feat: npm full proxy — URL rewriting, scoped packages, publish, integrity cache (v0.2.31)

npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)

npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata

Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)

Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)

.github/workflows/ci.yml

@@ -51,16 +51,14 @@ jobs:
         run: |
           curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
             | tar xz -C /usr/local/bin gitleaks
-          gitleaks detect --source . --exit-code 1 --report-format sarif --report-path gitleaks.sarif || true
-        continue-on-error: true  # findings are reported, do not block the pipeline
+          gitleaks detect --source . --exit-code 1 --report-format sarif --report-path gitleaks.sarif
 
       # ── CVE in Rust dependencies ────────────────────────────────────────────
       - name: Install cargo-audit
         run: cargo install cargo-audit --locked
 
       - name: cargo audit — RustSec advisory database
-        run: cargo audit
-        continue-on-error: true  # warn only; known CVEs should not block CI until triaged
+        run: cargo audit --ignore RUSTSEC-2025-0119  # known: number_prefix via indicatif
 
       # ── Licenses, banned crates, supply chain policy ────────────────────────
       - name: cargo deny — licenses and banned crates
@@ -72,14 +70,14 @@ jobs:
       # ── CVE scan of source tree and Cargo.lock ──────────────────────────────
       - name: Trivy — filesystem scan (Cargo.lock + source)
         if: always()
-        uses: aquasecurity/trivy-action@0.34.2
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           scan-type: fs
           scan-ref: .
           format: sarif
           output: trivy-fs.sarif
           severity: HIGH,CRITICAL
-          exit-code: 0  # warn only; change to 1 to block the pipeline
+          exit-code: 1  # block pipeline on HIGH/CRITICAL vulnerabilities
 
       - name: Upload Trivy fs results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v4
@@ -87,3 +85,93 @@ jobs:
         with:
           sarif_file: trivy-fs.sarif
           category: trivy-fs
+
+  integration:
+    name: Integration
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Build NORA
+        run: cargo build --release --package nora-registry
+
+      # -- Start NORA --
+      - name: Start NORA
+        run: |
+          NORA_STORAGE_PATH=/tmp/nora-data ./target/release/nora &
+          for i in $(seq 1 15); do
+            curl -sf http://localhost:4000/health && break || sleep 2
+          done
+          curl -sf http://localhost:4000/health | jq .
+
+      # -- Docker push/pull --
+      - name: Configure Docker for insecure registry
+        run: |
+          echo '{"insecure-registries": ["localhost:4000"]}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+          sleep 2
+
+      - name: Docker — push and pull image
+        run: |
+          docker pull alpine:3.20
+          docker tag alpine:3.20 localhost:4000/test/alpine:integration
+          docker push localhost:4000/test/alpine:integration
+          docker rmi localhost:4000/test/alpine:integration
+          docker pull localhost:4000/test/alpine:integration
+          echo "Docker push/pull OK"
+
+      - name: Docker — verify catalog and tags
+        run: |
+          curl -sf http://localhost:4000/v2/_catalog | jq .
+          curl -sf http://localhost:4000/v2/test/alpine/tags/list | jq .
+
+      # -- npm (read-only proxy, no publish support yet) --
+      - name: npm — verify registry endpoint
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/npm/lodash)
+          echo "npm endpoint returned: $STATUS"
+          [ "$STATUS" != "000" ] && echo "npm endpoint OK" || (echo "npm endpoint unreachable" && exit 1)
+
+      # -- Maven deploy/download --
+      - name: Maven — deploy and download artifact
+        run: |
+          echo "test-artifact-content-$(date +%s)" > /tmp/test-artifact.jar
+          CHECKSUM=$(sha256sum /tmp/test-artifact.jar | cut -d' ' -f1)
+          curl -sf -X PUT --data-binary @/tmp/test-artifact.jar             http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          curl -sf -o /tmp/downloaded.jar             http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          DOWNLOAD_CHECKSUM=$(sha256sum /tmp/downloaded.jar | cut -d' ' -f1)
+          [ "$CHECKSUM" = "$DOWNLOAD_CHECKSUM" ] && echo "Maven deploy/download OK" || (echo "Checksum mismatch!" && exit 1)
+
+      # -- PyPI (read-only proxy, no upload support yet) --
+      - name: PyPI — verify simple index
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/simple/)
+          echo "PyPI simple index returned: $STATUS"
+          [ "$STATUS" = "200" ] && echo "PyPI endpoint OK" || (echo "Expected 200, got $STATUS" && exit 1)
+
+      # -- Cargo (read-only proxy, no publish support yet) --
+      - name: Cargo — verify registry API responds
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/cargo/api/v1/crates/serde)
+          echo "Cargo API returned: $STATUS"
+          [ "$STATUS" != "000" ] && echo "Cargo endpoint OK" || (echo "Cargo endpoint unreachable" && exit 1)
+
+      # -- API checks --
+      - name: API — health, ready, metrics
+        run: |
+          curl -sf http://localhost:4000/health | jq .status
+          curl -sf http://localhost:4000/ready
+          curl -sf http://localhost:4000/metrics | head -5
+          echo "API checks OK"
+
+      - name: Stop NORA
+        if: always()
+        run: pkill nora || true

.github/workflows/release.yml

@@ -39,12 +39,12 @@ jobs:
           retention-days: 1
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
         with:
           driver-opts: network=host
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -53,7 +53,7 @@ jobs:
       # ── Alpine ───────────────────────────────────────────────────────────────
       - name: Extract metadata (alpine)
         id: meta-alpine
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -64,7 +64,7 @@ jobs:
             type=raw,value=latest
 
       - name: Build and push (alpine)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: Dockerfile
@@ -72,13 +72,13 @@ jobs:
           push: true
           tags: ${{ steps.meta-alpine.outputs.tags }}
           labels: ${{ steps.meta-alpine.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine,ignore-error=true
           cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine,mode=max
 
       # ── RED OS ───────────────────────────────────────────────────────────────
       - name: Extract metadata (redos)
         id: meta-redos
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -90,7 +90,7 @@ jobs:
             type=raw,value=redos
 
       - name: Build and push (redos)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: Dockerfile.redos
@@ -98,13 +98,13 @@ jobs:
           push: true
           tags: ${{ steps.meta-redos.outputs.tags }}
           labels: ${{ steps.meta-redos.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos,ignore-error=true
           cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos,mode=max
 
       # ── Astra Linux SE ───────────────────────────────────────────────────────
       - name: Extract metadata (astra)
         id: meta-astra
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -116,7 +116,7 @@ jobs:
             type=raw,value=astra
 
       - name: Build and push (astra)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: Dockerfile.astra
@@ -124,9 +124,21 @@ jobs:
           push: true
           tags: ${{ steps.meta-astra.outputs.tags }}
           labels: ${{ steps.meta-astra.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,ignore-error=true
           cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,mode=max
 
+      # ── Smoke test ──────────────────────────────────────────────────────────
+      - name: Smoke test — verify alpine image starts and responds
+        run: |
+          docker rm -f nora-smoke 2>/dev/null || true
+          docker run --rm -d --name nora-smoke -p 5555:4000 -e NORA_HOST=0.0.0.0 \
+            ${{ env.NORA }}/${{ env.IMAGE_NAME }}:latest
+          for i in $(seq 1 10); do
+            curl -sf http://localhost:5555/health && break || sleep 2
+          done
+          curl -sf http://localhost:5555/health
+          docker stop nora-smoke
+
   scan:
     name: Scan (${{ matrix.name }})
     runs-on: [self-hosted, nora]
@@ -153,7 +165,7 @@ jobs:
         run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
 
       - name: Trivy — image scan (${{ matrix.name }})
-        uses: aquasecurity/trivy-action@0.34.2
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           scan-type: image
           image-ref: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}

.gitignore

@@ -6,6 +6,9 @@ data/
 *.log
 internal config
 
+# Backup files
+*.bak
+
 # Internal files
 SESSION*.md
 TODO.md

.gitleaks.toml

@@ -0,0 +1,8 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+[allowlist]
+  description = "Allowlist for false positives"
+
+  # Documentation examples with placeholder credentials
+  commits = ["92155cf6574d89f93ee68503a7b68455ceaa19af"]

CHANGELOG.md

@@ -4,6 +4,174 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
+## [0.2.29] - 2026-03-15
+
+### Added / Добавлено
+- **Upstream Authentication**: All registry proxies now support Basic Auth credentials for private upstream registries
+- **Аутентификация upstream**: Все прокси реестров теперь поддерживают Basic Auth для приватных upstream-реестров
+  - Docker: `NORA_DOCKER_UPSTREAMS="https://registry.corp.com|user:pass"`
+  - Maven: `NORA_MAVEN_PROXIES="https://nexus.corp.com/maven2|user:pass"`
+  - npm: `NORA_NPM_PROXY_AUTH="user:pass"`
+  - PyPI: `NORA_PYPI_PROXY_AUTH="user:pass"`
+- **Plaintext credential warning**: NORA logs a warning at startup if credentials are stored in config.toml instead of env vars
+- **Предупреждение о plaintext credentials**: NORA логирует предупреждение при старте, если credentials хранятся в config.toml вместо переменных окружения
+
+### Changed / Изменено
+- Extracted `basic_auth_header()` helper for consistent auth across all protocols
+- Вынесен хелпер `basic_auth_header()` для единообразной авторизации всех протоколов
+
+### Removed / Удалено
+- Removed unused `DockerAuth::fetch_with_auth()` method (dead code cleanup)
+- Удалён неиспользуемый метод `DockerAuth::fetch_with_auth()` (очистка мёртвого кода)
+
+---
+
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
+## [0.2.28] - 2026-03-13
+
+### Fixed / Исправлено
+- **docker-compose.yml**: Fixed image reference from `getnora/nora:latest` to `ghcr.io/getnora-io/nora:latest`
+- **docker-compose.yml**: Исправлена ссылка на образ с `getnora/nora:latest` на `ghcr.io/getnora-io/nora:latest`
+
+### Documentation / Документация
+- **Authentication Guide**: Added complete auth setup guide in README — htpasswd, API tokens, RBAC roles, curl examples
+- **Руководство по аутентификации**: Добавлено полное руководство по настройке auth в README — htpasswd, API-токены, RBAC-роли, примеры curl
+- **FSTEC builds**: Documented `Dockerfile.astra` and `Dockerfile.redos` purpose in README
+- **Сборки ФСТЭК**: Документировано назначение `Dockerfile.astra` и `Dockerfile.redos` в README
+- **TLS / HTTPS**: Added reverse proxy setup guide (Caddy, Nginx) and `insecure-registries` Docker config for internal deployments
+- **TLS / HTTPS**: Добавлено руководство по настройке reverse proxy (Caddy, Nginx) и конфигурация `insecure-registries` Docker для внутренних инсталляций
+
+### Removed / Удалено
+- Removed stale `CHANGELOG.md.bak` from repository
+- Удалён устаревший `CHANGELOG.md.bak` из репозитория
+
+---
+
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
+## [0.2.27] - 2026-03-03
+
+### Added / Добавлено
+- **Configurable body limit**: `NORA_BODY_LIMIT_MB` env var (default: `2048` = 2GB) — replaces hardcoded 100MB limit that caused `413 Payload Too Large` on large Docker image push
+- **Настраиваемый лимит тела запроса**: переменная `NORA_BODY_LIMIT_MB` (по умолчанию: `2048` = 2GB) — заменяет захардкоженный лимит 100MB, вызывавший `413 Payload Too Large` при push больших Docker-образов
+- **Docker Delete API**: `DELETE /v2/{name}/manifests/{reference}` and `DELETE /v2/{name}/blobs/{digest}` per Docker Registry V2 spec (returns 202 Accepted)
+- **Docker Delete API**: `DELETE /v2/{name}/manifests/{reference}` и `DELETE /v2/{name}/blobs/{digest}` по спецификации Docker Registry V2 (возвращает 202 Accepted)
+- Namespace-qualified DELETE variants (`/v2/{ns}/{name}/...`)
+- Audit log integration for delete operations
+
+### Fixed / Исправлено
+- Docker push of images >100MB no longer fails with 413 error
+- Push Docker-образов >100MB больше не падает с ошибкой 413
+
+---
+
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
+## [0.2.26] - 2026-03-03
+
+### Added / Добавлено
+- **Helm OCI support**: `helm push` / `helm pull` now works out of the box via OCI protocol
+- **Поддержка Helm OCI**: `helm push` / `helm pull` теперь работают из коробки через OCI протокол
+- **RBAC**: Token-based role system with three roles — `read`, `write`, `admin` (default: `read`)
+- **RBAC**: Ролевая система на основе токенов — `read`, `write`, `admin` (по умолчанию: `read`)
+- **Audit log**: Persistent append-only JSONL audit trail for all registry operations (`{storage}/audit.jsonl`)
+- **Аудит**: Персистентный append-only JSONL лог всех операций реестра (`{storage}/audit.jsonl`)
+- **GC command**: `nora gc --dry-run` — garbage collection for orphaned blobs (mark-and-sweep)
+- **Команда GC**: `nora gc --dry-run` — сборка мусора для осиротевших блобов (mark-and-sweep)
+
+### Fixed / Исправлено
+- **Helm OCI pull**: Fixed OCI manifest media type detection — manifests with non-Docker `config.mediaType` now correctly return `application/vnd.oci.image.manifest.v1+json`
+- **Helm OCI pull**: Исправлено определение media type OCI манифестов — манифесты с не-Docker `config.mediaType` теперь корректно возвращают `application/vnd.oci.image.manifest.v1+json`
+- **Docker-Content-Digest**: Added missing header in blob upload response (required by Helm OCI client)
+- **Docker-Content-Digest**: Добавлен отсутствующий заголовок в ответе на загрузку blob (требуется клиентом Helm OCI)
+
+### Security / Безопасность
+- Read-only tokens (`role: read`) are now blocked from PUT/POST/DELETE/PATCH operations with HTTP 403
+- Токены только для чтения (`role: read`) теперь блокируются при PUT/POST/DELETE/PATCH с HTTP 403
+
+---
+
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
+## [0.2.25] - 2026-03-03
+
+### Fixed / Исправлено
+- **Rate limiter fix**: Added `NORA_RATE_LIMIT_ENABLED` env var (default: `true`) to disable rate limiting on internal deployments
+- **Исправление rate limiter**: Добавлена переменная `NORA_RATE_LIMIT_ENABLED` (по умолчанию: `true`) для отключения rate limiting на внутренних инсталляциях
+- **SmartIpKeyExtractor**: Upload and general routes now use `SmartIpKeyExtractor` (reads `X-Forwarded-For`) instead of `PeerIpKeyExtractor` — fixes 429 errors behind reverse proxy / Docker bridge
+- **SmartIpKeyExtractor**: Маршруты upload и general теперь используют `SmartIpKeyExtractor` (читает `X-Forwarded-For`) вместо `PeerIpKeyExtractor` — устраняет ошибки 429 за reverse proxy / Docker bridge
+
+### Dependencies / Зависимости
+- `clap` 4.5.56 → 4.5.60
+- `uuid` 1.20.0 → 1.21.0
+- `tempfile` 3.24.0 → 3.26.0
+- `bcrypt` 0.17.1 → 0.18.0
+- `indicatif` 0.17.11 → 0.18.4
+
+### CI/CD
+- `actions/checkout` 4 → 6
+- `actions/upload-artifact` 4 → 7
+- `softprops/action-gh-release` 1 → 2
+- `aquasecurity/trivy-action` 0.30.0 → 0.34.2
+- `docker/build-push-action` 5 → 6
+- Move scan/release to self-hosted runner with NORA cache
+- Сканирование/релиз перенесены на self-hosted runner с кэшем через NORA
+
+---
+
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.24] - 2026-02-24
 
