chore: bump version to 0.2.28

chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0

.github/workflows/ci.yml

@@ -72,7 +72,7 @@ jobs:
       # ── CVE scan of source tree and Cargo.lock ──────────────────────────────
       - name: Trivy — filesystem scan (Cargo.lock + source)
         if: always()
-        uses: aquasecurity/trivy-action@0.34.1
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           scan-type: fs
           scan-ref: .

.github/workflows/release.yml

@@ -6,6 +6,7 @@ on:
 
 env:
   REGISTRY: ghcr.io
+  NORA: localhost:5000
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
@@ -17,7 +18,7 @@ jobs:
       packages: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Rust
         run: |
@@ -30,29 +31,40 @@ jobs:
           cargo build --release --target x86_64-unknown-linux-musl --package nora-registry
           cp target/x86_64-unknown-linux-musl/release/nora ./nora
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: nora-binary-${{ github.run_id }}
+          path: ./nora
+          retention-days: 1
 
-      - name: Log in to Container Registry
-        uses: docker/login-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+        with:
+          driver-opts: network=host
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # ── Alpine (standard) ────────────────────────────────────────────────────
+      # ── Alpine ───────────────────────────────────────────────────────────────
       - name: Extract metadata (alpine)
         id: meta-alpine
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: |
+            ${{ env.NORA }}/${{ env.IMAGE_NAME }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=raw,value=latest
 
       - name: Build and push (alpine)
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: Dockerfile
@@ -60,15 +72,17 @@ jobs:
           push: true
           tags: ${{ steps.meta-alpine.outputs.tags }}
           labels: ${{ steps.meta-alpine.outputs.labels }}
-          cache-from: type=gha,scope=alpine
-          cache-to: type=gha,mode=max,scope=alpine
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine
+          cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine,mode=max
 
       # ── RED OS ───────────────────────────────────────────────────────────────
       - name: Extract metadata (redos)
         id: meta-redos
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: |
+            ${{ env.NORA }}/${{ env.IMAGE_NAME }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: suffix=-redos,onlatest=true
           tags: |
             type=semver,pattern={{version}}
@@ -76,7 +90,7 @@ jobs:
             type=raw,value=redos
 
       - name: Build and push (redos)
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: Dockerfile.redos
@@ -84,12 +98,38 @@ jobs:
           push: true
           tags: ${{ steps.meta-redos.outputs.tags }}
           labels: ${{ steps.meta-redos.outputs.labels }}
-          cache-from: type=gha,scope=redos
-          cache-to: type=gha,mode=max,scope=redos
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos
+          cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos,mode=max
+
+      # ── Astra Linux SE ───────────────────────────────────────────────────────
+      - name: Extract metadata (astra)
+        id: meta-astra
+        uses: docker/metadata-action@v6
+        with:
+          images: |
+            ${{ env.NORA }}/${{ env.IMAGE_NAME }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: suffix=-astra,onlatest=true
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=astra
+
+      - name: Build and push (astra)
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: Dockerfile.astra
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta-astra.outputs.tags }}
+          labels: ${{ steps.meta-astra.outputs.labels }}
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra
+          cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,mode=max
 
   scan:
     name: Scan (${{ matrix.name }})
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, nora]
     needs: build
     permissions:
       contents: read
@@ -104,30 +144,23 @@ jobs:
             suffix: ""
           - name: redos
             suffix: "-redos"
+          - name: astra
+            suffix: "-astra"
 
     steps:
-      - name: Log in to Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Set version tag (strip leading v)
         id: ver
         run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
 
-      # ── CVE scan of the pushed image ────────────────────────────────────────
-      # Images are FROM scratch — no OS packages, only binary CVE scan
       - name: Trivy — image scan (${{ matrix.name }})
-        uses: aquasecurity/trivy-action@0.30.0
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           scan-type: image
-          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
+          image-ref: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
           format: sarif
           output: trivy-image-${{ matrix.name }}.sarif
           severity: HIGH,CRITICAL
-          exit-code: 1  # block release on HIGH/CRITICAL vulnerabilities
+          exit-code: 1
 
       - name: Upload Trivy image results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v4
@@ -138,59 +171,49 @@ jobs:
 
   release:
     name: GitHub Release
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, nora]
     needs: [build, scan]
     permissions:
       contents: write
-      packages: read  # to pull image for SBOM generation
+      packages: read
 
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Log in to Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v6
 
       - name: Set version tag (strip leading v)
         id: ver
         run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
 
-      # ── Binary — extract from Docker image ──────────────────────────────────
-      - name: Extract binary from image
+      - name: Download binary artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: nora-binary-${{ github.run_id }}
+          path: ./artifacts
+
+      - name: Prepare binary
         run: |
-          docker create --name nora-extract \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
-          docker cp nora-extract:/usr/local/bin/nora ./nora-linux-amd64
-          docker rm nora-extract
+          cp ./artifacts/nora ./nora-linux-amd64
           chmod +x ./nora-linux-amd64
           sha256sum ./nora-linux-amd64 > nora-linux-amd64.sha256
           echo "Binary size: $(du -sh nora-linux-amd64 | cut -f1)"
           cat nora-linux-amd64.sha256
 
-      # ── SBOM — Software Bill of Materials ───────────────────────────────────
       - name: Generate SBOM (SPDX)
         uses: anchore/sbom-action@v0
         with:
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
+          image: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
           format: spdx-json
           output-file: nora-${{ github.ref_name }}.sbom.spdx.json
-          registry-username: ${{ github.actor }}
-          registry-password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Generate SBOM (CycloneDX)
         uses: anchore/sbom-action@v0
         with:
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
+          image: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
           format: cyclonedx-json
           output-file: nora-${{ github.ref_name }}.sbom.cdx.json
-          registry-username: ${{ github.actor }}
-          registry-password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           generate_release_notes: true
           files: |
@@ -225,6 +248,11 @@ jobs:
             docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-redos
             ```
 
+            **Astra Linux SE:**
+            ```bash
+            docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-astra
+            ```
+
             ## Changelog
 
             See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md)

