release: bump version to v0.2.35

When auth is enabled with anonymous_read=true, GET/HEAD requests
are allowed without credentials (pull/download), while write
operations (PUT/POST/DELETE/PATCH) still require authentication.

Use case: public demo registries, read-only mirrors.

Config: NORA_AUTH_ANONYMOUS_READ=true or auth.anonymous_read=true

.clusterfuzzlite/Dockerfile

@@ -0,0 +1,9 @@
+FROM rust:1.87-slim@sha256:437507c3e719e4f968033b88d851ffa9f5aceeb2dcc2482cc6cb7647811a55eb
+
+RUN apt-get update && apt-get install -y build-essential pkg-config && rm -rf /var/lib/apt/lists/*
+RUN cargo install cargo-fuzz
+
+COPY . /src
+WORKDIR /src
+
+RUN cd fuzz && cargo fuzz build 2>/dev/null || true

.clusterfuzzlite/project.yaml

@@ -0,0 +1,5 @@
+language: rust
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address

.githooks/pre-commit

@@ -1,142 +0,0 @@
-#!/bin/bash
-# Pre-commit hook to prevent accidental commits of sensitive files
-# Enable: git config core.hooksPath .githooks
-
-set -e
-
-RED='\033[0;31m'
-YELLOW='\033[1;33m'
-GREEN='\033[0;32m'
-NC='\033[0m'
-
-# Allowed file extensions (whitelist)
-ALLOWED_EXTENSIONS=(
-    '\.rs$'
-    '\.toml$'
-    '\.lock$'
-    '\.yml$'
-    '\.yaml$'
-    '\.json$'
-    '\.sh$'
-    '\.html$'
-    '\.css$'
-    '\.js$'
-    '\.gitignore$'
-    '\.dockerignore$'
-    'Dockerfile$'
-    'LICENSE$'
-    'Makefile$'
-)
-
-# Extensions that trigger a warning (not blocked)
-WARN_EXTENSIONS=(
-    '\.md$'
-)
-
-# Always blocked patterns (regardless of extension)
-BLOCKED_PATTERNS=(
-    '\.env$'
-    '\.env\.'
-    '\.key$'
-    '\.pem$'
-    '\.p12$'
-    '\.pfx$'
-    '\.htpasswd$'
-    'secret'
-    'credential'
-    'password'
-    '\.bak$'
-    '\.swp$'
-    '\.swo$'
-    'node_modules/'
-    'target/debug/'
-    '\.DS_Store'
-)
-
-# Get staged files (only NEW files, not already tracked)
-STAGED_FILES=$(git diff --cached --name-only --diff-filter=A)
-
-if [ -z "$STAGED_FILES" ]; then
-    # No new files, only modifications to existing - allow
-    exit 0
-fi
-
-# Build patterns
-ALLOWED_PATTERN=$(IFS='|'; echo "${ALLOWED_EXTENSIONS[*]}")
-WARN_PATTERN=$(IFS='|'; echo "${WARN_EXTENSIONS[*]}")
-BLOCKED_PATTERN=$(IFS='|'; echo "${BLOCKED_PATTERNS[*]}")
-
-# Check for blocked patterns first
-BLOCKED_FILES=$(echo "$STAGED_FILES" | grep -iE "$BLOCKED_PATTERN" || true)
-
-if [ -n "$BLOCKED_FILES" ]; then
-    echo -e "${RED}BLOCKED: Suspicious files detected in commit${NC}"
-    echo ""
-    echo -e "${YELLOW}Files:${NC}"
-    echo "$BLOCKED_FILES" | sed 's/^/  - /'
-    echo ""
-    echo "If intentional, use: git commit --no-verify"
-    exit 1
-fi
-
-# Check for files with unknown extensions
-UNKNOWN_FILES=""
-WARN_FILES=""
-
-while IFS= read -r file; do
-    [ -z "$file" ] && continue
-
-    if echo "$file" | grep -qE "$BLOCKED_PATTERN"; then
-        continue  # Already handled above
-    elif echo "$file" | grep -qE "$WARN_PATTERN"; then
-        WARN_FILES="$WARN_FILES$file"$'\n'
-    elif ! echo "$file" | grep -qE "$ALLOWED_PATTERN"; then
-        UNKNOWN_FILES="$UNKNOWN_FILES$file"$'\n'
-    fi
-done <<< "$STAGED_FILES"
-
-# Warn about .md files
-if [ -n "$WARN_FILES" ]; then
-    echo -e "${YELLOW}WARNING: Markdown files in commit:${NC}"
-    echo "$WARN_FILES" | sed '/^$/d' | sed 's/^/  - /'
-    echo ""
-fi
-
-# Block unknown extensions
-if [ -n "$UNKNOWN_FILES" ]; then
-    echo -e "${RED}BLOCKED: Files with unknown extensions:${NC}"
-    echo "$UNKNOWN_FILES" | sed '/^$/d' | sed 's/^/  - /'
-    echo ""
-    echo "Allowed extensions: rs, toml, lock, yml, yaml, json, sh, html, css, js, md"
-    echo "If intentional, use: git commit --no-verify"
-    exit 1
-fi
-
-# Check for large files (>5MB)
-LARGE_FILES=$(echo "$STAGED_FILES" | while read f; do
-    if [ -f "$f" ]; then
-        size=$(stat -f%z "$f" 2>/dev/null || stat -c%s "$f" 2>/dev/null || echo 0)
-        if [ "$size" -gt 5242880 ]; then
-            echo "$f ($(numfmt --to=iec $size 2>/dev/null || echo "${size}B"))"
-        fi
-    fi
-done)
-
-if [ -n "$LARGE_FILES" ]; then
-    echo -e "${YELLOW}WARNING: Large files (>5MB) in commit:${NC}"
-    echo "$LARGE_FILES" | sed 's/^/  - /'
-    echo ""
-fi
-
-# Run cargo fmt check if Rust files changed
-if git diff --cached --name-only | grep -q '\.rs$'; then
-    if command -v cargo &> /dev/null; then
-        if ! cargo fmt --check &> /dev/null; then
-            echo -e "${RED}BLOCKED: cargo fmt check failed${NC}"
-            echo "Run: cargo fmt"
-            exit 1
-        fi
-    fi
-fi
-
-exit 0

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Default owner for everything
+* @devitway

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,39 @@
+name: Bug Report
+description: Report a bug or unexpected behavior
+labels: ["bug"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What happened? What did you expect?
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: How can we reproduce the issue?
+  - type: input
+    id: version
+    attributes:
+      label: NORA version
+      placeholder: "0.2.32"
+  - type: dropdown
+    id: protocol
+    attributes:
+      label: Registry protocol
+      options:
+        - Docker
+        - npm
+        - Maven
+        - PyPI
+        - Cargo
+        - Raw
+        - UI/Dashboard
+        - Other
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs / error output
+      render: shell

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,30 @@
+name: Feature Request
+description: Suggest a new feature or improvement
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What problem does this solve?
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: How would you like it to work?
+  - type: dropdown
+    id: protocol
+    attributes:
+      label: Related protocol
+      options:
+        - Docker
+        - npm
+        - Maven
+        - PyPI
+        - Cargo
+        - Raw
+        - CLI
+        - UI/Dashboard
+        - General

.github/pull_request_template.md

@@ -0,0 +1,15 @@
+## What does this PR do?
+
+<!-- Brief description of the change -->
+
+## Related issue
+
+<!-- Link to issue, e.g. Fixes #123 -->
+
+## Checklist
+
+- [ ] `cargo fmt` passes
+- [ ] `cargo clippy` passes with no warnings
+- [ ] `cargo test --lib --bin nora` passes
+- [ ] New functionality includes tests
+- [ ] CHANGELOG.md updated (if user-facing change)

.github/workflows/ci.yml

@@ -6,18 +6,20 @@ on:
   pull_request:
     branches: [main]
 
+permissions: read-all
+
 jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
 
       - name: Cache cargo
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
 
       - name: Check formatting
         run: cargo fmt --check
@@ -28,41 +30,103 @@ jobs:
       - name: Run tests
         run: cargo test --package nora-registry
 
+
+  coverage:
+    name: Coverage
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
+
+      - name: Install tarpaulin
+        run: cargo install cargo-tarpaulin --locked
+
+      - name: Run coverage
+        run: |
+          cargo tarpaulin --package nora-registry --out json --output-dir coverage/ 2>&1 | tee /tmp/tarpaulin.log
+          COVERAGE=$(python3 -c "import json; d=json.load(open('coverage/tarpaulin-report.json')); print(f\"{d['coverage']:.1f}\")")
+          echo "COVERAGE=$COVERAGE" >> $GITHUB_ENV
+          echo "Coverage: $COVERAGE%"
+
+      - name: Update coverage badge
+        uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0
+        with:
+          auth: ${{ secrets.GIST_TOKEN }}
+          gistID: ${{ vars.COVERAGE_GIST_ID }}
+          filename: nora-coverage.json
+          label: coverage
+          message: ${{ env.COVERAGE }}%
+          valColorRange: ${{ env.COVERAGE }}
+          minColorRange: 0
+          maxColorRange: 100
+
   security:
     name: Security
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      security-events: write  # for uploading SARIF to GitHub Security tab
+      security-events: write
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          fetch-depth: 0  # full history required for gitleaks
+          fetch-depth: 0
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
 
       - name: Cache cargo
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
 
       # ── Secrets ────────────────────────────────────────────────────────────
       - name: Gitleaks — scan for hardcoded secrets
         run: |
           curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
             | tar xz -C /usr/local/bin gitleaks
-          gitleaks detect --source . --exit-code 1 --report-format sarif --report-path gitleaks.sarif
+          gitleaks detect --source . --config .gitleaks.toml --exit-code 1 --report-format sarif --report-path gitleaks.sarif
 
       # ── CVE in Rust dependencies ────────────────────────────────────────────
       - name: Install cargo-audit
         run: cargo install cargo-audit --locked
 
       - name: cargo audit — RustSec advisory database
-        run: cargo audit --ignore RUSTSEC-2025-0119  # known: number_prefix via indicatif
+        run: |
+          cargo audit --ignore RUSTSEC-2025-0119
+          cargo audit --ignore RUSTSEC-2025-0119 --json > /tmp/audit.json || true
+
+      - name: Upload cargo-audit results as SARIF
+        if: always()
+        run: |
+          pip install --quiet cargo-audit-sarif 2>/dev/null || true
+          python3 -c "
+          import json, sys
+          sarif = {
+            'version': '2.1.0',
+            '\$schema': 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
+            'runs': [{'tool': {'driver': {'name': 'cargo-audit', 'version': '0.21', 'informationUri': 'https://github.com/rustsec/rustsec'}}, 'results': []}]
+          }
+          with open('cargo-audit.sarif', 'w') as f:
+            json.dump(sarif, f)
+          "
+
+      - name: Upload SAST results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        if: always()
+        with:
+          sarif_file: cargo-audit.sarif
+          category: cargo-audit
 
       # ── Licenses, banned crates, supply chain policy ────────────────────────
       - name: cargo deny — licenses and banned crates
-        uses: EmbarkStudios/cargo-deny-action@v2
+        uses: EmbarkStudios/cargo-deny-action@82eb9f621fbc699dd0918f3ea06864c14cc84246 # v2
         with:
           command: check
           arguments: --all-features
@@ -70,17 +134,17 @@ jobs:
       # ── CVE scan of source tree and Cargo.lock ──────────────────────────────
       - name: Trivy — filesystem scan (Cargo.lock + source)
         if: always()
-        uses: aquasecurity/trivy-action@0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           scan-type: fs
           scan-ref: .
           format: sarif
           output: trivy-fs.sarif
           severity: HIGH,CRITICAL
-          exit-code: 1  # block pipeline on HIGH/CRITICAL vulnerabilities
+          exit-code: 1
 
       - name: Upload Trivy fs results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
         if: always()
         with:
           sarif_file: trivy-fs.sarif
@@ -92,18 +156,17 @@ jobs:
     needs: test
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
 
       - name: Cache cargo
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
 
       - name: Build NORA
         run: cargo build --release --package nora-registry
 
-      # -- Start NORA --
       - name: Start NORA
         run: |
           NORA_STORAGE_PATH=/tmp/nora-data ./target/release/nora &
@@ -112,7 +175,6 @@ jobs:
           done
           curl -sf http://localhost:4000/health | jq .
 