 ### Added / Добавлено
@@ -16,6 +184,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.23] - 2026-02-24
 
 ### Added / Добавлено
@@ -51,6 +229,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.22] - 2026-02-24
 
 ### Changed / Изменено
@@ -59,6 +247,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.21] - 2026-02-24
 
 ### CI/CD
@@ -73,6 +271,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.20] - 2026-02-23
 
 ### Added / Добавлено
@@ -88,6 +296,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.19] - 2026-01-31
 
 ### Added / Добавлено
@@ -102,6 +320,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.18] - 2026-01-31
 
 ### Changed
@@ -109,6 +337,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.17] - 2026-01-31
 
 ### Added
@@ -117,6 +355,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.16] - 2026-01-31
 
 ### Changed
@@ -125,6 +373,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.15] - 2026-01-31
 
 ### Fixed
@@ -132,6 +390,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.14] - 2026-01-31
 
 ### Fixed
@@ -140,6 +408,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.13] - 2026-01-31
 
 ### Fixed
@@ -149,6 +427,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.12] - 2026-01-30
 
 ### Added
@@ -173,6 +461,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.11] - 2026-01-26
 
 ### Added
@@ -182,6 +480,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.10] - 2026-01-26
 
 ### Changed
@@ -189,6 +497,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.9] - 2026-01-26
 
 ### Changed
@@ -196,6 +514,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.8] - 2026-01-26
 
 ### Added
@@ -203,6 +531,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.7] - 2026-01-26
 
 ### Added
@@ -210,6 +548,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.6] - 2026-01-26
 
 ### Added
@@ -224,6 +572,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.5] - 2026-01-26
 
 ### Fixed
@@ -231,6 +589,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.4] - 2026-01-26
 
 ### Fixed
@@ -239,6 +607,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.0] - 2026-01-25
 
 ### Added
@@ -309,6 +687,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.1.0] - 2026-01-24
 
 ### Added
@@ -328,12 +716,32 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 # Журнал изменений (RU)
 
 Все значимые изменения NORA документируются в этом файле.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.12] - 2026-01-30
 
 ### Добавлено
@@ -358,6 +766,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.11] - 2026-01-26
 
 ### Добавлено
@@ -367,6 +785,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.10] - 2026-01-26
 
 ### Изменено
@@ -374,6 +802,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.9] - 2026-01-26
 
 ### Изменено
@@ -381,6 +819,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.8] - 2026-01-26
 
 ### Добавлено
@@ -388,6 +836,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.7] - 2026-01-26
 
 ### Добавлено
@@ -395,6 +853,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.6] - 2026-01-26
 
 ### Добавлено
@@ -409,6 +877,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.5] - 2026-01-26
 
 ### Исправлено
@@ -416,6 +894,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.4] - 2026-01-26
 
 ### Исправлено
@@ -424,6 +912,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.0] - 2026-01-25
 
 ### Добавлено
@@ -494,6 +992,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.1.0] - 2026-01-24
 
 ### Добавлено

Cargo.lock

@@ -190,13 +190,13 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 
 [[package]]
 name = "bcrypt"
-version = "0.18.0"
+version = "0.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a0f5948f30df5f43ac29d310b7476793be97c50787e6ef4a63d960a0d0be827"
+checksum = "523ab528ce3a7ada6597f8ccf5bd8d85ebe26d5edf311cad4d1d3cfb2d357ac6"
 dependencies = [
  "base64",
  "blowfish",
- "getrandom 0.3.4",
+ "getrandom 0.4.1",
  "subtle",
  "zeroize",
 ]
@@ -473,7 +473,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -1247,7 +1247,7 @@ checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"
 
 [[package]]
 name = "nora-cli"
-version = "0.2.26"
+version = "0.2.31"
 dependencies = [
  "clap",
  "flate2",
@@ -1261,7 +1261,7 @@ dependencies = [
 
 [[package]]
 name = "nora-registry"
-version = "0.2.26"
+version = "0.2.31"
 dependencies = [
  "async-trait",
  "axum",
@@ -1299,7 +1299,7 @@ dependencies = [
 
 [[package]]
 name = "nora-storage"
-version = "0.2.26"
+version = "0.2.31"
 dependencies = [
  "axum",
  "base64",
@@ -1542,9 +1542,9 @@ dependencies = [
 
 [[package]]
 name = "quinn-proto"
-version = "0.11.13"
+version = "0.11.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
 dependencies = [
  "bytes",
  "getrandom 0.3.4",
@@ -1779,7 +1779,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.61.2",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -2068,7 +2068,7 @@ dependencies = [
  "getrandom 0.4.1",
  "once_cell",
  "rustix",
- "windows-sys 0.61.2",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -2147,9 +2147,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.49.0"
+version = "1.50.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
+checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
 dependencies = [
  "bytes",
  "libc",
@@ -2209,9 +2209,9 @@ dependencies = [
 
 [[package]]
 name = "toml"
-version = "1.0.3+spec-1.1.0"
+version = "1.0.6+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7614eaf19ad818347db24addfa201729cf2a9b6fdfd9eb0ab870fcacc606c0c"
+checksum = "399b1124a3c9e16766831c6bba21e50192572cdd98706ea114f9502509686ffc"
 dependencies = [
  "indexmap",
  "serde_core",
@@ -2533,9 +2533,9 @@ dependencies = [
 
 [[package]]
 name = "uuid"
-version = "1.21.0"
+version = "1.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb"
+checksum = "a68d3c8f01c0cfa54a75291d83601161799e4a89a39e0929f4b0354d88757a37"
 dependencies = [
  "getrandom 0.4.1",
  "js-sys",
@@ -2741,7 +2741,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]

Cargo.toml

@@ -7,7 +7,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.2.26"
+version = "0.2.31"
 edition = "2021"
 license = "MIT"
 authors = ["DevITWay <devitway@gmail.com>"]

README.md

@@ -1,17 +1,17 @@
-<img src="logo.jpg" alt="NORA" height="120" />
-
-
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
 [![Release](https://img.shields.io/github/v/release/getnora-io/nora)](https://github.com/getnora-io/nora/releases)
 [![CI](https://img.shields.io/github/actions/workflow/status/getnora-io/nora/ci.yml?label=CI)](https://github.com/getnora-io/nora/actions)
+[![GHCR](https://img.shields.io/badge/ghcr.io-nora-blue?logo=github)](https://github.com/getnora-io/nora/pkgs/container/nora)
+[![GitHub Stars](https://img.shields.io/github/stars/getnora-io/nora?style=flat&logo=github)](https://github.com/getnora-io/nora/stargazers)
 [![Rust](https://img.shields.io/badge/rust-%23000000.svg?logo=rust&logoColor=white)](https://www.rust-lang.org/)
-[![Telegram](https://img.shields.io/badge/Telegram-DevITWay-blue?logo=telegram)](https://t.me/DevITWay)
+[![Docs](https://img.shields.io/badge/docs-getnora.dev-green?logo=gitbook)](https://getnora.dev)
+[![Telegram](https://img.shields.io/badge/Telegram-Community-blue?logo=telegram)](https://t.me/getnora)
 
-> **Your Cloud-Native Artifact Registry**
+> **Multi-protocol artifact registry that doesn't suck.**
+>
+> One binary. All protocols. Stupidly fast.
 
-Fast. Organized. Feel at Home.
-
-**10x faster** than Nexus | **< 100 MB RAM** | **32 MB Docker image**
+**32 MB** binary | **< 100 MB** RAM | **3s** startup | **5** protocols
 
 ## Features
 
@@ -36,8 +36,10 @@ Fast. Organized. Feel at Home.
 