CHANGELOG.md

@@ -4,6 +4,170 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.27] - 2026-03-03
+
+### Added / Добавлено
+- **Configurable body limit**: `NORA_BODY_LIMIT_MB` env var (default: `2048` = 2GB) — replaces hardcoded 100MB limit that caused `413 Payload Too Large` on large Docker image push
+- **Настраиваемый лимит тела запроса**: переменная `NORA_BODY_LIMIT_MB` (по умолчанию: `2048` = 2GB) — заменяет захардкоженный лимит 100MB, вызывавший `413 Payload Too Large` при push больших Docker-образов
+- **Docker Delete API**: `DELETE /v2/{name}/manifests/{reference}` and `DELETE /v2/{name}/blobs/{digest}` per Docker Registry V2 spec (returns 202 Accepted)
+- **Docker Delete API**: `DELETE /v2/{name}/manifests/{reference}` и `DELETE /v2/{name}/blobs/{digest}` по спецификации Docker Registry V2 (возвращает 202 Accepted)
+- Namespace-qualified DELETE variants (`/v2/{ns}/{name}/...`)
+- Audit log integration for delete operations
+
+### Fixed / Исправлено
+- Docker push of images >100MB no longer fails with 413 error
+- Push Docker-образов >100MB больше не падает с ошибкой 413
+
+---
+
+## [0.2.26] - 2026-03-03
+
+### Added / Добавлено
+- **Helm OCI support**: `helm push` / `helm pull` now works out of the box via OCI protocol
+- **Поддержка Helm OCI**: `helm push` / `helm pull` теперь работают из коробки через OCI протокол
+- **RBAC**: Token-based role system with three roles — `read`, `write`, `admin` (default: `read`)
+- **RBAC**: Ролевая система на основе токенов — `read`, `write`, `admin` (по умолчанию: `read`)
+- **Audit log**: Persistent append-only JSONL audit trail for all registry operations (`{storage}/audit.jsonl`)
+- **Аудит**: Персистентный append-only JSONL лог всех операций реестра (`{storage}/audit.jsonl`)
+- **GC command**: `nora gc --dry-run` — garbage collection for orphaned blobs (mark-and-sweep)
+- **Команда GC**: `nora gc --dry-run` — сборка мусора для осиротевших блобов (mark-and-sweep)
+
+### Fixed / Исправлено
+- **Helm OCI pull**: Fixed OCI manifest media type detection — manifests with non-Docker `config.mediaType` now correctly return `application/vnd.oci.image.manifest.v1+json`
+- **Helm OCI pull**: Исправлено определение media type OCI манифестов — манифесты с не-Docker `config.mediaType` теперь корректно возвращают `application/vnd.oci.image.manifest.v1+json`
+- **Docker-Content-Digest**: Added missing header in blob upload response (required by Helm OCI client)
+- **Docker-Content-Digest**: Добавлен отсутствующий заголовок в ответе на загрузку blob (требуется клиентом Helm OCI)
+
+### Security / Безопасность
+- Read-only tokens (`role: read`) are now blocked from PUT/POST/DELETE/PATCH operations with HTTP 403
+- Токены только для чтения (`role: read`) теперь блокируются при PUT/POST/DELETE/PATCH с HTTP 403
+
+---
+
+## [0.2.25] - 2026-03-03
+
+### Fixed / Исправлено
+- **Rate limiter fix**: Added `NORA_RATE_LIMIT_ENABLED` env var (default: `true`) to disable rate limiting on internal deployments
+- **Исправление rate limiter**: Добавлена переменная `NORA_RATE_LIMIT_ENABLED` (по умолчанию: `true`) для отключения rate limiting на внутренних инсталляциях
+- **SmartIpKeyExtractor**: Upload and general routes now use `SmartIpKeyExtractor` (reads `X-Forwarded-For`) instead of `PeerIpKeyExtractor` — fixes 429 errors behind reverse proxy / Docker bridge
+- **SmartIpKeyExtractor**: Маршруты upload и general теперь используют `SmartIpKeyExtractor` (читает `X-Forwarded-For`) вместо `PeerIpKeyExtractor` — устраняет ошибки 429 за reverse proxy / Docker bridge
+
+### Dependencies / Зависимости
+- `clap` 4.5.56 → 4.5.60
+- `uuid` 1.20.0 → 1.21.0
+- `tempfile` 3.24.0 → 3.26.0
+- `bcrypt` 0.17.1 → 0.18.0
+- `indicatif` 0.17.11 → 0.18.4
+
+### CI/CD
+- `actions/checkout` 4 → 6
+- `actions/upload-artifact` 4 → 7
+- `softprops/action-gh-release` 1 → 2
+- `aquasecurity/trivy-action` 0.30.0 → 0.34.2
+- `docker/build-push-action` 5 → 6
+- Move scan/release to self-hosted runner with NORA cache
+- Сканирование/релиз перенесены на self-hosted runner с кэшем через NORA
+
+---
+
+## [0.2.24] - 2026-02-24
+
+### Added / Добавлено
+- `install.sh` installer script live at <https://getnora.io/install.sh> — `curl -fsSL https://getnora.io/install.sh | sh`
+- Скрипт установки `install.sh` доступен на <https://getnora.io/install.sh>
+
+### CI/CD
+- Restore Astra Linux SE Docker image build, Trivy scan, and release artifact (`-astra` tag)
+- Восстановлена сборка Docker-образа для Astra Linux SE, сканирование Trivy и артефакт релиза (тег `-astra`)
+
+---
+
+## [0.2.23] - 2026-02-24
+
+### Added / Добавлено
+- Binary (`nora`) + SHA-256 checksum attached to every GitHub Release
+- Бинарник (`nora`) и SHA-256 контрольная сумма прикреплены к каждому релизу GitHub
+
+### Fixed / Исправлено
+- Security: bump `prometheus` 0.13 → 0.14 (CVE-2025-53605) and `bytes` 1.11.0 → 1.11.1 (CVE-2026-25541)
+- Безопасность: обновлены `prometheus` 0.13 → 0.14 (CVE-2025-53605) и `bytes` 1.11.0 → 1.11.1 (CVE-2026-25541)
+
+### CI/CD
+- Add Dependabot for automated dependency updates / Добавлен Dependabot для автоматического обновления зависимостей
+- Pin `aquasecurity/trivy-action` to `0.30.0`, bump to `0.34.1`; scan gate blocks release on HIGH/CRITICAL CVE
+- Закреплён `trivy-action@0.30.0`, обновлён до `0.34.1`; сканирование блокирует релиз при HIGH/CRITICAL CVE
+- Upgrade `codeql-action` v3 → v4 / Обновлён `codeql-action` v3 → v4
+- Fix `deny.toml` deprecated keys (`copyleft`, `unlicensed` removed in `cargo-deny`) / Исправлены устаревшие ключи в `deny.toml`
+- Fix binary path in Docker image (`/usr/local/bin/nora`) / Исправлен путь бинарника в Docker-образе
+- Pin build job to `nora` runner label / Джоб сборки закреплён за runner'ом с меткой `nora`
+- Allow `CDLA-Permissive-2.0` license (`webpki-roots`) / Разрешена лицензия `CDLA-Permissive-2.0`
+- Ignore `RUSTSEC-2025-0119` (unmaintained transitive dep `number_prefix` via `indicatif`)
+
+### Dependencies / Зависимости
+- `chrono` 0.4.43 → 0.4.44
+- `quick-xml` 0.31.0 → 0.39.2
+- `toml` 0.8.23 → 1.0.3+spec-1.1.0
+- `flate2` 1.1.8 → 1.1.9
+- `softprops/action-gh-release` 1 → 2
+- `actions/checkout` 4 → 6
+- `docker/build-push-action` 5 → 6
+
+### Documentation / Документация
+- Replace text title with SVG logo; `O` styled in blue-600 / Заголовок заменён SVG-логотипом; буква `O` стилизована в blue-600
+
+---
+
+## [0.2.22] - 2026-02-24
+
+### Changed / Изменено
+- First stable release with Docker images published to container registry
+- Первый стабильный релиз с Docker-образами, опубликованными в container registry
+
+---
+
+## [0.2.21] - 2026-02-24
+
+### CI/CD
+- Consolidate all Docker builds into a single job to fix runner network issues / Все Docker-сборки объединены в один job для устранения сетевых проблем runner'а
+- Build musl static binary for maximum portability / Сборка musl-бинарника для максимальной переносимости
+- Add security scanning (Trivy) + SBOM generation to release pipeline / Добавлено сканирование безопасности (Trivy) и генерация SBOM в pipeline релиза
+- Add Cargo cache to speed up builds / Добавлен кэш Cargo для ускорения сборок
+- Replace `gitleaks` GitHub Action with CLI (no license requirement) / `gitleaks` Action заменён CLI-вызовом (лицензия не требуется)
+- Use GitHub-runner's own Rust toolchain (avoid path conflicts) / Используется Rust toolchain самого GitHub-runner'а
+- Use shared runner filesystem instead of artifact API (avoids network upload latency) / Общая файловая система runner'а вместо artifact API
+- Remove Astra Linux build temporarily / Сборка для Astra Linux временно удалена
+
+---
+
+## [0.2.20] - 2026-02-23
+
+### Added / Добавлено
+- Parallel CI builds for Astra Linux and RedOS / Параллельная сборка в CI для Astra Linux и RedOS
+
+### Changed / Изменено
+- Use `FROM scratch` base image for Astra Linux and RedOS Docker builds / Базовый образ `FROM scratch` для Docker-сборок Astra Linux и RedOS
+- Shared `reqwest::Client` across all registry handlers / Общий `reqwest::Client` для всех registry-обработчиков
+
+### Fixed / Исправлено
+- Auth: replace `starts_with` with explicit `matches!` for token path checks / Аутентификация: `starts_with` заменён явной проверкой `matches!` для путей с токенами
+- Remove unnecessary QEMU step for amd64-only builds / Удалён лишний шаг QEMU для amd64-сборок
+
+---
+
+## [0.2.19] - 2026-01-31
+
+### Added / Добавлено
+- Pre-commit hook to prevent accidental commits of sensitive files / Pre-commit хук для защиты от случайного коммита чувствительных файлов
+- README badges: build status, version, license / Бейджи в README: статус сборки, версия, лицензия
+
+### Performance / Производительность
+- In-memory repository index with pagination for faster dashboard load / Индекс репозитория в памяти с пагинацией для ускорения загрузки дашборда
+
+### Fixed / Исправлено
+- Use `div_ceil` instead of manual ceiling division / Использован `div_ceil` вместо ручной реализации деления с округлением вверх
+
+---
+
 ## [0.2.18] - 2026-01-31
 
