chore: bump version to 0.2.28

Merge pull request #28 from getnora-io/dependabot/cargo/toml-1.0.6spec-1.1.0
chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0
2026-04-13 14:20:31 +00:00 · 2026-03-12 19:23:32 +00:00 · 2026-03-12 22:14:13 +03:00 · 2026-03-12 22:14:09 +03:00 · 2026-03-12 22:14:06 +03:00 · 2026-03-12 22:14:01 +03:00
19 changed files with 731 additions and 63 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -72,7 +72,7 @@ jobs:
      # ── CVE scan of source tree and Cargo.lock ──────────────────────────────
      - name: Trivy — filesystem scan (Cargo.lock + source)
        if: always()
-        uses: aquasecurity/trivy-action@0.34.2
+        uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: fs
          scan-ref: .
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,12 +39,12 @@ jobs:
          retention-days: 1

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
        with:
          driver-opts: network=host

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -53,7 +53,7 @@ jobs:
      # ── Alpine ───────────────────────────────────────────────────────────────
      - name: Extract metadata (alpine)
        id: meta-alpine
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: |
            ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -64,7 +64,7 @@ jobs:
            type=raw,value=latest

      - name: Build and push (alpine)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: Dockerfile
@@ -78,7 +78,7 @@ jobs:
      # ── RED OS ───────────────────────────────────────────────────────────────
      - name: Extract metadata (redos)
        id: meta-redos
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: |
            ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -90,7 +90,7 @@ jobs:
            type=raw,value=redos

      - name: Build and push (redos)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: Dockerfile.redos
@@ -104,7 +104,7 @@ jobs:
      # ── Astra Linux SE ───────────────────────────────────────────────────────
      - name: Extract metadata (astra)
        id: meta-astra
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: |
            ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -116,7 +116,7 @@ jobs:
            type=raw,value=astra

      - name: Build and push (astra)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: Dockerfile.astra
@@ -153,7 +153,7 @@ jobs:
        run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT

      - name: Trivy — image scan (${{ matrix.name }})
-        uses: aquasecurity/trivy-action@0.34.2
+        uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: image
          image-ref: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,72 @@ All notable changes to NORA will be documented in this file.

 ---

+## [0.2.27] - 2026-03-03
+
+### Added / Добавлено
+- **Configurable body limit**: `NORA_BODY_LIMIT_MB` env var (default: `2048` = 2GB) — replaces hardcoded 100MB limit that caused `413 Payload Too Large` on large Docker image push
+- **Настраиваемый лимит тела запроса**: переменная `NORA_BODY_LIMIT_MB` (по умолчанию: `2048` = 2GB) — заменяет захардкоженный лимит 100MB, вызывавший `413 Payload Too Large` при push больших Docker-образов
+- **Docker Delete API**: `DELETE /v2/{name}/manifests/{reference}` and `DELETE /v2/{name}/blobs/{digest}` per Docker Registry V2 spec (returns 202 Accepted)
+- **Docker Delete API**: `DELETE /v2/{name}/manifests/{reference}` и `DELETE /v2/{name}/blobs/{digest}` по спецификации Docker Registry V2 (возвращает 202 Accepted)
+- Namespace-qualified DELETE variants (`/v2/{ns}/{name}/...`)
+- Audit log integration for delete operations
+
+### Fixed / Исправлено
+- Docker push of images >100MB no longer fails with 413 error
+- Push Docker-образов >100MB больше не падает с ошибкой 413
+
+---
+
+## [0.2.26] - 2026-03-03
+
+### Added / Добавлено
+- **Helm OCI support**: `helm push` / `helm pull` now works out of the box via OCI protocol
+- **Поддержка Helm OCI**: `helm push` / `helm pull` теперь работают из коробки через OCI протокол
+- **RBAC**: Token-based role system with three roles — `read`, `write`, `admin` (default: `read`)
+- **RBAC**: Ролевая система на основе токенов — `read`, `write`, `admin` (по умолчанию: `read`)
+- **Audit log**: Persistent append-only JSONL audit trail for all registry operations (`{storage}/audit.jsonl`)
+- **Аудит**: Персистентный append-only JSONL лог всех операций реестра (`{storage}/audit.jsonl`)
+- **GC command**: `nora gc --dry-run` — garbage collection for orphaned blobs (mark-and-sweep)
+- **Команда GC**: `nora gc --dry-run` — сборка мусора для осиротевших блобов (mark-and-sweep)
+
+### Fixed / Исправлено
+- **Helm OCI pull**: Fixed OCI manifest media type detection — manifests with non-Docker `config.mediaType` now correctly return `application/vnd.oci.image.manifest.v1+json`
+- **Helm OCI pull**: Исправлено определение media type OCI манифестов — манифесты с не-Docker `config.mediaType` теперь корректно возвращают `application/vnd.oci.image.manifest.v1+json`
+- **Docker-Content-Digest**: Added missing header in blob upload response (required by Helm OCI client)
+- **Docker-Content-Digest**: Добавлен отсутствующий заголовок в ответе на загрузку blob (требуется клиентом Helm OCI)
+
+### Security / Безопасность
+- Read-only tokens (`role: read`) are now blocked from PUT/POST/DELETE/PATCH operations with HTTP 403
+- Токены только для чтения (`role: read`) теперь блокируются при PUT/POST/DELETE/PATCH с HTTP 403
+
+---
+
+## [0.2.25] - 2026-03-03
+
+### Fixed / Исправлено
+- **Rate limiter fix**: Added `NORA_RATE_LIMIT_ENABLED` env var (default: `true`) to disable rate limiting on internal deployments
+- **Исправление rate limiter**: Добавлена переменная `NORA_RATE_LIMIT_ENABLED` (по умолчанию: `true`) для отключения rate limiting на внутренних инсталляциях
+- **SmartIpKeyExtractor**: Upload and general routes now use `SmartIpKeyExtractor` (reads `X-Forwarded-For`) instead of `PeerIpKeyExtractor` — fixes 429 errors behind reverse proxy / Docker bridge
+- **SmartIpKeyExtractor**: Маршруты upload и general теперь используют `SmartIpKeyExtractor` (читает `X-Forwarded-For`) вместо `PeerIpKeyExtractor` — устраняет ошибки 429 за reverse proxy / Docker bridge
+
+### Dependencies / Зависимости
+- `clap` 4.5.56 → 4.5.60
+- `uuid` 1.20.0 → 1.21.0
+- `tempfile` 3.24.0 → 3.26.0
+- `bcrypt` 0.17.1 → 0.18.0
+- `indicatif` 0.17.11 → 0.18.4
+
+### CI/CD
+- `actions/checkout` 4 → 6
+- `actions/upload-artifact` 4 → 7
+- `softprops/action-gh-release` 1 → 2
+- `aquasecurity/trivy-action` 0.30.0 → 0.34.2
+- `docker/build-push-action` 5 → 6
+- Move scan/release to self-hosted runner with NORA cache
+- Сканирование/релиз перенесены на self-hosted runner с кэшем через NORA
+
+---
+
 ## [0.2.24] - 2026-02-24