 - **Security**
   - Basic Auth (htpasswd + bcrypt)
-  - Revocable API tokens
+  - Revocable API tokens with RBAC
   - ENV-based configuration (12-Factor)
+  - SBOM (SPDX + CycloneDX) in every release
+  - See [SECURITY.md](SECURITY.md) for vulnerability reporting
 
 ## Quick Start
 
@@ -86,6 +88,39 @@ npm config set registry http://localhost:4000/npm/
 npm publish
 ```
 
+## Authentication
+
+NORA supports Basic Auth (htpasswd) and revocable API tokens with RBAC.
+
+### Quick Setup
+
+```bash
+# 1. Create htpasswd file with bcrypt
+htpasswd -cbB users.htpasswd admin yourpassword
+# Add more users:
+htpasswd -bB users.htpasswd ci-user ci-secret
+
+# 2. Start NORA with auth enabled
+docker run -d -p 4000:4000 \
+  -v nora-data:/data \
+  -v ./users.htpasswd:/data/users.htpasswd \
+  -e NORA_AUTH_ENABLED=true \
+  ghcr.io/getnora-io/nora:latest
+
+# 3. Verify
+curl -u admin:yourpassword http://localhost:4000/v2/_catalog
+```
+
+### API Tokens (RBAC)
+
+| Role | Pull/Read | Push/Write | Delete/Admin |
+|------|-----------|------------|--------------|
+| `read` | Yes | No | No |
+| `write` | Yes | Yes | No |
+| `admin` | Yes | Yes | Yes |
+
+See [Authentication guide](https://getnora.dev/configuration/authentication/) for token management, Docker login, and CI/CD integration.
+
 ## CLI Commands
 
 ```bash
@@ -105,18 +140,10 @@ nora migrate --from local --to s3
 | `NORA_HOST` | 127.0.0.1 | Bind address |
 | `NORA_PORT` | 4000 | Port |
 | `NORA_STORAGE_MODE` | local | `local` or `s3` |
-| `NORA_STORAGE_PATH` | data/storage | Local storage path |
-| `NORA_STORAGE_S3_URL` | - | S3 endpoint URL |
-| `NORA_STORAGE_BUCKET` | registry | S3 bucket name |
 | `NORA_AUTH_ENABLED` | false | Enable authentication |
-| `NORA_RATE_LIMIT_AUTH_RPS` | 1 | Auth requests per second |
-| `NORA_RATE_LIMIT_AUTH_BURST` | 5 | Auth burst size |
-| `NORA_RATE_LIMIT_UPLOAD_RPS` | 200 | Upload requests per second |
-| `NORA_RATE_LIMIT_UPLOAD_BURST` | 500 | Upload burst size |
-| `NORA_RATE_LIMIT_GENERAL_RPS` | 100 | General requests per second |
-| `NORA_RATE_LIMIT_GENERAL_BURST` | 200 | General burst size |
-| `NORA_SECRETS_PROVIDER` | env | Secrets provider (`env`) |
-| `NORA_SECRETS_CLEAR_ENV` | false | Clear env vars after reading |
+| `NORA_DOCKER_UPSTREAMS` | `https://registry-1.docker.io` | Docker upstreams (`url\|user:pass,...`) |
+
+See [full configuration reference](https://getnora.dev/configuration/settings/) for all environment variables including storage, rate limiting, proxy auth, and secrets.
 
 ### config.toml
 
@@ -133,24 +160,15 @@ path = "data/storage"
 enabled = false
 htpasswd_file = "users.htpasswd"
 
-[rate_limit]
-# Strict limits for authentication (brute-force protection)
-auth_rps = 1
-auth_burst = 5
-# High limits for CI/CD upload workloads
-upload_rps = 200
-upload_burst = 500
-# Balanced limits for general API endpoints
-general_rps = 100
-general_burst = 200
+[docker]
+proxy_timeout = 60
 
