docs: add CONTRIBUTING.md and SECURITY.md

Copyright (c) 2026 Volkov Pavel | DevITWay
SPDX-License-Identifier: MIT

CHANGELOG.md

@@ -4,6 +4,53 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.18] - 2026-01-31
+
+### Changed
+- Logo styling refinements
+
+---
+
+## [0.2.17] - 2026-01-31
+
+### Added
+- Copyright headers to all source files (Volkov Pavel | DevITWay)
+- SPDX-License-Identifier: MIT in all .rs files
+
+---
+
+## [0.2.16] - 2026-01-31
+
+### Changed
+- N○RA branding: stylized O logo across dashboard
+- Fixed O letter alignment in logo
+
+---
+
+## [0.2.15] - 2026-01-31
+
+### Fixed
+- Code formatting (cargo fmt)
+
+---
+
+## [0.2.14] - 2026-01-31
+
+### Fixed
+- Docker dashboard now shows actual image size from manifest layers (config + layers sum)
+- Previously showed only manifest file size (~500 B instead of actual image size)
+
+---
+
+## [0.2.13] - 2026-01-31
+
+### Fixed
+- npm dashboard now shows correct version count and package sizes
+- Parses metadata.json for versions, dist.unpackedSize, and time.modified
+- Previously showed 0 versions / 0 B for all packages
+
+---
+
 ## [0.2.12] - 2026-01-30
 
 ### Added

CONTRIBUTING.md

@@ -1,100 +1,68 @@
 # Contributing to NORA
 
-Thanks for your interest in contributing to NORA!
+Thank you for your interest in contributing to NORA!
 
 ## Getting Started
 
-1. **Fork** the repository
-2. **Clone** your fork:
-   ```bash
-   git clone https://github.com/your-username/nora.git
-   cd nora
-   ```
-3. **Create a branch**:
-   ```bash
-   git checkout -b feature/your-feature-name
-   ```
+1. Fork the repository
+2. Clone your fork: `git clone https://github.com/YOUR_USERNAME/nora.git`
+3. Create a branch: `git checkout -b feature/your-feature`
 
 ## Development Setup
 
-### Prerequisites
-
-- Rust 1.75+ (`rustup update`)
-- Docker (for testing)
-- Git
-
-### Build
-
 ```bash
+# Install Rust (if needed)
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+
+# Build
 cargo build
-```
 
-### Run
-
-```bash
-cargo run --bin nora
-```
-
-### Test
-
-```bash
+# Run tests
 cargo test
-cargo clippy
-cargo fmt --check
+
+# Run locally
+cargo run --bin nora -- serve
 ```
 
-## Making Changes
-
-1. **Write code** following Rust conventions
-2. **Add tests** for new features
-3. **Update docs** if needed
-4. **Run checks**:
-   ```bash
-   cargo fmt
-   cargo clippy -- -D warnings
-   cargo test
-   ```
-
-## Commit Messages
-
-Follow [Conventional Commits](https://www.conventionalcommits.org/):
-
-- `feat:` - New feature
-- `fix:` - Bug fix
-- `docs:` - Documentation
-- `test:` - Tests
-- `refactor:` - Code refactoring
-- `chore:` - Maintenance
-
-Example:
-```bash
-git commit -m "feat: add S3 storage migration"
-```
-
-## Pull Request Process
-
-1. **Push** to your fork:
-   ```bash
-   git push origin feature/your-feature-name
-   ```
-
-2. **Open a Pull Request** on GitHub
-
-3. **Wait for review** - maintainers will review your PR
-
 ## Code Style
 
-- Follow Rust conventions
-- Use `cargo fmt` for formatting
-- Pass `cargo clippy` with no warnings
-- Write meaningful commit messages
+- Run `cargo fmt` before committing
+- Run `cargo clippy` and fix warnings
+- Follow Rust naming conventions
 