 ### Added / Добавлено
--- a/CHANGELOG.md.bak
+++ b/CHANGELOG.md.bak
@@ -0,0 +1,414 @@
+# Changelog
+
+All notable changes to NORA will be documented in this file.
+
+---
+
+## [0.2.18] - 2026-01-31
+
+### Changed
+- Logo styling refinements
+
+---
+
+## [0.2.17] - 2026-01-31
+
+### Added
+- Copyright headers to all source files (Volkov Pavel | DevITWay)
+- SPDX-License-Identifier: MIT in all .rs files
+
+---
+
+## [0.2.16] - 2026-01-31
+
+### Changed
+- N○RA branding: stylized O logo across dashboard
+- Fixed O letter alignment in logo
+
+---
+
+## [0.2.15] - 2026-01-31
+
+### Fixed
+- Code formatting (cargo fmt)
+
+---
+
+## [0.2.14] - 2026-01-31
+
+### Fixed
+- Docker dashboard now shows actual image size from manifest layers (config + layers sum)
+- Previously showed only manifest file size (~500 B instead of actual image size)
+
+---
+
+## [0.2.13] - 2026-01-31
+
+### Fixed
+- npm dashboard now shows correct version count and package sizes
+- Parses metadata.json for versions, dist.unpackedSize, and time.modified
+- Previously showed 0 versions / 0 B for all packages
+
+---
+
+## [0.2.12] - 2026-01-30
+
+### Added
+
+#### Configurable Rate Limiting
+- Rate limits now configurable via `config.toml` and environment variables
+- New config section `[rate_limit]` with parameters: `auth_rps`, `auth_burst`, `upload_rps`, `upload_burst`, `general_rps`, `general_burst`
+- Environment variables: `NORA_RATE_LIMIT_{AUTH|UPLOAD|GENERAL}_{RPS|BURST}`
+
+#### Secrets Provider Architecture
+- Trait-based secrets management (`SecretsProvider` trait)
+- ENV provider as default (12-Factor App pattern)
+- Protected secrets with `zeroize` (memory zeroed on drop)
+- Redacted Debug impl prevents secret leakage in logs
+- New config section `[secrets]` with `provider` and `clear_env` options
+
+#### Docker Image Metadata
+- Support for image metadata retrieval
+
+#### Documentation
+- Bilingual onboarding guide (EN/RU)
+
+---
+
+## [0.2.11] - 2026-01-26
+
+### Added
+- Internationalization (i18n) support
+- PyPI registry proxy
+- UI improvements
+
+---
+
+## [0.2.10] - 2026-01-26
+
+### Changed
+- Dark theme applied to all UI pages
+
+---
+
+## [0.2.9] - 2026-01-26
+
+### Changed
+- Version bump release
+
+---
+
+## [0.2.8] - 2026-01-26
+
+### Added
+- Dashboard endpoint added to OpenAPI documentation
+
+---
+
+## [0.2.7] - 2026-01-26
+
+### Added
+- Dynamic version display in UI sidebar
+
+---
+
+## [0.2.6] - 2026-01-26
+
+### Added
+
+#### Dashboard Metrics
+- Global stats panel: downloads, uploads, artifacts, cache hit rate, storage
+- Extended registry cards with artifact count, size, counters
+- Activity log (last 20 events)
+
+#### UI
+- Dark theme (bg: #0f172a, cards: #1e293b)
+
+---
+
+## [0.2.5] - 2026-01-26
+
+### Fixed
+- Docker push/pull: added PATCH endpoint for chunked uploads
+
+---
+
+## [0.2.4] - 2026-01-26
+
+### Fixed
+- Rate limiting: health/metrics endpoints now exempt
+- Increased upload rate limits for Docker parallel requests
+
+---
+
+## [0.2.0] - 2026-01-25
+
+### Added
+
+#### UI: SVG Brand Icons
+- Replaced emoji icons with proper SVG brand icons (Simple Icons style)
+- Docker, Maven, npm, Cargo, PyPI icons now render as scalable vector graphics
+- Consistent icon styling across dashboard, sidebar, and detail pages
+
+#### Testing Infrastructure
+- Unit tests for LocalStorage (8 tests): put/get, list, stat, health_check
+- Unit tests for S3Storage with wiremock HTTP mocking (11 tests)
+- Integration tests for auth/htpasswd (7 tests)
+- Token lifecycle tests (11 tests)
+- Validation tests (21 tests)
+- **Total: 75 tests passing**
+
+#### Security: Input Validation (`validation.rs`)
+- Path traversal protection: rejects `../`, `..\\`, null bytes, absolute paths
+- Docker image name validation per OCI distribution spec
+- Content digest validation (`sha256:[64 hex]`, `sha512:[128 hex]`)
+- Docker tag/reference validation
+- Storage key length limits (max 1024 chars)
+
+#### Security: Rate Limiting (`rate_limit.rs`)
+- Auth endpoints: 1 req/sec, burst 5 (brute-force protection)
+- Upload endpoints: 10 req/sec, burst 20
+- General endpoints: 100 req/sec, burst 200
+- Uses `tower_governor` 0.8 with `PeerIpKeyExtractor`
+
+#### Observability: Request ID Tracking (`request_id.rs`)
+- `X-Request-ID` header added to all responses
+- Accepts upstream request ID or generates UUID v4
+- Tracing spans include request_id for log correlation
+
+#### CLI: Migrate Command (`migrate.rs`)
+- `nora migrate --from local --to s3` - migrate between storage backends
+- `--dry-run` flag for preview without copying
+- Progress bar with indicatif
+- Skips existing files in destination
+- Summary statistics (migrated, skipped, failed, bytes)
+
+#### Error Handling (`error.rs`)
+- `AppError` enum with `IntoResponse` for Axum
+- Automatic conversion from `StorageError` and `ValidationError`
+- JSON error responses with request_id support
+
+### Changed
+- `StorageError` now uses `thiserror` derive macro
+- `TokenError` now uses `thiserror` derive macro
+- Storage wrapper validates keys before delegating to backend
+- Docker registry handlers validate name, digest, reference inputs
+- Body size limit set to 100MB default via `DefaultBodyLimit`
+
+### Dependencies Added
+- `thiserror = "2"` - typed error handling
+- `tower_governor = "0.8"` - rate limiting
+- `governor = "0.10"` - rate limiting backend
+- `tempfile = "3"` (dev) - temporary directories for tests
+- `wiremock = "0.6"` (dev) - HTTP mocking for S3 tests
+
+### Files Added
+- `src/validation.rs` - input validation module
+- `src/migrate.rs` - storage migration module
+- `src/error.rs` - application error types
+- `src/request_id.rs` - request ID middleware
+- `src/rate_limit.rs` - rate limiting configuration
+
+---
+
+## [0.1.0] - 2026-01-24
+
+### Added
+- Multi-protocol support: Docker Registry v2, Maven, npm, Cargo, PyPI
+- Web UI dashboard
+- Swagger UI (`/api-docs`)
+- Storage backends: Local filesystem, S3-compatible