-[secrets]
-# Provider: env (default), aws-secrets, vault, k8s (coming soon)
-provider = "env"
-# Clear environment variables after reading (security hardening)
-clear_env = false
+[[docker.upstreams]]
+url = "https://registry-1.docker.io"
 ```
 
+See [full config reference](https://getnora.dev/configuration/settings/) for rate limiting, secrets, proxy auth, and all options.
+
 ## Endpoints
 
 | URL | Description |
@@ -166,6 +184,31 @@ clear_env = false
 | `/cargo/` | Cargo |
 | `/simple/` | PyPI |
 
+## TLS / HTTPS
+
+NORA serves plain HTTP. Use a reverse proxy for TLS:
+
+```
+registry.example.com {
+    reverse_proxy localhost:4000
+}
+```
+
+For internal networks without TLS, configure Docker:
+
+```json
+// /etc/docker/daemon.json
+{
+  "insecure-registries": ["192.168.1.100:4000"]
+}
+```
+
+See [TLS / HTTPS guide](https://getnora.dev/configuration/tls/) for Nginx, Traefik, and custom CA setup.
+
+## FSTEC-Certified OS Builds
+
+Dedicated builds for Astra Linux SE and RED OS are published as `-astra` and `-redos` tagged images in every [GitHub Release](https://github.com/getnora-io/nora/releases). Both use `scratch` base with statically-linked binary.
+
 ## Performance
 
 | Metric | NORA | Nexus | JFrog |
@@ -174,11 +217,21 @@ clear_env = false
 | Memory | < 100 MB | 2-4 GB | 2-4 GB |
 | Image Size | 32 MB | 600+ MB | 1+ GB |
 
+## Roadmap
+
+- **OIDC / Workload Identity** — zero-secret auth for GitHub Actions, GitLab CI
+- **Online Garbage Collection** — non-blocking cleanup without registry downtime
+- **Retention Policies** — declarative rules: keep last N tags, delete older than X days
+- **Image Signing** — cosign/notation verification and policy enforcement
+- **Replication** — push/pull sync between NORA instances
+
+See [CHANGELOG.md](CHANGELOG.md) for release history.
+
 ## Author
 
 **Created and maintained by [DevITWay](https://github.com/devitway)**
 
-- Website: [devopsway.ru](https://devopsway.ru)
+- Website: [getnora.dev](https://getnora.dev)
 - Telegram: [@DevITWay](https://t.me/DevITWay)
 - GitHub: [@devitway](https://github.com/devitway)
 - Email: devitway@gmail.com

deny.toml

@@ -5,7 +5,7 @@
 # Vulnerability database (RustSec)
 db-urls = ["https://github.com/rustsec/advisory-db"]
 ignore = [
-    "RUSTSEC-2025-0119",  # number_prefix unmaintained, transitive via indicatif; no fix available
+    "RUSTSEC-2025-0119",  # number_prefix unmaintained via indicatif; no fix available. Review by 2026-06-15
 ]
 
 [licenses]

docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   nora:
     build: .
-    image: getnora/nora:latest
+    image: ghcr.io/getnora-io/nora:latest
     ports:
       - "4000:4000"
     volumes:

nora-registry/Cargo.toml

@@ -28,7 +28,7 @@ hmac.workspace = true
 hex.workspace = true
 toml = "1.0"
 uuid = { version = "1", features = ["v4"] }
-bcrypt = "0.18"
+bcrypt = "0.19"
 base64 = "0.22"
 prometheus = "0.14"
 lazy_static = "1.5"

nora-registry/src/audit.rs

@@ -45,11 +45,7 @@ pub struct AuditLog {
 impl AuditLog {
     pub fn new(storage_path: &str) -> Self {
         let path = PathBuf::from(storage_path).join("audit.jsonl");
-        let writer = match OpenOptions::new()
-            .create(true)
-            .append(true)
-            .open(&path)
-        {
+        let writer = match OpenOptions::new().create(true).append(true).open(&path) {
             Ok(f) => {
                 info!(path = %path.display(), "Audit log initialized");
                 Mutex::new(Some(f))

nora-registry/src/auth.rs

@@ -13,8 +13,8 @@ use std::collections::HashMap;
 use std::path::Path;
 use std::sync::Arc;
 
-use crate::AppState;
 use crate::tokens::Role;
+use crate::AppState;
 
 /// Htpasswd-based authentication
 #[derive(Clone)]
@@ -247,12 +247,18 @@ async fn create_token(
     };
 
     let role = match req.role.as_str() {
-            "read" => Role::Read,
-            "write" => Role::Write,
-            "admin" => Role::Admin,
-            _ => return (StatusCode::BAD_REQUEST, "Invalid role. Use: read, write, admin").into_response(),
-        };
-        match token_store.create_token(&req.username, req.ttl_days, req.description, role) {
+        "read" => Role::Read,
+        "write" => Role::Write,
+        "admin" => Role::Admin,
+        _ => {
+            return (
+                StatusCode::BAD_REQUEST,
+                "Invalid role. Use: read, write, admin",
+            )
+                .into_response()
+        }
+    };
+    match token_store.create_token(&req.username, req.ttl_days, req.description, role) {
         Ok(token) => Json(CreateTokenResponse {
             token,
             expires_in_days: req.ttl_days,

nora-registry/src/config.rs

@@ -1,12 +1,18 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT
 
+use base64::{engine::general_purpose::STANDARD, Engine};
 use serde::{Deserialize, Serialize};
 use std::env;
 use std::fs;
 
 pub use crate::secrets::SecretsConfig;
 
+/// Encode "user:pass" into a Basic Auth header value, e.g. "Basic dXNlcjpwYXNz".
+pub fn basic_auth_header(credentials: &str) -> String {
+    format!("Basic {}", STANDARD.encode(credentials))
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Config {
     pub server: ServerConfig,
@@ -36,6 +42,13 @@ pub struct ServerConfig {
     /// Public URL for generating pull commands (e.g., "registry.example.com")
     #[serde(default)]
     pub public_url: Option<String>,
+    /// Maximum request body size in MB (default: 2048 = 2GB)
+    #[serde(default = "default_body_limit_mb")]
+    pub body_limit_mb: usize,
+}
+
+fn default_body_limit_mb() -> usize {
+    2048 // 2GB - enough for any Docker image
 }
 
 #[derive(Debug, Clone, Default, Serialize, Deserialize, PartialEq)]
@@ -86,7 +99,7 @@ fn default_bucket() -> String {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct MavenConfig {
     #[serde(default)]
-    pub proxies: Vec<String>,
+    pub proxies: Vec<MavenProxyEntry>,
     #[serde(default = "default_timeout")]
     pub proxy_timeout: u64,
 }
@@ -95,14 +108,21 @@ pub struct MavenConfig {
 pub struct NpmConfig {
     #[serde(default)]
     pub proxy: Option<String>,
+    #[serde(default)]
+    pub proxy_auth: Option<String>, // "user:pass" for basic auth
     #[serde(default = "default_timeout")]
     pub proxy_timeout: u64,
+    /// Metadata cache TTL in seconds (default: 300 = 5 min). Set to 0 to cache forever.
+    #[serde(default = "default_metadata_ttl")]
+    pub metadata_ttl: u64,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct PypiConfig {
     #[serde(default)]
     pub proxy: Option<String>,
+    #[serde(default)]
+    pub proxy_auth: Option<String>, // "user:pass" for basic auth
     #[serde(default = "default_timeout")]
     pub proxy_timeout: u64,
 }
@@ -124,6 +144,37 @@ pub struct DockerUpstream {
     pub auth: Option<String>, // "user:pass" for basic auth
 }
 
+/// Maven upstream proxy configuration
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum MavenProxyEntry {
+    Simple(String),
+    Full(MavenProxy),
+}
+
+/// Maven upstream proxy with optional auth
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct MavenProxy {
+    pub url: String,
+    #[serde(default)]
+    pub auth: Option<String>, // "user:pass" for basic auth
+}
+
+impl MavenProxyEntry {
+    pub fn url(&self) -> &str {
+        match self {
+            MavenProxyEntry::Simple(s) => s,
+            MavenProxyEntry::Full(p) => &p.url,
+        }
+    }
+    pub fn auth(&self) -> Option<&str> {
+        match self {
+            MavenProxyEntry::Simple(_) => None,
+            MavenProxyEntry::Full(p) => p.auth.as_deref(),
+        }
+    }
+}
+
 /// Raw repository configuration for simple file storage
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct RawConfig {
@@ -167,10 +218,16 @@ fn default_timeout() -> u64 {
     30
 }
 
+fn default_metadata_ttl() -> u64 {
+    300 // 5 minutes
+}
+
 impl Default for MavenConfig {
     fn default() -> Self {
         Self {
-            proxies: vec!["https://repo1.maven.org/maven2".to_string()],
+            proxies: vec![MavenProxyEntry::Simple(
+                "https://repo1.maven.org/maven2".to_string(),
+            )],
             proxy_timeout: 30,
         }
     }
@@ -180,7 +237,9 @@ impl Default for NpmConfig {
     fn default() -> Self {
         Self {
             proxy: Some("https://registry.npmjs.org".to_string()),
+            proxy_auth: None,
             proxy_timeout: 30,
+            metadata_ttl: 300,
         }
     }
 }
@@ -189,6 +248,7 @@ impl Default for PypiConfig {
     fn default() -> Self {
         Self {
             proxy: Some("https://pypi.org/simple/".to_string()),
+            proxy_auth: None,
             proxy_timeout: 30,
         }
     }
@@ -302,6 +362,37 @@ impl Default for RateLimitConfig {
 }
 
 impl Config {
+    /// Warn if credentials are configured via config.toml (not env vars)
+    pub fn warn_plaintext_credentials(&self) {
+        // Docker upstreams
+        for (i, upstream) in self.docker.upstreams.iter().enumerate() {
+            if upstream.auth.is_some() && std::env::var("NORA_DOCKER_UPSTREAMS").is_err() {
+                tracing::warn!(
+                    upstream_index = i,
+                    url = %upstream.url,
+                    "Docker upstream credentials in config.toml are plaintext — consider NORA_DOCKER_UPSTREAMS env var"
+                );
+            }
+        }
+        // Maven proxies
+        for proxy in &self.maven.proxies {
+            if proxy.auth().is_some() && std::env::var("NORA_MAVEN_PROXIES").is_err() {
+                tracing::warn!(
+                    url = %proxy.url(),
+                    "Maven proxy credentials in config.toml are plaintext — consider NORA_MAVEN_PROXIES env var"
+                );
+            }
+        }
+        // npm
+        if self.npm.proxy_auth.is_some() && std::env::var("NORA_NPM_PROXY_AUTH").is_err() {
+            tracing::warn!("npm proxy credentials in config.toml are plaintext — consider NORA_NPM_PROXY_AUTH env var");
+        }
+        // PyPI
+        if self.pypi.proxy_auth.is_some() && std::env::var("NORA_PYPI_PROXY_AUTH").is_err() {
+            tracing::warn!("PyPI proxy credentials in config.toml are plaintext — consider NORA_PYPI_PROXY_AUTH env var");
+        }
+    }
+
     /// Load configuration with priority: ENV > config.toml > defaults
     pub fn load() -> Self {
         // 1. Start with defaults
@@ -330,6 +421,11 @@ impl Config {
         if let Ok(val) = env::var("NORA_PUBLIC_URL") {
             self.server.public_url = if val.is_empty() { None } else { Some(val) };
         }
+        if let Ok(val) = env::var("NORA_BODY_LIMIT_MB") {
+            if let Ok(mb) = val.parse() {
+                self.server.body_limit_mb = mb;
+            }
+        }
 
         // Storage config
         if let Ok(val) = env::var("NORA_STORAGE_MODE") {
@@ -365,9 +461,23 @@ impl Config {
             self.auth.htpasswd_file = val;
         }
 
-        // Maven config
+        // Maven config — supports "url1,url2" or "url1|auth1,url2|auth2"
         if let Ok(val) = env::var("NORA_MAVEN_PROXIES") {
-            self.maven.proxies = val.split(',').map(|s| s.trim().to_string()).collect();
+            self.maven.proxies = val
+                .split(',')
+                .filter(|s| !s.is_empty())
+                .map(|s| {
+                    let parts: Vec<&str> = s.trim().splitn(2, '|').collect();
+                    if parts.len() > 1 {
+                        MavenProxyEntry::Full(MavenProxy {
+                            url: parts[0].to_string(),
+                            auth: Some(parts[1].to_string()),
+                        })
+                    } else {
+                        MavenProxyEntry::Simple(parts[0].to_string())
+                    }
+                })
+                .collect();
         }
         if let Ok(val) = env::var("NORA_MAVEN_PROXY_TIMEOUT") {
             if let Ok(timeout) = val.parse() {
@@ -384,6 +494,16 @@ impl Config {
                 self.npm.proxy_timeout = timeout;
             }
         }
+        if let Ok(val) = env::var("NORA_NPM_METADATA_TTL") {
+            if let Ok(ttl) = val.parse() {
+                self.npm.metadata_ttl = ttl;
+            }
+        }
+
+        // npm proxy auth
+        if let Ok(val) = env::var("NORA_NPM_PROXY_AUTH") {
+            self.npm.proxy_auth = if val.is_empty() { None } else { Some(val) };
+        }
 
         // PyPI config
         if let Ok(val) = env::var("NORA_PYPI_PROXY") {
@@ -395,6 +515,11 @@ impl Config {
             }
         }
 
+        // PyPI proxy auth
+        if let Ok(val) = env::var("NORA_PYPI_PROXY_AUTH") {
+            self.pypi.proxy_auth = if val.is_empty() { None } else { Some(val) };
+        }
+
         // Docker config
         if let Ok(val) = env::var("NORA_DOCKER_PROXY_TIMEOUT") {
             if let Ok(timeout) = val.parse() {
@@ -483,6 +608,7 @@ impl Default for Config {
                 host: String::from("127.0.0.1"),
                 port: 4000,
                 public_url: None,
+                body_limit_mb: 2048,
             },
             storage: StorageConfig {
                 mode: StorageMode::Local,

nora-registry/src/dashboard_metrics.rs

@@ -1,8 +1,29 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT
 
+use serde::{Deserialize, Serialize};
+use std::path::{Path, PathBuf};
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::Instant;
+use tracing::{info, warn};
+
+/// Serializable snapshot of metrics for persistence
+#[derive(Serialize, Deserialize, Default)]
+struct MetricsSnapshot {
+    downloads: u64,
+    uploads: u64,
+    cache_hits: u64,
+    cache_misses: u64,
+    docker_downloads: u64,
+    docker_uploads: u64,
+    npm_downloads: u64,
+    maven_downloads: u64,
+    maven_uploads: u64,
+    cargo_downloads: u64,
+    pypi_downloads: u64,
+    raw_downloads: u64,
+    raw_uploads: u64,
+}
 
 /// Dashboard metrics for tracking registry activity
 /// Uses atomic counters for thread-safe access without locks
@@ -25,6 +46,9 @@ pub struct DashboardMetrics {
     pub raw_uploads: AtomicU64,
 
     pub start_time: Instant,
+
+    /// Path to metrics.json for persistence
+    persist_path: Option<PathBuf>,
 }
 
 impl DashboardMetrics {
@@ -44,6 +68,75 @@ impl DashboardMetrics {
             raw_downloads: AtomicU64::new(0),
             raw_uploads: AtomicU64::new(0),
             start_time: Instant::now(),
+            persist_path: None,
+        }
+    }
+
+    /// Create metrics with persistence — loads existing data from metrics.json
+    pub fn with_persistence(storage_path: &str) -> Self {
+        let path = Path::new(storage_path).join("metrics.json");
+        let mut metrics = Self::new();
+        metrics.persist_path = Some(path.clone());
+
+        // Load existing metrics if file exists
+        if path.exists() {
+            match std::fs::read_to_string(&path) {
