 {
 		return nil, storage.ErrSubjectNotFound
 	}
+
+	// "latest" sentinel: return the highest version among all (including deleted)
+	if version == -1 {
+		var latest *storage.SchemaRecord
+		for _, s := range schemas {
+			if latest == nil || s.Version > latest.Version {
+				latest = s
+			}
+		}
+		if latest != nil {
+			return latest, nil
+		}
+		return nil, storage.ErrVersionNotFound
+	}
+
 	for _, s := range schemas {
 		if s.Version == version {
 			return s, nil
@@ -357,7 +380,10 @@ func (h *Handler) RegisterSchema(w http.ResponseWriter, r *http.Request) {
 	subject := h.resolveAlias(r.Context(), chi.URLParam(r, "subject"))
 
 	// Check mode enforcement
-	if mode := h.checkModeForWrite(r, subject); mode != "" {
+	if mode, modeErr := h.checkModeForWrite(r, subject); modeErr != nil {
+		writeError(w, http.StatusInternalServerError, types.ErrorCodeStorageError, modeErr.Error())
+		return
+	} else if mode != "" {
 		writeError(w, http.StatusUnprocessableEntity, types.ErrorCodeOperationNotPermitted,
 			fmt.Sprintf("Subject '%s' is in %s mode", subject, mode))
 		return
@@ -384,8 +410,18 @@ func (h *Handler) RegisterSchema(w http.ResponseWriter, r *http.Request) {
 	var schema *storage.SchemaRecord
 	var err error
 
-	// In IMPORT mode with explicit ID, use import path
+	// Explicit ID requires IMPORT mode (Confluent behavior)
 	if req.ID > 0 {
+		mode, modeErr := h.registry.GetMode(r.Context(), subject)
+		if modeErr != nil {
+			writeError(w, http.StatusInternalServerError, types.ErrorCodeStorageError, "Failed to check mode")
+			return
+		}
+		if mode != "IMPORT" {
+			writeError(w, http.StatusUnprocessableEntity, types.ErrorCodeOperationNotPermitted,
+				fmt.Sprintf("Subject '%s' is not in import mode. Registering schemas with explicit IDs requires IMPORT mode.", subject))
+			return
+		}
 		schema, err = h.registry.RegisterSchemaWithID(r.Context(), subject, req.Schema, schemaType, req.References, req.ID)
 	} else {
 		schema, err = h.registry.RegisterSchema(r.Context(), subject, req.Schema, schemaType, req.References, registry.RegisterOpts{
@@ -491,7 +527,10 @@ func (h *Handler) DeleteSubject(w http.ResponseWriter, r *http.Request) {
 	permanent := r.URL.Query().Get("permanent") == "true"
 
 	// Check mode enforcement
-	if mode := h.checkModeForWrite(r, subject); mode != "" {
+	if mode, modeErr := h.checkModeForWrite(r, subject); modeErr != nil {
+		writeError(w, http.StatusInternalServerError, types.ErrorCodeStorageError, modeErr.Error())
+		return
+	} else if mode != "" {
 		writeError(w, http.StatusUnprocessableEntity, types.ErrorCodeOperationNotPermitted,
 			fmt.Sprintf("Subject '%s' is in %s mode", subject, mode))
 		return
@@ -531,7 +570,10 @@ func (h *Handler) DeleteVersion(w http.ResponseWriter, r *http.Request) {
 	permanent := r.URL.Query().Get("permanent") == "true"
 
 	// Check mode enforcement
-	if mode := h.checkModeForWrite(r, subject); mode != "" {
+	if mode, modeErr := h.checkModeForWrite(r, subject); modeErr != nil {
+		writeError(w, http.StatusInternalServerError, types.ErrorCodeStorageError, modeErr.Error())
+		return
+	} else if mode != "" {
 		writeError(w, http.StatusUnprocessableEntity, types.ErrorCodeOperationNotPermitted,
 			fmt.Sprintf("Subject '%s' is in %s mode", subject, mode))
 		return
@@ -1083,6 +1125,18 @@ func (h *Handler) ListSchemas(w http.ResponseWriter, r *http.Request) {
 
 // ImportSchemas handles POST /import/schemas
 func (h *Handler) ImportSchemas(w http.ResponseWriter, r *http.Request) {
+	// Bulk import requires IMPORT mode (Confluent behavior)
+	mode, modeErr := h.registry.GetMode(r.Context(), "")
+	if modeErr != nil {
+		writeError(w, http.StatusInternalServerError, types.ErrorCodeStorageError, "Failed to check mode")
+		return
+	}
+	if mode != "IMPORT" {
+		writeError(w, http.StatusUnprocessableEntity, types.ErrorCodeOperationNotPermitted,
+			"Import is not permitted. The registry must be in IMPORT mode to import schemas.")
+		return
+	}
+
 	var req types.ImportSchemasRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		writeError(w, http.StatusBadRequest, types.ErrorCodeInvalidSchema, "Invalid request body")
 
@@ -53,6 +53,25 @@ func registerSchema(t *testing.T, h *Handler, subject, schemaStr string) int64 {
 	return resp.ID
 }
 