+- Smart proxy/cache for Maven and npm
+- Health checks (`/health`, `/ready`)
+- Basic authentication (htpasswd with bcrypt)
+- API tokens (revocable, per-user)
+- Prometheus metrics (`/metrics`)
+- JSON structured logging
+- Environment variable configuration
+- Graceful shutdown (SIGTERM/SIGINT)
+- Backup/restore commands
+
+---
+
+# Журнал изменений (RU)
+
+Все значимые изменения NORA документируются в этом файле.
+
+---
+
+## [0.2.12] - 2026-01-30
+
+### Добавлено
+
+#### Настраиваемый Rate Limiting
+- Rate limits настраиваются через `config.toml` и переменные окружения
+- Новая секция `[rate_limit]` с параметрами: `auth_rps`, `auth_burst`, `upload_rps`, `upload_burst`, `general_rps`, `general_burst`
+- Переменные окружения: `NORA_RATE_LIMIT_{AUTH|UPLOAD|GENERAL}_{RPS|BURST}`
+
+#### Архитектура Secrets Provider
+- Trait-based управление секретами (`SecretsProvider` trait)
+- ENV provider по умолчанию (12-Factor App паттерн)
+- Защищённые секреты с `zeroize` (память обнуляется при drop)
+- Redacted Debug impl предотвращает утечку секретов в логи
+- Новая секция `[secrets]` с опциями `provider` и `clear_env`
+
+#### Docker Image Metadata
+- Поддержка получения метаданных образов
+
+#### Документация
+- Двуязычный onboarding guide (EN/RU)
+
+---
+
+## [0.2.11] - 2026-01-26
+
+### Добавлено
+- Поддержка интернационализации (i18n)
+- PyPI registry proxy
+- Улучшения UI
+
+---
+
+## [0.2.10] - 2026-01-26
+
+### Изменено
+- Тёмная тема применена ко всем страницам UI
+
+---
+
+## [0.2.9] - 2026-01-26
+
+### Изменено
+- Релиз с обновлением версии
+
+---
+
+## [0.2.8] - 2026-01-26
+
+### Добавлено
+- Dashboard endpoint добавлен в OpenAPI документацию
+
+---
+
+## [0.2.7] - 2026-01-26
+
+### Добавлено
+- Динамическое отображение версии в сайдбаре UI
+
+---
+
+## [0.2.6] - 2026-01-26
+
+### Добавлено
+
+#### Dashboard Metrics
+- Глобальная панель статистики: downloads, uploads, artifacts, cache hit rate, storage
+- Расширенные карточки реестров с количеством артефактов, размером, счётчиками
+- Лог активности (последние 20 событий)
+
+#### UI
+- Тёмная тема (bg: #0f172a, cards: #1e293b)
+
+---
+
+## [0.2.5] - 2026-01-26
+
+### Исправлено
+- Docker push/pull: добавлен PATCH endpoint для chunked uploads
+
+---
+
+## [0.2.4] - 2026-01-26
+
+### Исправлено
+- Rate limiting: health/metrics endpoints теперь исключены
+- Увеличены лимиты upload для параллельных Docker запросов
+
+---
+
+## [0.2.0] - 2026-01-25
+
+### Добавлено
+
+#### UI: SVG иконки брендов
+- Эмоджи заменены на SVG иконки брендов (стиль Simple Icons)
+- Docker, Maven, npm, Cargo, PyPI теперь отображаются как векторная графика
+- Единый стиль иконок на дашборде, сайдбаре и страницах деталей
+
+#### Тестовая инфраструктура
+- Unit-тесты для LocalStorage (8 тестов): put/get, list, stat, health_check
+- Unit-тесты для S3Storage с HTTP-мокированием wiremock (11 тестов)
+- Интеграционные тесты auth/htpasswd (7 тестов)
+- Тесты жизненного цикла токенов (11 тестов)
+- Тесты валидации (21 тест)
+- **Всего: 75 тестов проходят**
+
+#### Безопасность: Валидация ввода (`validation.rs`)
+- Защита от path traversal: отклоняет `../`, `..\\`, null-байты, абсолютные пути
+- Валидация имён Docker-образов по спецификации OCI distribution
+- Валидация дайджестов (`sha256:[64 hex]`, `sha512:[128 hex]`)
+- Валидация тегов и ссылок Docker
+- Ограничение длины ключей хранилища (макс. 1024 символа)
+
+#### Безопасность: Rate Limiting (`rate_limit.rs`)
+- Auth endpoints: 1 req/sec, burst 5 (защита от брутфорса)
+- Upload endpoints: 10 req/sec, burst 20
+- Общие endpoints: 100 req/sec, burst 200
+- Использует `tower_governor` 0.8 с `PeerIpKeyExtractor`
+
+#### Наблюдаемость: Отслеживание Request ID (`request_id.rs`)
+- Заголовок `X-Request-ID` добавляется ко всем ответам
+- Принимает upstream request ID или генерирует UUID v4
+- Tracing spans включают request_id для корреляции логов
+
+#### CLI: Команда миграции (`migrate.rs`)
+- `nora migrate --from local --to s3` - миграция между storage backends
+- Флаг `--dry-run` для предпросмотра без копирования
+- Прогресс-бар с indicatif
+- Пропуск существующих файлов в destination
+- Итоговая статистика (migrated, skipped, failed, bytes)
+
+#### Обработка ошибок (`error.rs`)
+- Enum `AppError` с `IntoResponse` для Axum
+- Автоматическая конверсия из `StorageError` и `ValidationError`
+- JSON-ответы об ошибках с поддержкой request_id
+
+### Изменено
+- `StorageError` теперь использует макрос `thiserror`
+- `TokenError` теперь использует макрос `thiserror`
+- Storage wrapper валидирует ключи перед делегированием backend
+- Docker registry handlers валидируют name, digest, reference
+- Лимит размера body установлен в 100MB через `DefaultBodyLimit`
+
+### Добавлены зависимости
+- `thiserror = "2"` - типизированная обработка ошибок
+- `tower_governor = "0.8"` - rate limiting
+- `governor = "0.10"` - backend для rate limiting
+- `tempfile = "3"` (dev) - временные директории для тестов
+- `wiremock = "0.6"` (dev) - HTTP-мокирование для S3 тестов
+
+### Добавлены файлы
+- `src/validation.rs` - модуль валидации ввода
+- `src/migrate.rs` - модуль миграции хранилища
+- `src/error.rs` - типы ошибок приложения
+- `src/request_id.rs` - middleware для request ID
+- `src/rate_limit.rs` - конфигурация rate limiting
+
+---
+
+## [0.1.0] - 2026-01-24
+
+### Добавлено
+- Мульти-протокольная поддержка: Docker Registry v2, Maven, npm, Cargo, PyPI
+- Web UI дашборд
+- Swagger UI (`/api-docs`)
+- Storage backends: локальная файловая система, S3-совместимое хранилище
+- Умный прокси/кэш для Maven и npm
+- Health checks (`/health`, `/ready`)
+- Базовая аутентификация (htpasswd с bcrypt)
+- API токены (отзываемые, per-user)
+- Prometheus метрики (`/metrics`)
+- JSON структурированное логирование
+- Конфигурация через переменные окружения
+- Graceful shutdown (SIGTERM/SIGINT)
+- Команды backup/restore
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -190,13 +190,13 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"

