docs: add public roadmap, cosign verification in install script

.gitignore

@@ -12,7 +12,6 @@ internal config
 # Internal files
 SESSION*.md
 TODO.md
-ROADMAP*.md
 docs-site/
 docs/
 *.txt

ROADMAP.md

@@ -0,0 +1,38 @@
+# Roadmap
+
+> This roadmap reflects current priorities. It may change based on community feedback.
+
+## Recently Completed
+
+- **v0.2.32** — Docker dashboard fix for namespaced images, `library/` auto-prepend for Hub official images
+- **v0.2.31** — npm full proxy (URL rewriting, scoped packages, publish, SHA-256 integrity cache, metadata TTL)
+- **v0.2.29** — Upstream authentication for all protocols (Docker, Maven, npm, PyPI)
+
+## In Progress
+
+- **`nora mirror`** — Pre-fetch dependencies from lockfiles for air-gapped environments ([#40](https://github.com/getnora-io/nora/issues/40))
+  - npm: `package-lock.json` (v1/v2/v3)
+  - pip: `requirements.txt`
+  - cargo: `Cargo.lock`
+  - maven: dependency list
+
+## Next Up
+
+- **Consistent env var naming** — Unify `NORA_*_PROXY` / `NORA_*_UPSTREAMS` across all protocols ([#39](https://github.com/getnora-io/nora/issues/39))
+- **Package blocklist** — Deny specific packages or versions via config ([#41](https://github.com/getnora-io/nora/issues/41))
+- **Multiple upstreams for npm/PyPI** — Same as Maven already supports
+- **v1.0.0 release** — Stable API, production-ready
+
+## Future
+
+- Docker image mirroring ([#42](https://github.com/getnora-io/nora/issues/42))
+- Virtual repositories via config (named endpoints with custom search order)
+- Path-based ACL (per-namespace write permissions)
+- OIDC/LDAP authentication
+- HA mode (stateless API + external database)
+- Golang modules proxy
+- Content trust (Cosign/Notation verification)
+
+## How to Influence
+
+Open an issue or join [Telegram](https://t.me/getnora) to discuss priorities.

dist/install.sh

@@ -37,6 +37,26 @@ else
 fi
 
 chmod +x /tmp/nora
+
+# Verify signature if cosign is available
+if command -v cosign &>/dev/null; then
+    echo "Verifying binary signature..."
+    SIG_URL="${DOWNLOAD_URL}.sig"
+    CERT_URL="${DOWNLOAD_URL}.pem"
+    if curl -fsSL -o /tmp/nora.sig "$SIG_URL" 2>/dev/null && \
+       curl -fsSL -o /tmp/nora.pem "$CERT_URL" 2>/dev/null; then
+        cosign verify-blob --signature /tmp/nora.sig --certificate /tmp/nora.pem \
+            --certificate-identity-regexp "github.com/getnora-io/nora" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            /tmp/nora && echo "Signature verified." || echo "Warning: signature verification failed."
+        rm -f /tmp/nora.sig /tmp/nora.pem
+    else
+        echo "Signature files not available, skipping verification."
+    fi
+else
+    echo "Install cosign for binary signature verification: https://docs.sigstore.dev/cosign/system_config/installation/"
+fi
+
 sudo mv /tmp/nora "$INSTALL_DIR/nora"
 
 # Create system user