+// setImportMode sets the global mode to IMPORT via the handler.
+func setImportMode(t *testing.T, h *Handler) {
+	t.Helper()
+	modeReq := types.ModeRequest{Mode: "IMPORT"}
+	modeBytes, _ := json.Marshal(modeReq)
+
+	r := chi.NewRouter()
+	r.Put("/mode", h.SetMode)
+
+	req := httptest.NewRequest("PUT", "/mode?force=true", bytes.NewReader(modeBytes))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("setImportMode failed: %d %s", w.Code, w.Body.String())
+	}
+}
+
 func decodeErrorResponse(t *testing.T, w *httptest.ResponseRecorder) types.ErrorResponse {
 	t.Helper()
 	var resp types.ErrorResponse
@@ -1389,6 +1408,7 @@ func TestListSchemas_WithSchemas(t *testing.T) {
 
 func TestImportSchemas_Success(t *testing.T) {
 	h := setupTestHandler(t)
+	setImportMode(t, h)
 
 	r := chi.NewRouter()
 	r.Post("/import/schemas", h.ImportSchemas)
@@ -1422,6 +1442,7 @@ func TestImportSchemas_Success(t *testing.T) {
 
 func TestImportSchemas_EmptyList(t *testing.T) {
 	h := setupTestHandler(t)
+	setImportMode(t, h)
 
 	r := chi.NewRouter()
 	r.Post("/import/schemas", h.ImportSchemas)
@@ -1441,6 +1462,7 @@ func TestImportSchemas_EmptyList(t *testing.T) {
 
 func TestImportSchemas_InvalidBody(t *testing.T) {
 	h := setupTestHandler(t)
+	setImportMode(t, h)
 
 	r := chi.NewRouter()
 	r.Post("/import/schemas", h.ImportSchemas)
@@ -1457,6 +1479,7 @@ func TestImportSchemas_InvalidBody(t *testing.T) {
 
 func TestImportSchemas_DuplicateID(t *testing.T) {
 	h := setupTestHandler(t)
+	setImportMode(t, h)
 
 	r := chi.NewRouter()
 	r.Post("/import/schemas", h.ImportSchemas)
 
@@ -558,9 +558,26 @@ func TestServer_RegisterCompatibleSchema(t *testing.T) {
 	}
 }
 
+// setGlobalMode sets the global mode via the API (e.g., "IMPORT", "READWRITE").
+func setGlobalMode(t *testing.T, server *Server, mode string) {
+	t.Helper()
+	modeReq := types.ModeRequest{Mode: mode}
+	modeBytes, _ := json.Marshal(modeReq)
+	req := httptest.NewRequest("PUT", "/mode?force=true", bytes.NewReader(modeBytes))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	server.ServeHTTP(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("Failed to set mode to %s: %d %s", mode, w.Code, w.Body.String())
+	}
+}
+
 func TestServer_ImportSchemas(t *testing.T) {
 	server := setupTestServer(t)
 
+	// Set IMPORT mode (required for import operations)
+	setGlobalMode(t, server, "IMPORT")
+
 	// Import schemas with specific IDs
 	importReq := types.ImportSchemasRequest{
 		Schemas: []types.ImportSchemaRequest{
@@ -629,6 +646,9 @@ func TestServer_ImportSchemas(t *testing.T) {
 		t.Errorf("Expected schema ID 42, got %d", versionResp.ID)
 	}
 
+	// Switch back to READWRITE for normal registration
+	setGlobalMode(t, server, "READWRITE")
+
 	// New schema registration should get an ID after the imported ones
 	newSchema := `{"type": "record", "name": "Product", "fields": [{"name": "product_id", "type": "long"}]}`
 	registerBody := types.RegisterSchemaRequest{Schema: newSchema}
@@ -654,6 +674,9 @@ func TestServer_ImportSchemas(t *testing.T) {
 func TestServer_ImportSchemas_DuplicateID(t *testing.T) {
 	server := setupTestServer(t)
 
+	// Set IMPORT mode (required for import operations)
+	setGlobalMode(t, server, "IMPORT")
+
 	// Import first schema
 	importReq := types.ImportSchemasRequest{
 		Schemas: []types.ImportSchemaRequest{
@@ -715,6 +738,9 @@ func TestServer_ImportSchemas_DuplicateID(t *testing.T) {
 func TestServer_ImportSchemas_InvalidSchema(t *testing.T) {
 	server := setupTestServer(t)
 
+	// Set IMPORT mode (required for import operations)
+	setGlobalMode(t, server, "IMPORT")
+
 	// Try to import invalid schema
 	importReq := types.ImportSchemasRequest{
 		Schemas: []types.ImportSchemaRequest{
@@ -752,6 +778,9 @@ func TestServer_ImportSchemas_InvalidSchema(t *testing.T) {
 func TestServer_ImportSchemas_EmptyRequest(t *testing.T) {
 	server := setupTestServer(t)
 
+	// Set IMPORT mode (required for import operations)
+	setGlobalMode(t, server, "IMPORT")
+
 	// Try to import empty list
 	importReq := types.ImportSchemasRequest{
 		Schemas: []types.ImportSchemaRequest{},
 
@@ -163,9 +163,8 @@ const (
 	ErrorCodeSubjectCompatNotFound     = 40408
 	ErrorCodeSubjectModeNotFound       = 40409
 	ErrorCodeIncompatibleSchema        = 409
-	ErrorCodeInvalidSchema             = 42201
-	ErrorCodeInvalidSchemaType         = 42202
-	ErrorCodeInvalidVersion            = 42202 // Confluent uses 42202 for both invalid schema type and invalid version
+	ErrorCodeInvalidSchema  = 42201
+	ErrorCodeInvalidVersion = 42202
 	ErrorCodeInvalidCompatibilityLevel = 42203
 	ErrorCodeInvalidMode               = 42204
 	ErrorCodeOperationNotPermitted     = 42205