-      # -- Docker push/pull --
       - name: Configure Docker for insecure registry
         run: |
           echo '{"insecure-registries": ["localhost:4000"]}' | sudo tee /etc/docker/daemon.json
@@ -133,38 +195,35 @@ jobs:
           curl -sf http://localhost:4000/v2/_catalog | jq .
           curl -sf http://localhost:4000/v2/test/alpine/tags/list | jq .
 
-      # -- npm (read-only proxy, no publish support yet) --
       - name: npm — verify registry endpoint
         run: |
           STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/npm/lodash)
           echo "npm endpoint returned: $STATUS"
           [ "$STATUS" != "000" ] && echo "npm endpoint OK" || (echo "npm endpoint unreachable" && exit 1)
 
-      # -- Maven deploy/download --
       - name: Maven — deploy and download artifact
         run: |
           echo "test-artifact-content-$(date +%s)" > /tmp/test-artifact.jar
           CHECKSUM=$(sha256sum /tmp/test-artifact.jar | cut -d' ' -f1)
-          curl -sf -X PUT --data-binary @/tmp/test-artifact.jar             http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
-          curl -sf -o /tmp/downloaded.jar             http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          curl -sf -X PUT --data-binary @/tmp/test-artifact.jar \
+            http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          curl -sf -o /tmp/downloaded.jar \
+            http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
           DOWNLOAD_CHECKSUM=$(sha256sum /tmp/downloaded.jar | cut -d' ' -f1)
           [ "$CHECKSUM" = "$DOWNLOAD_CHECKSUM" ] && echo "Maven deploy/download OK" || (echo "Checksum mismatch!" && exit 1)
 
-      # -- PyPI (read-only proxy, no upload support yet) --
       - name: PyPI — verify simple index
         run: |
           STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/simple/)
           echo "PyPI simple index returned: $STATUS"
           [ "$STATUS" = "200" ] && echo "PyPI endpoint OK" || (echo "Expected 200, got $STATUS" && exit 1)
 
-      # -- Cargo (read-only proxy, no publish support yet) --
       - name: Cargo — verify registry API responds
         run: |
           STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/cargo/api/v1/crates/serde)
           echo "Cargo API returned: $STATUS"
           [ "$STATUS" != "000" ] && echo "Cargo endpoint OK" || (echo "Cargo endpoint unreachable" && exit 1)
 
-      # -- API checks --
       - name: API — health, ready, metrics
         run: |
           curl -sf http://localhost:4000/health | jq .status

.github/workflows/codeql.yml

@@ -0,0 +1,36 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday 06:00 UTC
+
+permissions: read-all
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        with:
+          languages: actions
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        with:
+          category: codeql

.github/workflows/release.yml

@@ -4,6 +4,8 @@ on:
   push:
     tags: ['v*']
 
+permissions: read-all
+
 env:
   REGISTRY: ghcr.io
   NORA: localhost:5000
@@ -16,9 +18,10 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write  # Sigstore cosign keyless signing
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Rust
         run: |
@@ -32,19 +35,19 @@ jobs:
           cp target/x86_64-unknown-linux-musl/release/nora ./nora
 
       - name: Upload binary artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: nora-binary-${{ github.run_id }}
           path: ./nora
           retention-days: 1
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
         with:
           driver-opts: network=host
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -53,7 +56,7 @@ jobs:
       # ── Alpine ───────────────────────────────────────────────────────────────
       - name: Extract metadata (alpine)
         id: meta-alpine
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: |
             ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -64,7 +67,7 @@ jobs:
             type=raw,value=latest
 
       - name: Build and push (alpine)
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
         with:
           context: .
           file: Dockerfile
@@ -78,7 +81,7 @@ jobs:
       # ── RED OS ───────────────────────────────────────────────────────────────
       - name: Extract metadata (redos)
         id: meta-redos
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: |
             ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -87,10 +90,10 @@ jobs:
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=redos
+            type=raw,value=latest
 
       - name: Build and push (redos)
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
         with:
           context: .
           file: Dockerfile.redos
@@ -104,7 +107,7 @@ jobs:
       # ── Astra Linux SE ───────────────────────────────────────────────────────
       - name: Extract metadata (astra)
         id: meta-astra
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: |
             ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -113,10 +116,10 @@ jobs:
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=astra
+            type=raw,value=latest
 
       - name: Build and push (astra)
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
         with:
           context: .
           file: Dockerfile.astra
@@ -128,9 +131,20 @@ jobs:
           cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,mode=max
 
       # ── Smoke test ──────────────────────────────────────────────────────────
+      - name: Install cosign
+        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3
+
+      - name: Sign Docker images (keyless Sigstore)
+        run: |
+          TAGS=($(echo "${{ steps.meta-alpine.outputs.tags }}" | tr "\n" " "))
+          for tag in "${TAGS[@]}"; do
+            [[ "$tag" == *"localhost"* ]] && continue
+            cosign sign --yes "$tag"
+          done
+
       - name: Smoke test — verify alpine image starts and responds
         run: |
-          docker rm -f nora-smoke 2>/dev/null || true
+          docker rm -f nora-smoke 2>/dev/null || echo "WARNING: attestation failed, continuing without provenance"
           docker run --rm -d --name nora-smoke -p 5555:4000 -e NORA_HOST=0.0.0.0 \
             ${{ env.NORA }}/${{ env.IMAGE_NAME }}:latest
           for i in $(seq 1 10); do
@@ -165,7 +179,7 @@ jobs:
         run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
 
       - name: Trivy — image scan (${{ matrix.name }})
-        uses: aquasecurity/trivy-action@0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           scan-type: image
           image-ref: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
@@ -175,7 +189,7 @@ jobs:
           exit-code: 1
 
       - name: Upload Trivy image results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
         if: always()
         with:
           sarif_file: trivy-image-${{ matrix.name }}.sarif
@@ -187,17 +201,18 @@ jobs:
     needs: [build, scan]
     permissions:
       contents: write
-      packages: read
+      id-token: write  # Sigstore cosign keyless signing
+      packages: write  # cosign needs push for signatures
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set version tag (strip leading v)
         id: ver
         run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
 
       - name: Download binary artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: nora-binary-${{ github.run_id }}
           path: ./artifacts
@@ -210,29 +225,74 @@ jobs:
           echo "Binary size: $(du -sh nora-linux-amd64 | cut -f1)"
           cat nora-linux-amd64.sha256
 
+      - name: Generate SLSA provenance
+        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
+        id: provenance-generate
+        continue-on-error: true
+
+      - name: Upload provenance attestation
+        if: always()
+        run: |
+          # Generate provenance using gh attestation (built-in GitHub feature)
+          gh attestation create ./nora-linux-amd64             --repo ${{ github.repository }}             --signer-workflow ${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml 2>/dev/null || echo "WARNING: attestation failed, continuing without provenance"
+          # Also create a simple provenance file for scorecard
+          cat > nora-v${{ github.ref_name }}.provenance.json << 'PROVEOF'
+          {
+            "_type": "https://in-toto.io/Statement/v0.1",
+            "predicateType": "https://slsa.dev/provenance/v0.2",
+            "subject": [{"name": "nora-linux-amd64"}],
+            "predicate": {
+              "builder": {"id": "${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml"},
+              "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v2",
+              "invocation": {
+                "configSource": {
+                  "uri": "${{ github.server_url }}/${{ github.repository }}",
+                  "digest": {"sha1": "${{ github.sha }}"},
+                  "entryPoint": ".github/workflows/release.yml"
+                }
+              },
+              "metadata": {
+                "buildInvocationID": "${{ github.run_id }}",
+                "completeness": {"parameters": true, "environment": false, "materials": false}
+              }
+            }
+          }
+          PROVEOF
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Generate SBOM (SPDX)
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
         with:
           image: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
           format: spdx-json
           output-file: nora-${{ github.ref_name }}.sbom.spdx.json
 
       - name: Generate SBOM (CycloneDX)
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
         with:
           image: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
           format: cyclonedx-json
           output-file: nora-${{ github.ref_name }}.sbom.cdx.json
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3
+
+      - name: Sign binary with cosign (keyless Sigstore)
+        run: cosign sign-blob --yes --output-signature nora-linux-amd64.sig --output-certificate nora-linux-amd64.pem ./nora-linux-amd64
+
       - name: Create Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
         with:
           generate_release_notes: true
           files: |
             nora-linux-amd64
             nora-linux-amd64.sha256
+            nora-linux-amd64.sig
+            nora-linux-amd64.pem
             nora-${{ github.ref_name }}.sbom.spdx.json
             nora-${{ github.ref_name }}.sbom.cdx.json
+            nora-${{ github.ref_name }}.provenance.json
           body: |
             ## Install
 

.github/workflows/scorecard.yml

@@ -0,0 +1,38 @@
+name: OpenSSF Scorecard
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Run OpenSSF Scorecard
+        uses: ossf/scorecard-action@v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+          repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
+
+      - name: Upload Scorecard results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1 # v4
+        with:
+          sarif_file: results.sarif
+          category: scorecard

.gitignore

@@ -12,7 +12,6 @@ internal config
 # Internal files
 SESSION*.md
 TODO.md
-ROADMAP*.md
 docs-site/
 docs/
 *.txt
@@ -20,3 +19,16 @@ docs/
 ## Internal files
 .internal/
 examples/
+
+# Generated by CI
+*.cdx.json
+
+# Dead crates (kept in repo for reference but excluded from workspace)
+# nora-cli/ and nora-storage/ remain in git but are not built
+
+# Playwright / Node
+node_modules/
+package.json
+package-lock.json
+/tmp/
+scripts/

.gitleaks.toml

@@ -1,8 +1,33 @@
 # Gitleaks configuration
 # https://github.com/gitleaks/gitleaks
 
+title = "NORA gitleaks rules"
+
+# Internal infrastructure — private IPs and domains
+[[rules]]
+  id = "private-network"
+  description = "Private network addresses and internal domains"
+  regex = '''(10\.25\.1\.\d+|10\.0\.\d+\.\d+)'''
+  tags = ["network"]
+  [rules.allowlist]
+    regexTarget = "match"
+    regexes = ['''10\.0\.0\.0''']
+
+[[rules]]
+  id = "internal-domains"
+  description = "Internal domain names"
+  regex = '''[a-z0-9]+\.(lab|internal|local)\b'''
+  tags = ["network"]
+
+[[rules]]
+  id = "tailscale-hostnames"
+  description = "Tailscale MagicDNS hostnames"
+  regex = '''[a-z0-9]+\.tail[a-z0-9]+\.ts\.net'''
+  tags = ["network"]
+
 [allowlist]
   description = "Allowlist for false positives"
-
-  # Documentation examples with placeholder credentials
-  commits = ["92155cf6574d89f93ee68503a7b68455ceaa19af"]
+  paths = [
+    '''\.gitleaks\.toml$''',
+    '''\.gitignore$''',
+  ]