 [[package]]
 name = "bcrypt"
-version = "0.18.0"
+version = "0.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a0f5948f30df5f43ac29d310b7476793be97c50787e6ef4a63d960a0d0be827"
+checksum = "523ab528ce3a7ada6597f8ccf5bd8d85ebe26d5edf311cad4d1d3cfb2d357ac6"
 dependencies = [
 "base64",
 "blowfish",
- "getrandom 0.3.4",
+ "getrandom 0.4.1",
 "subtle",
 "zeroize",
 ]
@@ -473,7 +473,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
 "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]

 [[package]]
@@ -1247,7 +1247,7 @@ checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"

 [[package]]
 name = "nora-cli"
-version = "0.2.26"
+version = "0.2.28"
 dependencies = [
 "clap",
 "flate2",
@@ -1261,7 +1261,7 @@ dependencies = [

 [[package]]
 name = "nora-registry"
-version = "0.2.26"
+version = "0.2.28"
 dependencies = [
 "async-trait",
 "axum",
@@ -1299,7 +1299,7 @@ dependencies = [

 [[package]]
 name = "nora-storage"
-version = "0.2.26"
+version = "0.2.28"
 dependencies = [
 "axum",
 "base64",
@@ -1572,7 +1572,7 @@ dependencies = [
 "once_cell",
 "socket2",
 "tracing",
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]

 [[package]]
@@ -1779,7 +1779,7 @@ dependencies = [
 "errno",
 "libc",
 "linux-raw-sys",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]

 [[package]]
@@ -2068,7 +2068,7 @@ dependencies = [
 "getrandom 0.4.1",
 "once_cell",
 "rustix",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]

 [[package]]
@@ -2147,9 +2147,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"

 [[package]]
 name = "tokio"
-version = "1.49.0"
+version = "1.50.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
+checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
 dependencies = [
 "bytes",
 "libc",
@@ -2209,9 +2209,9 @@ dependencies = [

 [[package]]
 name = "toml"
-version = "1.0.3+spec-1.1.0"
+version = "1.0.6+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7614eaf19ad818347db24addfa201729cf2a9b6fdfd9eb0ab870fcacc606c0c"
+checksum = "399b1124a3c9e16766831c6bba21e50192572cdd98706ea114f9502509686ffc"
 dependencies = [
 "indexmap",
 "serde_core",
@@ -2533,9 +2533,9 @@ dependencies = [

 [[package]]
 name = "uuid"
-version = "1.21.0"
+version = "1.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb"
+checksum = "a68d3c8f01c0cfa54a75291d83601161799e4a89a39e0929f4b0354d88757a37"
 dependencies = [
 "getrandom 0.4.1",
 "js-sys",
@@ -2741,7 +2741,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]

 [[package]]
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,7 +7,7 @@ members = [
 ]