-## Questions?
+## Pull Request Process
 
-- Open an [Issue](https://github.com/getnora-io/nora/issues)
-- Ask in [Discussions](https://github.com/getnora-io/nora/discussions)
-- Reach out on [Telegram](https://t.me/DevITWay)
+1. Update documentation if needed
+2. Add tests for new features
+3. Ensure all tests pass: `cargo test`
+4. Ensure code is formatted: `cargo fmt --check`
+5. Ensure no clippy warnings: `cargo clippy`
 
----
+## Commit Messages
 
-Built with love by the NORA community
+Use conventional commits:
+
+- `feat:` - new feature
+- `fix:` - bug fix
+- `docs:` - documentation
+- `style:` - formatting
+- `refactor:` - code refactoring
+- `test:` - adding tests
+- `chore:` - maintenance
+
+Example: `feat: add OAuth2 authentication`
+
+## Reporting Issues
+
+- Use GitHub Issues
+- Include steps to reproduce
+- Include NORA version and OS
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the MIT License.
+
+## Contact
+
+- Telegram: [@DevITWay](https://t.me/DevITWay)
+- GitHub Issues: [getnora-io/nora](https://github.com/getnora-io/nora/issues)

Cargo.toml

@@ -7,7 +7,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.2.12"
+version = "0.2.18"
 edition = "2021"
 license = "MIT"
 authors = ["DevITWay <devitway@gmail.com>"]

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 DevITWay
+Copyright (c) 2026 Volkov Pavel | DevITWay
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

SECURITY.md

@@ -0,0 +1,53 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.2.x   | :white_check_mark: |
+| < 0.2   | :x:                |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them via:
+
+1. **Email:** devitway@gmail.com
+2. **Telegram:** [@DevITWay](https://t.me/DevITWay) (private message)
+
+### What to Include
+
+- Type of vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+### Response Timeline
+
+- **Initial response:** within 48 hours
+- **Status update:** within 7 days
+- **Fix timeline:** depends on severity
+
+### Severity Levels
+
+| Severity | Description | Response |
+|----------|-------------|----------|
+| Critical | Remote code execution, auth bypass | Immediate fix |
+| High | Data exposure, privilege escalation | Fix within 7 days |
+| Medium | Limited impact vulnerabilities | Fix in next release |
+| Low | Minor issues | Scheduled fix |
+
+## Security Best Practices
+
+When deploying NORA:
+
+1. **Enable authentication** - Set `NORA_AUTH_ENABLED=true`
+2. **Use HTTPS** - Put NORA behind a reverse proxy with TLS
+3. **Limit network access** - Use firewall rules
+4. **Regular updates** - Keep NORA updated to latest version
+5. **Secure credentials** - Use strong passwords, rotate tokens
+
+## Acknowledgments
+
+We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities.

nora-cli/src/main.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use clap::{Parser, Subcommand};
 
 #[derive(Parser)]

nora-registry/src/activity_log.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use chrono::{DateTime, Utc};
 use parking_lot::RwLock;
 use serde::Serialize;

nora-registry/src/auth.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use axum::{
     body::Body,
     extract::State,

nora-registry/src/backup.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Backup and restore functionality for Nora
 //!
 //! Exports all artifacts to a tar.gz file and restores from backups.

nora-registry/src/config.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use serde::{Deserialize, Serialize};
 use std::env;
 use std::fs;

nora-registry/src/dashboard_metrics.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::Instant;
 

nora-registry/src/error.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 #![allow(dead_code)]
 //! Application error handling with HTTP response conversion
 //!

nora-registry/src/health.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use axum::{extract::State, http::StatusCode, response::Json, routing::get, Router};
 use serde::Serialize;
 use std::sync::Arc;

nora-registry/src/main.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 mod activity_log;
 mod auth;
 mod backup;

nora-registry/src/metrics.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use axum::{
     body::Body,
     extract::MatchedPath,

nora-registry/src/migrate.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Migration between storage backends
 //!
 //! Supports migrating artifacts from one storage backend to another

nora-registry/src/openapi.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! OpenAPI documentation and Swagger UI
 //!
 //! Functions in this module are stubs used only for generating OpenAPI documentation.