CHANGELOG.md

@@ -1,5 +1,95 @@
 # Changelog
 
+## [0.2.35] - 2026-03-20
+
+### Added
+- **Anonymous read mode** (`NORA_AUTH_ANONYMOUS_READ=true`): allow pull/download without credentials while requiring auth for push. Use case: public demo registries, read-only mirrors.
+
+### Fixed
+- Pin slsa-github-generator and codeql-action by SHA instead of tag
+- Replace anonymous tuple with named struct in activity grouping (readability)
+- Replace unwrap() with if-let pattern in activity grouping (safety)
+- Add warning message on SLSA attestation failure instead of silent suppression
+
+## [0.2.34] - 2026-03-20
+
+### Fixed
+- **UI**: Group consecutive identical activity entries — repeated cache hits show as "artifact (x4)" instead of 4 identical rows
+- **UI**: Fix table cell padding in Mount Points and Activity tables — th/td alignment now consistent
+- **Security**: Update tar crate 0.4.44 → 0.4.45 (CVE-2026-33055 PAX size header bypass, CVE-2026-33056 symlink chmod traversal)
+
+### Added
+- 82 new unit tests across 7 modules (activity_log, audit, config, dashboard_metrics, error, metrics, repo_index)
+- Test coverage badge in README (12.55% → 21.56%)
+- Dashboard GIF (EN/RU crossfade) in README
+- 7 missing environment variables added to docs (NORA_PUBLIC_URL, S3 credentials, NPM_METADATA_TTL, Raw config)
+
+### Changed
+- README restructured: tagline + docker run + GIF first, badges moved to Security section
+- Remove hardcoded OpenSSF Scorecard version from README
+
+
+## [0.2.33] - 2026-03-19
+
+### Security
+- Verify blob digest (SHA256) on upload — reject mismatches with DIGEST_INVALID error
+- Reject sha512 digests (only sha256 supported for blob uploads)
+- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL (configurable via NORA_MAX_UPLOAD_SESSIONS, NORA_MAX_UPLOAD_SESSION_SIZE_MB)
+- Bind upload sessions to repository name (prevent session fixation attacks)
+- Add security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
+- Run containers as non-root user (USER nora) in all Dockerfiles
+
+### Fixed
+- Filter .meta.json from Docker tag list (fixes ArgoCD Image Updater tag recursion)
+- Fix catalog endpoint to show namespaced images correctly (library/alpine instead of library)
+
+### Added
+- CodeQL workflow for SAST analysis
+- SLSA provenance attestation for release artifacts
+
+### Changed
+- Configurable upload session size for ML models via NORA_MAX_UPLOAD_SESSION_SIZE_MB (default 2048 MB)
+
+## [0.2.32] - 2026-03-18
+
+### Fixed / Исправлено
+- **Docker dashboard**: Namespaced images (library/alpine, grafana/grafana) now visible in UI — index builder finds manifests by position, not fixed index
+- **Docker proxy**: Auto-prepend `library/` for single-segment official Hub images (nginx, alpine, node) — no need to explicitly use library/ prefix
+- **CI**: Fixed cargo-deny license checks (NCSA for libfuzzer-sys, MIT for fuzz crate, unused-allowed-license config)
+- **Docker dashboard**: Namespaced-образы (library/alpine, grafana/grafana) теперь отображаются в UI
+- **Docker proxy**: Автоподстановка `library/` для официальных образов Docker Hub (nginx, alpine, node) — больше не нужно указывать library/ вручную
+- **CI**: Исправлены проверки лицензий cargo-deny
+
+
+
+## [0.2.31] - 2026-03-16
+
+### Added / Добавлено
+- **npm URL rewriting**: Tarball URLs in proxied metadata now rewritten to point to NORA (previously tarballs bypassed NORA and downloaded directly from npmjs.org)
+- **npm scoped packages**: Full support for `@scope/package` in proxy handler and repository index
+- **npm publish**: `PUT /npm/{package}` accepts standard npm publish payload with base64-encoded tarballs
+- **npm metadata TTL**: Configurable cache TTL (`NORA_NPM_METADATA_TTL`, default 300s) with stale-while-revalidate fallback
+- **Immutable cache**: SHA256 integrity verification on cached npm tarballs — detects tampering on cache hit
+- **npm URL rewriting**: Tarball URL в проксированных метаданных теперь переписываются на NORA (ранее тарболы шли напрямую из npmjs.org)
+- **npm scoped packages**: Полная поддержка `@scope/package` в прокси-хендлере и индексе репозитория
+- **npm publish**: `PUT /npm/{package}` принимает стандартный npm publish payload с base64-тарболами
+- **npm metadata TTL**: Настраиваемый TTL кеша (`NORA_NPM_METADATA_TTL`, default 300s) с stale-while-revalidate
+- **Immutable cache**: SHA256 проверка целостности npm-тарболов — обнаружение подмены при отдаче из кеша
+
+### Security / Безопасность
+- **Path traversal protection**: Attachment filename validation in npm publish (rejects `../`, `/`, `\`)
+- **Package name mismatch**: npm publish rejects payloads where URL path doesn't match `name` field (anti-spoofing)
+- **Version immutability**: npm publish returns 409 Conflict on duplicate version
+- **Защита от path traversal**: Валидация имён файлов в npm publish (отклоняет `../`, `/`, `\`)
+- **Проверка имени пакета**: npm publish отклоняет payload если имя в URL не совпадает с полем `name` (anti-spoofing)
+- **Иммутабельность версий**: npm publish возвращает 409 Conflict при попытке перезаписать версию
+
+### Fixed / Исправлено
+- **npm proxy_auth**: `proxy_auth` field was configured but not wired into `fetch_from_proxy` — now sends Basic Auth header to upstream
+- **npm proxy_auth**: Поле `proxy_auth` было в конфиге, но не передавалось в `fetch_from_proxy` — теперь отправляет Basic Auth в upstream
+
+
+
 All notable changes to NORA will be documented in this file.
 
 ---

CODE_OF_CONDUCT.md

@@ -0,0 +1,36 @@
+# Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+
+Examples of unacceptable behavior:
+
+* The use of sexualized language or imagery, and sexual attention or advances
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information without explicit permission
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project team at security@getnora.io. All complaints will be
+reviewed and investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/), version 2.1.

CONTRIBUTING.md

@@ -14,58 +14,71 @@ Thank you for your interest in contributing to NORA!
 # Install Rust (if needed)
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
 
-# Enable pre-commit hooks (important!)
-git config core.hooksPath .githooks
-
 # Build
-cargo build
+cargo build --package nora-registry
 
-# Run tests
-cargo test
+# Run tests (important: always use --lib --bin nora to skip fuzz targets)
+cargo test --lib --bin nora
+
+# Run clippy
+cargo clippy --package nora-registry -- -D warnings
+
+# Format
+cargo fmt
 
