7 Commits

Author	SHA1	Message	Date
Wes	98c9c33ea0	fix: correct zeroize annotation placement and avoid secret cloning in protected.rs (#108) ... S3Credentials had #[zeroize(skip)] on secret_access_key instead of access_key_id. The comment said "access_key_id is not sensitive" but the annotation was on the adjacent field. In practice ProtectedString has its own #[zeroize(drop)] so the secret was still zeroed on drop, but the annotation contradicted its own comment and would silently break if ProtectedString's drop behavior ever changed. ProtectedString::into_inner() cloned self.inner instead of moving it out. Use std::mem::take to swap the value out directly, avoiding the unnecessary heap allocation of the clone. // ticktockbent	2026-04-06 15:30:18 +03:00
DevITWay | Pavel Volkov	ac3a8a7c43	quality: MSRV, tarpaulin config, proptest for parsers (#84) ... * fix: proxy dedup, multi-registry GC, TOCTOU and credential hygiene - Deduplicate proxy_fetch/proxy_fetch_text into generic proxy_fetch_core with response extractor closure (removes ~50 lines of copy-paste) - GC now scans all registry prefixes, not just docker/ - Add tracing::warn to fire-and-forget cache writes in docker proxy - Mark S3 credentials as skip_serializing to prevent accidental leaks - Remove TOCTOU race in LocalStorage get/delete (redundant exists check) * chore: clean up root directory structure - Move Dockerfile.astra and Dockerfile.redos to deploy/ (niche builds should not clutter the project root) - Harden .gitignore to exclude session files, working notes, and internal review scripts * refactor(metrics): replace 13 atomic fields with CounterMap Per-registry download/upload counters were 13 individual AtomicU64 fields, each duplicated across new(), with_persistence(), save(), record_download(), record_upload(), and get_registry_* (6 touch points per counter). Adding a new registry required changes in 6+ places. Now uses CounterMap (HashMap<String, AtomicU64>) for per-registry counters. Adding a new registry = one entry in REGISTRIES const. Added Go registry to REGISTRIES, gaining go metrics for free. * quality: add MSRV, tarpaulin config, proptest for parsers - Set rust-version = 1.75 in workspace Cargo.toml (MSRV policy) - Add tarpaulin.toml: llvm engine, fail-under=25, json+html output - Add coverage/ to .gitignore - Update CI to use tarpaulin.toml instead of inline flags - Add proptest dev-dependency and property tests: - validation.rs: 16 tests (never-panics + invariants for all 4 validators) - pypi.rs: 5 tests (extract_filename never-panics + format assertions) * test: add unit tests for 14 modules, coverage 21% → 30% Add 149 new tests across auth, backup, gc, metrics, mirror parsers, docker (manifest detection, session cleanup, metadata serde), docker_auth (token cache), maven, npm, pypi (normalize, rewrite, extract), raw (content-type guessing), request_id, and s3 (URI encoding). Update tarpaulin.toml: raise fail-under to 30, exclude UI/main from coverage reporting as they require integration tests. * bench: add criterion benchmarks for validation and manifest parsing Add parsing benchmark suite with 14 benchmarks covering: - Storage key, Docker name, digest, and reference validation - Docker manifest media type detection (v2, OCI index, minimal, invalid) Run with: cargo bench --package nora-registry --bench parsing * test: add 48 integration tests via tower oneshot Add integration tests for all HTTP handlers: - health (3), raw (7), cargo (4), maven (4), request_id (2) - pypi (5), npm (5), docker (12), auth (6) Create test_helpers.rs with TestContext pattern. Add tower and http-body-util dev-dependencies. Update tarpaulin fail-under 30 to 40. Coverage: 29.5% to 43.3% (2089/4825 lines) * fix: clean clippy warnings in tests, fix flaky audit test Add #[allow(clippy::unwrap_used)] to 18 test modules. Fix 3 additional clippy lints: writeln_empty_string, needless_update, unnecessary_get_then_check. Fix flaky audit test: replace single sleep(50ms) with retry loop (max 1s). Prefix unused token variable with underscore. cargo clippy --all-targets = 0 warnings (was 245 errors)	2026-04-05 10:01:50 +03:00
devitway	582e8fbed1	fix: cargo fmt, add .gitleaks.toml allowlist for doc examples ... - remove extra blank lines in openapi.rs and secrets/mod.rs - allowlist commit 92155cf (curl -u admin:yourpassword in README)	2026-03-15 19:27:36 +00:00
devitway	233b83f902	security: make CI gates blocking, add smoke test, clean up dead code ... - gitleaks, cargo audit, trivy fs now block pipeline on findings - add smoke test (docker run + curl /health) in release workflow - deny.toml: add review date to RUSTSEC-2025-0119 ignore - remove unused validation functions (maven, npm, crate) - replace blanket #![allow(dead_code)] with targeted allows	2026-03-15 19:25:00 +00:00
DevITWay	7763b85b94	chore: add copyright headers to all source files ... Copyright (c) 2026 Volkov Pavel | DevITWay SPDX-License-Identifier: MIT	2026-01-31 12:39:31 +00:00
DevITWay	5fc4237ac5	feat: add Docker image metadata support ... - Store metadata (.meta.json) alongside manifests with: - push_timestamp, last_pulled, downloads counter - size_bytes, os, arch, variant - layers list with digest and size - Update metadata on manifest pull (increment downloads, update last_pulled) - Extract OS/arch from config blob on push - Extend UI API TagInfo with metadata fields - Add public_url config option for pull commands - Add Docker upstream proxy with auth support - Add raw repository support - Bump version to 0.2.12	2026-01-30 15:52:29 +00:00
DevITWay	ee4e01467a	feat: add secrets provider architecture ... Trait-based secrets management for secure credential handling: - SecretsProvider trait for pluggable backends - EnvProvider as default (12-Factor App pattern) - ProtectedString with zeroize (memory zeroed on drop) - Redacted Debug impl prevents secret leakage in logs - S3Credentials struct for future AWS S3 integration - Config: [secrets] section with provider and clear_env options Foundation for AWS Secrets Manager, Vault, K8s (v0.4.0+)	2026-01-30 10:02:58 +00:00