 [workspace.package]
-version = "0.2.26"
+version = "0.2.28"
 edition = "2021"
 license = "MIT"
 authors = ["DevITWay <devitway@gmail.com>"]
--- a/nora-registry/Cargo.toml
+++ b/nora-registry/Cargo.toml
@@ -28,7 +28,7 @@ hmac.workspace = true
 hex.workspace = true
 toml = "1.0"
 uuid = { version = "1", features = ["v4"] }
-bcrypt = "0.18"
+bcrypt = "0.19"
 base64 = "0.22"
 prometheus = "0.14"
 lazy_static = "1.5"
--- a/nora-registry/src/audit.rs
+++ b/nora-registry/src/audit.rs
@@ -45,11 +45,7 @@ pub struct AuditLog {
 impl AuditLog {
    pub fn new(storage_path: &str) -> Self {
        let path = PathBuf::from(storage_path).join("audit.jsonl");
-        let writer = match OpenOptions::new()
-            .create(true)
-            .append(true)
-            .open(&path)
-        {
+        let writer = match OpenOptions::new().create(true).append(true).open(&path) {
            Ok(f) => {
                info!(path = %path.display(), "Audit log initialized");
                Mutex::new(Some(f))
--- a/nora-registry/src/auth.rs
+++ b/nora-registry/src/auth.rs
@@ -13,8 +13,8 @@ use std::collections::HashMap;
 use std::path::Path;
 use std::sync::Arc;

-use crate::AppState;
 use crate::tokens::Role;
+use crate::AppState;

 /// Htpasswd-based authentication
 #[derive(Clone)]
@@ -247,12 +247,18 @@ async fn create_token(
    };

    let role = match req.role.as_str() {
-            "read" => Role::Read,
-            "write" => Role::Write,
-            "admin" => Role::Admin,
-            _ => return (StatusCode::BAD_REQUEST, "Invalid role. Use: read, write, admin").into_response(),
-        };
-        match token_store.create_token(&req.username, req.ttl_days, req.description, role) {
+        "read" => Role::Read,
+        "write" => Role::Write,
+        "admin" => Role::Admin,
+        _ => {
+            return (
+                StatusCode::BAD_REQUEST,
+                "Invalid role. Use: read, write, admin",
+            )
+                .into_response()
+        }
+    };
+    match token_store.create_token(&req.username, req.ttl_days, req.description, role) {
        Ok(token) => Json(CreateTokenResponse {
            token,
            expires_in_days: req.ttl_days,
--- a/nora-registry/src/config.rs
+++ b/nora-registry/src/config.rs
@@ -36,6 +36,13 @@ pub struct ServerConfig {
    /// Public URL for generating pull commands (e.g., "registry.example.com")
    #[serde(default)]
    pub public_url: Option<String>,
+    /// Maximum request body size in MB (default: 2048 = 2GB)
+    #[serde(default = "default_body_limit_mb")]
+    pub body_limit_mb: usize,
+}
+
+fn default_body_limit_mb() -> usize {
+    2048 // 2GB - enough for any Docker image
 }

 #[derive(Debug, Clone, Default, Serialize, Deserialize, PartialEq)]
@@ -330,6 +337,11 @@ impl Config {
        if let Ok(val) = env::var("NORA_PUBLIC_URL") {
            self.server.public_url = if val.is_empty() { None } else { Some(val) };
        }
+        if let Ok(val) = env::var("NORA_BODY_LIMIT_MB") {
+            if let Ok(mb) = val.parse() {
+                self.server.body_limit_mb = mb;
+            }
+        }

        // Storage config
        if let Ok(val) = env::var("NORA_STORAGE_MODE") {
@@ -483,6 +495,7 @@ impl Default for Config {
                host: String::from("127.0.0.1"),
                port: 4000,
                public_url: None,
+                body_limit_mb: 2048,
            },
            storage: StorageConfig {
                mode: StorageMode::Local,
--- a/nora-registry/src/gc.rs
+++ b/nora-registry/src/gc.rs
@@ -29,7 +29,10 @@ pub async fn run_gc(storage: &Storage, dry_run: bool) -> GcResult {

    // 2. Collect all referenced digests from manifests
    let referenced = collect_referenced_digests(storage).await;
-    info!("Found {} referenced digests from manifests", referenced.len());
+    info!(
+        "Found {} referenced digests from manifests",
+        referenced.len()
+    );

    // 3. Find orphans
    let mut orphan_keys: Vec<String> = Vec::new();
--- a/nora-registry/src/main.rs
+++ b/nora-registry/src/main.rs
@@ -8,11 +8,11 @@ mod backup;
 mod config;
 mod dashboard_metrics;
 mod error;
+mod gc;
 mod health;
 mod metrics;
 mod migrate;
 mod openapi;
-mod gc;
 mod rate_limit;
 mod registry;
 mod repo_index;
@@ -347,7 +347,9 @@ async fn run_server(config: Config, storage: Storage) {
    let app = Router::new()
        .merge(public_routes)
        .merge(app_routes)
-        .layer(DefaultBodyLimit::max(100 * 1024 * 1024)) // 100MB default body limit
+        .layer(DefaultBodyLimit::max(
+            state.config.server.body_limit_mb * 1024 * 1024,
+        ))
        .layer(middleware::from_fn(request_id::request_id_middleware))
        .layer(middleware::from_fn(metrics::metrics_middleware))
        .layer(middleware::from_fn_with_state(
@@ -366,6 +368,7 @@ async fn run_server(config: Config, storage: Storage) {
        version = env!("CARGO_PKG_VERSION"),
        storage = state.storage.backend_name(),
        auth_enabled = state.auth.is_some(),
+        body_limit_mb = state.config.server.body_limit_mb,
        "Nora started"
    );