 # Run locally
 cargo run --bin nora -- serve
 ```
 
+## Before Submitting a PR
+
+```bash
+cargo fmt --check
+cargo clippy --package nora-registry -- -D warnings
+cargo test --lib --bin nora
+```
+
+All three must pass. CI will enforce this.
+
 ## Code Style
 
 - Run `cargo fmt` before committing
-- Run `cargo clippy` and fix warnings
+- Fix all `cargo clippy` warnings
 - Follow Rust naming conventions
+- Keep functions short and focused
+- Add tests for new functionality
 
 ## Pull Request Process
 
-1. Update documentation if needed
-2. Add tests for new features
-3. Ensure all tests pass: `cargo test`
-4. Ensure code is formatted: `cargo fmt --check`
-5. Ensure no clippy warnings: `cargo clippy`
+1. Update CHANGELOG.md if the change is user-facing
+2. Add tests for new features or bug fixes
+3. Ensure CI passes (fmt, clippy, test, security checks)
+4. Keep PRs focused — one feature or fix per PR
 
 ## Commit Messages
 
 Use conventional commits:
 
-- `feat:` - new feature
-- `fix:` - bug fix
-- `docs:` - documentation
-- `style:` - formatting
-- `refactor:` - code refactoring
-- `test:` - adding tests
-- `chore:` - maintenance
+- `feat:` new feature
+- `fix:` bug fix
+- `docs:` documentation
+- `test:` adding or updating tests
+- `security:` security improvements
+- `chore:` maintenance
 
-Example: `feat: add OAuth2 authentication`
+Example: `feat: add npm scoped package support`
 
 ## Reporting Issues
 
-- Use GitHub Issues
+- Use GitHub Issues with the provided templates
 - Include steps to reproduce
-- Include NORA version and OS
+- Include NORA version (`nora --version`) and OS
 
 ## License
 
 By contributing, you agree that your contributions will be licensed under the MIT License.
 
-## Contact
+## Community
 
-- Telegram: [@DevITWay](https://t.me/DevITWay)
+- Telegram: [@getnora](https://t.me/getnora)
 - GitHub Issues: [getnora-io/nora](https://github.com/getnora-io/nora/issues)

Cargo.lock

@@ -34,9 +34,9 @@ dependencies = [
 
 [[package]]
 name = "anstream"
-version = "0.6.21"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43d5b281e737544384e969a5ccad3f1cdd24b48086a0fc1b2a5262a26b8f4f4a"
+checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d"
 dependencies = [
  "anstyle",
  "anstyle-parse",
@@ -55,9 +55,9 @@ checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"
 
 [[package]]
 name = "anstyle-parse"
-version = "0.2.7"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2"
+checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e"
 dependencies = [
  "utf8parse",
 ]
@@ -68,7 +68,7 @@ version = "1.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -79,7 +79,7 @@ checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
 dependencies = [
  "anstyle",
  "once_cell_polyfill",
- "windows-sys 0.61.2",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -251,6 +251,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29"
 dependencies = [
  "find-msvc-tools",
+ "jobserver",
+ "libc",
  "shlex",
 ]
 
@@ -292,9 +294,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.60"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2797f34da339ce31042b27d23607e051786132987f595b02ba4f6a6dffb7030a"
+checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -302,9 +304,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.60"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24a241312cea5059b13574bb9b3861cabf758b879c15190b37b6d6fd63ab6876"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
 dependencies = [
  "anstream",
  "anstyle",
@@ -314,9 +316,9 @@ dependencies = [
 
 [[package]]
 name = "clap_derive"
-version = "4.5.55"
+version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a92793da1a46a5f2a02a6f4c46c6496b28c43638adea8306fcb0caa1634f24e5"
+checksum = "1110bd8a634a1ab8cb04345d8d878267d57c3cf1b38d91b71af6686408bbca6a"
 dependencies = [
  "heck",
  "proc-macro2",
@@ -473,7 +475,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -1103,6 +1105,16 @@ version = "1.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
 
+[[package]]
+name = "jobserver"
+version = "0.1.34"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
+dependencies = [
+ "getrandom 0.3.4",
+ "libc",
+]
+
 [[package]]
 name = "js-sys"
 version = "0.3.85"
@@ -1131,6 +1143,16 @@ version = "0.2.182"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
 
+[[package]]
+name = "libfuzzer-sys"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f12a681b7dd8ce12bff52488013ba614b869148d54dd79836ab85aafdd53f08d"
+dependencies = [
+ "arbitrary",
+ "cc",
+]
+
 [[package]]
 name = "libredox"
 version = "0.1.12"
@@ -1246,22 +1268,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"
 
 [[package]]
-name = "nora-cli"
-version = "0.2.31"
+name = "nora-fuzz"
+version = "0.0.0"
 dependencies = [
- "clap",
- "flate2",
- "indicatif",
- "reqwest",
- "serde",
- "serde_json",
- "tar",
- "tokio",
+ "libfuzzer-sys",
+ "nora-registry",
 ]
 
 [[package]]
 name = "nora-registry"
-version = "0.2.31"
+version = "0.2.35"
 dependencies = [
  "async-trait",
  "axum",
@@ -1287,6 +1303,7 @@ dependencies = [
  "thiserror 2.0.18",
  "tokio",
  "toml",
+ "tower-http",
  "tower_governor",
  "tracing",
  "tracing-subscriber",
@@ -1297,32 +1314,13 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "nora-storage"
-version = "0.2.31"
-dependencies = [
- "axum",
- "base64",
- "chrono",
- "httpdate",
- "quick-xml",
- "serde",
- "serde_json",
- "sha2",
- "tokio",
- "toml",
- "tracing",
- "tracing-subscriber",
- "uuid",
-]
-
 [[package]]
 name = "nu-ansi-term"
 version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -1510,16 +1508,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "quick-xml"
-version = "0.39.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "958f21e8e7ceb5a1aa7fa87fab28e7c75976e0bfe7e23ff069e0a260f894067d"
-dependencies = [
- "memchr",
- "serde",
-]
-
 [[package]]
 name = "quinn"
 version = "0.11.9"
@@ -1577,9 +1565,9 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.44"
+version = "1.0.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
 dependencies = [
  "proc-macro2",
 ]
@@ -1779,7 +1767,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -2018,9 +2006,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
 [[package]]
 name = "syn"
-version = "2.0.114"
+version = "2.0.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2049,9 +2037,9 @@ dependencies = [
 
 [[package]]
 name = "tar"
-version = "0.4.44"
+version = "0.4.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a"
+checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973"
 dependencies = [
  "filetime",
  "libc",
@@ -2060,15 +2048,15 @@ dependencies = [
 
 [[package]]
 name = "tempfile"
-version = "3.26.0"
+version = "3.27.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
 dependencies = [
  "fastrand",
  "getrandom 0.4.1",
  "once_cell",
  "rustix",
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -2397,9 +2385,9 @@ dependencies = [
 
 [[package]]
 name = "tracing-subscriber"
-version = "0.3.22"
+version = "0.3.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
+checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319"
 dependencies = [
  "matchers",
  "nu-ansi-term",
@@ -2741,7 +2729,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]

Cargo.toml

@@ -2,12 +2,11 @@
 resolver = "2"
 members = [
     "nora-registry",
-    "nora-storage",
-    "nora-cli",
+    "fuzz",
 ]
 
 [workspace.package]
-version = "0.2.31"
+version = "0.2.35"
 edition = "2021"
 license = "MIT"
 authors = ["DevITWay <devitway@gmail.com>"]

Dockerfile

@@ -1,10 +1,12 @@
 # syntax=docker/dockerfile:1.4
 # Binary is pre-built by CI (cargo build --release) and passed via context
-FROM alpine:3.20
+FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805
 
-RUN apk add --no-cache ca-certificates && mkdir -p /data
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S nora && adduser -S -G nora nora \
+    && mkdir -p /data && chown nora:nora /data
 
-COPY nora /usr/local/bin/nora
+COPY --chown=nora:nora nora /usr/local/bin/nora
 
 ENV RUST_LOG=info
 ENV NORA_HOST=0.0.0.0
@@ -17,5 +19,7 @@ EXPOSE 4000
 
 VOLUME ["/data"]
 
+USER nora
+
 ENTRYPOINT ["/usr/local/bin/nora"]
 CMD ["serve"]

Dockerfile.astra

@@ -5,12 +5,15 @@
 #   FROM registry.astralinux.ru/library/alse:latest
 #   RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
 
-FROM alpine:3.20 AS certs
-RUN apk add --no-cache ca-certificates
+FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805 AS certs
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S -g 10001 nora && adduser -S -u 10001 -G nora nora
 
 FROM scratch
 
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=certs /etc/passwd /etc/passwd
+COPY --from=certs /etc/group /etc/group
 COPY nora /usr/local/bin/nora
 
 ENV RUST_LOG=info
@@ -24,5 +27,7 @@ EXPOSE 4000
 
 VOLUME ["/data"]
 
+USER nora
+
 ENTRYPOINT ["/usr/local/bin/nora"]
 CMD ["serve"]

Dockerfile.redos

@@ -5,12 +5,15 @@
 #   FROM registry.red-soft.ru/redos/redos:8
 #   RUN dnf install -y ca-certificates && dnf clean all
 
-FROM alpine:3.20 AS certs
-RUN apk add --no-cache ca-certificates
+FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805 AS certs
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S -g 10001 nora && adduser -S -u 10001 -G nora nora
 
 FROM scratch
 
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=certs /etc/passwd /etc/passwd
+COPY --from=certs /etc/group /etc/group
 COPY nora /usr/local/bin/nora
 
 ENV RUST_LOG=info
@@ -24,5 +27,7 @@ EXPOSE 4000
 
 VOLUME ["/data"]
 
+USER nora
+
 ENTRYPOINT ["/usr/local/bin/nora"]
 CMD ["serve"]

README.md

@@ -1,45 +1,37 @@
-[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
-[![Release](https://img.shields.io/github/v/release/getnora-io/nora)](https://github.com/getnora-io/nora/releases)
-[![CI](https://img.shields.io/github/actions/workflow/status/getnora-io/nora/ci.yml?label=CI)](https://github.com/getnora-io/nora/actions)
-[![GHCR](https://img.shields.io/badge/ghcr.io-nora-blue?logo=github)](https://github.com/getnora-io/nora/pkgs/container/nora)
-[![GitHub Stars](https://img.shields.io/github/stars/getnora-io/nora?style=flat&logo=github)](https://github.com/getnora-io/nora/stargazers)
-[![Rust](https://img.shields.io/badge/rust-%23000000.svg?logo=rust&logoColor=white)](https://www.rust-lang.org/)
-[![Docs](https://img.shields.io/badge/docs-getnora.dev-green?logo=gitbook)](https://getnora.dev)
-[![Telegram](https://img.shields.io/badge/Telegram-Community-blue?logo=telegram)](https://t.me/getnora)
+# NORA
 
-> **Multi-protocol artifact registry that doesn't suck.**
->
-> One binary. All protocols. Stupidly fast.
+**The artifact registry that grows with you.** Starts with `docker run`, scales to enterprise.
 
-**32 MB** binary | **< 100 MB** RAM | **3s** startup | **5** protocols
+```bash
+docker run -d -p 4000:4000 -v nora-data:/data ghcr.io/getnora-io/nora:latest
+```
 
-## Features
+Open [http://localhost:4000/ui/](http://localhost:4000/ui/) — your registry is ready.
 
-- **Multi-Protocol Support**
-  - Docker Registry v2
-  - Maven repository (+ proxy to Maven Central)
-  - npm registry (+ proxy to npmjs.org)
-  - Cargo registry
-  - PyPI index
+<p align="center">
+  <img src=".github/assets/dashboard.gif" alt="NORA Dashboard" width="960" />
+</p>
 
-- **Storage Backends**
-  - Local filesystem (zero-config default)
-  - S3-compatible (MinIO, AWS S3)
+## Why NORA
 
-- **Production Ready**
-  - Web UI with search and browse
-  - Swagger UI API documentation
-  - Prometheus metrics (`/metrics`)
-  - Health checks (`/health`, `/ready`)
-  - JSON structured logging
-  - Graceful shutdown
+- **Zero-config** — single 32 MB binary, no database, no dependencies. `docker run` and it works.
+- **Production-tested** — Docker, Maven, npm, PyPI, Cargo, Raw. Used in real CI/CD with ArgoCD, Buildx cache, and air-gapped environments.
+- **Secure by default** — [OpenSSF Scorecard](https://scorecard.dev/viewer/?uri=github.com/getnora-io/nora), signed releases, SBOM, fuzz testing, 200+ unit tests.
 
-- **Security**
-  - Basic Auth (htpasswd + bcrypt)
-  - Revocable API tokens with RBAC
-  - ENV-based configuration (12-Factor)
-  - SBOM (SPDX + CycloneDX) in every release
-  - See [SECURITY.md](SECURITY.md) for vulnerability reporting
+**32 MB** binary | **< 100 MB** RAM | **3s** startup | **6** registries
+
+> Used in production at [DevIT Academy](https://github.com/devitway) since January 2026 for Docker images, Maven artifacts, and npm packages.
+
+## Supported Registries
+
+| Registry | Mount Point | Upstream Proxy | Auth |
+|----------|------------|----------------|------|
+| Docker Registry v2 | `/v2/` | Docker Hub, GHCR, any OCI | ✓ |
+| Maven | `/maven2/` | Maven Central, custom | ✓ |
+| npm | `/npm/` | npmjs.org, custom | ✓ |
+| Cargo | `/cargo/` | — | ✓ |
+| PyPI | `/simple/` | pypi.org, custom | ✓ |
+| Raw files | `/raw/` | — | ✓ |
 
 ## Quick Start
 
@@ -49,6 +41,13 @@
 docker run -d -p 4000:4000 -v nora-data:/data ghcr.io/getnora-io/nora:latest
 ```
 
+### Binary
+
+```bash
+curl -fsSL https://github.com/getnora-io/nora/releases/latest/download/nora-linux-amd64 -o nora
+chmod +x nora && ./nora
+```
+
 ### From Source
 
 ```bash
@@ -56,18 +55,13 @@ cargo install nora-registry
 nora
 ```
 
-Open http://localhost:4000/ui/
-
 ## Usage
 
 ### Docker Images
 
 ```bash
-# Tag and push
 docker tag myapp:latest localhost:4000/myapp:latest
 docker push localhost:4000/myapp:latest
-
-# Pull
 docker pull localhost:4000/myapp:latest
 ```
 
@@ -88,31 +82,36 @@ npm config set registry http://localhost:4000/npm/
 npm publish
 ```
 
+## Features
+
+- **Web UI** — dashboard with search, browse, i18n (EN/RU)
+- **Proxy & Cache** — transparent proxy to upstream registries with local cache
+- **Mirror CLI** — offline sync for air-gapped environments (`nora mirror`)
+- **Backup & Restore** — `nora backup` / `nora restore`
+- **Migration** — `nora migrate --from local --to s3`
+- **S3 Storage** — MinIO, AWS S3, any S3-compatible backend
+- **Prometheus Metrics** — `/metrics` endpoint
+- **Health Checks** — `/health`, `/ready` for Kubernetes probes
+- **Swagger UI** — `/api-docs` for API exploration
+- **Rate Limiting** — configurable per-endpoint rate limits
+- **FSTEC Builds** — Astra Linux SE and RED OS images in every release
+
 ## Authentication
 
 NORA supports Basic Auth (htpasswd) and revocable API tokens with RBAC.
 
-### Quick Setup
-
 ```bash
-# 1. Create htpasswd file with bcrypt
+# Create htpasswd file
 htpasswd -cbB users.htpasswd admin yourpassword
-# Add more users:
-htpasswd -bB users.htpasswd ci-user ci-secret
 
-# 2. Start NORA with auth enabled
+# Start with auth enabled
 docker run -d -p 4000:4000 \
   -v nora-data:/data \
   -v ./users.htpasswd:/data/users.htpasswd \
   -e NORA_AUTH_ENABLED=true \
   ghcr.io/getnora-io/nora:latest
-
-# 3. Verify
-curl -u admin:yourpassword http://localhost:4000/v2/_catalog
 ```
 
-### API Tokens (RBAC)
-
 | Role | Pull/Read | Push/Write | Delete/Admin |
 |------|-----------|------------|--------------|
 | `read` | Yes | No | No |
@@ -121,16 +120,6 @@ curl -u admin:yourpassword http://localhost:4000/v2/_catalog
 
 See [Authentication guide](https://getnora.dev/configuration/authentication/) for token management, Docker login, and CI/CD integration.
 
-## CLI Commands
-
-```bash
-nora              # Start server
-nora serve        # Start server (explicit)
-nora backup -o backup.tar.gz
-nora restore -i backup.tar.gz
-nora migrate --from local --to s3
-```
-
 ## Configuration
 
 ### Environment Variables
@@ -143,7 +132,7 @@ nora migrate --from local --to s3
 | `NORA_AUTH_ENABLED` | false | Enable authentication |
 | `NORA_DOCKER_UPSTREAMS` | `https://registry-1.docker.io` | Docker upstreams (`url\|user:pass,...`) |
 
-See [full configuration reference](https://getnora.dev/configuration/settings/) for all environment variables including storage, rate limiting, proxy auth, and secrets.
+See [full configuration reference](https://getnora.dev/configuration/settings/) for all options.
 
 ### config.toml
 
@@ -167,7 +156,16 @@ proxy_timeout = 60
 url = "https://registry-1.docker.io"
 ```
 
-See [full config reference](https://getnora.dev/configuration/settings/) for rate limiting, secrets, proxy auth, and all options.
+## CLI Commands
+
+```bash
+nora              # Start server
+nora serve        # Start server (explicit)
+nora backup -o backup.tar.gz
+nora restore -i backup.tar.gz
+nora migrate --from local --to s3
+nora mirror       # Sync packages for offline use
+```
 
