fix: proxy dedup, multi-registry GC, TOCTOU and credential hygiene (#83)

- Deduplicate proxy_fetch/proxy_fetch_text into generic proxy_fetch_core
  with response extractor closure (removes ~50 lines of copy-paste)
- GC now scans all registry prefixes, not just docker/
- Add tracing::warn to fire-and-forget cache writes in docker proxy
- Mark S3 credentials as skip_serializing to prevent accidental leaks
- Remove TOCTOU race in LocalStorage get/delete (redundant exists check)

nora-registry/src/config.rs

@@ -72,10 +72,10 @@ pub struct StorageConfig {
     #[serde(default = "default_bucket")]
     pub bucket: String,
     /// S3 access key (optional, uses anonymous access if not set)
-    #[serde(default)]
+    #[serde(default, skip_serializing)]
     pub s3_access_key: Option<String>,
     /// S3 secret key (optional, uses anonymous access if not set)
-    #[serde(default)]
+    #[serde(default, skip_serializing)]
     pub s3_secret_key: Option<String>,
     /// S3 region (default: us-east-1)
     #[serde(default = "default_s3_region")]