+                Ok(data) => match serde_json::from_str::<MetricsSnapshot>(&data) {
+                    Ok(snap) => {
+                        metrics.downloads = AtomicU64::new(snap.downloads);
+                        metrics.uploads = AtomicU64::new(snap.uploads);
+                        metrics.cache_hits = AtomicU64::new(snap.cache_hits);
+                        metrics.cache_misses = AtomicU64::new(snap.cache_misses);
+                        metrics.docker_downloads = AtomicU64::new(snap.docker_downloads);
+                        metrics.docker_uploads = AtomicU64::new(snap.docker_uploads);
+                        metrics.npm_downloads = AtomicU64::new(snap.npm_downloads);
+                        metrics.maven_downloads = AtomicU64::new(snap.maven_downloads);
+                        metrics.maven_uploads = AtomicU64::new(snap.maven_uploads);
+                        metrics.cargo_downloads = AtomicU64::new(snap.cargo_downloads);
+                        metrics.pypi_downloads = AtomicU64::new(snap.pypi_downloads);
+                        metrics.raw_downloads = AtomicU64::new(snap.raw_downloads);
+                        metrics.raw_uploads = AtomicU64::new(snap.raw_uploads);
+                        info!(
+                            downloads = snap.downloads,
+                            uploads = snap.uploads,
+                            "Loaded persisted metrics"
+                        );
+                    }
+                    Err(e) => warn!("Failed to parse metrics.json: {}", e),
+                },
+                Err(e) => warn!("Failed to read metrics.json: {}", e),
+            }
+        }
+
+        metrics
+    }
+
+    /// Save current metrics to disk
+    pub fn save(&self) {
+        let Some(path) = &self.persist_path else {
+            return;
+        };
+        let snap = MetricsSnapshot {
+            downloads: self.downloads.load(Ordering::Relaxed),
+            uploads: self.uploads.load(Ordering::Relaxed),
+            cache_hits: self.cache_hits.load(Ordering::Relaxed),
+            cache_misses: self.cache_misses.load(Ordering::Relaxed),
+            docker_downloads: self.docker_downloads.load(Ordering::Relaxed),
+            docker_uploads: self.docker_uploads.load(Ordering::Relaxed),
+            npm_downloads: self.npm_downloads.load(Ordering::Relaxed),
+            maven_downloads: self.maven_downloads.load(Ordering::Relaxed),
+            maven_uploads: self.maven_uploads.load(Ordering::Relaxed),
+            cargo_downloads: self.cargo_downloads.load(Ordering::Relaxed),
+            pypi_downloads: self.pypi_downloads.load(Ordering::Relaxed),
+            raw_downloads: self.raw_downloads.load(Ordering::Relaxed),
+            raw_uploads: self.raw_uploads.load(Ordering::Relaxed),
+        };
+        // Atomic write: write to tmp then rename
+        let tmp = path.with_extension("json.tmp");
+        if let Ok(data) = serde_json::to_string_pretty(&snap) {
+            if std::fs::write(&tmp, &data).is_ok() {
+                let _ = std::fs::rename(&tmp, path);
+            }
         }
     }
 

nora-registry/src/error.rs

@@ -1,7 +1,6 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT
 
-#![allow(dead_code)]
 //! Application error handling with HTTP response conversion
 //!
 //! Provides a unified error type that can be converted to HTTP responses
@@ -18,6 +17,7 @@ use thiserror::Error;
 use crate::storage::StorageError;
 use crate::validation::ValidationError;
 
+#[allow(dead_code)] // Wiring into handlers planned for v0.3
 /// Application-level errors with HTTP response conversion
 #[derive(Debug, Error)]
 pub enum AppError {
@@ -40,6 +40,7 @@ pub enum AppError {
     Validation(#[from] ValidationError),
 }
 
+#[allow(dead_code)]
 /// JSON error response body
 #[derive(Serialize)]
 struct ErrorResponse {
@@ -74,6 +75,7 @@ impl IntoResponse for AppError {
     }
 }
 
+#[allow(dead_code)]
 impl AppError {
     /// Create a not found error
     pub fn not_found(msg: impl Into<String>) -> Self {

nora-registry/src/gc.rs

@@ -29,7 +29,10 @@ pub async fn run_gc(storage: &Storage, dry_run: bool) -> GcResult {
 
     // 2. Collect all referenced digests from manifests
     let referenced = collect_referenced_digests(storage).await;
-    info!("Found {} referenced digests from manifests", referenced.len());
+    info!(
+        "Found {} referenced digests from manifests",
+        referenced.len()
+    );
 
     // 3. Find orphans
     let mut orphan_keys: Vec<String> = Vec::new();

nora-registry/src/main.rs

@@ -8,11 +8,11 @@ mod backup;
 mod config;
 mod dashboard_metrics;
 mod error;
+mod gc;
 mod health;
 mod metrics;
 mod migrate;
 mod openapi;
-mod gc;
 mod rate_limit;
 mod registry;
 mod repo_index;
@@ -289,6 +289,9 @@ async fn run_server(config: Config, storage: Storage) {
     let storage_path = config.storage.path.clone();
     let rate_limit_enabled = config.rate_limit.enabled;
 
+    // Warn about plaintext credentials in config.toml
+    config.warn_plaintext_credentials();
+
     // Initialize Docker auth with proxy timeout
     let docker_auth = registry::DockerAuth::new(config.docker.proxy_timeout);
 
@@ -336,7 +339,7 @@ async fn run_server(config: Config, storage: Storage) {
         start_time,
         auth,
         tokens,
-        metrics: DashboardMetrics::new(),
+        metrics: DashboardMetrics::with_persistence(&storage_path),
         activity: ActivityLog::new(50),
         audit: AuditLog::new(&storage_path),
         docker_auth,
@@ -347,7 +350,9 @@ async fn run_server(config: Config, storage: Storage) {
     let app = Router::new()
         .merge(public_routes)
         .merge(app_routes)
-        .layer(DefaultBodyLimit::max(100 * 1024 * 1024)) // 100MB default body limit
+        .layer(DefaultBodyLimit::max(
+            state.config.server.body_limit_mb * 1024 * 1024,
+        ))
         .layer(middleware::from_fn(request_id::request_id_middleware))
         .layer(middleware::from_fn(metrics::metrics_middleware))
         .layer(middleware::from_fn_with_state(
@@ -366,6 +371,7 @@ async fn run_server(config: Config, storage: Storage) {
         version = env!("CARGO_PKG_VERSION"),
         storage = state.storage.backend_name(),
         auth_enabled = state.auth.is_some(),
+        body_limit_mb = state.config.server.body_limit_mb,
         "Nora started"
     );
 
@@ -384,6 +390,16 @@ async fn run_server(config: Config, storage: Storage) {
         "Available endpoints"
     );
 
+    // Background task: persist metrics every 30 seconds
+    let metrics_state = state.clone();
+    tokio::spawn(async move {
+        let mut interval = tokio::time::interval(std::time::Duration::from_secs(30));
+        loop {
+            interval.tick().await;
+            metrics_state.metrics.save();
+        }
+    });
+
     // Graceful shutdown on SIGTERM/SIGINT
     axum::serve(
         listener,
@@ -393,6 +409,9 @@ async fn run_server(config: Config, storage: Storage) {
     .await
     .expect("Server error");
 
+    // Save metrics on shutdown
+    state.metrics.save();
+
     info!(
         uptime_seconds = state.start_time.elapsed().as_secs(),
         "Nora shutdown complete"

nora-registry/src/openapi.rs

@@ -5,7 +5,7 @@
 //!
 //! Functions in this module are stubs used only for generating OpenAPI documentation.
 
-#![allow(dead_code)]
+#![allow(dead_code)] // utoipa doc stubs — not called at runtime, used by derive macros
 
 use axum::Router;
 use std::sync::Arc;

nora-registry/src/registry/cargo_registry.rs

@@ -51,7 +51,9 @@ async fn download(
                 "cargo",
                 "LOCAL",
             ));
-            state.audit.log(AuditEntry::new("pull", "api", "", "cargo", ""));
+            state
+                .audit
+                .log(AuditEntry::new("pull", "api", "", "cargo", ""));
             (StatusCode::OK, data).into_response()
         }
         Err(_) => StatusCode::NOT_FOUND.into_response(),

nora-registry/src/registry/docker.rs

@@ -3,6 +3,7 @@
 
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::registry::docker_auth::DockerAuth;
 use crate::storage::Storage;
 use crate::validation::{validate_digest, validate_docker_name, validate_docker_reference};
@@ -12,7 +13,7 @@ use axum::{
     extract::{Path, State},
     http::{header, HeaderName, StatusCode},
     response::{IntoResponse, Response},
-    routing::{get, head, patch, put},
+    routing::{delete, get, head, patch, put},
     Json, Router,
 };
 use parking_lot::RwLock;
@@ -65,6 +66,8 @@ pub fn routes() -> Router<Arc<AppState>> {
         )
         .route("/v2/{name}/manifests/{reference}", get(get_manifest))
         .route("/v2/{name}/manifests/{reference}", put(put_manifest))
+        .route("/v2/{name}/manifests/{reference}", delete(delete_manifest))
+        .route("/v2/{name}/blobs/{digest}", delete(delete_blob))
         .route("/v2/{name}/tags/list", get(list_tags))
         // Two-segment name routes (e.g., /v2/library/alpine/...)
         .route("/v2/{ns}/{name}/blobs/{digest}", head(check_blob_ns))
@@ -85,6 +88,11 @@ pub fn routes() -> Router<Arc<AppState>> {
             "/v2/{ns}/{name}/manifests/{reference}",
             put(put_manifest_ns),
         )
+        .route(
+            "/v2/{ns}/{name}/manifests/{reference}",
+            delete(delete_manifest_ns),
+        )
+        .route("/v2/{ns}/{name}/blobs/{digest}", delete(delete_blob_ns))
         .route("/v2/{ns}/{name}/tags/list", get(list_tags_ns))
 }
 
@@ -174,6 +182,7 @@ async fn download_blob(
             &digest,
             &state.docker_auth,
             state.config.docker.proxy_timeout,
+            upstream.auth.as_deref(),
         )
         .await
         {
@@ -312,7 +321,10 @@ async fn upload_blob(
                 StatusCode::CREATED,
                 [
                     (header::LOCATION, location),
-                    (HeaderName::from_static("docker-content-digest"), digest.to_string()),
+                    (
+                        HeaderName::from_static("docker-content-digest"),
+                        digest.to_string(),
+                    ),
                 ],
             )
                 .into_response()
@@ -382,6 +394,7 @@ async fn get_manifest(
             &reference,
             &state.docker_auth,
             state.config.docker.proxy_timeout,
+            upstream.auth.as_deref(),
         )
         .await
         {
@@ -489,7 +502,13 @@ async fn put_manifest(
         "docker",
         "LOCAL",
     ));
-    state.audit.log(AuditEntry::new("push", "api", &format!("{}:{}", name, reference), "docker", "manifest"));
+    state.audit.log(AuditEntry::new(
+        "push",
+        "api",
+        &format!("{}:{}", name, reference),
+        "docker",
+        "manifest",
+    ));
     state.repo_index.invalidate("docker");
 
     let location = format!("/v2/{}/manifests/{}", name, reference);
@@ -521,6 +540,109 @@ async fn list_tags(State(state): State<Arc<AppState>>, Path(name): Path<String>)
     (StatusCode::OK, Json(json!({"name": name, "tags": tags}))).into_response()
 }
 
+// ============================================================================
+// Delete handlers (Docker Registry V2 spec)
+// ============================================================================
+
+async fn delete_manifest(
+    State(state): State<Arc<AppState>>,
+    Path((name, reference)): Path<(String, String)>,
+) -> Response {
+    if let Err(e) = validate_docker_name(&name) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+    if let Err(e) = validate_docker_reference(&reference) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+
+    let key = format!("docker/{}/manifests/{}.json", name, reference);
+
+    // If reference is a tag, also delete digest-keyed copy
+    let is_tag = !reference.starts_with("sha256:");
+    if is_tag {
+        if let Ok(data) = state.storage.get(&key).await {
+            use sha2::Digest;
+            let digest = format!("sha256:{:x}", sha2::Sha256::digest(&data));
+            let digest_key = format!("docker/{}/manifests/{}.json", name, digest);
+            let _ = state.storage.delete(&digest_key).await;
+            let digest_meta = format!("docker/{}/manifests/{}.meta.json", name, digest);
+            let _ = state.storage.delete(&digest_meta).await;
+        }
+    }
+
+    // Delete manifest
+    match state.storage.delete(&key).await {
+        Ok(()) => {
+            // Delete associated metadata
+            let meta_key = format!("docker/{}/manifests/{}.meta.json", name, reference);
+            let _ = state.storage.delete(&meta_key).await;
+
+            state.audit.log(AuditEntry::new(
+                "delete",
+                "api",
+                &format!("{}:{}", name, reference),
+                "docker",
+                "manifest",
+            ));
+            state.repo_index.invalidate("docker");
+            tracing::info!(name = %name, reference = %reference, "Docker manifest deleted");
+            StatusCode::ACCEPTED.into_response()
+        }
+        Err(crate::storage::StorageError::NotFound) => (
+            StatusCode::NOT_FOUND,
+            Json(json!({
+                "errors": [{
+                    "code": "MANIFEST_UNKNOWN",
+                    "message": "manifest unknown",
+                    "detail": { "name": name, "reference": reference }
+                }]
+            })),
+        )
+            .into_response(),
+        Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+}
+
+async fn delete_blob(
+    State(state): State<Arc<AppState>>,
+    Path((name, digest)): Path<(String, String)>,
+) -> Response {
+    if let Err(e) = validate_docker_name(&name) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+    if let Err(e) = validate_digest(&digest) {
+        return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
+    }
+
+    let key = format!("docker/{}/blobs/{}", name, digest);
+    match state.storage.delete(&key).await {
+        Ok(()) => {
+            state.audit.log(AuditEntry::new(
+                "delete",
+                "api",
+                &format!("{}@{}", name, &digest[..19.min(digest.len())]),
+                "docker",
+                "blob",
+            ));
+            state.repo_index.invalidate("docker");
+            tracing::info!(name = %name, digest = %digest, "Docker blob deleted");
+            StatusCode::ACCEPTED.into_response()
+        }
+        Err(crate::storage::StorageError::NotFound) => (
+            StatusCode::NOT_FOUND,
+            Json(json!({
+                "errors": [{
+                    "code": "BLOB_UNKNOWN",
+                    "message": "blob unknown to registry",
+                    "detail": { "digest": digest }
+                }]
+            })),
+        )
+            .into_response(),
+        Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+}
+