 ### Changed

CHANGELOG.md.bak

@@ -0,0 +1,414 @@
+# Changelog
+
+All notable changes to NORA will be documented in this file.
+
+---
+
+## [0.2.18] - 2026-01-31
+
+### Changed
+- Logo styling refinements
+
+---
+
+## [0.2.17] - 2026-01-31
+
+### Added
+- Copyright headers to all source files (Volkov Pavel | DevITWay)
+- SPDX-License-Identifier: MIT in all .rs files
+
+---
+
+## [0.2.16] - 2026-01-31
+
+### Changed
+- N○RA branding: stylized O logo across dashboard
+- Fixed O letter alignment in logo
+
+---
+
+## [0.2.15] - 2026-01-31
+
+### Fixed
+- Code formatting (cargo fmt)
+
+---
+
+## [0.2.14] - 2026-01-31
+
+### Fixed
+- Docker dashboard now shows actual image size from manifest layers (config + layers sum)
+- Previously showed only manifest file size (~500 B instead of actual image size)
+
+---
+
+## [0.2.13] - 2026-01-31
+
+### Fixed
+- npm dashboard now shows correct version count and package sizes
+- Parses metadata.json for versions, dist.unpackedSize, and time.modified
+- Previously showed 0 versions / 0 B for all packages
+
+---
+
+## [0.2.12] - 2026-01-30
+
+### Added
+
+#### Configurable Rate Limiting
+- Rate limits now configurable via `config.toml` and environment variables
+- New config section `[rate_limit]` with parameters: `auth_rps`, `auth_burst`, `upload_rps`, `upload_burst`, `general_rps`, `general_burst`
+- Environment variables: `NORA_RATE_LIMIT_{AUTH|UPLOAD|GENERAL}_{RPS|BURST}`
+
+#### Secrets Provider Architecture
+- Trait-based secrets management (`SecretsProvider` trait)
+- ENV provider as default (12-Factor App pattern)
+- Protected secrets with `zeroize` (memory zeroed on drop)
+- Redacted Debug impl prevents secret leakage in logs
+- New config section `[secrets]` with `provider` and `clear_env` options
+
+#### Docker Image Metadata
+- Support for image metadata retrieval
+
+#### Documentation
+- Bilingual onboarding guide (EN/RU)
+
+---
+
+## [0.2.11] - 2026-01-26
+
+### Added
+- Internationalization (i18n) support
+- PyPI registry proxy
+- UI improvements
+
+---
+
+## [0.2.10] - 2026-01-26
+
+### Changed
+- Dark theme applied to all UI pages
+
+---
+
+## [0.2.9] - 2026-01-26
+
+### Changed
+- Version bump release
+
+---
+
+## [0.2.8] - 2026-01-26
+
+### Added
+- Dashboard endpoint added to OpenAPI documentation
+
+---
+
+## [0.2.7] - 2026-01-26
+
+### Added
+- Dynamic version display in UI sidebar
+
+---
+
+## [0.2.6] - 2026-01-26
+
+### Added
+
+#### Dashboard Metrics
+- Global stats panel: downloads, uploads, artifacts, cache hit rate, storage
+- Extended registry cards with artifact count, size, counters
+- Activity log (last 20 events)
+
+#### UI
+- Dark theme (bg: #0f172a, cards: #1e293b)
+
+---
+
+## [0.2.5] - 2026-01-26
+
+### Fixed
+- Docker push/pull: added PATCH endpoint for chunked uploads
+
+---
+
+## [0.2.4] - 2026-01-26
+
+### Fixed
+- Rate limiting: health/metrics endpoints now exempt
+- Increased upload rate limits for Docker parallel requests
+
+---
+
+## [0.2.0] - 2026-01-25
+
+### Added
+
+#### UI: SVG Brand Icons
+- Replaced emoji icons with proper SVG brand icons (Simple Icons style)
+- Docker, Maven, npm, Cargo, PyPI icons now render as scalable vector graphics
+- Consistent icon styling across dashboard, sidebar, and detail pages
+
+#### Testing Infrastructure
+- Unit tests for LocalStorage (8 tests): put/get, list, stat, health_check
+- Unit tests for S3Storage with wiremock HTTP mocking (11 tests)
+- Integration tests for auth/htpasswd (7 tests)
+- Token lifecycle tests (11 tests)
+- Validation tests (21 tests)
+- **Total: 75 tests passing**
+
+#### Security: Input Validation (`validation.rs`)
+- Path traversal protection: rejects `../`, `..\\`, null bytes, absolute paths
+- Docker image name validation per OCI distribution spec
+- Content digest validation (`sha256:[64 hex]`, `sha512:[128 hex]`)
+- Docker tag/reference validation
+- Storage key length limits (max 1024 chars)
+
+#### Security: Rate Limiting (`rate_limit.rs`)
+- Auth endpoints: 1 req/sec, burst 5 (brute-force protection)
+- Upload endpoints: 10 req/sec, burst 20
+- General endpoints: 100 req/sec, burst 200
+- Uses `tower_governor` 0.8 with `PeerIpKeyExtractor`
+
+#### Observability: Request ID Tracking (`request_id.rs`)
+- `X-Request-ID` header added to all responses
+- Accepts upstream request ID or generates UUID v4
+- Tracing spans include request_id for log correlation
+
+#### CLI: Migrate Command (`migrate.rs`)
+- `nora migrate --from local --to s3` - migrate between storage backends
+- `--dry-run` flag for preview without copying
+- Progress bar with indicatif
+- Skips existing files in destination
+- Summary statistics (migrated, skipped, failed, bytes)
+
+#### Error Handling (`error.rs`)
+- `AppError` enum with `IntoResponse` for Axum
+- Automatic conversion from `StorageError` and `ValidationError`
+- JSON error responses with request_id support
+
+### Changed
+- `StorageError` now uses `thiserror` derive macro
+- `TokenError` now uses `thiserror` derive macro
+- Storage wrapper validates keys before delegating to backend
+- Docker registry handlers validate name, digest, reference inputs
+- Body size limit set to 100MB default via `DefaultBodyLimit`
+
+### Dependencies Added
+- `thiserror = "2"` - typed error handling
+- `tower_governor = "0.8"` - rate limiting
+- `governor = "0.10"` - rate limiting backend
+- `tempfile = "3"` (dev) - temporary directories for tests
+- `wiremock = "0.6"` (dev) - HTTP mocking for S3 tests
+
+### Files Added
+- `src/validation.rs` - input validation module
+- `src/migrate.rs` - storage migration module
+- `src/error.rs` - application error types
+- `src/request_id.rs` - request ID middleware
+- `src/rate_limit.rs` - rate limiting configuration
+
+---
+
+## [0.1.0] - 2026-01-24
+
+### Added
+- Multi-protocol support: Docker Registry v2, Maven, npm, Cargo, PyPI
+- Web UI dashboard
+- Swagger UI (`/api-docs`)
+- Storage backends: Local filesystem, S3-compatible
+- Smart proxy/cache for Maven and npm
+- Health checks (`/health`, `/ready`)
+- Basic authentication (htpasswd with bcrypt)
+- API tokens (revocable, per-user)
+- Prometheus metrics (`/metrics`)
+- JSON structured logging
+- Environment variable configuration
+- Graceful shutdown (SIGTERM/SIGINT)
+- Backup/restore commands
+
+---
+
+# Журнал изменений (RU)
+
+Все значимые изменения NORA документируются в этом файле.
+
+---
+
+## [0.2.12] - 2026-01-30
+
+### Добавлено
+
+#### Настраиваемый Rate Limiting
+- Rate limits настраиваются через `config.toml` и переменные окружения
+- Новая секция `[rate_limit]` с параметрами: `auth_rps`, `auth_burst`, `upload_rps`, `upload_burst`, `general_rps`, `general_burst`
+- Переменные окружения: `NORA_RATE_LIMIT_{AUTH|UPLOAD|GENERAL}_{RPS|BURST}`
+
+#### Архитектура Secrets Provider
+- Trait-based управление секретами (`SecretsProvider` trait)
+- ENV provider по умолчанию (12-Factor App паттерн)
+- Защищённые секреты с `zeroize` (память обнуляется при drop)
+- Redacted Debug impl предотвращает утечку секретов в логи
+- Новая секция `[secrets]` с опциями `provider` и `clear_env`
+
+#### Docker Image Metadata
+- Поддержка получения метаданных образов
+
+#### Документация
+- Двуязычный onboarding guide (EN/RU)
+
+---
+
+## [0.2.11] - 2026-01-26
+
+### Добавлено
+- Поддержка интернационализации (i18n)
+- PyPI registry proxy
+- Улучшения UI
+
+---
+
+## [0.2.10] - 2026-01-26
+
+### Изменено
+- Тёмная тема применена ко всем страницам UI
+
+---
+
+## [0.2.9] - 2026-01-26
+
+### Изменено
+- Релиз с обновлением версии
+
+---
+
+## [0.2.8] - 2026-01-26
+
+### Добавлено
+- Dashboard endpoint добавлен в OpenAPI документацию
+
+---
+
+## [0.2.7] - 2026-01-26
+
+### Добавлено
+- Динамическое отображение версии в сайдбаре UI
+
+---
+
+## [0.2.6] - 2026-01-26
+
+### Добавлено
+
+#### Dashboard Metrics
+- Глобальная панель статистики: downloads, uploads, artifacts, cache hit rate, storage
+- Расширенные карточки реестров с количеством артефактов, размером, счётчиками
+- Лог активности (последние 20 событий)
+
+#### UI
+- Тёмная тема (bg: #0f172a, cards: #1e293b)
+
+---
+
+## [0.2.5] - 2026-01-26
+
+### Исправлено
+- Docker push/pull: добавлен PATCH endpoint для chunked uploads
+
+---
+
+## [0.2.4] - 2026-01-26
+
+### Исправлено
+- Rate limiting: health/metrics endpoints теперь исключены
+- Увеличены лимиты upload для параллельных Docker запросов
+
+---
+
+## [0.2.0] - 2026-01-25
+
+### Добавлено
+
+#### UI: SVG иконки брендов
+- Эмоджи заменены на SVG иконки брендов (стиль Simple Icons)
+- Docker, Maven, npm, Cargo, PyPI теперь отображаются как векторная графика
+- Единый стиль иконок на дашборде, сайдбаре и страницах деталей
+
+#### Тестовая инфраструктура
+- Unit-тесты для LocalStorage (8 тестов): put/get, list, stat, health_check
+- Unit-тесты для S3Storage с HTTP-мокированием wiremock (11 тестов)
+- Интеграционные тесты auth/htpasswd (7 тестов)
+- Тесты жизненного цикла токенов (11 тестов)
+- Тесты валидации (21 тест)
+- **Всего: 75 тестов проходят**
+
+#### Безопасность: Валидация ввода (`validation.rs`)
+- Защита от path traversal: отклоняет `../`, `..\\`, null-байты, абсолютные пути
+- Валидация имён Docker-образов по спецификации OCI distribution
+- Валидация дайджестов (`sha256:[64 hex]`, `sha512:[128 hex]`)
+- Валидация тегов и ссылок Docker
+- Ограничение длины ключей хранилища (макс. 1024 символа)
+
+#### Безопасность: Rate Limiting (`rate_limit.rs`)
+- Auth endpoints: 1 req/sec, burst 5 (защита от брутфорса)
+- Upload endpoints: 10 req/sec, burst 20
+- Общие endpoints: 100 req/sec, burst 200
+- Использует `tower_governor` 0.8 с `PeerIpKeyExtractor`
+
+#### Наблюдаемость: Отслеживание Request ID (`request_id.rs`)
+- Заголовок `X-Request-ID` добавляется ко всем ответам
+- Принимает upstream request ID или генерирует UUID v4
+- Tracing spans включают request_id для корреляции логов
+
+#### CLI: Команда миграции (`migrate.rs`)
+- `nora migrate --from local --to s3` - миграция между storage backends
+- Флаг `--dry-run` для предпросмотра без копирования
+- Прогресс-бар с indicatif
+- Пропуск существующих файлов в destination
+- Итоговая статистика (migrated, skipped, failed, bytes)
+
+#### Обработка ошибок (`error.rs`)
+- Enum `AppError` с `IntoResponse` для Axum
+- Автоматическая конверсия из `StorageError` и `ValidationError`
+- JSON-ответы об ошибках с поддержкой request_id
+
+### Изменено
+- `StorageError` теперь использует макрос `thiserror`
+- `TokenError` теперь использует макрос `thiserror`
+- Storage wrapper валидирует ключи перед делегированием backend
+- Docker registry handlers валидируют name, digest, reference
+- Лимит размера body установлен в 100MB через `DefaultBodyLimit`
+
+### Добавлены зависимости
+- `thiserror = "2"` - типизированная обработка ошибок
+- `tower_governor = "0.8"` - rate limiting
+- `governor = "0.10"` - backend для rate limiting
+- `tempfile = "3"` (dev) - временные директории для тестов
+- `wiremock = "0.6"` (dev) - HTTP-мокирование для S3 тестов
+
+### Добавлены файлы
+- `src/validation.rs` - модуль валидации ввода
+- `src/migrate.rs` - модуль миграции хранилища
+- `src/error.rs` - типы ошибок приложения
+- `src/request_id.rs` - middleware для request ID
+- `src/rate_limit.rs` - конфигурация rate limiting
+
+---
+
+## [0.1.0] - 2026-01-24
+
+### Добавлено
+- Мульти-протокольная поддержка: Docker Registry v2, Maven, npm, Cargo, PyPI
+- Web UI дашборд
+- Swagger UI (`/api-docs`)
+- Storage backends: локальная файловая система, S3-совместимое хранилище
+- Умный прокси/кэш для Maven и npm
+- Health checks (`/health`, `/ready`)
+- Базовая аутентификация (htpasswd с bcrypt)
+- API токены (отзываемые, per-user)
+- Prometheus метрики (`/metrics`)
+- JSON структурированное логирование
+- Конфигурация через переменные окружения
+- Graceful shutdown (SIGTERM/SIGINT)
+- Команды backup/restore