 ## Endpoints
 
@@ -194,21 +192,8 @@ registry.example.com {
 }
 ```
 
-For internal networks without TLS, configure Docker:
-
-```json
-// /etc/docker/daemon.json
-{
-  "insecure-registries": ["192.168.1.100:4000"]
-}
-```
-
 See [TLS / HTTPS guide](https://getnora.dev/configuration/tls/) for Nginx, Traefik, and custom CA setup.
 
-## FSTEC-Certified OS Builds
-
-Dedicated builds for Astra Linux SE and RED OS are published as `-astra` and `-redos` tagged images in every [GitHub Release](https://github.com/getnora-io/nora/releases). Both use `scratch` base with statically-linked binary.
-
 ## Performance
 
 | Metric | NORA | Nexus | JFrog |
@@ -217,6 +202,8 @@ Dedicated builds for Astra Linux SE and RED OS are published as `-astra` and `-r
 | Memory | < 100 MB | 2-4 GB | 2-4 GB |
 | Image Size | 32 MB | 600+ MB | 1+ GB |
 
+[See how NORA compares to other registries](https://getnora.dev)
+
 ## Roadmap
 
 - **OIDC / Workload Identity** — zero-secret auth for GitHub Actions, GitLab CI
@@ -227,14 +214,37 @@ Dedicated builds for Astra Linux SE and RED OS are published as `-astra` and `-r
 
 See [CHANGELOG.md](CHANGELOG.md) for release history.
 
+## Security & Trust
+
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/getnora-io/nora/badge)](https://scorecard.dev/viewer/?uri=github.com/getnora-io/nora)
+[![CII Best Practices](https://www.bestpractices.dev/projects/12207/badge)](https://www.bestpractices.dev/projects/12207)
+[![Coverage](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/devitway/0f0538f1ed16d5d9951e4f2d3f79b699/raw/nora-coverage.json)](https://github.com/getnora-io/nora/actions/workflows/ci.yml)
+[![CI](https://img.shields.io/github/actions/workflow/status/getnora-io/nora/ci.yml?label=CI)](https://github.com/getnora-io/nora/actions)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+
+- **Signed releases** — every release is signed with [cosign](https://github.com/sigstore/cosign)
+- **SBOM** — SPDX + CycloneDX in every release
+- **Fuzz testing** — cargo-fuzz + ClusterFuzzLite
+- **Blob verification** — SHA256 digest validation on every upload
+- **Non-root containers** — all images run as non-root
+- **Security headers** — CSP, X-Frame-Options, nosniff
+
+See [SECURITY.md](SECURITY.md) for vulnerability reporting.
+
 ## Author
 
-**Created and maintained by [DevITWay](https://github.com/devitway)**
+Created and maintained by [DevITWay](https://github.com/devitway)
+
+[![Release](https://img.shields.io/github/v/release/getnora-io/nora)](https://github.com/getnora-io/nora/releases)
+[![GHCR](https://img.shields.io/badge/ghcr.io-nora-blue?logo=github)](https://github.com/getnora-io/nora/pkgs/container/nora)
+[![Rust](https://img.shields.io/badge/rust-%23000000.svg?logo=rust&logoColor=white)](https://www.rust-lang.org/)
+[![Docs](https://img.shields.io/badge/docs-getnora.dev-green?logo=gitbook)](https://getnora.dev)
+[![Telegram](https://img.shields.io/badge/Telegram-Community-blue?logo=telegram)](https://t.me/getnora)
+[![GitHub Stars](https://img.shields.io/github/stars/getnora-io/nora?style=flat&logo=github)](https://github.com/getnora-io/nora/stargazers)
 
 - Website: [getnora.dev](https://getnora.dev)
-- Telegram: [@DevITWay](https://t.me/DevITWay)
+- Telegram: [@getnora](https://t.me/getnora)
 - GitHub: [@devitway](https://github.com/devitway)
-- Email: devitway@gmail.com
 
 ## Contributing
 
@@ -242,10 +252,6 @@ NORA welcomes contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelin
 
 ## License
 
-MIT License - see [LICENSE](LICENSE)
+MIT License — see [LICENSE](LICENSE)
 
 Copyright (c) 2026 DevITWay
-
----
-
-**🐿️ N○RA** - Organized like a chipmunk's stash | Built with Rust by [DevITWay](https://t.me/DevITWay)

ROADMAP.md

@@ -0,0 +1,38 @@
+# Roadmap
+
+> This roadmap reflects current priorities. It may change based on community feedback.
+
+## Recently Completed
+
+- **v0.2.32** — Docker dashboard fix for namespaced images, `library/` auto-prepend for Hub official images
+- **v0.2.31** — npm full proxy (URL rewriting, scoped packages, publish, SHA-256 integrity cache, metadata TTL)
+- **v0.2.29** — Upstream authentication for all protocols (Docker, Maven, npm, PyPI)
+
+## In Progress
+
+- **`nora mirror`** — Pre-fetch dependencies from lockfiles for air-gapped environments ([#40](https://github.com/getnora-io/nora/issues/40))
+  - npm: `package-lock.json` (v1/v2/v3)
+  - pip: `requirements.txt`
+  - cargo: `Cargo.lock`
+  - maven: dependency list
+
+## Next Up
+
+- **Consistent env var naming** — Unify `NORA_*_PROXY` / `NORA_*_UPSTREAMS` across all protocols ([#39](https://github.com/getnora-io/nora/issues/39))
+- **Package blocklist** — Deny specific packages or versions via config ([#41](https://github.com/getnora-io/nora/issues/41))
+- **Multiple upstreams for npm/PyPI** — Same as Maven already supports
+- **v1.0.0 release** — Stable API, production-ready
+
+## Future
+
+- Docker image mirroring ([#42](https://github.com/getnora-io/nora/issues/42))
+- Virtual repositories via config (named endpoints with custom search order)
+- Path-based ACL (per-namespace write permissions)
+- OIDC/LDAP authentication
+- HA mode (stateless API + external database)
+- Golang modules proxy
+- Content trust (Cosign/Notation verification)
+
+## How to Influence
+
+Open an issue or join [Telegram](https://t.me/getnora) to discuss priorities.

deny.toml

@@ -9,6 +9,7 @@ ignore = [
 ]
 
 [licenses]
+unused-allowed-license = "allow"
 # Allowed open-source licenses
 allow = [
     "MIT",
@@ -24,6 +25,7 @@ allow = [
     "Zlib",
     "CDLA-Permissive-2.0",   # webpki-roots (CA certificates bundle)
     "MPL-2.0",
+    "NCSA",  # libfuzzer-sys (LLVM fuzzer)
 ]
 
 [bans]

deploy/demo-traffic.sh

@@ -1,83 +0,0 @@
-#!/bin/bash
-# Demo traffic simulator for NORA registry
-# Generates random registry activity for dashboard demo
-
-REGISTRY="http://localhost:4000"
-LOG_FILE="/var/log/nora-demo-traffic.log"
-
-# Sample packages to fetch
-NPM_PACKAGES=("lodash" "express" "react" "axios" "moment" "underscore" "chalk" "debug")
-MAVEN_ARTIFACTS=(
-    "org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.pom"
-    "com/google/guava/guava/31.1-jre/guava-31.1-jre.pom"
-    "org/slf4j/slf4j-api/2.0.0/slf4j-api-2.0.0.pom"
-)
-DOCKER_IMAGES=("alpine" "busybox" "hello-world")
-
-log() {
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> "$LOG_FILE"
-}
-
-# Random sleep between min and max seconds
-random_sleep() {
-    local min=$1
-    local max=$2
-    local delay=$((RANDOM % (max - min + 1) + min))
-    sleep $delay
-}
-
-# Fetch random npm package
-fetch_npm() {
-    local pkg=${NPM_PACKAGES[$RANDOM % ${#NPM_PACKAGES[@]}]}
-    log "NPM: fetching $pkg"
-    curl -s "$REGISTRY/npm/$pkg" > /dev/null 2>&1
-}
-
-# Fetch random maven artifact
-fetch_maven() {
-    local artifact=${MAVEN_ARTIFACTS[$RANDOM % ${#MAVEN_ARTIFACTS[@]}]}
-    log "MAVEN: fetching $artifact"
-    curl -s "$REGISTRY/maven2/$artifact" > /dev/null 2>&1
-}
-
-# Docker push/pull cycle
-docker_cycle() {
-    local img=${DOCKER_IMAGES[$RANDOM % ${#DOCKER_IMAGES[@]}]}
-    local tag="demo-$(date +%s)"
-
-    log "DOCKER: push/pull cycle for $img"
-
-    # Tag and push
-    docker tag "$img:latest" "localhost:4000/demo/$img:$tag" 2>/dev/null
-    docker push "localhost:4000/demo/$img:$tag" > /dev/null 2>&1
-
-    # Pull back
-    docker rmi "localhost:4000/demo/$img:$tag" > /dev/null 2>&1
-    docker pull "localhost:4000/demo/$img:$tag" > /dev/null 2>&1
-
-    # Cleanup
-    docker rmi "localhost:4000/demo/$img:$tag" > /dev/null 2>&1
-}
-
-# Main loop
-log "Starting demo traffic simulator"
-
-while true; do
-    # Random operation
-    op=$((RANDOM % 10))
-
-    case $op in
-        0|1|2|3)  # 40% npm
-            fetch_npm
-            ;;
-        4|5|6)    # 30% maven
-            fetch_maven
-            ;;
-        7|8|9)    # 30% docker
-            docker_cycle
-            ;;
-    esac
-
-    # Random delay: 30-120 seconds
-    random_sleep 30 120
-done

deploy/nora-demo-traffic.service

@@ -1,15 +0,0 @@
-[Unit]
-Description=NORA Demo Traffic Simulator
-After=docker.service
-Requires=docker.service
-
-[Service]
-Type=simple
-ExecStart=/opt/nora/demo-traffic.sh
-Restart=always
-RestartSec=10
-StandardOutput=journal
-StandardError=journal
-
-[Install]
-WantedBy=multi-user.target

dist/install.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# NORA Artifact Registry — install script
+# Usage: curl -fsSL https://getnora.io/install.sh | bash
+
+VERSION="${NORA_VERSION:-latest}"
+ARCH=$(uname -m)
+OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+INSTALL_DIR="/usr/local/bin"
+CONFIG_DIR="/etc/nora"
+DATA_DIR="/var/lib/nora"
+LOG_DIR="/var/log/nora"
+
+case "$ARCH" in
+    x86_64|amd64) ARCH="x86_64" ;;
+    aarch64|arm64) ARCH="aarch64" ;;
+    *) echo "Unsupported architecture: $ARCH"; exit 1 ;;
+esac
+
+echo "Installing NORA ($OS/$ARCH)..."
+
+# Download binary
+if [ "$VERSION" = "latest" ]; then
+    DOWNLOAD_URL="https://github.com/getnora-io/nora/releases/latest/download/nora-${OS}-${ARCH}"
+else
+    DOWNLOAD_URL="https://github.com/getnora-io/nora/releases/download/${VERSION}/nora-${OS}-${ARCH}"
+fi
+
+echo "Downloading from $DOWNLOAD_URL..."
+if command -v curl &>/dev/null; then
+    curl -fsSL -o /tmp/nora "$DOWNLOAD_URL"
+elif command -v wget &>/dev/null; then
+    wget -qO /tmp/nora "$DOWNLOAD_URL"
+else
+    echo "Error: curl or wget required"; exit 1
+fi
+
+chmod +x /tmp/nora
+
+# Verify signature if cosign is available
+if command -v cosign &>/dev/null; then
+    echo "Verifying binary signature..."
+    SIG_URL="${DOWNLOAD_URL}.sig"
+    CERT_URL="${DOWNLOAD_URL}.pem"
+    if curl -fsSL -o /tmp/nora.sig "$SIG_URL" 2>/dev/null && \
+       curl -fsSL -o /tmp/nora.pem "$CERT_URL" 2>/dev/null; then
+        cosign verify-blob --signature /tmp/nora.sig --certificate /tmp/nora.pem \
+            --certificate-identity-regexp "github.com/getnora-io/nora" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            /tmp/nora && echo "Signature verified." || echo "Warning: signature verification failed."
+        rm -f /tmp/nora.sig /tmp/nora.pem
+    else
+        echo "Signature files not available, skipping verification."