--- a/nora-registry/src/registry/cargo_registry.rs
+++ b/nora-registry/src/registry/cargo_registry.rs
@@ -51,7 +51,9 @@ async fn download(
                "cargo",
                "LOCAL",
            ));
-            state.audit.log(AuditEntry::new("pull", "api", "", "cargo", ""));
+            state
+                .audit
+                .log(AuditEntry::new("pull", "api", "", "cargo", ""));
            (StatusCode::OK, data).into_response()
        }
        Err(_) => StatusCode::NOT_FOUND.into_response(),
--- a/nora-registry/src/registry/docker.rs
+++ b/nora-registry/src/registry/docker.rs
@@ -12,7 +12,7 @@ use axum::{
    extract::{Path, State},
    http::{header, HeaderName, StatusCode},
    response::{IntoResponse, Response},
-    routing::{get, head, patch, put},
+    routing::{delete, get, head, patch, put},
    Json, Router,
 };
 use parking_lot::RwLock;
@@ -65,6 +65,8 @@ pub fn routes() -> Router<Arc<AppState>> {
        )
        .route("/v2/{name}/manifests/{reference}", get(get_manifest))
        .route("/v2/{name}/manifests/{reference}", put(put_manifest))
+        .route("/v2/{name}/manifests/{reference}", delete(delete_manifest))
+        .route("/v2/{name}/blobs/{digest}", delete(delete_blob))
        .route("/v2/{name}/tags/list", get(list_tags))
        // Two-segment name routes (e.g., /v2/library/alpine/...)
        .route("/v2/{ns}/{name}/blobs/{digest}", head(check_blob_ns))
@@ -85,6 +87,11 @@ pub fn routes() -> Router<Arc<AppState>> {
            "/v2/{ns}/{name}/manifests/{reference}",
            put(put_manifest_ns),
        )
+        .route(
+            "/v2/{ns}/{name}/manifests/{reference}",
+            delete(delete_manifest_ns),
+        )
+        .route("/v2/{ns}/{name}/blobs/{digest}", delete(delete_blob_ns))
        .route("/v2/{ns}/{name}/tags/list", get(list_tags_ns))
 }

@@ -312,7 +319,10 @@ async fn upload_blob(
                StatusCode::CREATED,
                [
                    (header::LOCATION, location),
-                    (HeaderName::from_static("docker-content-digest"), digest.to_string()),
+                    (
+                        HeaderName::from_static("docker-content-digest"),
+                        digest.to_string(),
+                    ),
                ],
            )
                .into_response()
@@ -489,7 +499,13 @@ async fn put_manifest(
        "docker",
        "LOCAL",
    ));
-    state.audit.log(AuditEntry::new("push", "api", &format!("{}:{}", name, reference), "docker", "manifest"));
+    state.audit.log(AuditEntry::new(
+        "push",
+        "api",
+        &format!("{}:{}", name, reference),
+        "docker",
+        "manifest",
+    ));
    state.repo_index.invalidate("docker");

    let location = format!("/v2/{}/manifests/{}", name, reference);
@@ -521,6 +537,109 @@ async fn list_tags(State(state): State<Arc<AppState>>, Path(name): Path<String>)
    (StatusCode::OK, Json(json!({"name": name, "tags": tags}))).into_response()
 }

+// ============================================================================
+// Delete handlers (Docker Registry V2 spec)
+// ============================================================================
+
+async fn delete_manifest(
+    State(state): State<Arc<AppState>>,
+    Path((name, reference)): Path<(String, String)>,
+) -> Response {
+    if let Err(e) = validate_docker_name(&name) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+    if let Err(e) = validate_docker_reference(&reference) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+
+    let key = format!("docker/{}/manifests/{}.json", name, reference);
+
+    // If reference is a tag, also delete digest-keyed copy
+    let is_tag = !reference.starts_with("sha256:");
+    if is_tag {
+        if let Ok(data) = state.storage.get(&key).await {
+            use sha2::Digest;
+            let digest = format!("sha256:{:x}", sha2::Sha256::digest(&data));
+            let digest_key = format!("docker/{}/manifests/{}.json", name, digest);
+            let _ = state.storage.delete(&digest_key).await;
+            let digest_meta = format!("docker/{}/manifests/{}.meta.json", name, digest);
+            let _ = state.storage.delete(&digest_meta).await;
+        }
+    }
+
+    // Delete manifest
+    match state.storage.delete(&key).await {
+        Ok(()) => {
+            // Delete associated metadata
+            let meta_key = format!("docker/{}/manifests/{}.meta.json", name, reference);
+            let _ = state.storage.delete(&meta_key).await;
+
+            state.audit.log(AuditEntry::new(
+                "delete",
+                "api",
+                &format!("{}:{}", name, reference),
+                "docker",
+                "manifest",
+            ));
+            state.repo_index.invalidate("docker");
+            tracing::info!(name = %name, reference = %reference, "Docker manifest deleted");
+            StatusCode::ACCEPTED.into_response()
+        }
+        Err(crate::storage::StorageError::NotFound) => (
+            StatusCode::NOT_FOUND,
+            Json(json!({
+                "errors": [{
+                    "code": "MANIFEST_UNKNOWN",
+                    "message": "manifest unknown",
+                    "detail": { "name": name, "reference": reference }
+                }]
+            })),
+        )
+            .into_response(),
+        Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+}
+
+async fn delete_blob(
+    State(state): State<Arc<AppState>>,
+    Path((name, digest)): Path<(String, String)>,
+) -> Response {
+    if let Err(e) = validate_docker_name(&name) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+    if let Err(e) = validate_digest(&digest) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+
+    let key = format!("docker/{}/blobs/{}", name, digest);
+    match state.storage.delete(&key).await {
+        Ok(()) => {
+            state.audit.log(AuditEntry::new(
+                "delete",
+                "api",
+                &format!("{}@{}", name, &digest[..19.min(digest.len())]),
+                "docker",
+                "blob",
+            ));
+            state.repo_index.invalidate("docker");
+            tracing::info!(name = %name, digest = %digest, "Docker blob deleted");
+            StatusCode::ACCEPTED.into_response()
+        }
+        Err(crate::storage::StorageError::NotFound) => (
+            StatusCode::NOT_FOUND,
+            Json(json!({
+                "errors": [{
+                    "code": "BLOB_UNKNOWN",
+                    "message": "blob unknown to registry",
+                    "detail": { "digest": digest }
+                }]
+            })),
+        )
+            .into_response(),
+        Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+}
+
 // ============================================================================
 // Namespace handlers (for two-segment names like library/alpine)
 // These combine ns/name into a single name and delegate to the main handlers
@@ -590,6 +709,22 @@ async fn list_tags_ns(
    list_tags(state, Path(full_name)).await
 }

