1a38902b0c
style: clean up code comments
2026-03-18 11:23:11 +00:00
3b9b2ee0a0
chore: repo cleanup — remove dead crates from workspace, stale files, duplicate assets
- Remove nora-cli and nora-storage from workspace (stub crates, not used)
- Remove root install.sh (duplicate of dist/install.sh)
- Remove root logo.jpg (duplicate of ui/logo.jpg)
- Remove committed SBOM .cdx.json files (generated by CI in release)
- Remove stale .githooks/ (real hook is in .git/hooks/)
- Update version in docs-ru to 0.2.32
- Add *.cdx.json to .gitignore
2026-03-18 11:20:22 +00:00
b7cb458edf
test: E2E smoke tests + Playwright browser tests (23 tests)
smoke.sh:
- Full E2E smoke test: health, npm proxy/publish/security, Maven, PyPI, Docker, Raw, UI, mirror CLI
- Self-contained: starts NORA, runs tests, cleans up
Playwright (tests/e2e/):
- Dashboard: page load, registry sections visible, npm count > 0, Docker stats
- npm: URL rewriting, scoped packages, tarball download, publish, immutability, security
- Docker: v2 check, catalog, manifest push/pull, tags list
- Maven: proxy download, upload
- PyPI: simple index, package page
- Raw: upload and download
- Health, metrics, OpenAPI endpoints
All 23 tests pass in 4.7s against live NORA instance.
2026-03-18 11:04:19 +00:00
e1a1d80a77
docs: add CII Best Practices passing badge
2026-03-18 10:46:51 +00:00
b50dd6386e
security: pin Docker base images by SHA, cosign signing in release, branch protection
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
2026-03-18 09:49:45 +00:00
6b5a397862
docs: changelog v0.2.32
2026-03-18 09:43:49 +00:00
6b4d627fa2
fix: allow NCSA license for libfuzzer-sys in cargo-deny
2026-03-18 09:27:30 +00:00
659e7730de
fix: add MIT license to nora-fuzz crate (cargo-deny compliance)
2026-03-18 09:23:31 +00:00
d0441f31d1
fix: correct cargo-deny key for unused license allowance
2026-03-18 09:19:50 +00:00
1956401932
fix: allow unused license entries in cargo-deny config
2026-03-18 09:15:25 +00:00
e415f0f1ce
fix: Docker dashboard for namespaced images, library/ auto-prepend for Hub official images (v0.2.32)
Docker dashboard:
- build_docker_index now finds manifests segment by position, not fixed index
- Correctly indexes library/alpine, grafana/grafana, and other namespaced images
Docker proxy:
- Auto-prepend library/ for single-segment names when upstream returns 404
- Applies to both manifests and blobs
- nginx, alpine, node now work without explicit library/ prefix
- Cached under original name for future local hits
v0.2.32
2026-03-18 08:07:53 +00:00
aa86633a04
security: add cargo-fuzz targets and ClusterFuzzLite config
Fuzz targets:
- fuzz_validation: storage key, Docker name, digest, reference validators
- fuzz_docker_manifest: Docker/OCI manifest media type detection
Infrastructure:
- lib.rs exposing validation module and docker_fuzz for fuzz harnesses
- ClusterFuzzLite project config (libfuzzer + ASan)
2026-03-17 11:20:17 +00:00
31afa1f70b
fix: use tags for scorecard webapp verification
2026-03-17 11:04:48 +00:00
f36abd82ef
fix: use scorecard-action by tag for webapp verification
2026-03-17 11:02:14 +00:00
ea6a86b0f1
docs: add OpenSSF Scorecard badge
2026-03-17 10:41:00 +00:00
638f99d8dc
Merge pull request #32 from getnora-io/dependabot/cargo/tracing-subscriber-0.3.23
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
2026-03-17 13:38:22 +03:00
c55307a3af
Merge pull request #31 from getnora-io/dependabot/cargo/clap-4.6.0
chore(deps): bump clap from 4.5.60 to 4.6.0
2026-03-17 13:38:20 +03:00
cc416f3adf
Merge pull request #30 from getnora-io/dependabot/cargo/tempfile-3.27.0
chore(deps): bump tempfile from 3.26.0 to 3.27.0
2026-03-17 13:38:17 +03:00
30aedac238
Merge pull request #33 from getnora-io/security/scorecard-hardening
security: OpenSSF Scorecard hardening
2026-03-17 13:36:40 +03:00
34e85acd6e
security: harden OpenSSF Scorecard compliance
- Pin all GitHub Actions by SHA hash (Pinned-Dependencies)
- Add top-level permissions: read-all (Token-Permissions)
- Add explicit job-level permissions (least privilege)
- Add OpenSSF Scorecard workflow with weekly schedule
- Publish scorecard results to scorecard.dev and GitHub Security tab
2026-03-17 10:30:15 +00:00
dependabot[bot]
41eefdd90d
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.22 to 0.3.23.