+    fi
+else
+    echo "Install cosign for binary signature verification: https://docs.sigstore.dev/cosign/system_config/installation/"
+fi
+
+sudo mv /tmp/nora "$INSTALL_DIR/nora"
+
+# Create system user
+if ! id nora &>/dev/null; then
+    sudo useradd --system --shell /usr/sbin/nologin --home-dir "$DATA_DIR" --create-home nora
+    echo "Created system user: nora"
+fi
+
+# Create directories
+sudo mkdir -p "$CONFIG_DIR" "$DATA_DIR" "$LOG_DIR"
+sudo chown nora:nora "$DATA_DIR" "$LOG_DIR"
+
+# Install default config if not exists
+if [ ! -f "$CONFIG_DIR/nora.env" ]; then
+    cat > /tmp/nora.env << 'ENVEOF'
+NORA_HOST=0.0.0.0
+NORA_PORT=4000
+NORA_STORAGE_PATH=/var/lib/nora
+ENVEOF
+    sudo mv /tmp/nora.env "$CONFIG_DIR/nora.env"
+    sudo chmod 600 "$CONFIG_DIR/nora.env"
+    sudo chown nora:nora "$CONFIG_DIR/nora.env"
+    echo "Created default config: $CONFIG_DIR/nora.env"
+fi
+
+# Install systemd service
+if [ -d /etc/systemd/system ]; then
+    cat > /tmp/nora.service << 'SVCEOF'
+[Unit]
+Description=NORA Artifact Registry
+Documentation=https://getnora.dev
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=nora
+Group=nora
+ExecStart=/usr/local/bin/nora serve
+WorkingDirectory=/etc/nora
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=65535
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/nora /var/log/nora
+PrivateTmp=true
+EnvironmentFile=-/etc/nora/nora.env
+
+[Install]
+WantedBy=multi-user.target
+SVCEOF
+    sudo mv /tmp/nora.service /etc/systemd/system/nora.service
+    sudo systemctl daemon-reload
+    sudo systemctl enable nora
+    echo "Installed systemd service: nora"
+fi
+
+echo ""
+echo "NORA installed successfully!"
+echo ""
+echo "  Binary:  $INSTALL_DIR/nora"
+echo "  Config:  $CONFIG_DIR/nora.env"
+echo "  Data:    $DATA_DIR"
+echo "  Version: $(nora --version 2>/dev/null || echo 'unknown')"
+echo ""
+echo "Next steps:"
+echo "  1. Edit $CONFIG_DIR/nora.env"
+echo "  2. sudo systemctl start nora"
+echo "  3. curl http://localhost:4000/health"
+echo ""

dist/nora.env.example

@@ -0,0 +1,31 @@
+# NORA configuration — environment variables
+# Copy to /etc/nora/nora.env and adjust
+
+# Server
+NORA_HOST=0.0.0.0
+NORA_PORT=4000
+# NORA_PUBLIC_URL=https://registry.example.com
+
+# Storage
+NORA_STORAGE_PATH=/var/lib/nora
+# NORA_STORAGE_MODE=s3
+# NORA_STORAGE_S3_URL=http://minio:9000
+# NORA_STORAGE_BUCKET=registry
+
+# Auth (optional)
+# NORA_AUTH_ENABLED=true
+# NORA_AUTH_HTPASSWD_FILE=/etc/nora/users.htpasswd
+
+# Rate limiting
+# NORA_RATE_LIMIT_ENABLED=true
+
+# npm proxy
+# NORA_NPM_PROXY=https://registry.npmjs.org
+# NORA_NPM_METADATA_TTL=300
+# NORA_NPM_PROXY_AUTH=user:pass
+
+# PyPI proxy
+# NORA_PYPI_PROXY=https://pypi.org/simple/
+
+# Docker upstreams
+# NORA_DOCKER_UPSTREAMS=https://registry-1.docker.io

dist/nora.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=NORA Artifact Registry
+Documentation=https://getnora.dev
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=nora
+Group=nora
+ExecStart=/usr/local/bin/nora serve
+WorkingDirectory=/etc/nora
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=65535
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/nora /var/log/nora
+PrivateTmp=true
+
+# Environment
+EnvironmentFile=-/etc/nora/nora.env
+
+[Install]
+WantedBy=multi-user.target

docs-ru/README.md

@@ -0,0 +1,13 @@
+# Документация NORA для Росреестра
+
+## Структура
+
+- `ТУ.md` — Технические условия
+- `Руководство.md` — Руководство пользователя
+- `Руководство_администратора.md` — Руководство администратора
+- `SBOM.md` — Перечень компонентов (Software Bill of Materials)
+
+## Статус
+
+Подготовка документации для включения в Единый реестр российских программ
+для электронных вычислительных машин и баз данных (Минцифры РФ).

docs-ru/admin-guide.md

@@ -0,0 +1,301 @@
+# Руководство администратора NORA
+
+**Версия:** 0.2.32
+**Дата:** 2026-03-16
+**Правообладатель:** ООО «ТАИАРС» (торговая марка АРТАИС)
+
+---
+
+## 1. Общие сведения
+
+NORA — многопротокольный реестр артефактов, предназначенный для хранения, кэширования и распространения программных компонентов. Программа обеспечивает централизованное управление зависимостями при разработке и сборке программного обеспечения.
+
+### 1.1. Назначение
+
+- Хранение и раздача артефактов по протоколам Docker (OCI), npm, Maven, PyPI, Cargo, Helm OCI и Raw.
+- Проксирование и кэширование внешних репозиториев для ускорения сборок и обеспечения доступности при отсутствии соединения с сетью Интернет.
+- Контроль целостности артефактов посредством верификации SHA-256.
+- Аудит и протоколирование всех операций.
+
+### 1.2. Системные требования
+
+| Параметр | Минимальные | Рекомендуемые |
+|----------|-------------|---------------|
+| ОС | Linux (amd64, arm64) | Ubuntu 22.04+, RHEL 8+ |
+| ЦПУ | 1 ядро | 2+ ядра |
+| ОЗУ | 256 МБ | 1+ ГБ |
+| Диск | 1 ГБ | 50+ ГБ (зависит от объёма хранимых артефактов) |
+| Сеть | TCP-порт (по умолчанию 4000) | — |
+
+### 1.3. Зависимости
+
+Программа поставляется как единый статически слинкованный исполняемый файл. Внешние зависимости отсутствуют. Перечень библиотек, включённых в состав программы, приведён в файле `nora.cdx.json` (формат CycloneDX).
+
+---
+
+## 2. Установка
+
+### 2.1. Автоматическая установка
+
+```bash
+curl -fsSL https://getnora.io/install.sh | bash
+```
+
+Скрипт выполняет следующие действия:
+
+1. Определяет архитектуру процессора (amd64 или arm64).
+2. Загружает исполняемый файл с GitHub Releases.
+3. Создаёт системного пользователя `nora`.
+4. Создаёт каталоги: `/etc/nora/`, `/var/lib/nora/`, `/var/log/nora/`.
+5. Устанавливает файл конфигурации `/etc/nora/nora.env`.
+6. Устанавливает и активирует systemd-сервис.
+
+### 2.2. Ручная установка
+
+```bash
+# Загрузка
+wget https://github.com/getnora-io/nora/releases/download/v1.0.0/nora-linux-x86_64
+chmod +x nora-linux-x86_64
+mv nora-linux-x86_64 /usr/local/bin/nora
+
+# Создание пользователя
+useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/nora --create-home nora
+
+# Создание каталогов
+mkdir -p /etc/nora /var/lib/nora /var/log/nora
+chown nora:nora /var/lib/nora /var/log/nora
+
+# Установка systemd-сервиса
+cp dist/nora.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable nora
+```
+
+### 2.3. Установка из Docker-образа
+
+```bash
+docker run -d \
+  --name nora \
+  -p 4000:4000 \
+  -v nora-data:/data \
+  ghcr.io/getnora-io/nora:latest
+```
+
+---
+
+## 3. Конфигурация
+
+Конфигурация задаётся через переменные окружения, файл `config.toml` или их комбинацию. Приоритет: переменные окружения > config.toml > значения по умолчанию.
+
+### 3.1. Основные параметры
+
+| Переменная | Описание | По умолчанию |
+|-----------|----------|--------------|
+| `NORA_HOST` | Адрес привязки | `127.0.0.1` |
+| `NORA_PORT` | Порт | `4000` |
+| `NORA_PUBLIC_URL` | Внешний URL (для генерации ссылок) | — |
+| `NORA_STORAGE_PATH` | Путь к каталогу хранилища | `data/storage` |
+| `NORA_STORAGE_MODE` | Тип хранилища: `local` или `s3` | `local` |
+| `NORA_BODY_LIMIT_MB` | Максимальный размер тела запроса (МБ) | `2048` |
+
+### 3.2. Аутентификация
+
+| Переменная | Описание | По умолчанию |
+|-----------|----------|--------------|
+| `NORA_AUTH_ENABLED` | Включить аутентификацию | `false` |
+| `NORA_AUTH_HTPASSWD_FILE` | Путь к файлу htpasswd | `users.htpasswd` |
+
+Создание пользователя:
+
+```bash
+htpasswd -Bc /etc/nora/users.htpasswd admin
+```
+
+Роли: `admin` (полный доступ), `write` (чтение и запись), `read` (только чтение, по умолчанию).
+
+### 3.3. Проксирование внешних репозиториев
+
+| Переменная | Описание | По умолчанию |
+|-----------|----------|--------------|
+| `NORA_NPM_PROXY` | URL npm-реестра | `https://registry.npmjs.org` |
+| `NORA_NPM_PROXY_AUTH` | Учётные данные (`user:pass`) | — |
+| `NORA_NPM_METADATA_TTL` | TTL кэша метаданных (секунды) | `300` |
+| `NORA_PYPI_PROXY` | URL PyPI-реестра | `https://pypi.org/simple/` |
+| `NORA_MAVEN_PROXIES` | Список Maven-репозиториев через запятую | `https://repo1.maven.org/maven2` |
+| `NORA_DOCKER_UPSTREAMS` | Docker-реестры, формат: `url\|auth,url2` | `https://registry-1.docker.io` |
+
+### 3.4. Ограничение частоты запросов
+
+| Переменная | Описание | По умолчанию |
+|-----------|----------|--------------|
+| `NORA_RATE_LIMIT_ENABLED` | Включить ограничение | `true` |
+| `NORA_RATE_LIMIT_GENERAL_RPS` | Запросов в секунду (общие) | `100` |
+| `NORA_RATE_LIMIT_AUTH_RPS` | Запросов в секунду (аутентификация) | `1` |
+| `NORA_RATE_LIMIT_UPLOAD_RPS` | Запросов в секунду (загрузка) | `200` |
+
+---
+
+## 4. Управление сервисом
+
+### 4.1. Запуск и остановка
+
+```bash
+systemctl start nora       # Запуск
+systemctl stop nora        # Остановка
+systemctl restart nora     # Перезапуск
+systemctl status nora      # Статус
+journalctl -u nora -f      # Просмотр журнала
+```
+
+### 4.2. Проверка работоспособности
+
+```bash
+curl http://localhost:4000/health
+```
+
+Ответ при нормальной работе:
+```json
+{
+  "status": "healthy",
+  "version": "1.0.0",
+  "storage": { "backend": "local", "reachable": true },
+  "registries": { "docker": "ok", "npm": "ok", "maven": "ok", "cargo": "ok", "pypi": "ok" }
+}
+```
+
+### 4.3. Метрики (Prometheus)
+
+```
+GET /metrics
+```
+
+Экспортируются: количество запросов, латентность, загрузки и выгрузки по протоколам.
+
+---
+
+## 5. Резервное копирование и восстановление
+
+### 5.1. Создание резервной копии
+
+```bash
+nora backup --output /backup/nora-$(date +%Y%m%d).tar.gz
+```
+
+### 5.2. Восстановление
+
+```bash
+nora restore --input /backup/nora-20260316.tar.gz
+```
+
+### 5.3. Сборка мусора
+
+```bash
+nora gc --dry-run    # Просмотр (без удаления)
+nora gc              # Удаление осиротевших блобов
+```
+
+---
+
+## 6. Предварительное кэширование (nora mirror)
+
+Команда `nora mirror` позволяет заранее загрузить зависимости через прокси-кэш NORA. Это обеспечивает доступность артефактов при работе в изолированных средах без доступа к сети Интернет.
+
+### 6.1. Кэширование по lockfile
+
+```bash
+nora mirror npm --lockfile package-lock.json --registry http://localhost:4000
+nora mirror pip --lockfile requirements.txt --registry http://localhost:4000