+async fn delete_manifest_ns(
+    state: State<Arc<AppState>>,
+    Path((ns, name, reference)): Path<(String, String, String)>,
+) -> Response {
+    let full_name = format!("{}/{}", ns, name);
+    delete_manifest(state, Path((full_name, reference))).await
+}
+
+async fn delete_blob_ns(
+    state: State<Arc<AppState>>,
+    Path((ns, name, digest)): Path<(String, String, String)>,
+) -> Response {
+    let full_name = format!("{}/{}", ns, name);
+    delete_blob(state, Path((full_name, digest))).await
+}
+
 /// Fetch a blob from an upstream Docker registry
 async fn fetch_blob_from_upstream(
    client: &reqwest::Client,
--- a/nora-registry/src/registry/maven.rs
+++ b/nora-registry/src/registry/maven.rs
@@ -43,7 +43,9 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
            "maven",
            "CACHE",
        ));
-        state.audit.log(AuditEntry::new("cache_hit", "api", "", "maven", ""));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "maven", ""));
        return with_content_type(&path, data).into_response();
    }

@@ -60,7 +62,9 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
                    "maven",
                    "PROXY",
                ));
-                state.audit.log(AuditEntry::new("proxy_fetch", "api", "", "maven", ""));
+                state
+                    .audit
+                    .log(AuditEntry::new("proxy_fetch", "api", "", "maven", ""));

                let storage = state.storage.clone();
                let key_clone = key.clone();
@@ -106,7 +110,9 @@ async fn upload(
                "maven",
                "LOCAL",
            ));
-            state.audit.log(AuditEntry::new("push", "api", "", "maven", ""));
+            state
+                .audit
+                .log(AuditEntry::new("push", "api", "", "maven", ""));
            state.repo_index.invalidate("maven");
            StatusCode::CREATED
        }
--- a/nora-registry/src/registry/npm.rs
+++ b/nora-registry/src/registry/npm.rs
@@ -49,7 +49,9 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
                "npm",
                "CACHE",
            ));
-            state.audit.log(AuditEntry::new("cache_hit", "api", "", "npm", ""));
+            state
+                .audit
+                .log(AuditEntry::new("cache_hit", "api", "", "npm", ""));
        }
        return with_content_type(is_tarball, data).into_response();
    }
@@ -69,7 +71,9 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
                    "npm",
                    "PROXY",
                ));
-                state.audit.log(AuditEntry::new("proxy_fetch", "api", "", "npm", ""));
+                state
+                    .audit
+                    .log(AuditEntry::new("proxy_fetch", "api", "", "npm", ""));
            }

            let storage = state.storage.clone();
--- a/nora-registry/src/registry/pypi.rs
+++ b/nora-registry/src/registry/pypi.rs
@@ -116,7 +116,9 @@ async fn download_file(
            "pypi",
            "CACHE",
        ));
-        state.audit.log(AuditEntry::new("cache_hit", "api", "", "pypi", ""));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "pypi", ""));

        let content_type = if filename.ends_with(".whl") {
            "application/zip"
@@ -158,7 +160,9 @@ async fn download_file(
                        "pypi",
                        "PROXY",
                    ));
-                    state.audit.log(AuditEntry::new("proxy_fetch", "api", "", "pypi", ""));
+                    state
+                        .audit
+                        .log(AuditEntry::new("proxy_fetch", "api", "", "pypi", ""));

                    // Cache in local storage
                    let storage = state.storage.clone();
--- a/nora-registry/src/registry/raw.rs
+++ b/nora-registry/src/registry/raw.rs
@@ -36,7 +36,9 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
            state
                .activity
                .push(ActivityEntry::new(ActionType::Pull, path, "raw", "LOCAL"));
-                state.audit.log(AuditEntry::new("pull", "api", "", "raw", ""));
+            state
+                .audit
+                .log(AuditEntry::new("pull", "api", "", "raw", ""));

            // Guess content type from extension
            let content_type = guess_content_type(&key);
@@ -74,7 +76,9 @@ async fn upload(
            state
                .activity
                .push(ActivityEntry::new(ActionType::Push, path, "raw", "LOCAL"));
-                state.audit.log(AuditEntry::new("push", "api", "", "raw", ""));
+            state
+                .audit
+                .log(AuditEntry::new("push", "api", "", "raw", ""));
            StatusCode::CREATED.into_response()
        }
        Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
--- a/nora-registry/src/tokens.rs
+++ b/nora-registry/src/tokens.rs
@@ -40,7 +40,6 @@ impl Role {
    }
 }

-
 /// API Token metadata stored on disk
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TokenInfo {
@@ -260,7 +259,9 @@ mod tests {
        let temp_dir = TempDir::new().unwrap();
        let store = TokenStore::new(temp_dir.path());

-        let token = store.create_token("testuser", 30, None, Role::Write).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
        let (user, role) = store.verify_token(&token).unwrap();

        assert_eq!(user, "testuser");
@@ -291,7 +292,9 @@ mod tests {
        let store = TokenStore::new(temp_dir.path());

        // Create token and manually set it as expired
-        let token = store.create_token("testuser", 1, None, Role::Write).unwrap();
+        let token = store
+            .create_token("testuser", 1, None, Role::Write)
+            .unwrap();
        let token_hash = hash_token(&token);
        let file_path = temp_dir.path().join(format!("{}.json", &token_hash[..16]));

@@ -330,7 +333,9 @@ mod tests {
        let temp_dir = TempDir::new().unwrap();
        let store = TokenStore::new(temp_dir.path());

-        let token = store.create_token("testuser", 30, None, Role::Write).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
        let token_hash = hash_token(&token);
        let hash_prefix = &token_hash[..16];

@@ -375,7 +380,9 @@ mod tests {
        let temp_dir = TempDir::new().unwrap();
        let store = TokenStore::new(temp_dir.path());

-        let token = store.create_token("testuser", 30, None, Role::Write).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();

