security: harden Docker registry and container runtime

- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB

Cargo.lock

@@ -1267,20 +1267,6 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"
 
-[[package]]
-name = "nora-cli"
-version = "0.2.32"
-dependencies = [
- "clap",
- "flate2",
- "indicatif",
- "reqwest",
- "serde",
- "serde_json",
- "tar",
- "tokio",
-]
-
 [[package]]
 name = "nora-fuzz"
 version = "0.0.0"
@@ -1317,6 +1303,7 @@ dependencies = [
  "thiserror 2.0.18",
  "tokio",
  "toml",
+ "tower-http",
  "tower_governor",
  "tracing",
  "tracing-subscriber",
@@ -1327,25 +1314,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "nora-storage"
-version = "0.2.32"
-dependencies = [
- "axum",
- "base64",
- "chrono",
- "httpdate",
- "quick-xml",
- "serde",
- "serde_json",
- "sha2",
- "tokio",
- "toml",
- "tracing",
- "tracing-subscriber",
- "uuid",
-]
-
 [[package]]
 name = "nu-ansi-term"
 version = "0.50.3"
@@ -1540,16 +1508,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "quick-xml"
-version = "0.39.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "958f21e8e7ceb5a1aa7fa87fab28e7c75976e0bfe7e23ff069e0a260f894067d"
-dependencies = [
- "memchr",
- "serde",
-]
-
 [[package]]
 name = "quinn"
 version = "0.11.9"