Cargo.lock

@@ -82,6 +82,12 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "anyhow"
+version = "1.0.102"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
+
 [[package]]
 name = "arbitrary"
 version = "1.4.2"
@@ -184,13 +190,13 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 
 [[package]]
 name = "bcrypt"
-version = "0.17.1"
+version = "0.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "abaf6da45c74385272ddf00e1ac074c7d8a6c1a1dda376902bd6a427522a8b2c"
+checksum = "523ab528ce3a7ada6597f8ccf5bd8d85ebe26d5edf311cad4d1d3cfb2d357ac6"
 dependencies = [
  "base64",
  "blowfish",
- "getrandom 0.3.4",
+ "getrandom 0.4.1",
  "subtle",
  "zeroize",
 ]
@@ -286,9 +292,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.56"
+version = "4.5.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a75ca66430e33a14957acc24c5077b503e7d374151b2b4b3a10c83b4ceb4be0e"
+checksum = "2797f34da339ce31042b27d23607e051786132987f595b02ba4f6a6dffb7030a"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -296,9 +302,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.56"
+version = "4.5.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "793207c7fa6300a0608d1080b858e5fdbe713cdc1c8db9fb17777d8a13e63df0"
+checksum = "24a241312cea5059b13574bb9b3861cabf758b879c15190b37b6d6fd63ab6876"
 dependencies = [
  "anstream",
  "anstyle",
@@ -320,9 +326,9 @@ dependencies = [
 
 [[package]]
 name = "clap_lex"
-version = "0.7.7"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3e64b0cc0439b12df2fa678eae89a1c56a529fd067a9115f7827f1fffd22b32"
+checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831"
 
 [[package]]
 name = "colorchoice"
@@ -332,15 +338,15 @@ checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
 
 [[package]]
 name = "console"
-version = "0.15.11"
+version = "0.16.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "054ccb5b10f9f2cbf51eb355ca1d05c2d279ce1804688d0db74b4733a5aeafd8"
+checksum = "03e45a4a8926227e4197636ba97a9fc9b00477e9f4bd711395687c5f0734bec4"
 dependencies = [
  "encode_unicode",
  "libc",
  "once_cell",
  "unicode-width",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -467,7 +473,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -510,6 +516,12 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
 [[package]]
 name = "foldhash"
 version = "0.2.0"
@@ -667,6 +679,19 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "getrandom"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "139ef39800118c7683f2fd3c98c1b23c09ae076556b435f8e9064ae108aaeeec"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "r-efi",
+ "wasip2",
+ "wasip3",
+]
+
 [[package]]
 name = "governor"
 version = "0.10.4"
@@ -715,6 +740,15 @@ version = "0.14.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
 
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash 0.1.5",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.16.1"
@@ -723,7 +757,7 @@ checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
 dependencies = [
  "allocator-api2",
  "equivalent",
- "foldhash",
+ "foldhash 0.2.0",
 ]
 
 [[package]]
@@ -980,6 +1014,12 @@ dependencies = [
  "zerovec",
 ]
 
+[[package]]
+name = "id-arena"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
+
 [[package]]
 name = "idna"
 version = "1.1.0"
@@ -1015,14 +1055,14 @@ dependencies = [
 
 [[package]]
 name = "indicatif"
-version = "0.17.11"
+version = "0.18.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "183b3088984b400f4cfac3620d5e076c84da5364016b4f49473de574b2586235"
+checksum = "25470f23803092da7d239834776d653104d551bc4d7eacaf31e6837854b8e9eb"
 dependencies = [
  "console",
- "number_prefix",
  "portable-atomic",
  "unicode-width",
+ "unit-prefix",
  "web-time",
 ]
 
@@ -1080,10 +1120,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
 
 [[package]]
-name = "libc"
-version = "0.2.180"
+name = "leb128fmt"
+version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc"
+checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
+
+[[package]]
+name = "libc"
+version = "0.2.182"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
 
 [[package]]
 name = "libredox"
@@ -1098,9 +1144,9 @@ dependencies = [
 
 [[package]]
 name = "linux-raw-sys"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
 
 [[package]]
 name = "litemap"
@@ -1201,7 +1247,7 @@ checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"
 
 [[package]]
 name = "nora-cli"
-version = "0.2.22"
+version = "0.2.28"
 dependencies = [
  "clap",
  "flate2",
@@ -1215,7 +1261,7 @@ dependencies = [
 
 [[package]]
 name = "nora-registry"
-version = "0.2.22"
+version = "0.2.28"
 dependencies = [
  "async-trait",
  "axum",
@@ -1253,7 +1299,7 @@ dependencies = [
 
 [[package]]
 name = "nora-storage"
-version = "0.2.22"
+version = "0.2.28"
 dependencies = [
  "axum",
  "base64",
@@ -1298,12 +1344,6 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "number_prefix"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "830b246a0e5f20af87141b25c173cd1b609bd7779a4617d6ec582abaf90870f3"
-
 [[package]]
 name = "once_cell"
 version = "1.21.3"
@@ -1401,6 +1441,16 @@ dependencies = [
  "zerocopy",
 ]
 
+[[package]]
+name = "prettyplease"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+dependencies = [
+ "proc-macro2",
+ "syn",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.106"
@@ -1522,7 +1572,7 @@ dependencies = [
  "once_cell",
  "socket2",
  "tracing",
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -1721,15 +1771,15 @@ checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
 
 [[package]]
 name = "rustix"
-version = "1.1.3"
+version = "1.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
 dependencies = [
  "bitflags",
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -1794,6 +1844,12 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
+[[package]]
+name = "semver"
+version = "1.0.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -2004,15 +2060,15 @@ dependencies = [
 
 [[package]]
 name = "tempfile"
-version = "3.24.0"
+version = "3.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "655da9c7eb6305c55742045d5a8d2037996d61d8de95806335c7c86ce0f82e9c"
+checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0"
 dependencies = [
  "fastrand",
- "getrandom 0.3.4",
+ "getrandom 0.4.1",
  "once_cell",
  "rustix",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -2091,9 +2147,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.49.0"
+version = "1.50.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
+checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
 dependencies = [
  "bytes",
  "libc",
@@ -2153,9 +2209,9 @@ dependencies = [
 
 [[package]]
 name = "toml"
-version = "1.0.3+spec-1.1.0"
+version = "1.0.6+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7614eaf19ad818347db24addfa201729cf2a9b6fdfd9eb0ab870fcacc606c0c"
+checksum = "399b1124a3c9e16766831c6bba21e50192572cdd98706ea114f9502509686ffc"
 dependencies = [
  "indexmap",
  "serde_core",
@@ -2390,6 +2446,18 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4ac048d71ede7ee76d585517add45da530660ef4390e49b098733c6e897f254"
 
+[[package]]
+name = "unicode-xid"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
+
+[[package]]
+name = "unit-prefix"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81e544489bf3d8ef66c953931f56617f423cd4b5494be343d9b9d3dda037b9a3"
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
@@ -2465,11 +2533,11 @@ dependencies = [
 
 [[package]]
 name = "uuid"
-version = "1.20.0"
+version = "1.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f"
+checksum = "a68d3c8f01c0cfa54a75291d83601161799e4a89a39e0929f4b0354d88757a37"
 dependencies = [
- "getrandom 0.3.4",
+ "getrandom 0.4.1",
  "js-sys",
  "wasm-bindgen",
 ]
@@ -2520,6 +2588,15 @@ dependencies = [
  "wit-bindgen",
 ]
 
+[[package]]
+name = "wasip3"
+version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
+dependencies = [
+ "wit-bindgen",
+]
+
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.108"
@@ -2579,6 +2656,40 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "wasm-encoder"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
+dependencies = [
+ "leb128fmt",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasm-metadata"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
+dependencies = [
+ "anyhow",
+ "indexmap",
+ "wasm-encoder",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasmparser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
+dependencies = [
+ "bitflags",
+ "hashbrown 0.15.5",
+ "indexmap",
+ "semver",
+]
+
 [[package]]
 name = "web-sys"
 version = "0.3.85"
@@ -2630,7 +2741,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -2707,15 +2818,6 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
-[[package]]
-name = "windows-sys"
-version = "0.59.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
-dependencies = [
- "windows-targets 0.52.6",
-]
-
 [[package]]
 name = "windows-sys"
 version = "0.60.2"
@@ -2897,6 +2999,88 @@ name = "wit-bindgen"
 version = "0.51.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+dependencies = [
+ "wit-bindgen-rust-macro",
+]
+
+[[package]]
+name = "wit-bindgen-core"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
+dependencies = [
+ "anyhow",
+ "heck",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-bindgen-rust"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
+dependencies = [
+ "anyhow",
+ "heck",
+ "indexmap",
+ "prettyplease",
+ "syn",
+ "wasm-metadata",
+ "wit-bindgen-core",
+ "wit-component",
+]
+
+[[package]]
+name = "wit-bindgen-rust-macro"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
+dependencies = [
+ "anyhow",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wit-bindgen-core",
+ "wit-bindgen-rust",
+]
+
+[[package]]
+name = "wit-component"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
+dependencies = [
+ "anyhow",
+ "bitflags",
+ "indexmap",
+ "log",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "wasm-encoder",
+ "wasm-metadata",
+ "wasmparser",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-parser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
+dependencies = [
+ "anyhow",
+ "id-arena",
+ "indexmap",
+ "log",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "unicode-xid",
+ "wasmparser",
+]
 
 [[package]]
 name = "writeable"