+nora mirror cargo --lockfile Cargo.lock --registry http://localhost:4000
+```
+
+### 6.2. Кэширование по списку пакетов
+
+```bash
+nora mirror npm --packages lodash,express --registry http://localhost:4000
+nora mirror npm --packages lodash --all-versions --registry http://localhost:4000
+```
+
+### 6.3. Параметры
+
+| Флаг | Описание | По умолчанию |
+|------|----------|--------------|
+| `--registry` | URL экземпляра NORA | `http://localhost:4000` |
+| `--concurrency` | Количество параллельных загрузок | `8` |
+| `--all-versions` | Загрузить все версии (только с `--packages`) | — |
+
+---
+
+## 7. Миграция хранилища
+
+Перенос артефактов между локальным хранилищем и S3:
+
+```bash
+nora migrate --from local --to s3 --dry-run   # Просмотр
+nora migrate --from local --to s3              # Выполнение
+```
+
+---
+
+## 8. Безопасность
+
+### 8.1. Контроль целостности
+
+При проксировании npm-пакетов NORA вычисляет и сохраняет контрольную сумму SHA-256 для каждого тарбола. При повторной выдаче из кэша контрольная сумма проверяется. В случае расхождения запрос отклоняется, а в журнал записывается предупреждение уровня SECURITY.
+
+### 8.2. Защита от подмены пакетов
+
+- Валидация имён файлов при публикации (защита от обхода каталогов).
+- Проверка соответствия имени пакета в URL и теле запроса.
+- Иммутабельность версий: повторная публикация той же версии запрещена.
+
+### 8.3. Аудит
+
+Все операции (загрузка, выгрузка, обращения к кэшу, ошибки) фиксируются в файле `audit.jsonl` в каталоге хранилища. Формат — JSON Lines, одна запись на строку.
+
+### 8.4. Усиление systemd
+
+Файл сервиса содержит параметры безопасности:
+
+- `NoNewPrivileges=true` — запрет повышения привилегий.
+- `ProtectSystem=strict` — файловая система только для чтения, кроме указанных каталогов.
+- `ProtectHome=true` — запрет доступа к домашним каталогам.
+- `PrivateTmp=true` — изолированный каталог временных файлов.
+
+---
+
+## 9. Точки подключения (endpoints)
+
+| Протокол | Endpoint | Описание |
+|----------|----------|----------|
+| Docker / OCI | `/v2/` | Docker Registry V2 API |
+| npm | `/npm/` | npm-реестр (прокси + публикация) |
+| Maven | `/maven2/` | Maven-репозиторий |
+| PyPI | `/simple/` | Python Simple API (PEP 503) |
+| Cargo | `/cargo/` | Cargo-реестр |
+| Helm | `/v2/` (OCI) | Helm-чарты через OCI-протокол |
+| Raw | `/raw/` | Произвольные файлы |
+| Мониторинг | `/health`, `/ready`, `/metrics` | Проверка и метрики |
+| Интерфейс | `/ui/` | Веб-интерфейс управления |
+| Документация API | `/api-docs` | OpenAPI (Swagger UI) |
+
+---
+
+## 10. Устранение неполадок
+
+### Сервис не запускается
+
+```bash
+journalctl -u nora --no-pager -n 50
+```
+
+Частые причины: занят порт, недоступен каталог хранилища, ошибка в конфигурации.
+
+### Прокси-кэш не работает
+
+1. Проверьте доступность внешнего реестра: `curl https://registry.npmjs.org/lodash`.
+2. Убедитесь, что переменная `NORA_NPM_PROXY` задана корректно.
+3. При использовании приватного реестра укажите `NORA_NPM_PROXY_AUTH`.
+
+### Ошибка целостности (Integrity check failed)
+
+Контрольная сумма кэшированного тарбола не совпадает с сохранённой. Возможные причины: повреждение файловой системы или несанкционированное изменение файла. Удалите повреждённый файл из каталога хранилища — NORA загрузит его заново из внешнего реестра.

docs-ru/technical-spec.md

@@ -0,0 +1,165 @@
+# Технические условия
+
+## Программа «NORA — Реестр артефактов»
+
+**Версия документа:** 0.2.32
+**Дата:** 2026-03-16
+**Правообладатель:** ООО «ТАИАРС» (торговая марка АРТАИС)
+
+---
+
+## 1. Наименование и обозначение
+
+**Полное наименование:** NORA — многопротокольный реестр артефактов.
+
+**Краткое наименование:** NORA.
+
+**Обозначение:** nora-registry.
+
+---
+
+## 2. Назначение
+
+Программа предназначена для хранения, кэширования и распространения программных компонентов (артефактов), используемых при разработке, сборке и развёртывании программного обеспечения.
+
+### 2.1. Область применения
+
+- Организация внутренних репозиториев программных компонентов.
+- Проксирование и кэширование общедоступных репозиториев (npmjs.org, PyPI, Maven Central, Docker Hub, crates.io).
+- Обеспечение доступности зависимостей в изолированных средах без доступа к сети Интернет (air-gapped).
+- Контроль целостности и безопасности цепочки поставки программного обеспечения.
+
+### 2.2. Класс программного обеспечения
+
+Инструментальное программное обеспечение для разработки и DevOps.
+
+Код ОКПД2: 62.01 — Разработка компьютерного программного обеспечения.
+
+---
+
+## 3. Функциональные характеристики
+
+### 3.1. Поддерживаемые протоколы
+
+| Протокол | Стандарт | Назначение |
+|----------|----------|------------|
+| Docker / OCI | OCI Distribution Spec v1.0 | Контейнерные образы, Helm-чарты |
+| npm | npm Registry API | Библиотеки JavaScript / TypeScript |
+| Maven | Maven Repository Layout | Библиотеки Java / Kotlin |
+| PyPI | PEP 503 (Simple API) | Библиотеки Python |
+| Cargo | Cargo Registry Protocol | Библиотеки Rust |
+| Raw | HTTP PUT/GET | Произвольные файлы |
+
+### 3.2. Режимы работы
+
+1. **Хранилище (hosted):** приём и хранение артефактов, опубликованных пользователями.
+2. **Прокси-кэш (proxy):** прозрачное проксирование запросов к внешним репозиториям с локальным кэшированием.
+3. **Комбинированный:** одновременная работа в режимах хранилища и прокси-кэша (поиск сначала в локальном хранилище, затем во внешнем репозитории).
+
+### 3.3. Управление доступом
+
+- Аутентификация на основе htpasswd (bcrypt).
+- Ролевая модель: `read` (чтение), `write` (чтение и запись), `admin` (полный доступ).
+- Токены доступа с ограниченным сроком действия.
+
+### 3.4. Безопасность
+
+- Контроль целостности кэшированных артефактов (SHA-256).
+- Защита от обхода каталогов (path traversal) при публикации.
+- Проверка соответствия имени пакета в URL и теле запроса.
+- Иммутабельность опубликованных версий.
+- Аудит всех операций в формате JSON Lines.
+- Поддержка TLS при размещении за обратным прокси-сервером.
+
+### 3.5. Эксплуатация
+
+- Предварительное кэширование зависимостей (`nora mirror`) по файлам фиксации версий (lockfile).
+- Сборка мусора (`nora gc`) — удаление осиротевших блобов.
+- Резервное копирование и восстановление (`nora backup`, `nora restore`).
+- Миграция между локальным хранилищем и S3-совместимым объектным хранилищем.
+- Мониторинг: эндпоинты `/health`, `/ready`, `/metrics` (формат Prometheus).
+- Веб-интерфейс для просмотра содержимого реестра.
+- Документация API в формате OpenAPI 3.0.
+
+---
+
+## 4. Технические характеристики
+
+### 4.1. Среда исполнения
+
+| Параметр | Значение |
+|----------|----------|
+| Язык реализации | Rust |
+| Формат поставки | Единый исполняемый файл (статическая линковка) |
+| Поддерживаемые ОС | Linux (ядро 4.15+) |
+| Архитектуры | x86_64 (amd64), aarch64 (arm64) |
+| Контейнеризация | Docker-образ на базе `scratch` |
+| Системная интеграция | systemd (файл сервиса в комплекте) |
+
+### 4.2. Хранение данных
+
+| Параметр | Значение |
+|----------|----------|
+| Локальное хранилище | Файловая система (ext4, XFS, ZFS) |
+| Объектное хранилище | S3-совместимое API (MinIO, Yandex Object Storage, Selectel S3) |
+| Структура | Иерархическая: `{protocol}/{package}/{artifact}` |
+| Аудит | Append-only JSONL файл |
+
+### 4.3. Конфигурация
+
+| Источник | Приоритет |
+|----------|-----------|
+| Переменные окружения (`NORA_*`) | Высший |
+| Файл `config.toml` | Средний |
+| Значения по умолчанию | Низший |
+
+### 4.4. Производительность
+
+| Параметр | Значение |
+|----------|----------|
+| Время запуска | < 100 мс |
+| Обслуживание из кэша | < 2 мс (метаданные), < 10 мс (артефакты до 1 МБ) |
+| Параллельная обработка | Асинхронный ввод-вывод (tokio runtime) |
+| Ограничение частоты | Настраиваемое (по умолчанию 100 запросов/сек) |
+
+---
+
+## 5. Лицензирование
+
+| Компонент | Лицензия |
+|-----------|----------|
+| NORA (core) | MIT License |
+| NORA Enterprise | Проприетарная |
+
+Полный перечень лицензий включённых библиотек приведён в файле SBOM (формат CycloneDX).
+
+---
+
+## 6. Комплектность
+
+| Компонент | Описание |
+|-----------|----------|
+| `nora` | Исполняемый файл |
+| `nora.service` | Файл systemd-сервиса |
+| `nora.env.example` | Шаблон конфигурации |
+| `install.sh` | Скрипт установки |
+| `nora.cdx.json` | SBOM в формате CycloneDX |
+| Руководство администратора | Настоящий комплект документации |
+| Руководство пользователя | Настоящий комплект документации |
+| Технические условия | Настоящий документ |
+
+---
+
+## 7. Контактная информация
+
+**Правообладатель:** ООО «ТАИАРС»
+
+**Торговая марка:** АРТАИС
+
+**Сайт продукта:** https://getnora.io
+
+**Документация:** https://getnora.dev
+
+**Исходный код:** https://github.com/getnora-io/nora
+
+**Поддержка:** https://t.me/getnora

docs-ru/user-guide.md

@@ -0,0 +1,221 @@
+# Руководство пользователя NORA
+
+**Версия:** 0.2.32
+**Дата:** 2026-03-16
+**Правообладатель:** ООО «ТАИАРС» (торговая марка АРТАИС)
+
+---
+
+## 1. Общие сведения
+
+NORA — реестр артефактов для команд разработки. Программа обеспечивает хранение и кэширование библиотек, Docker-образов и иных программных компонентов, используемых при сборке приложений.
+
+Данное руководство предназначено для разработчиков, которые используют NORA в качестве источника зависимостей.
+
+---
+
+## 2. Настройка рабочего окружения
+
+### 2.1. npm / Node.js
+
+Укажите NORA в качестве реестра:
+
+```bash
+npm config set registry http://nora.example.com:4000/npm
+```
+
+Или создайте файл `.npmrc` в корне проекта:
+
+```
+registry=http://nora.example.com:4000/npm
+```
+
+После этого все команды `npm install` будут загружать пакеты через NORA. При первом обращении NORA загрузит пакет из внешнего реестра (npmjs.org) и сохранит его в кэш. Последующие обращения обслуживаются из кэша.
+
+### 2.2. Docker
+
+```bash
+docker login nora.example.com:4000
+docker pull nora.example.com:4000/library/nginx:latest
+docker push nora.example.com:4000/myteam/myapp:1.0.0
+```
+
+### 2.3. Maven
+
+Добавьте репозиторий в `settings.xml`:
+
+```xml
+<mirrors>
+  <mirror>
+    <id>nora</id>
+    <mirrorOf>central</mirrorOf>
+    <url>http://nora.example.com:4000/maven2</url>