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.22...tracing-subscriber-0.3.23)
---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-version: 0.3.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-17 04:25:13 +00:00
dependabot[bot]
94ca418155
chore(deps): bump clap from 4.5.60 to 4.6.0
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.60 to 4.6.0.
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.60...clap_complete-v4.6.0)
---
updated-dependencies:
- dependency-name: clap
  dependency-version: 4.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-17 04:25:03 +00:00
dependabot[bot]
e72648a6c4
chore(deps): bump tempfile from 3.26.0 to 3.27.0
Bumps [tempfile](https://github.com/Stebalien/tempfile) from 3.26.0 to 3.27.0.
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.26.0...v3.27.0)
---
updated-dependencies:
- dependency-name: tempfile
  dependency-version: 3.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-17 04:24:55 +00:00
18e93d23a9
docs: Russian documentation — admin guide, user guide, technical spec (Минцифры)
2026-03-16 13:58:17 +00:00
db05adb060
docs: add CycloneDX SBOM (238 components, 0 vulnerabilities)
2026-03-16 13:29:59 +00:00
a57de6690e
feat: nora mirror CLI + systemd + install script
nora mirror:
- Pre-fetch dependencies through NORA proxy cache
- npm: --lockfile (v1/v2/v3) and --packages with --all-versions
- pip: requirements.txt parser
- cargo: Cargo.lock parser
- maven: dependency:list output parser
- Concurrent downloads (--concurrency, default 8)
- Progress bar with indicatif
- Health check before start
dist/:
- nora.service — systemd unit with security hardening
- nora.env.example — environment configuration template
- install.sh — automated install (binary + user + systemd + config)
Tested: 103 tests pass, 0 clippy warnings, cargo audit clean.
Smoke: mirrored 70 npm packages from real lockfile in 5.4s.
2026-03-16 13:27:37 +00:00
d3439ae33d
docs: changelog v0.2.31
2026-03-16 12:51:10 +00:00
b3b74b8b2d
feat: npm full proxy — URL rewriting, scoped packages, publish, integrity cache (v0.2.31)
npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)
npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata
Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)
Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)
v0.2.31
2026-03-16 12:32:16 +00:00
d41b55fa3a
style: cargo fmt
v0.2.30
2026-03-16 08:58:27 +00:00
5a68bfd695
fix: dashboard — docker namespaced repos, npm proxy cache, upstream display (v0.2.30)
2026-03-16 08:55:33 +00:00
9c8fee5a5d
docs: rewrite README — new slogan, roadmap, trim TLS/FSTEC, fix config example
2026-03-16 07:39:43 +00:00
bbff337b4c
fix: clean up stale smoke test container before run
v0.2.29
2026-03-15 22:25:37 +00:00
a73335c549
docs: trim README, link to docs site, fix website URL
2026-03-15 22:21:08 +00:00
ad6aba46b2
chore: remove internal release runbook from public repo
2026-03-15 21:57:05 +00:00
095270d113
fix: smoke test port mapping (4000, not 5000)
2026-03-15 21:54:13 +00:00
769f5fb01d
docs: update CHANGELOG and README for v0.2.29 upstream auth
2026-03-15 21:50:14 +00:00
53884e143b
v0.2.29: upstream auth, remove dead code, version bump
- Remove unused DockerAuth::fetch_with_auth() method
- Fix basic_auth_header docstring
- Bump to v0.2.29
2026-03-15 21:42:49 +00:00
0eb26f24f7
refactor: extract basic_auth_header helper, add plaintext credential warnings
