fix: code quality hardening — unwrap removal, unsafe forbid, Go/Raw tests (#72)

* fix: remove unwrap() from production code, improve error handling

- Replace unwrap() with proper error handling in npm, mirror, validation
- Add input validation to cargo registry (crate name + version)
- Improve expect() messages with descriptive context in metrics, rate_limit
- Remove unnecessary clone() in error.rs, docker.rs, npm.rs, dashboard_metrics
- Add #![deny(clippy::unwrap_used)] to prevent future unwrap in prod code
- Add let-else pattern for safer null checks in validation.rs

* docs: update SECURITY.md — add 0.3.x to supported versions

* security: forbid unsafe code at crate level

Add #![forbid(unsafe_code)] to both lib.rs and main.rs.
NORA has zero unsafe blocks — this prevents future additions
without removing the forbid attribute (stronger than deny).

* build: add rust-toolchain.toml, Dockerfile HEALTHCHECK

- Pin toolchain to stable with clippy + rustfmt components
- Add Docker HEALTHCHECK for standalone deployments (wget /health)

* test: add Go proxy and Raw registry integration tests

Go proxy tests: list, .info, .mod, @latest, path traversal, 404
Raw registry tests: upload/download, HEAD, 404, path traversal,
overwrite, delete, binary data (10KB)

nora-registry/src/registry/npm.rs

@@ -176,8 +176,7 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
             } else {
                 // Metadata: rewrite tarball URLs to point to NORA
                 let nora_base = nora_base_url(&state);
-                let rewritten = rewrite_tarball_urls(&data, &nora_base, proxy_url)
-                    .unwrap_or_else(|_| data.clone());
+                let rewritten = rewrite_tarball_urls(&data, &nora_base, proxy_url).unwrap_or(data);
 
                 data_to_cache = rewritten.clone();
                 data_to_serve = rewritten;
@@ -217,8 +216,7 @@ async fn refetch_metadata(state: &Arc<AppState>, path: &str, key: &str) -> Optio
     .ok()?;
 
     let nora_base = nora_base_url(state);
-    let rewritten =
-        rewrite_tarball_urls(&data, &nora_base, proxy_url).unwrap_or_else(|_| data.clone());
+    let rewritten = rewrite_tarball_urls(&data, &nora_base, proxy_url).unwrap_or(data);
 
     let storage = state.storage.clone();
     let key_clone = key.to_string();
@@ -346,7 +344,9 @@ async fn handle_publish(
     }
 
     // Merge versions
-    let meta_obj = metadata.as_object_mut().unwrap();
+    let Some(meta_obj) = metadata.as_object_mut() else {
+        return (StatusCode::INTERNAL_SERVER_ERROR, "invalid metadata format").into_response();
+    };
     let stored_versions = meta_obj.entry("versions").or_insert(serde_json::json!({}));
     if let Some(sv) = stored_versions.as_object_mut() {
         for (ver, ver_data) in new_versions {