 // ============================================================================
 // Namespace handlers (for two-segment names like library/alpine)
 // These combine ns/name into a single name and delegate to the main handlers
@@ -590,6 +712,22 @@ async fn list_tags_ns(
     list_tags(state, Path(full_name)).await
 }
 
+async fn delete_manifest_ns(
+    state: State<Arc<AppState>>,
+    Path((ns, name, reference)): Path<(String, String, String)>,
+) -> Response {
+    let full_name = format!("{}/{}", ns, name);
+    delete_manifest(state, Path((full_name, reference))).await
+}
+
+async fn delete_blob_ns(
+    state: State<Arc<AppState>>,
+    Path((ns, name, digest)): Path<(String, String, String)>,
+) -> Response {
+    let full_name = format!("{}/{}", ns, name);
+    delete_blob(state, Path((full_name, digest))).await
+}
+
 /// Fetch a blob from an upstream Docker registry
 async fn fetch_blob_from_upstream(
     client: &reqwest::Client,
@@ -598,6 +736,7 @@ async fn fetch_blob_from_upstream(
     digest: &str,
     docker_auth: &DockerAuth,
     timeout: u64,
+    basic_auth: Option<&str>,
 ) -> Result<Vec<u8>, ()> {
     let url = format!(
         "{}/v2/{}/blobs/{}",
@@ -606,13 +745,12 @@ async fn fetch_blob_from_upstream(
         digest
     );
 
-    // First try without auth
-    let response = client
-        .get(&url)
-        .timeout(Duration::from_secs(timeout))
-        .send()
-        .await
-        .map_err(|_| ())?;
+    // First try — with basic auth if configured
+    let mut request = client.get(&url).timeout(Duration::from_secs(timeout));
+    if let Some(credentials) = basic_auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     let response = if response.status() == reqwest::StatusCode::UNAUTHORIZED {
         // Get Www-Authenticate header and fetch token
@@ -623,7 +761,7 @@ async fn fetch_blob_from_upstream(
             .map(String::from);
 
         if let Some(token) = docker_auth
-            .get_token(upstream_url, name, www_auth.as_deref())
+            .get_token(upstream_url, name, www_auth.as_deref(), basic_auth)
             .await
         {
             client
@@ -655,6 +793,7 @@ async fn fetch_manifest_from_upstream(
     reference: &str,
     docker_auth: &DockerAuth,
     timeout: u64,
+    basic_auth: Option<&str>,
 ) -> Result<(Vec<u8>, String), ()> {
     let url = format!(
         "{}/v2/{}/manifests/{}",
@@ -671,16 +810,17 @@ async fn fetch_manifest_from_upstream(
                          application/vnd.oci.image.manifest.v1+json, \
                          application/vnd.oci.image.index.v1+json";
 
-    // First try without auth
-    let response = client
+    // First try — with basic auth if configured
+    let mut request = client
         .get(&url)
         .timeout(Duration::from_secs(timeout))
-        .header("Accept", accept_header)
-        .send()
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, url = %url, "Failed to send request to upstream");
-        })?;
+        .header("Accept", accept_header);
+    if let Some(credentials) = basic_auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|e| {
+        tracing::error!(error = %e, url = %url, "Failed to send request to upstream");
+    })?;
 
     tracing::debug!(status = %response.status(), "Initial upstream response");
 
@@ -695,7 +835,7 @@ async fn fetch_manifest_from_upstream(
         tracing::debug!(www_auth = ?www_auth, "Got 401, fetching token");
 
         if let Some(token) = docker_auth
-            .get_token(upstream_url, name, www_auth.as_deref())
+            .get_token(upstream_url, name, www_auth.as_deref(), basic_auth)
             .await
         {
             tracing::debug!("Token acquired, retrying with auth");

nora-registry/src/registry/docker_auth.rs

@@ -1,6 +1,7 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT
 
+use crate::config::basic_auth_header;
 use parking_lot::RwLock;
 use std::collections::HashMap;
 use std::time::{Duration, Instant};
@@ -36,6 +37,7 @@ impl DockerAuth {
         registry_url: &str,
         name: &str,
         www_authenticate: Option<&str>,
+        basic_auth: Option<&str>,
     ) -> Option<String> {
         let cache_key = format!("{}:{}", registry_url, name);
 
@@ -51,7 +53,7 @@ impl DockerAuth {
 
         // Need to fetch a new token
         let www_auth = www_authenticate?;
-        let token = self.fetch_token(www_auth, name).await?;
+        let token = self.fetch_token(www_auth, name, basic_auth).await?;
 
         // Cache the token (default 5 minute expiry)
         {
@@ -70,7 +72,12 @@ impl DockerAuth {
 
     /// Parse Www-Authenticate header and fetch token from auth server
     /// Format: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/alpine:pull"
-    async fn fetch_token(&self, www_authenticate: &str, name: &str) -> Option<String> {
+    async fn fetch_token(
+        &self,
+        www_authenticate: &str,
+        name: &str,
+        basic_auth: Option<&str>,
+    ) -> Option<String> {
         let params = parse_www_authenticate(www_authenticate)?;
 
         let realm = params.get("realm")?;
@@ -82,7 +89,13 @@ impl DockerAuth {
 
         tracing::debug!(url = %url, "Fetching auth token");
 
-        let response = self.client.get(&url).send().await.ok()?;
+        let mut request = self.client.get(&url);
+        if let Some(credentials) = basic_auth {
+            request = request.header("Authorization", basic_auth_header(credentials));
+            tracing::debug!("Using basic auth for token request");
+        }
+
+        let response = request.send().await.ok()?;
 
         if !response.status().is_success() {
             tracing::warn!(status = %response.status(), "Token request failed");
@@ -97,44 +110,6 @@ impl DockerAuth {
             .and_then(|v| v.as_str())
             .map(String::from)
     }
-
-    /// Make an authenticated request to an upstream registry
-    pub async fn fetch_with_auth(
-        &self,
-        url: &str,
-        registry_url: &str,
-        name: &str,
-    ) -> Result<reqwest::Response, ()> {
-        // First try without auth
-        let response = self.client.get(url).send().await.map_err(|_| ())?;
-
-        if response.status() == reqwest::StatusCode::UNAUTHORIZED {
-            // Extract Www-Authenticate header
-            let www_auth = response
-                .headers()
-                .get("www-authenticate")
-                .and_then(|v| v.to_str().ok())
-                .map(String::from);
-
-            // Get token and retry
-            if let Some(token) = self
-                .get_token(registry_url, name, www_auth.as_deref())
-                .await
-            {
-                return self
-                    .client
-                    .get(url)
-                    .header("Authorization", format!("Bearer {}", token))
-                    .send()
-                    .await
-                    .map_err(|_| ());
-            }
-
-            return Err(());
-        }
-
-        Ok(response)
-    }
 }
 
 impl Default for DockerAuth {

nora-registry/src/registry/maven.rs

@@ -3,6 +3,7 @@
 
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
     body::Bytes,
@@ -43,14 +44,23 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
             "maven",
             "CACHE",
         ));
-        state.audit.log(AuditEntry::new("cache_hit", "api", "", "maven", ""));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "maven", ""));
         return with_content_type(&path, data).into_response();
     }
 
-    for proxy_url in &state.config.maven.proxies {
-        let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
+    for proxy in &state.config.maven.proxies {
+        let url = format!("{}/{}", proxy.url().trim_end_matches('/'), path);
 
-        match fetch_from_proxy(&state.http_client, &url, state.config.maven.proxy_timeout).await {
+        match fetch_from_proxy(
+            &state.http_client,
+            &url,
+            state.config.maven.proxy_timeout,
+            proxy.auth(),
+        )
+        .await
+        {
             Ok(data) => {
                 state.metrics.record_download("maven");
                 state.metrics.record_cache_miss();
@@ -60,7 +70,9 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
                     "maven",
                     "PROXY",
                 ));
-                state.audit.log(AuditEntry::new("proxy_fetch", "api", "", "maven", ""));
+                state
+                    .audit
+                    .log(AuditEntry::new("proxy_fetch", "api", "", "maven", ""));
 
                 let storage = state.storage.clone();
                 let key_clone = key.clone();
@@ -106,7 +118,9 @@ async fn upload(
                 "maven",
                 "LOCAL",
             ));
-            state.audit.log(AuditEntry::new("push", "api", "", "maven", ""));
+            state
+                .audit
+                .log(AuditEntry::new("push", "api", "", "maven", ""));
             state.repo_index.invalidate("maven");
             StatusCode::CREATED
         }
@@ -118,13 +132,13 @@ async fn fetch_from_proxy(
     client: &reqwest::Client,
     url: &str,
     timeout_secs: u64,
+    auth: Option<&str>,
 ) -> Result<Vec<u8>, ()> {
-    let response = client
-        .get(url)
-        .timeout(Duration::from_secs(timeout_secs))
-        .send()
-        .await
-        .map_err(|_| ())?;
+    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     if !response.status().is_success() {
         return Err(());

nora-registry/src/registry/npm.rs

@@ -3,27 +3,71 @@
 
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
     body::Bytes,
     extract::{Path, State},
     http::{header, StatusCode},
     response::{IntoResponse, Response},
-    routing::get,
+    routing::{get, put},
     Router,
 };
+use base64::Engine;
+use sha2::Digest;
 use std::sync::Arc;
 use std::time::Duration;
 
 pub fn routes() -> Router<Arc<AppState>> {
-    Router::new().route("/npm/{*path}", get(handle_request))
+    Router::new()
+        .route("/npm/{*path}", get(handle_request))
+        .route("/npm/{*path}", put(handle_publish))
+}
+
+/// Build NORA base URL from config (for URL rewriting)
+fn nora_base_url(state: &AppState) -> String {
+    state.config.server.public_url.clone().unwrap_or_else(|| {
+        format!(
+            "http://{}:{}",
+            state.config.server.host, state.config.server.port
+        )
+    })
+}
+
+/// Rewrite tarball URLs in npm metadata to point to NORA.
+///
+/// Replaces upstream registry URLs (e.g. `https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz`)
+/// with NORA URLs (e.g. `http://nora:5000/npm/lodash/-/lodash-4.17.21.tgz`).
+fn rewrite_tarball_urls(data: &[u8], nora_base: &str, upstream_url: &str) -> Result<Vec<u8>, ()> {
+    let mut json: serde_json::Value = serde_json::from_slice(data).map_err(|_| ())?;
+
+    let upstream_trimmed = upstream_url.trim_end_matches('/');
+    let nora_npm_base = format!("{}/npm", nora_base.trim_end_matches('/'));
+
+    if let Some(versions) = json.get_mut("versions").and_then(|v| v.as_object_mut()) {
+        for (_ver, version_data) in versions.iter_mut() {
+            if let Some(tarball_url) = version_data
+                .get("dist")
+                .and_then(|d| d.get("tarball"))
+                .and_then(|t| t.as_str())
+                .map(|s| s.to_string())
+            {
+                let rewritten = tarball_url.replace(upstream_trimmed, &nora_npm_base);
+                if let Some(dist) = version_data.get_mut("dist") {
+                    dist["tarball"] = serde_json::Value::String(rewritten);
+                }
+            }
+        }
+    }
+
+    serde_json::to_vec(&json).map_err(|_| ())
 }
 
 async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
     let is_tarball = path.contains("/-/");
 
     let key = if is_tarball {
-        let parts: Vec<&str> = path.split("/-/").collect();
+        let parts: Vec<&str> = path.splitn(2, "/-/").collect();
         if parts.len() == 2 {
             format!("npm/{}/tarballs/{}", parts[0], parts[1])
         } else {
@@ -39,28 +83,83 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
         path.clone()
     };
 
+    // --- Cache hit path ---
     if let Ok(data) = state.storage.get(&key).await {
-        if is_tarball {
-            state.metrics.record_download("npm");
-            state.metrics.record_cache_hit();
-            state.activity.push(ActivityEntry::new(
-                ActionType::CacheHit,
-                package_name,
-                "npm",
-                "CACHE",
-            ));
-            state.audit.log(AuditEntry::new("cache_hit", "api", "", "npm", ""));
+        // Metadata TTL: if stale, try to refetch from upstream
+        if !is_tarball {
+            let ttl = state.config.npm.metadata_ttl;
+            if ttl > 0 {
+                if let Some(meta) = state.storage.stat(&key).await {
+                    let now = std::time::SystemTime::now()
+                        .duration_since(std::time::UNIX_EPOCH)
+                        .map(|d| d.as_secs())
+                        .unwrap_or(0);
+                    if now.saturating_sub(meta.modified) > ttl {
+                        if let Some(fresh) = refetch_metadata(&state, &path, &key).await {
+                            return with_content_type(false, fresh.into()).into_response();
+                        }
+                        // Upstream failed — serve stale cache
+                    }
+                }
+            }
+            return with_content_type(false, data).into_response();
         }
-        return with_content_type(is_tarball, data).into_response();
+
+        // Tarball: integrity check if hash exists
+        let hash_key = format!("{}.sha256", key);
+        if let Ok(stored_hash) = state.storage.get(&hash_key).await {
+            let computed = format!("{:x}", sha2::Sha256::digest(&data));
+            let expected = String::from_utf8_lossy(&stored_hash);
+            if computed != expected.as_ref() {
+                tracing::error!(
+                    key = %key,
+                    expected = %expected,
+                    computed = %computed,
+                    "SECURITY: npm tarball integrity check FAILED — possible tampering"
+                );
+                return (StatusCode::INTERNAL_SERVER_ERROR, "Integrity check failed")
+                    .into_response();
+            }
+        }
+
+        state.metrics.record_download("npm");
+        state.metrics.record_cache_hit();
+        state.activity.push(ActivityEntry::new(
+            ActionType::CacheHit,
+            package_name,
+            "npm",
+            "CACHE",
+        ));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "npm", ""));
+        return with_content_type(true, data).into_response();
     }
 
+    // --- Proxy fetch path ---
     if let Some(proxy_url) = &state.config.npm.proxy {
