Add third-party-copy (HTTP COPY) mode for the client

[Copilot]

Implements origin-to-origin transfers using the HTTP COPY verb per the WLCG HTTP-TPC specification. The client instructs the destination server to pull data directly from the source, rather than proxying bytes through itself.

Based on the approach drafted in #1604, adapted to the current codebase.

Core transfer engine (client/handle_http.go)

• New transferTypeCopy transfer type with srcURL, srcToken, srcDirResp fields on transferFile and TransferJob
• NewCopyJob() — creates a TPC job with separate director lookups and token acquisition for source and destination
• copyHTTP() — HEAD to source for size, then COPY to destination with Source and TransferHeaderAuthorization headers
• monitorTPC() — parses WLCG performance markers (Perf Marker / End blocks with stripe aggregation)
• WithSourceToken() / WithSourceTokenLocation() — transfer options for separate source auth

Client API (client/main.go)

• DoCopy() now detects both-remote URLs via isPelicanScheme() and routes to doThirdPartyCopy()
• Backwards compatible: local↔remote transfers still dispatch to DoGet/DoPut

CLI (cmd/object_sync.go)

• pelican object sync now accepts both source and destination as federation URLs, using TPC

Usage

# Copy between origins
pelican object copy pelican://fed.example.com/ns/source.dat pelican://fed.example.com/ns/dest.dat

# Sync between federation endpoints
pelican object sync pelican://fed.example.com/ns/srcdir/ pelican://fed.example.com/ns/destdir/

# With separate source/destination tokens
pelican object copy -t dest-token pelican://src/file pelican://dest/file

Tests

• Unit: TestMonitorTPC — perf marker parsing (multi-stripe, failure, empty body). TestTPCMockServer — mock HTTP server implementing COPY with performance markers and error scenarios.
• Integration: TestTPCPublicRead (public namespace, no source token) and TestTPCAuth (authenticated, both tokens) using federation test infrastructure.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• cilogon.org
  • Triggering command: /tmp/go-build3572016247/b001/client.test /tmp/go-build3572016247/b001/client.test -test.paniconexit0 -test.timeout=10m0s -test.v=true -test.run=TestCopyAuth -test.count=1 .cfg 0.1-go1.25.0.linux-amd64/pkg/tool/linux_amd64/vet -p AD/microsoft-aut--norc mpile 0.1-go1.25.0.linux-amd64/pkg/too-buildtags -o om/munnerz/goautoneg@v0.0.0-2019-errorsas .cfg 0.1-go1.25.0.linux-amd64/pkg/tool/linux_amd64/vet -p ongo-driver/bson--64 m 0.1-go1.25.0.lin/tmp/ccVamdr5.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Revisit third-party-copy mode for the client</issue_title>
<issue_description>In #1604, we drafted out a new mode for the client that could use XRootD's implementation of third-party-copy (the HTTP COPY verb) to do origin-to-origin transfers. Priorities shifted, we didn't complete the draft, and moved on. There have been numerous changes to the client since then so some concepts have been merged and others just have merge conflicts.

I'd like to revisit this work!

Using the old PR for the basic idea, please implement "pelican object copy" and (importantly!) "pelican object sync" for moving data between origins. Include integration tests; the integration test can show movement from an origin to itself to begin with. The initial use case will be for downloading from a public namespace; make sure there is test coverage for public sources. Include a unit test where a mock HTTP server in Golang is implementing COPY as well (don't just rely on the XRootD implementation).

Use the WLCG's documentation on the approach for HTTP-TPC. Some documentation is at https://twiki.cern.ch/twiki/bin/view/LCG/HttpTpcTechnical; other approach is in the original PR code.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Revisit third-party-copy mode for the client #3140

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[brianaydemir]

@bbockelm The error message when attempting a third-party copy between origins that aren't configured for it looks a bit odd:

DEBUG[2026-02-20T16:33:44Z] Matched object servers: https://origin-0:8443 
DEBUG[2026-02-20T16:33:44Z] Queuing transfer for object pelican://director:8444/tpc-test/data/foo/bar/0.1234 with first transfer URL: https://origin-0:8443/public/data/0.1234 
DEBUG[2026-02-20T16:33:44Z] Copying object from https://origin-0:8443/public/data/0.1234 to https://origin-1:8443/tpc-test/data/foo/bar/0.1234 
DEBUG[2026-02-20T16:33:44Z] Starting the HEAD request to the HTTP Third Party Copy source... 
DEBUG[2026-02-20T16:33:44Z] Starting the HTTP Third Party Copy transfer... 
ERROR[2026-02-20T16:33:44Z] TPC request was not successful (status code 200): OK 
ERROR[2026-02-20T16:33:44Z] Error when attempting to transfer object pelican://director:8444/tpc-test/data/foo/bar/0.1234 for client 019c7be6-4349-711d-a852-9c7e9bbc43d4: Request failed (HTTP status 200)

Specifically: "TPC request was not successful (status code 200): OK"