Cargo.toml

@@ -7,7 +7,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.2.23"
+version = "0.2.28"
 edition = "2021"
 license = "MIT"
 authors = ["DevITWay <devitway@gmail.com>"]

install.sh

@@ -0,0 +1,98 @@
+#!/usr/bin/env sh
+# NORA installer — https://getnora.io/install.sh
+# Usage: curl -fsSL https://getnora.io/install.sh | sh
+
+set -e
+
+REPO="getnora-io/nora"
+BINARY="nora"
+INSTALL_DIR="/usr/local/bin"
+
+# ── Detect OS and architecture ──────────────────────────────────────────────
+
+OS="$(uname -s)"
+ARCH="$(uname -m)"
+
+case "$OS" in
+  Linux)  os="linux" ;;
+  Darwin) os="darwin" ;;
+  *)
+    echo "Unsupported OS: $OS"
+    echo "Please download manually: https://github.com/$REPO/releases/latest"
+    exit 1
+    ;;
+esac
+
+case "$ARCH" in
+  x86_64 | amd64) arch="amd64" ;;
+  aarch64 | arm64) arch="arm64" ;;
+  *)
+    echo "Unsupported architecture: $ARCH"
+    echo "Please download manually: https://github.com/$REPO/releases/latest"
+    exit 1
+    ;;
+esac
+
+ASSET="${BINARY}-${os}-${arch}"
+
+# ── Get latest release version ──────────────────────────────────────────────
+
+VERSION="$(curl -fsSL "https://api.github.com/repos/$REPO/releases/latest" \
+  | grep '"tag_name"' \
+  | sed 's/.*"tag_name": *"\([^"]*\)".*/\1/')"
+
+if [ -z "$VERSION" ]; then
+  echo "Failed to get latest version"
+  exit 1
+fi
+
+echo "Installing NORA $VERSION ($os/$arch)..."
+
+# ── Download binary and checksum ────────────────────────────────────────────
+
+BASE_URL="https://github.com/$REPO/releases/download/$VERSION"
+TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+echo "Downloading $ASSET..."
+curl -fsSL "$BASE_URL/$ASSET" -o "$TMP_DIR/$BINARY"
+curl -fsSL "$BASE_URL/$ASSET.sha256" -o "$TMP_DIR/$ASSET.sha256"
+
+# ── Verify checksum ─────────────────────────────────────────────────────────
+
+echo "Verifying checksum..."
+EXPECTED="$(awk '{print $1}' "$TMP_DIR/$ASSET.sha256")"
+ACTUAL="$(sha256sum "$TMP_DIR/$BINARY" | awk '{print $1}')"
+
+if [ "$EXPECTED" != "$ACTUAL" ]; then
+  echo "Checksum mismatch!"
+  echo "  Expected: $EXPECTED"
+  echo "  Actual:   $ACTUAL"
+  exit 1
+fi
+
+echo "Checksum OK"
+
+# ── Install ─────────────────────────────────────────────────────────────────
+
+chmod +x "$TMP_DIR/$BINARY"
+
+if [ -w "$INSTALL_DIR" ]; then
+  mv "$TMP_DIR/$BINARY" "$INSTALL_DIR/$BINARY"
+elif command -v sudo >/dev/null 2>&1; then
+  sudo mv "$TMP_DIR/$BINARY" "$INSTALL_DIR/$BINARY"
+else
+  # Fallback to ~/.local/bin
+  INSTALL_DIR="$HOME/.local/bin"
+  mkdir -p "$INSTALL_DIR"
+  mv "$TMP_DIR/$BINARY" "$INSTALL_DIR/$BINARY"
+  echo "Installed to $INSTALL_DIR/$BINARY"
+  echo "Make sure $INSTALL_DIR is in your PATH"
+fi
+
+# ── Done ────────────────────────────────────────────────────────────────────
+
+echo ""
+echo "NORA $VERSION installed to $INSTALL_DIR/$BINARY"
+echo ""
+nora --version 2>/dev/null || true

nora-cli/Cargo.toml

@@ -18,6 +18,6 @@ reqwest.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 clap = { version = "4", features = ["derive"] }
-indicatif = "0.17"
+indicatif = "0.18"
 tar = "0.4"
 flate2 = "1.1"

nora-registry/Cargo.toml

@@ -28,7 +28,7 @@ hmac.workspace = true
 hex.workspace = true
 toml = "1.0"
 uuid = { version = "1", features = ["v4"] }
-bcrypt = "0.17"
+bcrypt = "0.19"
 base64 = "0.22"
 prometheus = "0.14"
 lazy_static = "1.5"
@@ -38,7 +38,7 @@ utoipa-swagger-ui = { version = "9", features = ["axum", "reqwest"] }
 clap = { version = "4", features = ["derive"] }
 tar = "0.4"
 flate2 = "1.1"
-indicatif = "0.17"
+indicatif = "0.18"
 chrono = { version = "0.4", features = ["serde"] }
 thiserror = "2"
 tower_governor = "0.8"

nora-registry/src/audit.rs

@@ -0,0 +1,73 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! Persistent audit log — append-only JSONL file
+//!
+//! Records who/when/what for every registry operation.
+//! File: {storage_path}/audit.jsonl
+
+use chrono::{DateTime, Utc};
+use parking_lot::Mutex;
+use serde::Serialize;
+use std::fs::{self, OpenOptions};
+use std::io::Write;
+use std::path::PathBuf;
+use tracing::{info, warn};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct AuditEntry {
+    pub ts: DateTime<Utc>,
+    pub action: String,
+    pub actor: String,
+    pub artifact: String,
+    pub registry: String,
+    pub detail: String,
+}
+
+impl AuditEntry {
+    pub fn new(action: &str, actor: &str, artifact: &str, registry: &str, detail: &str) -> Self {
+        Self {
+            ts: Utc::now(),
+            action: action.to_string(),
+            actor: actor.to_string(),
+            artifact: artifact.to_string(),
+            registry: registry.to_string(),
+            detail: detail.to_string(),
+        }
+    }
+}
+
+pub struct AuditLog {
+    path: PathBuf,
+    writer: Mutex<Option<fs::File>>,
+}
+
+impl AuditLog {
+    pub fn new(storage_path: &str) -> Self {
+        let path = PathBuf::from(storage_path).join("audit.jsonl");
+        let writer = match OpenOptions::new().create(true).append(true).open(&path) {
+            Ok(f) => {
+                info!(path = %path.display(), "Audit log initialized");
+                Mutex::new(Some(f))
+            }
+            Err(e) => {
+                warn!(path = %path.display(), error = %e, "Failed to open audit log, auditing disabled");
+                Mutex::new(None)
+            }
+        };
+        Self { path, writer }
+    }
+
+    pub fn log(&self, entry: AuditEntry) {
+        if let Some(ref mut file) = *self.writer.lock() {
+            if let Ok(json) = serde_json::to_string(&entry) {
+                let _ = writeln!(file, "{}", json);
+                let _ = file.flush();
+            }
+        }
+    }
+
+    pub fn path(&self) -> &PathBuf {
+        &self.path
+    }
+}

nora-registry/src/auth.rs

@@ -13,6 +13,7 @@ use std::collections::HashMap;
 use std::path::Path;
 use std::sync::Arc;
 
+use crate::tokens::Role;
 use crate::AppState;
 
 /// Htpasswd-based authentication
@@ -108,7 +109,18 @@ pub async fn auth_middleware(
     if let Some(token) = auth_header.strip_prefix("Bearer ") {
         if let Some(ref token_store) = state.tokens {
             match token_store.verify_token(token) {
-                Ok(_user) => return next.run(request).await,
+                Ok((_user, role)) => {
+                    let method = request.method().clone();
+                    if (method == axum::http::Method::PUT
+                        || method == axum::http::Method::POST
+                        || method == axum::http::Method::DELETE
+                        || method == axum::http::Method::PATCH)
+                        && !role.can_write()
+                    {
+                        return (StatusCode::FORBIDDEN, "Read-only token").into_response();
+                    }
+                    return next.run(request).await;
+                }
                 Err(_) => return unauthorized_response("Invalid or expired token"),
             }
         } else {
@@ -175,6 +187,12 @@ pub struct CreateTokenRequest {
     #[serde(default = "default_ttl")]
     pub ttl_days: u64,
     pub description: Option<String>,
+    #[serde(default = "default_role_str")]
+    pub role: String,
+}
+
+fn default_role_str() -> String {
+    "read".to_string()
 }
 
 fn default_ttl() -> u64 {
@@ -194,6 +212,7 @@ pub struct TokenListItem {
     pub expires_at: u64,
     pub last_used: Option<u64>,
     pub description: Option<String>,
+    pub role: String,
 }
 
 #[derive(Serialize)]
@@ -227,7 +246,19 @@ async fn create_token(
         }
     };
 
-    match token_store.create_token(&req.username, req.ttl_days, req.description) {
+    let role = match req.role.as_str() {
+        "read" => Role::Read,
+        "write" => Role::Write,
+        "admin" => Role::Admin,
+        _ => {
+            return (
+                StatusCode::BAD_REQUEST,
+                "Invalid role. Use: read, write, admin",
+            )
+                .into_response()
+        }
+    };
+    match token_store.create_token(&req.username, req.ttl_days, req.description, role) {
         Ok(token) => Json(CreateTokenResponse {
             token,
             expires_in_days: req.ttl_days,
@@ -271,6 +302,7 @@ async fn list_tokens(
             expires_at: t.expires_at,
             last_used: t.last_used,
             description: t.description,
+            role: t.role.to_string(),
         })
         .collect();
 

nora-registry/src/config.rs

@@ -36,6 +36,13 @@ pub struct ServerConfig {
     /// Public URL for generating pull commands (e.g., "registry.example.com")
     #[serde(default)]
     pub public_url: Option<String>,
+    /// Maximum request body size in MB (default: 2048 = 2GB)
+    #[serde(default = "default_body_limit_mb")]
+    pub body_limit_mb: usize,
+}
+
+fn default_body_limit_mb() -> usize {
+    2048 // 2GB - enough for any Docker image
 }
 
 #[derive(Debug, Clone, Default, Serialize, Deserialize, PartialEq)]
@@ -249,6 +256,8 @@ impl Default for AuthConfig {
 /// - `NORA_RATE_LIMIT_GENERAL_BURST` - General burst size
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct RateLimitConfig {
+    #[serde(default = "default_rate_limit_enabled")]
+    pub enabled: bool,
     #[serde(default = "default_auth_rps")]
     pub auth_rps: u64,
     #[serde(default = "default_auth_burst")]
@@ -263,6 +272,9 @@ pub struct RateLimitConfig {
     pub general_burst: u32,
 }
 