         let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
 
-        if let Ok(data) =
-            fetch_from_proxy(&state.http_client, &url, state.config.npm.proxy_timeout).await
+        if let Ok(data) = fetch_from_proxy(
+            &state.http_client,
+            &url,
+            state.config.npm.proxy_timeout,
+            state.config.npm.proxy_auth.as_deref(),
+        )
+        .await
         {
+            let data_to_cache;
+            let data_to_serve;
+
             if is_tarball {
+                // Compute and store sha256
+                let hash = format!("{:x}", sha2::Sha256::digest(&data));
+                let hash_key = format!("{}.sha256", key);
+                let storage = state.storage.clone();
+                tokio::spawn(async move {
+                    let _ = storage.put(&hash_key, hash.as_bytes()).await;
+                });
+
                 state.metrics.record_download("npm");
                 state.metrics.record_cache_miss();
                 state.activity.push(ActivityEntry::new(
@@ -69,38 +168,268 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
                     "npm",
                     "PROXY",
                 ));
-                state.audit.log(AuditEntry::new("proxy_fetch", "api", "", "npm", ""));
+                state
+                    .audit
+                    .log(AuditEntry::new("proxy_fetch", "api", "", "npm", ""));
+
+                data_to_cache = data.clone();
+                data_to_serve = data;
+            } else {
+                // Metadata: rewrite tarball URLs to point to NORA
+                let nora_base = nora_base_url(&state);
+                let rewritten = rewrite_tarball_urls(&data, &nora_base, proxy_url)
+                    .unwrap_or_else(|_| data.clone());
+
+                data_to_cache = rewritten.clone();
+                data_to_serve = rewritten;
             }
 
+            // Cache in background
             let storage = state.storage.clone();
             let key_clone = key.clone();
-            let data_clone = data.clone();
             tokio::spawn(async move {
-                let _ = storage.put(&key_clone, &data_clone).await;
+                let _ = storage.put(&key_clone, &data_to_cache).await;
             });
 
             if is_tarball {
                 state.repo_index.invalidate("npm");
             }
 
-            return with_content_type(is_tarball, data.into()).into_response();
+            return with_content_type(is_tarball, data_to_serve.into()).into_response();
         }
     }
 
     StatusCode::NOT_FOUND.into_response()
 }
 
+/// Refetch metadata from upstream, rewrite URLs, update cache.
+/// Returns None if upstream is unavailable (caller serves stale cache).
+async fn refetch_metadata(state: &Arc<AppState>, path: &str, key: &str) -> Option<Vec<u8>> {
+    let proxy_url = state.config.npm.proxy.as_ref()?;
+    let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
+
+    let data = fetch_from_proxy(
+        &state.http_client,
+        &url,
+        state.config.npm.proxy_timeout,
+        state.config.npm.proxy_auth.as_deref(),
+    )
+    .await
+    .ok()?;
+
+    let nora_base = nora_base_url(state);
+    let rewritten =
+        rewrite_tarball_urls(&data, &nora_base, proxy_url).unwrap_or_else(|_| data.clone());
+
+    let storage = state.storage.clone();
+    let key_clone = key.to_string();
+    let cache_data = rewritten.clone();
+    tokio::spawn(async move {
+        let _ = storage.put(&key_clone, &cache_data).await;
+    });
+
+    Some(rewritten)
+}
+
+// ============================================================================
+// npm publish
+// ============================================================================
+
+/// Validate attachment filename: only safe characters, no path traversal.
+fn is_valid_attachment_name(name: &str) -> bool {
+    !name.is_empty()
+        && !name.contains("..")
+        && !name.contains('/')
+        && !name.contains('\\')
+        && !name.contains('\0')
+        && name
+            .chars()
+            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_' | '@'))
+}
+
+async fn handle_publish(
+    State(state): State<Arc<AppState>>,
+    Path(path): Path<String>,
+    body: Bytes,
+) -> Response {
+    let package_name = path;
+
+    let payload: serde_json::Value = match serde_json::from_slice(&body) {
+        Ok(v) => v,
+        Err(e) => return (StatusCode::BAD_REQUEST, format!("Invalid JSON: {}", e)).into_response(),
+    };
+
+    // Security: verify payload name matches URL path
+    if let Some(payload_name) = payload.get("name").and_then(|n| n.as_str()) {
+        if payload_name != package_name {
+            tracing::warn!(
+                url_name = %package_name,
+                payload_name = %payload_name,
+                "SECURITY: npm publish name mismatch — possible spoofing attempt"
+            );
+            return (
+                StatusCode::BAD_REQUEST,
+                "Package name in URL does not match payload",
+            )
+                .into_response();
+        }
+    }
+
+    let attachments = match payload.get("_attachments").and_then(|a| a.as_object()) {
+        Some(a) => a,
+        None => return (StatusCode::BAD_REQUEST, "Missing _attachments").into_response(),
+    };
+
+    let new_versions = match payload.get("versions").and_then(|v| v.as_object()) {
+        Some(v) => v,
+        None => return (StatusCode::BAD_REQUEST, "Missing versions").into_response(),
+    };
+
+    // Load or create metadata
+    let metadata_key = format!("npm/{}/metadata.json", package_name);
+    let mut metadata = if let Ok(existing) = state.storage.get(&metadata_key).await {
+        serde_json::from_slice::<serde_json::Value>(&existing)
+            .unwrap_or_else(|_| serde_json::json!({}))
+    } else {
+        serde_json::json!({})
+    };
+
+    // Version immutability
+    if let Some(existing_versions) = metadata.get("versions").and_then(|v| v.as_object()) {
+        for ver in new_versions.keys() {
+            if existing_versions.contains_key(ver) {
+                return (
+                    StatusCode::CONFLICT,
+                    format!("Version {} already exists", ver),
+                )
+                    .into_response();
+            }
+        }
+    }
+
+    // Store tarballs
+    for (filename, attachment_data) in attachments {
+        if !is_valid_attachment_name(filename) {
+            tracing::warn!(
+                filename = %filename,
+                package = %package_name,
+                "SECURITY: npm publish rejected — invalid attachment filename"
+            );
+            return (StatusCode::BAD_REQUEST, "Invalid attachment filename").into_response();
+        }
+
+        let base64_data = match attachment_data.get("data").and_then(|d| d.as_str()) {
+            Some(d) => d,
+            None => continue,
+        };
+
+        let tarball_bytes = match base64::engine::general_purpose::STANDARD.decode(base64_data) {
+            Ok(b) => b,
+            Err(_) => {
+                return (StatusCode::BAD_REQUEST, "Invalid base64 in attachment").into_response()
+            }
+        };
+
+        let tarball_key = format!("npm/{}/tarballs/{}", package_name, filename);
+        if state
+            .storage
+            .put(&tarball_key, &tarball_bytes)
+            .await
+            .is_err()
+        {
+            return StatusCode::INTERNAL_SERVER_ERROR.into_response();
+        }
+
+        // Store sha256
+        let hash = format!("{:x}", sha2::Sha256::digest(&tarball_bytes));
+        let hash_key = format!("{}.sha256", tarball_key);
+        let _ = state.storage.put(&hash_key, hash.as_bytes()).await;
+    }
+
+    // Merge versions
+    let meta_obj = metadata.as_object_mut().unwrap();
+    let stored_versions = meta_obj.entry("versions").or_insert(serde_json::json!({}));
+    if let Some(sv) = stored_versions.as_object_mut() {
+        for (ver, ver_data) in new_versions {
+            sv.insert(ver.clone(), ver_data.clone());
+        }
+    }
+
+    // Copy standard fields
+    for field in &["name", "_id", "description", "readme", "license"] {
+        if let Some(val) = payload.get(*field) {
+            meta_obj.insert(field.to_string(), val.clone());
+        }
+    }
+
+    // Merge dist-tags
+    if let Some(new_dist_tags) = payload.get("dist-tags").and_then(|d| d.as_object()) {
+        let stored_dist_tags = meta_obj.entry("dist-tags").or_insert(serde_json::json!({}));
+        if let Some(sdt) = stored_dist_tags.as_object_mut() {
+            for (tag, ver) in new_dist_tags {
+                sdt.insert(tag.clone(), ver.clone());
+            }
+        }
+    }
+
+    // Rewrite tarball URLs for published packages
+    let nora_base = nora_base_url(&state);
+    if let Some(versions) = metadata.get_mut("versions").and_then(|v| v.as_object_mut()) {
+        for (ver, ver_data) in versions.iter_mut() {
+            if let Some(dist) = ver_data.get_mut("dist") {
+                let short_name = package_name.split('/').next_back().unwrap_or(&package_name);
+                let tarball_url = format!(
+                    "{}/npm/{}/-/{}-{}.tgz",
+                    nora_base.trim_end_matches('/'),
+                    package_name,
+                    short_name,
+                    ver
+                );
+                dist["tarball"] = serde_json::Value::String(tarball_url);
+            }
+        }
+    }
+
+    // Store metadata
+    match serde_json::to_vec(&metadata) {
+        Ok(bytes) => {
+            if state.storage.put(&metadata_key, &bytes).await.is_err() {
+                return StatusCode::INTERNAL_SERVER_ERROR.into_response();
+            }
+        }
+        Err(_) => return StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+
+    state.metrics.record_upload("npm");
+    state.activity.push(ActivityEntry::new(
+        ActionType::Push,
+        package_name,
+        "npm",
+        "LOCAL",
+    ));
+    state
+        .audit
+        .log(AuditEntry::new("push", "api", "", "npm", ""));
+    state.repo_index.invalidate("npm");
+
+    StatusCode::CREATED.into_response()
+}
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
 async fn fetch_from_proxy(
     client: &reqwest::Client,
     url: &str,
     timeout_secs: u64,
+    auth: Option<&str>,
 ) -> Result<Vec<u8>, ()> {
-    let response = client
-        .get(url)
-        .timeout(Duration::from_secs(timeout_secs))
-        .send()
-        .await
-        .map_err(|_| ())?;
+    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     if !response.status().is_success() {
         return Err(());
@@ -121,3 +450,129 @@ fn with_content_type(
 
     (StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_rewrite_tarball_urls_regular_package() {
+        let metadata = serde_json::json!({
+            "name": "lodash",
+            "versions": {
+                "4.17.21": {
+                    "dist": {
+                        "tarball": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+                        "shasum": "abc123"
+                    }
+                }
+            }
+        });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result =
+            rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+
+        assert_eq!(
+            json["versions"]["4.17.21"]["dist"]["tarball"],
+            "http://nora:5000/npm/lodash/-/lodash-4.17.21.tgz"
+        );
+        assert_eq!(json["versions"]["4.17.21"]["dist"]["shasum"], "abc123");
+    }
+
+    #[test]
+    fn test_rewrite_tarball_urls_scoped_package() {
+        let metadata = serde_json::json!({
+            "name": "@babel/core",
+            "versions": {
+                "7.26.0": {
+                    "dist": {
+                        "tarball": "https://registry.npmjs.org/@babel/core/-/core-7.26.0.tgz",
+                        "integrity": "sha512-test"
+                    }
+                }
+            }
+        });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result =
+            rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+
+        assert_eq!(
+            json["versions"]["7.26.0"]["dist"]["tarball"],
+            "http://nora:5000/npm/@babel/core/-/core-7.26.0.tgz"
+        );
+    }
+
+    #[test]
+    fn test_rewrite_tarball_urls_multiple_versions() {
+        let metadata = serde_json::json!({
+            "name": "express",
+            "versions": {
+                "4.18.2": { "dist": { "tarball": "https://registry.npmjs.org/express/-/express-4.18.2.tgz" } },
+                "4.19.0": { "dist": { "tarball": "https://registry.npmjs.org/express/-/express-4.19.0.tgz" } }
+            }
+        });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result = rewrite_tarball_urls(
+            &data,
+            "https://demo.getnora.io",
+            "https://registry.npmjs.org",
+        )
+        .unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+
+        assert_eq!(
+            json["versions"]["4.18.2"]["dist"]["tarball"],
+            "https://demo.getnora.io/npm/express/-/express-4.18.2.tgz"
+        );
+        assert_eq!(
+            json["versions"]["4.19.0"]["dist"]["tarball"],
+            "https://demo.getnora.io/npm/express/-/express-4.19.0.tgz"
+        );
+    }
+
+    #[test]
+    fn test_rewrite_tarball_urls_no_versions() {
+        let metadata = serde_json::json!({ "name": "empty-pkg" });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result =
+            rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+        assert_eq!(json["name"], "empty-pkg");
+    }
+
+    #[test]
+    fn test_rewrite_invalid_json() {
+        assert!(rewrite_tarball_urls(
+            b"not json",
+            "http://nora:5000",
+            "https://registry.npmjs.org"
+        )
+        .is_err());
+    }
+
+    #[test]
+    fn test_valid_attachment_names() {
+        assert!(is_valid_attachment_name("lodash-4.17.21.tgz"));
+        assert!(is_valid_attachment_name("core-7.26.0.tgz"));
+        assert!(is_valid_attachment_name("my_package-1.0.0.tgz"));
+        assert!(is_valid_attachment_name("@scope-pkg-1.0.0.tgz"));
+    }
+
+    #[test]
+    fn test_path_traversal_attachment_names() {
+        assert!(!is_valid_attachment_name("../../etc/passwd"));
+        assert!(!is_valid_attachment_name(
+            "../docker/nginx/manifests/latest.json"
+        ));
+        assert!(!is_valid_attachment_name("foo/bar.tgz"));
+        assert!(!is_valid_attachment_name("foo\\bar.tgz"));
+    }
+
+    #[test]
+    fn test_empty_and_null_attachment_names() {
+        assert!(!is_valid_attachment_name(""));
+        assert!(!is_valid_attachment_name("foo\0bar.tgz"));
+    }
+}

nora-registry/src/registry/pypi.rs

@@ -3,6 +3,7 @@
 
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
     extract::{Path, State},