        // First verification
        store.verify_token(&token).unwrap();
@@ -391,7 +398,12 @@ mod tests {
        let store = TokenStore::new(temp_dir.path());

        store
-            .create_token("testuser", 30, Some("CI/CD Pipeline".to_string()), Role::Admin)
+            .create_token(
+                "testuser",
+                30,
+                Some("CI/CD Pipeline".to_string()),
+                Role::Admin,
+            )
            .unwrap();

        let tokens = store.list_tokens("testuser");
Author	SHA1	Message	Date
devitway	68089b2bbf	chore: bump version to 0.2.28	2026-03-12 19:23:32 +00:00
devitway	af411a2bf4	Merge pull request #28 from getnora-io/dependabot/cargo/toml-1.0.6spec-1.1.0 chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0	2026-03-12 22:14:13 +03:00
devitway	96ccd16879	Merge pull request #27 from getnora-io/dependabot/cargo/uuid-1.22.0 chore(deps): bump uuid from 1.21.0 to 1.22.0	2026-03-12 22:14:09 +03:00
devitway	6582000789	Merge pull request #26 from getnora-io/dependabot/cargo/tokio-1.50.0 chore(deps): bump tokio from 1.49.0 to 1.50.0	2026-03-12 22:14:06 +03:00
devitway	070774ac94	Merge pull request #25 from getnora-io/dependabot/cargo/bcrypt-0.19.0 chore(deps): bump bcrypt from 0.18.0 to 0.19.0	2026-03-12 22:14:01 +03:00
devitway	058fc41f1c	Merge pull request #24 from getnora-io/dependabot/github_actions/docker/metadata-action-6 chore(deps): bump docker/metadata-action from 5 to 6	2026-03-12 22:13:55 +03:00
devitway	7f5a3c7c8a	Merge pull request #23 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.35.0 chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0	2026-03-12 22:13:49 +03:00
devitway	5b57cc5913	Merge pull request #22 from getnora-io/dependabot/github_actions/docker/login-action-4 chore(deps): bump docker/login-action from 3 to 4	2026-03-12 22:13:45 +03:00
devitway	aa844d851d	Merge pull request #21 from getnora-io/dependabot/github_actions/docker/build-push-action-7 chore(deps): bump docker/build-push-action from 6 to 7	2026-03-12 22:13:41 +03:00
devitway	8569de23d5	Merge pull request #20 from getnora-io/dependabot/github_actions/docker/setup-buildx-action-4 chore(deps): bump docker/setup-buildx-action from 3 to 4	2026-03-12 22:13:38 +03:00
dependabot[bot]	9349b93757	chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0 Bumps [toml](https://github.com/toml-rs/toml) from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0. - [Commits](https://github.com/toml-rs/toml/compare/toml-v1.0.3...toml-v1.0.6) --- updated-dependencies: - dependency-name: toml dependency-version: 1.0.6+spec-1.1.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-10 04:26:09 +00:00
dependabot[bot]	69080dfd90	chore(deps): bump uuid from 1.21.0 to 1.22.0 Bumps [uuid](https://github.com/uuid-rs/uuid) from 1.21.0 to 1.22.0. - [Release notes](https://github.com/uuid-rs/uuid/releases) - [Commits](https://github.com/uuid-rs/uuid/compare/v1.21.0...v1.22.0) --- updated-dependencies: - dependency-name: uuid dependency-version: 1.22.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-10 04:25:59 +00:00
dependabot[bot]	ae799aed94	chore(deps): bump tokio from 1.49.0 to 1.50.0 Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.49.0 to 1.50.0. - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.49.0...tokio-1.50.0) --- updated-dependencies: - dependency-name: tokio dependency-version: 1.50.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-10 04:25:50 +00:00
dependabot[bot]	95c6e403a8	chore(deps): bump bcrypt from 0.18.0 to 0.19.0 Bumps [bcrypt](https://github.com/Keats/rust-bcrypt) from 0.18.0 to 0.19.0. - [Commits](https://github.com/Keats/rust-bcrypt/compare/v0.18.0...v0.19.0) --- updated-dependencies: - dependency-name: bcrypt dependency-version: 0.19.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-10 04:25:38 +00:00
dependabot[bot]	2c886040d7	chore(deps): bump docker/metadata-action from 5 to 6 Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6. - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](https://github.com/docker/metadata-action/compare/v5...v6) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-10 04:25:36 +00:00
dependabot[bot]	9ab6ccc594	chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0 Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.34.2 to 0.35.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/0.34.2...0.35.0) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-10 04:25:33 +00:00
dependabot[bot]	679b36b986	chore(deps): bump docker/login-action from 3 to 4 Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-10 04:25:27 +00:00
dependabot[bot]	da8c473e02	chore(deps): bump docker/build-push-action from 6 to 7 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v6...v7) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-10 04:25:23 +00:00
dependabot[bot]	3dc8b81261	chore(deps): bump docker/setup-buildx-action from 3 to 4 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-10 04:25:20 +00:00
devitway	7502c583d0	docs: add changelog for v0.2.27	2026-03-03 23:17:25 +00:00
devitway	a9455c35b9	chore: bump version to 0.2.27	2026-03-03 22:30:24 +00:00
devitway	8278297b4a	feat: configurable body limit + Docker delete API - Add body_limit_mb to ServerConfig (default 2048MB, env NORA_BODY_LIMIT_MB) - Replace hardcoded 100MB DefaultBodyLimit with config value - Add DELETE /v2/{name}/manifests/{reference} endpoint (Docker Registry V2 spec) - Add DELETE /v2/{name}/blobs/{digest} endpoint - Add namespace-qualified variants for both DELETE endpoints - Return 202 Accepted on success, 404 with MANIFEST_UNKNOWN/BLOB_UNKNOWN errors - Audit log integration for delete operations Fixes: 413 Payload Too Large on Docker push >100MB	2026-03-03 22:25:41 +00:00
devitway	8da4c4278a	style: cargo fmt DevITWay	2026-03-03 11:03:40 +00:00
devitway	99c1f9b5ec	docs: add changelog for v0.2.25 and v0.2.26 DevITWay	2026-03-03 11:01:12 +00:00