+fn default_rate_limit_enabled() -> bool {
+    true
+}
 fn default_auth_rps() -> u64 {
     1
 }
@@ -285,6 +297,7 @@ fn default_general_burst() -> u32 {
 impl Default for RateLimitConfig {
     fn default() -> Self {
         Self {
+            enabled: default_rate_limit_enabled(),
             auth_rps: default_auth_rps(),
             auth_burst: default_auth_burst(),
             upload_rps: default_upload_rps(),
@@ -324,6 +337,11 @@ impl Config {
         if let Ok(val) = env::var("NORA_PUBLIC_URL") {
             self.server.public_url = if val.is_empty() { None } else { Some(val) };
         }
+        if let Ok(val) = env::var("NORA_BODY_LIMIT_MB") {
+            if let Ok(mb) = val.parse() {
+                self.server.body_limit_mb = mb;
+            }
+        }
 
         // Storage config
         if let Ok(val) = env::var("NORA_STORAGE_MODE") {
@@ -426,6 +444,9 @@ impl Config {
         }
 
         // Rate limit config
+        if let Ok(val) = env::var("NORA_RATE_LIMIT_ENABLED") {
+            self.rate_limit.enabled = val.to_lowercase() == "true" || val == "1";
+        }
         if let Ok(val) = env::var("NORA_RATE_LIMIT_AUTH_RPS") {
             if let Ok(v) = val.parse::<u64>() {
                 self.rate_limit.auth_rps = v;
@@ -474,6 +495,7 @@ impl Default for Config {
                 host: String::from("127.0.0.1"),
                 port: 4000,
                 public_url: None,
+                body_limit_mb: 2048,
             },
             storage: StorageConfig {
                 mode: StorageMode::Local,

nora-registry/src/gc.rs

@@ -0,0 +1,121 @@
+//! Garbage Collection for orphaned blobs
+//!
+//! Mark-and-sweep approach:
+//! 1. List all blobs across registries
+//! 2. Parse all manifests to find referenced blobs
+//! 3. Blobs not referenced by any manifest = orphans
+//! 4. Delete orphans (with --dry-run support)
+
+use std::collections::HashSet;
+
+use tracing::info;
+
+use crate::storage::Storage;
+
+pub struct GcResult {
+    pub total_blobs: usize,
+    pub referenced_blobs: usize,
+    pub orphaned_blobs: usize,
+    pub deleted_blobs: usize,
+    pub orphan_keys: Vec<String>,
+}
+
+pub async fn run_gc(storage: &Storage, dry_run: bool) -> GcResult {
+    info!("Starting garbage collection (dry_run={})", dry_run);
+
+    // 1. Collect all blob keys
+    let all_blobs = collect_all_blobs(storage).await;
+    info!("Found {} total blobs", all_blobs.len());
+
+    // 2. Collect all referenced digests from manifests
+    let referenced = collect_referenced_digests(storage).await;
+    info!(
+        "Found {} referenced digests from manifests",
+        referenced.len()
+    );
+
+    // 3. Find orphans
+    let mut orphan_keys: Vec<String> = Vec::new();
+    for key in &all_blobs {
+        if let Some(digest) = key.rsplit('/').next() {
+            if !referenced.contains(digest) {
+                orphan_keys.push(key.clone());
+            }
+        }
+    }
+
+    info!("Found {} orphaned blobs", orphan_keys.len());
+
+    let mut deleted = 0;
+    if !dry_run {
+        for key in &orphan_keys {
+            if storage.delete(key).await.is_ok() {
+                deleted += 1;
+                info!("Deleted: {}", key);
+            }
+        }
+        info!("Deleted {} orphaned blobs", deleted);
+    } else {
+        for key in &orphan_keys {
+            info!("[dry-run] Would delete: {}", key);
+        }
+    }
+
+    GcResult {
+        total_blobs: all_blobs.len(),
+        referenced_blobs: referenced.len(),
+        orphaned_blobs: orphan_keys.len(),
+        deleted_blobs: deleted,
+        orphan_keys,
+    }
+}
+
+async fn collect_all_blobs(storage: &Storage) -> Vec<String> {
+    let mut blobs = Vec::new();
+    let docker_blobs = storage.list("docker/").await;
+    for key in docker_blobs {
+        if key.contains("/blobs/") {
+            blobs.push(key);
+        }
+    }
+    blobs
+}
+
+async fn collect_referenced_digests(storage: &Storage) -> HashSet<String> {
+    let mut referenced = HashSet::new();
+
+    let all_keys = storage.list("docker/").await;
+    for key in &all_keys {
+        if !key.contains("/manifests/") || !key.ends_with(".json") || key.ends_with(".meta.json") {
+            continue;
+        }
+
+        if let Ok(data) = storage.get(key).await {
+            if let Ok(json) = serde_json::from_slice::<serde_json::Value>(&data) {
+                if let Some(config) = json.get("config") {
+                    if let Some(digest) = config.get("digest").and_then(|v| v.as_str()) {
+                        referenced.insert(digest.to_string());
+                    }
+                }
+
+                if let Some(layers) = json.get("layers").and_then(|v| v.as_array()) {
+                    for layer in layers {
+                        if let Some(digest) = layer.get("digest").and_then(|v| v.as_str()) {
+                            referenced.insert(digest.to_string());
+                        }
+                    }
+                }
+
+                if let Some(manifests) = json.get("manifests").and_then(|v| v.as_array()) {
+                    for m in manifests {
+                        if let Some(digest) = m.get("digest").and_then(|v| v.as_str()) {
+                            referenced.insert(digest.to_string());
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    referenced
+}

nora-registry/src/main.rs

@@ -2,11 +2,13 @@
 // SPDX-License-Identifier: MIT
 
 mod activity_log;
+mod audit;
 mod auth;
 mod backup;
 mod config;
 mod dashboard_metrics;
 mod error;
+mod gc;
 mod health;
 mod metrics;
 mod migrate;
@@ -31,6 +33,7 @@ use tracing::{error, info, warn};
 use tracing_subscriber::{fmt, prelude::*, EnvFilter};
 
 use activity_log::ActivityLog;
+use audit::AuditLog;
 use auth::HtpasswdAuth;
 use config::{Config, StorageMode};
 use dashboard_metrics::DashboardMetrics;
@@ -61,6 +64,12 @@ enum Commands {
         #[arg(short, long)]
         input: PathBuf,
     },
+    /// Garbage collect orphaned blobs
+    Gc {
+        /// Dry run - show what would be deleted without deleting
+        #[arg(long, default_value = "false")]
+        dry_run: bool,
+    },
     /// Migrate artifacts between storage backends
     Migrate {
         /// Source storage: local or s3
@@ -83,6 +92,7 @@ pub struct AppState {
     pub tokens: Option<TokenStore>,
     pub metrics: DashboardMetrics,
     pub activity: ActivityLog,
+    pub audit: AuditLog,
     pub docker_auth: registry::DockerAuth,
     pub repo_index: RepoIndex,
     pub http_client: reqwest::Client,
@@ -143,6 +153,17 @@ async fn main() {
                 std::process::exit(1);
             }
         }
+        Some(Commands::Gc { dry_run }) => {
+            let result = gc::run_gc(&storage, dry_run).await;
+            println!("GC Summary:");
+            println!("  Total blobs:      {}", result.total_blobs);
+            println!("  Referenced:        {}", result.referenced_blobs);
+            println!("  Orphaned:          {}", result.orphaned_blobs);
+            println!("  Deleted:           {}", result.deleted_blobs);
+            if dry_run && !result.orphan_keys.is_empty() {
+                println!("\nRun without --dry-run to delete orphaned blobs.");
+            }
+        }
         Some(Commands::Migrate { from, to, dry_run }) => {
             let source = match from.as_str() {
                 "local" => Storage::new_local(&config.storage.path),
@@ -210,6 +231,7 @@ async fn run_server(config: Config, storage: Storage) {
 
     // Log rate limiting configuration
     info!(
+        enabled = config.rate_limit.enabled,
         auth_rps = config.rate_limit.auth_rps,
         auth_burst = config.rate_limit.auth_burst,
         upload_rps = config.rate_limit.upload_rps,
@@ -264,16 +286,50 @@ async fn run_server(config: Config, storage: Storage) {
         None
     };
 
-    // Create rate limiters before moving config to state
-    let auth_limiter = rate_limit::auth_rate_limiter(&config.rate_limit);
-    let upload_limiter = rate_limit::upload_rate_limiter(&config.rate_limit);
-    let general_limiter = rate_limit::general_rate_limiter(&config.rate_limit);
+    let storage_path = config.storage.path.clone();
+    let rate_limit_enabled = config.rate_limit.enabled;
 
     // Initialize Docker auth with proxy timeout
     let docker_auth = registry::DockerAuth::new(config.docker.proxy_timeout);
 
     let http_client = reqwest::Client::new();
 
+    // Registry routes (shared between rate-limited and non-limited paths)
+    let registry_routes = Router::new()
+        .merge(registry::docker_routes())
+        .merge(registry::maven_routes())
+        .merge(registry::npm_routes())
+        .merge(registry::cargo_routes())
+        .merge(registry::pypi_routes())
+        .merge(registry::raw_routes());
+
+    // Routes WITHOUT rate limiting (health, metrics, UI)
+    let public_routes = Router::new()
+        .merge(health::routes())
+        .merge(metrics::routes())
+        .merge(ui::routes())
+        .merge(openapi::routes());
+
+    let app_routes = if rate_limit_enabled {
+        // Create rate limiters before moving config to state
+        let auth_limiter = rate_limit::auth_rate_limiter(&config.rate_limit);
+        let upload_limiter = rate_limit::upload_rate_limiter(&config.rate_limit);
+        let general_limiter = rate_limit::general_rate_limiter(&config.rate_limit);
+
+        let auth_routes = auth::token_routes().layer(auth_limiter);
+        let limited_registry = registry_routes.layer(upload_limiter);
+
+        Router::new()
+            .merge(auth_routes)
+            .merge(limited_registry)
+            .layer(general_limiter)
+    } else {
+        info!("Rate limiting DISABLED");
+        Router::new()
+            .merge(auth::token_routes())
+            .merge(registry_routes)
+    };
+
     let state = Arc::new(AppState {
         storage,
         config,
@@ -282,41 +338,18 @@ async fn run_server(config: Config, storage: Storage) {
         tokens,
         metrics: DashboardMetrics::new(),
         activity: ActivityLog::new(50),
+        audit: AuditLog::new(&storage_path),
         docker_auth,
         repo_index: RepoIndex::new(),
         http_client,
     });
 