@@ -86,8 +87,13 @@ async fn package_versions(
     if let Some(proxy_url) = &state.config.pypi.proxy {
         let url = format!("{}/{}/", proxy_url.trim_end_matches('/'), normalized);
 
-        if let Ok(html) =
-            fetch_package_page(&state.http_client, &url, state.config.pypi.proxy_timeout).await
+        if let Ok(html) = fetch_package_page(
+            &state.http_client,
+            &url,
+            state.config.pypi.proxy_timeout,
+            state.config.pypi.proxy_auth.as_deref(),
+        )
+        .await
         {
             // Rewrite URLs in the HTML to point to our registry
             let rewritten = rewrite_pypi_links(&html, &normalized);
@@ -116,7 +122,9 @@ async fn download_file(
             "pypi",
             "CACHE",
         ));
-        state.audit.log(AuditEntry::new("cache_hit", "api", "", "pypi", ""));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "pypi", ""));
 
         let content_type = if filename.ends_with(".whl") {
             "application/zip"
@@ -138,6 +146,7 @@ async fn download_file(
             &state.http_client,
             &page_url,
             state.config.pypi.proxy_timeout,
+            state.config.pypi.proxy_auth.as_deref(),
         )
         .await
         {
@@ -147,6 +156,7 @@ async fn download_file(
                     &state.http_client,
                     &file_url,
                     state.config.pypi.proxy_timeout,
+                    state.config.pypi.proxy_auth.as_deref(),
                 )
                 .await
                 {
@@ -158,7 +168,9 @@ async fn download_file(
                         "pypi",
                         "PROXY",
                     ));
-                    state.audit.log(AuditEntry::new("proxy_fetch", "api", "", "pypi", ""));
+                    state
+                        .audit
+                        .log(AuditEntry::new("proxy_fetch", "api", "", "pypi", ""));
 
                     // Cache in local storage
                     let storage = state.storage.clone();
@@ -198,14 +210,16 @@ async fn fetch_package_page(
     client: &reqwest::Client,
     url: &str,
     timeout_secs: u64,
+    auth: Option<&str>,
 ) -> Result<String, ()> {
-    let response = client
+    let mut request = client
         .get(url)
         .timeout(Duration::from_secs(timeout_secs))
-        .header("Accept", "text/html")
-        .send()
-        .await
-        .map_err(|_| ())?;
+        .header("Accept", "text/html");
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     if !response.status().is_success() {
         return Err(());
@@ -215,13 +229,17 @@ async fn fetch_package_page(
 }
 
 /// Fetch file from upstream
-async fn fetch_file(client: &reqwest::Client, url: &str, timeout_secs: u64) -> Result<Vec<u8>, ()> {
-    let response = client
-        .get(url)
-        .timeout(Duration::from_secs(timeout_secs))
-        .send()
-        .await
-        .map_err(|_| ())?;
+async fn fetch_file(
+    client: &reqwest::Client,
+    url: &str,
+    timeout_secs: u64,
+    auth: Option<&str>,
+) -> Result<Vec<u8>, ()> {
+    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     if !response.status().is_success() {
         return Err(());

nora-registry/src/registry/raw.rs

@@ -36,7 +36,9 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
             state
                 .activity
                 .push(ActivityEntry::new(ActionType::Pull, path, "raw", "LOCAL"));
-                state.audit.log(AuditEntry::new("pull", "api", "", "raw", ""));
+            state
+                .audit
+                .log(AuditEntry::new("pull", "api", "", "raw", ""));
 
             // Guess content type from extension
             let content_type = guess_content_type(&key);
@@ -74,7 +76,9 @@ async fn upload(
             state
                 .activity
                 .push(ActivityEntry::new(ActionType::Push, path, "raw", "LOCAL"));
-                state.audit.log(AuditEntry::new("push", "api", "", "raw", ""));
+            state
+                .audit
+                .log(AuditEntry::new("push", "api", "", "raw", ""));
             StatusCode::CREATED.into_response()
         }
         Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),

nora-registry/src/repo_index.rs

@@ -244,10 +244,16 @@ async fn build_npm_index(storage: &Storage) -> Vec<RepoInfo> {
     for key in &keys {
         if let Some(rest) = key.strip_prefix("npm/") {
             // Pattern: npm/{package}/tarballs/{file}.tgz
+            // Scoped:  npm/@scope/package/tarballs/{file}.tgz
             if rest.contains("/tarballs/") && key.ends_with(".tgz") {
                 let parts: Vec<_> = rest.split('/').collect();
                 if !parts.is_empty() {
-                    let name = parts[0].to_string();
+                    // Scoped packages: @scope/package → parts[0]="@scope", parts[1]="package"
+                    let name = if parts[0].starts_with('@') && parts.len() >= 4 {
+                        format!("{}/{}", parts[0], parts[1])
+                    } else {
+                        parts[0].to_string()
+                    };
                     let entry = packages.entry(name).or_insert((0, 0, 0));
                     entry.0 += 1;
 

nora-registry/src/secrets/mod.rs

@@ -1,8 +1,6 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT
 
-#![allow(dead_code)] // Foundational code for future S3/Vault integration
-
 //! Secrets management for NORA
 //!
 //! Provides a trait-based architecture for secrets providers:
@@ -34,6 +32,7 @@ use async_trait::async_trait;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 
+#[allow(dead_code)] // Variants used by provider impls; external error handling planned for v0.4
 /// Secrets provider error
 #[derive(Debug, Error)]
 pub enum SecretsError {
@@ -56,9 +55,11 @@ pub enum SecretsError {
 #[async_trait]
 pub trait SecretsProvider: Send + Sync {
     /// Get a secret by key (required)
+    #[allow(dead_code)]
     async fn get_secret(&self, key: &str) -> Result<ProtectedString, SecretsError>;
 
     /// Get a secret by key (optional, returns None if not found)
+    #[allow(dead_code)]
     async fn get_secret_optional(&self, key: &str) -> Option<ProtectedString> {
         self.get_secret(key).await.ok()
     }

nora-registry/src/secrets/protected.rs

@@ -13,12 +13,14 @@ use zeroize::{Zeroize, Zeroizing};
 /// - Implements Zeroize: memory is overwritten with zeros when dropped
 /// - Debug shows `***REDACTED***` instead of actual value
 /// - Clone creates a new protected copy
+#[allow(dead_code)] // Used internally by SecretsProvider impls; external callers planned for v0.4
 #[derive(Clone, Zeroize)]
 #[zeroize(drop)]
 pub struct ProtectedString {
     inner: String,
 }
 
+#[allow(dead_code)]
 impl ProtectedString {
     /// Create a new protected string
     pub fn new(value: String) -> Self {
@@ -68,6 +70,7 @@ impl From<&str> for ProtectedString {
 }
 
 /// S3 credentials with protected secrets
+#[allow(dead_code)] // S3 storage backend planned for v0.4
 #[derive(Clone, Zeroize)]
 #[zeroize(drop)]
 pub struct S3Credentials {
@@ -77,6 +80,7 @@ pub struct S3Credentials {
     pub region: Option<String>,
 }
 
+#[allow(dead_code)]
 impl S3Credentials {
     pub fn new(access_key_id: String, secret_access_key: String) -> Self {
         Self {

nora-registry/src/tokens.rs

@@ -40,7 +40,6 @@ impl Role {
     }
 }
 
-
 /// API Token metadata stored on disk
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TokenInfo {
@@ -260,7 +259,9 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        let token = store.create_token("testuser", 30, None, Role::Write).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
         let (user, role) = store.verify_token(&token).unwrap();
 
         assert_eq!(user, "testuser");
@@ -291,7 +292,9 @@ mod tests {
         let store = TokenStore::new(temp_dir.path());
 
         // Create token and manually set it as expired
-        let token = store.create_token("testuser", 1, None, Role::Write).unwrap();
+        let token = store
+            .create_token("testuser", 1, None, Role::Write)
+            .unwrap();
         let token_hash = hash_token(&token);
         let file_path = temp_dir.path().join(format!("{}.json", &token_hash[..16]));
 
@@ -330,7 +333,9 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        let token = store.create_token("testuser", 30, None, Role::Write).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
         let token_hash = hash_token(&token);
         let hash_prefix = &token_hash[..16];
 
@@ -375,7 +380,9 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        let token = store.create_token("testuser", 30, None, Role::Write).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
 
         // First verification
         store.verify_token(&token).unwrap();
@@ -391,7 +398,12 @@ mod tests {
         let store = TokenStore::new(temp_dir.path());
 
         store
-            .create_token("testuser", 30, Some("CI/CD Pipeline".to_string()), Role::Admin)
+            .create_token(
+                "testuser",
+                30,
+                Some("CI/CD Pipeline".to_string()),
+                Role::Admin,
+            )
             .unwrap();
 
         let tokens = store.list_tokens("testuser");

nora-registry/src/ui/api.rs

@@ -141,11 +141,14 @@ pub async fn api_dashboard(State(state): State<Arc<AppState>>) -> Json<Dashboard
     let pypi_size: u64 = pypi_repos.iter().map(|r| r.size).sum();
     let total_storage = docker_size + maven_size + npm_size + cargo_size + pypi_size;
 
-    let total_artifacts = docker_repos.len()
-        + maven_repos.len()
-        + npm_repos.len()
-        + cargo_repos.len()
-        + pypi_repos.len();
+    // Count total versions/tags, not just repositories
+    let docker_versions: usize = docker_repos.iter().map(|r| r.versions).sum();
+    let maven_versions: usize = maven_repos.iter().map(|r| r.versions).sum();
+    let npm_versions: usize = npm_repos.iter().map(|r| r.versions).sum();
+    let cargo_versions: usize = cargo_repos.iter().map(|r| r.versions).sum();
+    let pypi_versions: usize = pypi_repos.iter().map(|r| r.versions).sum();
+    let total_artifacts =
+        docker_versions + maven_versions + npm_versions + cargo_versions + pypi_versions;
 
     let global_stats = GlobalStats {
         downloads: state.metrics.downloads.load(Ordering::Relaxed),
@@ -158,35 +161,35 @@ pub async fn api_dashboard(State(state): State<Arc<AppState>>) -> Json<Dashboard
     let registry_card_stats = vec![
         RegistryCardStats {
             name: "docker".to_string(),
-            artifact_count: docker_repos.len(),
+            artifact_count: docker_versions,
             downloads: state.metrics.get_registry_downloads("docker"),
             uploads: state.metrics.get_registry_uploads("docker"),
             size_bytes: docker_size,
         },
         RegistryCardStats {
             name: "maven".to_string(),
-            artifact_count: maven_repos.len(),
+            artifact_count: maven_versions,
             downloads: state.metrics.get_registry_downloads("maven"),
             uploads: state.metrics.get_registry_uploads("maven"),
             size_bytes: maven_size,
         },
         RegistryCardStats {
             name: "npm".to_string(),
-            artifact_count: npm_repos.len(),
+            artifact_count: npm_versions,
             downloads: state.metrics.get_registry_downloads("npm"),
             uploads: 0,
             size_bytes: npm_size,
         },
         RegistryCardStats {
             name: "cargo".to_string(),
-            artifact_count: cargo_repos.len(),
+            artifact_count: cargo_versions,
             downloads: state.metrics.get_registry_downloads("cargo"),
             uploads: 0,
             size_bytes: cargo_size,
         },
         RegistryCardStats {
             name: "pypi".to_string(),
-            artifact_count: pypi_repos.len(),
+            artifact_count: pypi_versions,
             downloads: state.metrics.get_registry_downloads("pypi"),
             uploads: 0,
             size_bytes: pypi_size,
@@ -197,12 +200,17 @@ pub async fn api_dashboard(State(state): State<Arc<AppState>>) -> Json<Dashboard
         MountPoint {
             registry: "Docker".to_string(),
             mount_path: "/v2/".to_string(),
-            proxy_upstream: None,
+            proxy_upstream: state.config.docker.upstreams.first().map(|u| u.url.clone()),
         },
         MountPoint {
             registry: "Maven".to_string(),
             mount_path: "/maven2/".to_string(),
-            proxy_upstream: state.config.maven.proxies.first().cloned(),
+            proxy_upstream: state
+                .config
+                .maven
+                .proxies
+                .first()
+                .map(|p| p.url().to_string()),
         },
         MountPoint {
             registry: "npm".to_string(),

nora-registry/src/validation.rs

@@ -1,7 +1,6 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT
 
-#![allow(dead_code)]
 //! Input validation for artifact registry paths and identifiers
 //!
 //! Provides security validation to prevent path traversal attacks and
@@ -309,63 +308,6 @@ pub fn validate_docker_reference(reference: &str) -> Result<(), ValidationError>
     Ok(())
 }
 
-/// Validate Maven artifact path.
-///
-/// Maven paths follow the pattern: groupId/artifactId/version/filename
-/// Example: `org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar`
-pub fn validate_maven_path(path: &str) -> Result<(), ValidationError> {
-    validate_storage_key(path)
-}
-
-/// Validate npm package name.
-pub fn validate_npm_name(name: &str) -> Result<(), ValidationError> {
-    if name.is_empty() {
-        return Err(ValidationError::EmptyInput);
-    }
-
-    if name.len() > 214 {
-        return Err(ValidationError::TooLong {
-            max: 214,
-            actual: name.len(),
-        });
-    }
-
-    // Check for path traversal
-    if name.contains("..") {
-        return Err(ValidationError::PathTraversal);
-    }
-
-    Ok(())
-}
-
-/// Validate Cargo crate name.
-pub fn validate_crate_name(name: &str) -> Result<(), ValidationError> {
-    if name.is_empty() {
-        return Err(ValidationError::EmptyInput);
-    }
-
-    if name.len() > 64 {
-        return Err(ValidationError::TooLong {
-            max: 64,
-            actual: name.len(),
-        });
-    }
-
-    // Check for path traversal
-    if name.contains("..") || name.contains('/') {
-        return Err(ValidationError::PathTraversal);
-    }
-
-    // Crate names: alphanumeric, underscores, hyphens
-    for c in name.chars() {
-        if !matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '_' | '-') {
-            return Err(ValidationError::ForbiddenCharacter(c));
-        }
-    }
-
-    Ok(())
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;