nora-registry/src/rate_limit.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Rate limiting configuration and middleware
 //!
 //! Provides rate limiting to protect against:

nora-registry/src/registry/cargo_registry.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::AppState;
 use axum::{

nora-registry/src/registry/docker.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::registry::docker_auth::DockerAuth;
 use crate::storage::Storage;

nora-registry/src/registry/docker_auth.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use parking_lot::RwLock;
 use std::collections::HashMap;
 use std::time::{Duration, Instant};

nora-registry/src/registry/maven.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::AppState;
 use axum::{

nora-registry/src/registry/mod.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 mod cargo_registry;
 pub mod docker;
 pub mod docker_auth;

nora-registry/src/registry/npm.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::AppState;
 use axum::{

nora-registry/src/registry/pypi.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::AppState;
 use axum::{

nora-registry/src/registry/raw.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::AppState;
 use axum::{

nora-registry/src/request_id.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Request ID middleware for request tracking and correlation
 //!
 //! Generates a unique ID for each request that can be used for:

nora-registry/src/secrets/env.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Environment variables secrets provider
 //!
 //! Reads secrets from environment variables. This is the default provider

nora-registry/src/secrets/mod.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 #![allow(dead_code)] // Foundational code for future S3/Vault integration
 
 //! Secrets management for NORA

nora-registry/src/secrets/protected.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Protected secret types with memory safety
 //!
 //! Secrets are automatically zeroed on drop and redacted in Debug output.

nora-registry/src/storage/local.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use async_trait::async_trait;
 use axum::body::Bytes;
 use std::path::PathBuf;

nora-registry/src/storage/mod.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 mod local;
 mod s3;
 

nora-registry/src/storage/s3.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use async_trait::async_trait;
 use axum::body::Bytes;
 use chrono::Utc;

nora-registry/src/tokens.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256};
 use std::fs;

nora-registry/src/ui/api.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use super::components::{format_size, format_timestamp, html_escape};
 use super::templates::encode_uri_component;
 use crate::activity_log::ActivityEntry;

nora-registry/src/ui/components.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use super::i18n::{get_translations, Lang, Translations};
 
 /// Application version from Cargo.toml
@@ -137,7 +140,7 @@ fn sidebar_dark(active_page: Option<&str>, t: &Translations) -> String {
         <div id="sidebar" class="fixed md:static inset-y-0 left-0 z-50 w-64 bg-slate-800 text-white flex flex-col transform -translate-x-full md:translate-x-0 transition-transform duration-200 ease-in-out">
             <div class="h-16 flex items-center justify-between px-6 border-b border-slate-700">
                 <div class="flex items-center">
-                    <span class="text-2xl font-bold tracking-tight">N<span class="inline-block w-5 h-5 rounded-full border-2 border-current align-middle relative -top-0.5 mx-0.5"></span>RA</span>
+                    <span class="text-xl font-bold tracking-tight">N<span class="inline-block w-4 h-4 rounded-full border-2 border-current align-middle mx-px"></span>RA</span>
                 </div>
                 <button onclick="toggleSidebar()" class="md:hidden p-1 rounded-lg hover:bg-slate-700">
                     <svg class="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">

nora-registry/src/ui/i18n.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 /// Internationalization support for the UI
 use serde::{Deserialize, Serialize};
 

nora-registry/src/ui/mod.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 mod api;
 mod components;
 pub mod i18n;

nora-registry/src/ui/templates.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use super::api::{DashboardResponse, DockerDetail, MavenDetail, PackageDetail, RepoInfo};
 use super::components::*;
 use super::i18n::{get_translations, Lang};

nora-registry/src/validation.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 #![allow(dead_code)]
 //! Input validation for artifact registry paths and identifiers
 //!

nora-storage/src/config.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use serde::{Deserialize, Serialize};
 use std::fs;
 

nora-storage/src/main.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 mod config;
 
 use axum::extract::DefaultBodyLimit;