-    // Token routes with strict rate limiting (brute-force protection)
-    let auth_routes = auth::token_routes().layer(auth_limiter);
-
-    // Registry routes with upload rate limiting
-    let registry_routes = Router::new()
-        .merge(registry::docker_routes())
-        .merge(registry::maven_routes())
-        .merge(registry::npm_routes())
-        .merge(registry::cargo_routes())
-        .merge(registry::pypi_routes())
-        .merge(registry::raw_routes())
-        .layer(upload_limiter);
-
-    // Routes WITHOUT rate limiting (health, metrics, UI)
-    let public_routes = Router::new()
-        .merge(health::routes())
-        .merge(metrics::routes())
-        .merge(ui::routes())
-        .merge(openapi::routes());
-
-    // Routes WITH rate limiting
-    let rate_limited_routes = Router::new()
-        .merge(auth_routes)
-        .merge(registry_routes)
-        .layer(general_limiter);
-
     let app = Router::new()
         .merge(public_routes)
-        .merge(rate_limited_routes)
-        .layer(DefaultBodyLimit::max(100 * 1024 * 1024)) // 100MB default body limit
+        .merge(app_routes)
+        .layer(DefaultBodyLimit::max(
+            state.config.server.body_limit_mb * 1024 * 1024,
+        ))
         .layer(middleware::from_fn(request_id::request_id_middleware))
         .layer(middleware::from_fn(metrics::metrics_middleware))
         .layer(middleware::from_fn_with_state(
@@ -335,6 +368,7 @@ async fn run_server(config: Config, storage: Storage) {
         version = env!("CARGO_PKG_VERSION"),
         storage = state.storage.backend_name(),
         auth_enabled = state.auth.is_some(),
+        body_limit_mb = state.config.server.body_limit_mb,
         "Nora started"
     );
 

nora-registry/src/rate_limit.rs

@@ -10,6 +10,7 @@
 
 use crate::config::RateLimitConfig;
 use tower_governor::governor::GovernorConfigBuilder;
+use tower_governor::key_extractor::SmartIpKeyExtractor;
 
 /// Create rate limiter layer for auth endpoints (strict protection against brute-force)
 pub fn auth_rate_limiter(
@@ -35,11 +36,12 @@ pub fn auth_rate_limiter(
 pub fn upload_rate_limiter(
     config: &RateLimitConfig,
 ) -> tower_governor::GovernorLayer<
-    tower_governor::key_extractor::PeerIpKeyExtractor,
+    SmartIpKeyExtractor,
     governor::middleware::StateInformationMiddleware,
     axum::body::Body,
 > {
     let gov_config = GovernorConfigBuilder::default()
+        .key_extractor(SmartIpKeyExtractor)
         .per_second(config.upload_rps)
         .burst_size(config.upload_burst)
         .use_headers()
@@ -53,11 +55,12 @@ pub fn upload_rate_limiter(
 pub fn general_rate_limiter(
     config: &RateLimitConfig,
 ) -> tower_governor::GovernorLayer<
-    tower_governor::key_extractor::PeerIpKeyExtractor,
+    SmartIpKeyExtractor,
     governor::middleware::StateInformationMiddleware,
     axum::body::Body,
 > {
     let gov_config = GovernorConfigBuilder::default()
+        .key_extractor(SmartIpKeyExtractor)
         .per_second(config.general_rps)
         .burst_size(config.general_burst)
         .use_headers()
@@ -102,6 +105,7 @@ mod tests {
     #[test]
     fn test_custom_config() {
         let config = RateLimitConfig {
+            enabled: true,
             auth_rps: 10,
             auth_burst: 20,
             upload_rps: 500,

nora-registry/src/registry/cargo_registry.rs

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: MIT
 
 use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
 use crate::AppState;
 use axum::{
     extract::{Path, State},
@@ -50,6 +51,9 @@ async fn download(
                 "cargo",
                 "LOCAL",
             ));
+            state
+                .audit
+                .log(AuditEntry::new("pull", "api", "", "cargo", ""));
             (StatusCode::OK, data).into_response()
         }
         Err(_) => StatusCode::NOT_FOUND.into_response(),

nora-registry/src/registry/docker.rs

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: MIT
 
 use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
 use crate::registry::docker_auth::DockerAuth;
 use crate::storage::Storage;
 use crate::validation::{validate_digest, validate_docker_name, validate_docker_reference};
@@ -11,7 +12,7 @@ use axum::{
     extract::{Path, State},
     http::{header, HeaderName, StatusCode},
     response::{IntoResponse, Response},
-    routing::{get, head, patch, put},
+    routing::{delete, get, head, patch, put},
     Json, Router,
 };
 use parking_lot::RwLock;
@@ -64,6 +65,8 @@ pub fn routes() -> Router<Arc<AppState>> {
         )
         .route("/v2/{name}/manifests/{reference}", get(get_manifest))
         .route("/v2/{name}/manifests/{reference}", put(put_manifest))
+        .route("/v2/{name}/manifests/{reference}", delete(delete_manifest))
+        .route("/v2/{name}/blobs/{digest}", delete(delete_blob))
         .route("/v2/{name}/tags/list", get(list_tags))
         // Two-segment name routes (e.g., /v2/library/alpine/...)
         .route("/v2/{ns}/{name}/blobs/{digest}", head(check_blob_ns))
@@ -84,6 +87,11 @@ pub fn routes() -> Router<Arc<AppState>> {
             "/v2/{ns}/{name}/manifests/{reference}",
             put(put_manifest_ns),
         )
+        .route(
+            "/v2/{ns}/{name}/manifests/{reference}",
+            delete(delete_manifest_ns),
+        )
+        .route("/v2/{ns}/{name}/blobs/{digest}", delete(delete_blob_ns))
         .route("/v2/{ns}/{name}/tags/list", get(list_tags_ns))
 }
 
@@ -307,7 +315,17 @@ async fn upload_blob(
             ));
             state.repo_index.invalidate("docker");
             let location = format!("/v2/{}/blobs/{}", name, digest);
-            (StatusCode::CREATED, [(header::LOCATION, location)]).into_response()
+            (
+                StatusCode::CREATED,
+                [
+                    (header::LOCATION, location),
+                    (
+                        HeaderName::from_static("docker-content-digest"),
+                        digest.to_string(),
+                    ),
+                ],
+            )
+                .into_response()
         }
         Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
     }
@@ -481,6 +499,13 @@ async fn put_manifest(
         "docker",
         "LOCAL",
     ));
+    state.audit.log(AuditEntry::new(
+        "push",
+        "api",
+        &format!("{}:{}", name, reference),
+        "docker",
+        "manifest",
+    ));
     state.repo_index.invalidate("docker");
 
     let location = format!("/v2/{}/manifests/{}", name, reference);
@@ -512,6 +537,109 @@ async fn list_tags(State(state): State<Arc<AppState>>, Path(name): Path<String>)
     (StatusCode::OK, Json(json!({"name": name, "tags": tags}))).into_response()
 }
 
+// ============================================================================
+// Delete handlers (Docker Registry V2 spec)
+// ============================================================================
+
+async fn delete_manifest(
+    State(state): State<Arc<AppState>>,
+    Path((name, reference)): Path<(String, String)>,
+) -> Response {
+    if let Err(e) = validate_docker_name(&name) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+    if let Err(e) = validate_docker_reference(&reference) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+
+    let key = format!("docker/{}/manifests/{}.json", name, reference);
+
+    // If reference is a tag, also delete digest-keyed copy
+    let is_tag = !reference.starts_with("sha256:");
+    if is_tag {
+        if let Ok(data) = state.storage.get(&key).await {
+            use sha2::Digest;
+            let digest = format!("sha256:{:x}", sha2::Sha256::digest(&data));
+            let digest_key = format!("docker/{}/manifests/{}.json", name, digest);
+            let _ = state.storage.delete(&digest_key).await;
+            let digest_meta = format!("docker/{}/manifests/{}.meta.json", name, digest);
+            let _ = state.storage.delete(&digest_meta).await;
+        }
+    }
+
+    // Delete manifest
+    match state.storage.delete(&key).await {
+        Ok(()) => {
+            // Delete associated metadata
+            let meta_key = format!("docker/{}/manifests/{}.meta.json", name, reference);
+            let _ = state.storage.delete(&meta_key).await;
+
+            state.audit.log(AuditEntry::new(
+                "delete",
+                "api",
+                &format!("{}:{}", name, reference),
+                "docker",
+                "manifest",
+            ));
+            state.repo_index.invalidate("docker");
+            tracing::info!(name = %name, reference = %reference, "Docker manifest deleted");
+            StatusCode::ACCEPTED.into_response()
+        }
+        Err(crate::storage::StorageError::NotFound) => (
+            StatusCode::NOT_FOUND,
+            Json(json!({
+                "errors": [{
+                    "code": "MANIFEST_UNKNOWN",
+                    "message": "manifest unknown",
+                    "detail": { "name": name, "reference": reference }
+                }]
+            })),
+        )
+            .into_response(),
+        Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+}
+
+async fn delete_blob(
+    State(state): State<Arc<AppState>>,
+    Path((name, digest)): Path<(String, String)>,
+) -> Response {
+    if let Err(e) = validate_docker_name(&name) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+    if let Err(e) = validate_digest(&digest) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+
+    let key = format!("docker/{}/blobs/{}", name, digest);
+    match state.storage.delete(&key).await {
+        Ok(()) => {
+            state.audit.log(AuditEntry::new(
+                "delete",
+                "api",
+                &format!("{}@{}", name, &digest[..19.min(digest.len())]),
+                "docker",
+                "blob",
+            ));
+            state.repo_index.invalidate("docker");
+            tracing::info!(name = %name, digest = %digest, "Docker blob deleted");
+            StatusCode::ACCEPTED.into_response()
+        }
+        Err(crate::storage::StorageError::NotFound) => (
+            StatusCode::NOT_FOUND,
+            Json(json!({
+                "errors": [{
+                    "code": "BLOB_UNKNOWN",
+                    "message": "blob unknown to registry",
+                    "detail": { "digest": digest }
+                }]
+            })),
+        )
+            .into_response(),
+        Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+}
+
 // ============================================================================
 // Namespace handlers (for two-segment names like library/alpine)
 // These combine ns/name into a single name and delegate to the main handlers
@@ -581,6 +709,22 @@ async fn list_tags_ns(
     list_tags(state, Path(full_name)).await
 }
 