- basic_auth_header() in config.rs replaces 6 inline STANDARD.encode calls
- warn_plaintext_credentials() logs warning at startup if auth is in config.toml
- All protocol handlers use shared helper instead of duplicating base64 logic
2026-03-15 21:37:51 +00:00
fa962b2d6e
feat: upstream auth for all protocols (Docker, Maven, npm, PyPI)
Wire up basic auth credentials for upstream registry proxying:
- Docker: pass configured auth to Bearer token requests
- Maven: support url|auth format in NORA_MAVEN_PROXIES env var
- npm: add NORA_NPM_PROXY_AUTH env var
- PyPI: add NORA_PYPI_PROXY_AUTH env var
- Mask credentials in logs (never log plaintext passwords)
Config examples:
NORA_DOCKER_UPSTREAMS="https://registry.corp.com|user:pass"
NORA_MAVEN_PROXIES="https://nexus.corp.com/maven2|user:pass"
NORA_NPM_PROXY_AUTH="user:pass"
NORA_PYPI_PROXY_AUTH="user:pass"
2026-03-15 21:29:20 +00:00
a1da4fff1e
fix: integration tests match actual protocol support
- Docker, Maven: full push/pull (write support exists)
- npm, PyPI, Cargo: endpoint checks only (read-only proxy, no publish yet)
2026-03-15 19:58:36 +00:00
868c4feca7
feat: add Maven, PyPI, Cargo integration tests
- Maven: PUT artifact, GET and verify checksum
- PyPI: twine upload + pip install
- Cargo: API endpoint check
- Now testing all 5 protocols: Docker, npm, Maven, PyPI, Cargo
2026-03-15 19:53:27 +00:00
5b4cba1392
fix: add npm auth token for integration test publish
2026-03-15 19:49:54 +00:00
ad890be56a
feat: add integration tests, release runbook, cache fallback
- CI: integration job — build NORA, docker push/pull, npm publish/install, API checks
- release: cache-from with ignore-error=true (no dependency on localhost:5000)
- RELEASE_RUNBOOK.md: rollback procedure, deploy order, verification steps
2026-03-15 19:36:38 +00:00
3b9ea37b0e
fix: cargo fmt, add .gitleaks.toml allowlist for doc examples
- remove extra blank lines in openapi.rs and secrets/mod.rs
- allowlist commit 92155cf (curl -u admin:yourpassword in README)
2026-03-15 19:27:36 +00:00
233b83f902
security: make CI gates blocking, add smoke test, clean up dead code
- gitleaks, cargo audit, trivy fs now block pipeline on findings
- add smoke test (docker run + curl /health) in release workflow
- deny.toml: add review date to RUSTSEC-2025-0119 ignore
- remove unused validation functions (maven, npm, crate)
- replace blanket #![allow(dead_code)] with targeted allows
2026-03-15 19:25:00 +00:00
d886426957
docs: fix docker badge to GHCR
2026-03-13 17:12:02 +00:00
52c2443543
docs: remove flaky logo, add docs/stars/docker-size badges
2026-03-13 17:09:13 +00:00
26d30b622d
style: cargo fmt
2026-03-13 16:59:54 +00:00
272898f43c
fix: quinn-proto CVE, add Telegram @getnora, fix website URL
2026-03-13 16:44:20 +00:00
61de6c6ddd
fix: persist dashboard metrics and count versions instead of repos
Metrics (downloads, uploads, cache hits) were stored in-memory only
and reset to zero on every restart. Now they persist to metrics.json
in the storage directory with:
- Load on startup from {storage_path}/metrics.json
- Background save every 30 seconds
- Final save on graceful shutdown
- Atomic writes (tmp + rename) to prevent corruption
Artifact count on dashboard now shows total tags/versions across
all registries instead of just counting unique repository names.
This matches user expectations when pushing multiple tags to the
same image (e.g. myapp:v1, myapp:v2 now shows 2, not 1).
2026-03-13 15:43:03 +00:00