+async fn delete_manifest_ns(
+    state: State<Arc<AppState>>,
+    Path((ns, name, reference)): Path<(String, String, String)>,
+) -> Response {
+    let full_name = format!("{}/{}", ns, name);
+    delete_manifest(state, Path((full_name, reference))).await
+}
+
+async fn delete_blob_ns(
+    state: State<Arc<AppState>>,
+    Path((ns, name, digest)): Path<(String, String, String)>,
+) -> Response {
+    let full_name = format!("{}/{}", ns, name);
+    delete_blob(state, Path((full_name, digest))).await
+}
+
 /// Fetch a blob from an upstream Docker registry
 async fn fetch_blob_from_upstream(
     client: &reqwest::Client,
@@ -739,8 +883,16 @@ fn detect_manifest_media_type(data: &[u8]) -> String {
             if schema_version == 1 {
                 return "application/vnd.docker.distribution.manifest.v1+json".to_string();
             }
-            // schemaVersion 2 without mediaType is likely docker manifest v2
-            if json.get("config").is_some() {
+            // schemaVersion 2 without mediaType - check config.mediaType to distinguish OCI vs Docker
+            if let Some(config) = json.get("config") {
+                if let Some(config_mt) = config.get("mediaType").and_then(|v| v.as_str()) {
+                    if config_mt.starts_with("application/vnd.docker.") {
+                        return "application/vnd.docker.distribution.manifest.v2+json".to_string();
+                    }
+                    // OCI or Helm or any non-docker config mediaType
+                    return "application/vnd.oci.image.manifest.v1+json".to_string();
+                }
+                // No config.mediaType - assume docker v2
                 return "application/vnd.docker.distribution.manifest.v2+json".to_string();
             }
             // If it has "manifests" array, it's an index/list

nora-registry/src/registry/maven.rs

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: MIT
 
 use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
 use crate::AppState;
 use axum::{
     body::Bytes,
@@ -42,6 +43,9 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
             "maven",
             "CACHE",
         ));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "maven", ""));
         return with_content_type(&path, data).into_response();
     }
 
@@ -58,6 +62,9 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
                     "maven",
                     "PROXY",
                 ));
+                state
+                    .audit
+                    .log(AuditEntry::new("proxy_fetch", "api", "", "maven", ""));
 
                 let storage = state.storage.clone();
                 let key_clone = key.clone();
@@ -103,6 +110,9 @@ async fn upload(
                 "maven",
                 "LOCAL",
             ));
+            state
+                .audit
+                .log(AuditEntry::new("push", "api", "", "maven", ""));
             state.repo_index.invalidate("maven");
             StatusCode::CREATED
         }

nora-registry/src/registry/npm.rs

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: MIT
 
 use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
 use crate::AppState;
 use axum::{
     body::Bytes,
@@ -48,6 +49,9 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
                 "npm",
                 "CACHE",
             ));
+            state
+                .audit
+                .log(AuditEntry::new("cache_hit", "api", "", "npm", ""));
         }
         return with_content_type(is_tarball, data).into_response();
     }
@@ -67,6 +71,9 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
                     "npm",
                     "PROXY",
                 ));
+                state
+                    .audit
+                    .log(AuditEntry::new("proxy_fetch", "api", "", "npm", ""));
             }
 
             let storage = state.storage.clone();

nora-registry/src/registry/pypi.rs

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: MIT
 
 use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
 use crate::AppState;
 use axum::{
     extract::{Path, State},
@@ -115,6 +116,9 @@ async fn download_file(
             "pypi",
             "CACHE",
         ));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "pypi", ""));
 
         let content_type = if filename.ends_with(".whl") {
             "application/zip"
@@ -156,6 +160,9 @@ async fn download_file(
                         "pypi",
                         "PROXY",
                     ));
+                    state
+                        .audit
+                        .log(AuditEntry::new("proxy_fetch", "api", "", "pypi", ""));
 
                     // Cache in local storage
                     let storage = state.storage.clone();

nora-registry/src/registry/raw.rs

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: MIT
 
 use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
 use crate::AppState;
 use axum::{
     body::Bytes,
@@ -35,6 +36,9 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
             state
                 .activity
                 .push(ActivityEntry::new(ActionType::Pull, path, "raw", "LOCAL"));
+            state
+                .audit
+                .log(AuditEntry::new("pull", "api", "", "raw", ""));
 
             // Guess content type from extension
             let content_type = guess_content_type(&key);
@@ -72,6 +76,9 @@ async fn upload(
             state
                 .activity
                 .push(ActivityEntry::new(ActionType::Push, path, "raw", "LOCAL"));
+            state
+                .audit
+                .log(AuditEntry::new("push", "api", "", "raw", ""));
             StatusCode::CREATED.into_response()
         }
         Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),

nora-registry/src/tokens.rs

@@ -11,6 +11,35 @@ use uuid::Uuid;
 
 const TOKEN_PREFIX: &str = "nra_";
 
+/// Access role for API tokens
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+#[serde(rename_all = "lowercase")]
+pub enum Role {
+    Read,
+    Write,
+    Admin,
+}
+
+impl std::fmt::Display for Role {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Role::Read => write!(f, "read"),
+            Role::Write => write!(f, "write"),
+            Role::Admin => write!(f, "admin"),
+        }
+    }
+}
+
+impl Role {
+    pub fn can_write(&self) -> bool {
+        matches!(self, Role::Write | Role::Admin)
+    }
+
+    pub fn can_admin(&self) -> bool {
+        matches!(self, Role::Admin)
+    }
+}
+
 /// API Token metadata stored on disk
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TokenInfo {
@@ -20,6 +49,12 @@ pub struct TokenInfo {
     pub expires_at: u64,
     pub last_used: Option<u64>,
     pub description: Option<String>,
+    #[serde(default = "default_role")]
+    pub role: Role,
+}
+
+fn default_role() -> Role {
+    Role::Read
 }
 
 /// Token store for managing API tokens
@@ -44,6 +79,7 @@ impl TokenStore {
         user: &str,
         ttl_days: u64,
         description: Option<String>,
+        role: Role,
     ) -> Result<String, TokenError> {
         // Generate random token
         let raw_token = format!(
@@ -67,6 +103,7 @@ impl TokenStore {
             expires_at,
             last_used: None,
             description,
+            role,
         };
 
         // Save to file
@@ -81,7 +118,7 @@ impl TokenStore {
     }
 
     /// Verify a token and return user info if valid
-    pub fn verify_token(&self, token: &str) -> Result<String, TokenError> {
+    pub fn verify_token(&self, token: &str) -> Result<(String, Role), TokenError> {
         if !token.starts_with(TOKEN_PREFIX) {
             return Err(TokenError::InvalidFormat);
         }
@@ -121,7 +158,7 @@ impl TokenStore {
             let _ = fs::write(&file_path, json);
         }
 
-        Ok(info.user)
+        Ok((info.user, info.role))
     }
 
     /// List all tokens for a user
@@ -210,7 +247,7 @@ mod tests {
         let store = TokenStore::new(temp_dir.path());
 
         let token = store
-            .create_token("testuser", 30, Some("Test token".to_string()))
+            .create_token("testuser", 30, Some("Test token".to_string()), Role::Write)
             .unwrap();
 
         assert!(token.starts_with("nra_"));
@@ -222,10 +259,13 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        let token = store.create_token("testuser", 30, None).unwrap();
-        let user = store.verify_token(&token).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
+        let (user, role) = store.verify_token(&token).unwrap();
 
         assert_eq!(user, "testuser");
+        assert_eq!(role, Role::Write);
     }
 
     #[test]
@@ -252,7 +292,9 @@ mod tests {
         let store = TokenStore::new(temp_dir.path());
 
         // Create token and manually set it as expired
-        let token = store.create_token("testuser", 1, None).unwrap();
+        let token = store
+            .create_token("testuser", 1, None, Role::Write)
+            .unwrap();
         let token_hash = hash_token(&token);
         let file_path = temp_dir.path().join(format!("{}.json", &token_hash[..16]));
 
@@ -272,9 +314,9 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        store.create_token("user1", 30, None).unwrap();
-        store.create_token("user1", 30, None).unwrap();
-        store.create_token("user2", 30, None).unwrap();
+        store.create_token("user1", 30, None, Role::Write).unwrap();
+        store.create_token("user1", 30, None, Role::Write).unwrap();
+        store.create_token("user2", 30, None, Role::Read).unwrap();
 
         let user1_tokens = store.list_tokens("user1");
         assert_eq!(user1_tokens.len(), 2);
@@ -291,7 +333,9 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        let token = store.create_token("testuser", 30, None).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
         let token_hash = hash_token(&token);
         let hash_prefix = &token_hash[..16];
 
@@ -320,9 +364,9 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        store.create_token("user1", 30, None).unwrap();
-        store.create_token("user1", 30, None).unwrap();
-        store.create_token("user2", 30, None).unwrap();
+        store.create_token("user1", 30, None, Role::Write).unwrap();
+        store.create_token("user1", 30, None, Role::Write).unwrap();
+        store.create_token("user2", 30, None, Role::Read).unwrap();
 
         let revoked = store.revoke_all_for_user("user1");
         assert_eq!(revoked, 2);
@@ -336,7 +380,9 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        let token = store.create_token("testuser", 30, None).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
 
         // First verification
         store.verify_token(&token).unwrap();
@@ -352,7 +398,12 @@ mod tests {
         let store = TokenStore::new(temp_dir.path());
 
         store
-            .create_token("testuser", 30, Some("CI/CD Pipeline".to_string()))
+            .create_token(
+                "testuser",
+                30,
+                Some("CI/CD Pipeline".to_string()),
+                Role::Admin,
+            )
             .unwrap();
 
         let tokens = store.list_tokens("testuser");