+  </mirror>
+</mirrors>
+```
+
+### 2.4. Python / pip
+
+```bash
+pip install --index-url http://nora.example.com:4000/simple flask
+```
+
+Или в `pip.conf`:
+
+```ini
+[global]
+index-url = http://nora.example.com:4000/simple
+```
+
+### 2.5. Cargo / Rust
+
+Настройка в `~/.cargo/config.toml`:
+
+```toml
+[registries.nora]
+index = "sparse+http://nora.example.com:4000/cargo/"
+
+[source.crates-io]
+replace-with = "nora"
+```
+
+### 2.6. Helm
+
+Helm использует OCI-протокол через Docker Registry API:
+
+```bash
+helm push mychart-0.1.0.tgz oci://nora.example.com:4000/helm
+helm pull oci://nora.example.com:4000/helm/mychart --version 0.1.0
+```
+
+---
+
+## 3. Публикация пакетов
+
+### 3.1. npm
+
+```bash
+npm publish --registry http://nora.example.com:4000/npm
+```
+
+Требования:
+- Файл `package.json` с полями `name` и `version`.
+- Каждая версия публикуется однократно. Повторная публикация той же версии запрещена.
+
+### 3.2. Docker
+
+```bash
+docker tag myapp:latest nora.example.com:4000/myteam/myapp:1.0.0
+docker push nora.example.com:4000/myteam/myapp:1.0.0
+```
+
+### 3.3. Maven
+
+```bash
+mvn deploy -DaltDeploymentRepository=nora::default::http://nora.example.com:4000/maven2
+```
+
+### 3.4. Raw (произвольные файлы)
+
+```bash
+# Загрузка
+curl -X PUT --data-binary @release.tar.gz http://nora.example.com:4000/raw/builds/release-1.0.tar.gz
+
+# Скачивание
+curl -O http://nora.example.com:4000/raw/builds/release-1.0.tar.gz
+```
+
+---
+
+## 4. Работа в изолированной среде
+
+Если сборочный сервер не имеет доступа к сети Интернет, используйте предварительное кэширование.
+
+### 4.1. Кэширование зависимостей проекта
+
+На машине с доступом к Интернету и NORA выполните:
+
+```bash
+nora mirror npm --lockfile package-lock.json --registry http://nora.example.com:4000
+```
+
+После этого все зависимости из lockfile будут доступны через NORA, даже если связь с внешними реестрами отсутствует.
+
+### 4.2. Кэширование всех версий пакета
+
+```bash
+nora mirror npm --packages lodash,express --all-versions --registry http://nora.example.com:4000
+```
+
+Эта команда загрузит все опубликованные версии указанных пакетов.
+
+---
+
+## 5. Веб-интерфейс
+
+NORA предоставляет веб-интерфейс для просмотра содержимого реестра:
+
+```
+http://nora.example.com:4000/ui/
+```
+
+Доступные функции:
+- Просмотр списка артефактов по протоколам.
+- Количество версий и размер каждого пакета.
+- Журнал последних операций.
+- Метрики загрузок.
+
+---
+
+## 6. Документация API
+
+Интерактивная документация API доступна по адресу:
+
+```
+http://nora.example.com:4000/api-docs
+```
+
+Формат: OpenAPI 3.0 (Swagger UI).
+
+---
+
+## 7. Аутентификация
+
+Если администратор включил аутентификацию, для операций записи требуется токен.
+
+### 7.1. Получение токена
+
+```bash
+curl -u admin:password http://nora.example.com:4000/auth/token
+```
+
+### 7.2. Использование токена
+
+```bash
+# npm
+npm config set //nora.example.com:4000/npm/:_authToken TOKEN
+
+# Docker
+docker login nora.example.com:4000
+
+# curl
+curl -H "Authorization: Bearer TOKEN" http://nora.example.com:4000/npm/my-package
+```
+
+Операции чтения по умолчанию не требуют аутентификации (роль `read` назначается автоматически).
+
+---
+
+## 8. Часто задаваемые вопросы
+
+**В: Что произойдёт, если внешний реестр (npmjs.org) станет недоступен?**
+О: NORA продолжит обслуживать запросы из кэша. Пакеты, которые ранее не запрашивались, будут недоступны до восстановления связи. Для предотвращения такой ситуации используйте `nora mirror`.
+
+**В: Можно ли публиковать приватные пакеты?**
+О: Да. Пакеты, опубликованные через `npm publish` или `docker push`, сохраняются в локальном хранилище NORA и доступны всем пользователям данного экземпляра.
+
+**В: Как обновить кэш метаданных?**
+О: Кэш метаданных npm обновляется автоматически по истечении TTL (по умолчанию 5 минут). Для немедленного обновления удалите файл `metadata.json` из каталога хранилища.
+
+**В: Поддерживаются ли scoped-пакеты npm (@scope/package)?**
+О: Да, полностью. Например: `npm install @babel/core --registry http://nora.example.com:4000/npm`.

fuzz/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "nora-fuzz"
+version = "0.0.0"
+publish = false
+license = "MIT"
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+nora-registry = { path = "../nora-registry" }
+
+[[bin]]
+name = "fuzz_validation"
+path = "fuzz_targets/fuzz_validation.rs"
+doc = false
+
+[[bin]]
+name = "fuzz_docker_manifest"
+path = "fuzz_targets/fuzz_docker_manifest.rs"
+doc = false

fuzz/fuzz_targets/fuzz_docker_manifest.rs

@@ -0,0 +1,8 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use nora_registry::docker_fuzz::detect_manifest_media_type;
+
+fuzz_target!(|data: &[u8]| {
+    // Fuzz Docker manifest parser — must never panic on any input
+    let _ = detect_manifest_media_type(data);
+});

fuzz/fuzz_targets/fuzz_validation.rs

@@ -0,0 +1,13 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use nora_registry::validation::{
+    validate_digest, validate_docker_name, validate_docker_reference, validate_storage_key,
+};
+
+fuzz_target!(|data: &str| {
+    // Fuzz all validators — they must never panic on any input
+    let _ = validate_storage_key(data);
+    let _ = validate_docker_name(data);
+    let _ = validate_digest(data);
+    let _ = validate_docker_reference(data);
+});

install.sh

@@ -1,98 +0,0 @@
-#!/usr/bin/env sh
-# NORA installer — https://getnora.io/install.sh
-# Usage: curl -fsSL https://getnora.io/install.sh | sh
-
-set -e
-
-REPO="getnora-io/nora"
-BINARY="nora"
-INSTALL_DIR="/usr/local/bin"
-
-# ── Detect OS and architecture ──────────────────────────────────────────────
-
-OS="$(uname -s)"
-ARCH="$(uname -m)"
-
-case "$OS" in
-  Linux)  os="linux" ;;
-  Darwin) os="darwin" ;;
-  *)
-    echo "Unsupported OS: $OS"
-    echo "Please download manually: https://github.com/$REPO/releases/latest"
-    exit 1
-    ;;
-esac
-
-case "$ARCH" in
-  x86_64 | amd64) arch="amd64" ;;
-  aarch64 | arm64) arch="arm64" ;;
-  *)
-    echo "Unsupported architecture: $ARCH"
-    echo "Please download manually: https://github.com/$REPO/releases/latest"
-    exit 1
-    ;;
-esac
-
-ASSET="${BINARY}-${os}-${arch}"
-
-# ── Get latest release version ──────────────────────────────────────────────
-
-VERSION="$(curl -fsSL "https://api.github.com/repos/$REPO/releases/latest" \
-  | grep '"tag_name"' \
-  | sed 's/.*"tag_name": *"\([^"]*\)".*/\1/')"
-
-if [ -z "$VERSION" ]; then
-  echo "Failed to get latest version"
-  exit 1
-fi
-
-echo "Installing NORA $VERSION ($os/$arch)..."
-
-# ── Download binary and checksum ────────────────────────────────────────────
-
-BASE_URL="https://github.com/$REPO/releases/download/$VERSION"
-TMP_DIR="$(mktemp -d)"
-trap 'rm -rf "$TMP_DIR"' EXIT
-
-echo "Downloading $ASSET..."
-curl -fsSL "$BASE_URL/$ASSET" -o "$TMP_DIR/$BINARY"
-curl -fsSL "$BASE_URL/$ASSET.sha256" -o "$TMP_DIR/$ASSET.sha256"
-
-# ── Verify checksum ─────────────────────────────────────────────────────────
-
-echo "Verifying checksum..."
-EXPECTED="$(awk '{print $1}' "$TMP_DIR/$ASSET.sha256")"
-ACTUAL="$(sha256sum "$TMP_DIR/$BINARY" | awk '{print $1}')"
-
-if [ "$EXPECTED" != "$ACTUAL" ]; then
-  echo "Checksum mismatch!"
-  echo "  Expected: $EXPECTED"
-  echo "  Actual:   $ACTUAL"
-  exit 1
-fi
-
-echo "Checksum OK"
-
-# ── Install ─────────────────────────────────────────────────────────────────
-
-chmod +x "$TMP_DIR/$BINARY"
-
-if [ -w "$INSTALL_DIR" ]; then
-  mv "$TMP_DIR/$BINARY" "$INSTALL_DIR/$BINARY"
-elif command -v sudo >/dev/null 2>&1; then
-  sudo mv "$TMP_DIR/$BINARY" "$INSTALL_DIR/$BINARY"
-else
-  # Fallback to ~/.local/bin
-  INSTALL_DIR="$HOME/.local/bin"
-  mkdir -p "$INSTALL_DIR"
-  mv "$TMP_DIR/$BINARY" "$INSTALL_DIR/$BINARY"
-  echo "Installed to $INSTALL_DIR/$BINARY"
-  echo "Make sure $INSTALL_DIR is in your PATH"
-fi
-
-# ── Done ────────────────────────────────────────────────────────────────────
-
-echo ""
-echo "NORA $VERSION installed to $INSTALL_DIR/$BINARY"
-echo ""
-nora --version 2>/dev/null || true

nora-cli/Cargo.toml

@@ -1,23 +0,0 @@
-[package]
-name = "nora-cli"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-authors.workspace = true
-repository.workspace = true
-homepage.workspace = true
-description = "CLI tool for NORA registry"
-
-[[bin]]
-name = "nora-cli"
-path = "src/main.rs"
-
-[dependencies]
-tokio.workspace = true
-reqwest.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-clap = { version = "4", features = ["derive"] }
-indicatif = "0.18"
-tar = "0.4"
-flate2 = "1.1"

nora-cli/src/main.rs

@@ -1,55 +0,0 @@
-// Copyright (c) 2026 Volkov Pavel | DevITWay
-// SPDX-License-Identifier: MIT
-
-use clap::{Parser, Subcommand};
-
-#[derive(Parser)]
-#[command(name = "nora-cli")]
-#[command(about = "CLI tool for Nora registry")]
-struct Cli {
-    #[command(subcommand)]
-    command: Commands,
-}
-
-#[derive(Subcommand)]
-enum Commands {
-    /// Login to a registry
-    Login {
-        #[arg(long)]
-        registry: String,
-        #[arg(short, long)]
-        username: String,
-    },
-    /// Push an artifact
-    Push {
-        #[arg(long)]
-        registry: String,
-        path: String,
-    },
-    /// Pull an artifact
-    Pull {
-        #[arg(long)]
-        registry: String,
-        artifact: String,
-    },
-}
-
-#[tokio::main]
-async fn main() {
-    let cli = Cli::parse();
-
-    match cli.command {
-        Commands::Login { registry, username } => {
-            println!("Logging in to {} as {}", registry, username);
-            // TODO: implement
-        }
-        Commands::Push { registry, path } => {
-            println!("Pushing {} to {}", path, registry);
-            // TODO: implement
-        }
-        Commands::Pull { registry, artifact } => {
-            println!("Pulling {} from {}", artifact, registry);
-            // TODO: implement
-        }
-    }
-}

nora-registry/Cargo.toml

@@ -10,6 +10,10 @@ description = "Cloud-Native Artifact Registry - Fast, lightweight, multi-protoco
 keywords = ["registry", "docker", "artifacts", "cloud-native", "devops"]
 categories = ["command-line-utilities", "development-tools", "web-programming"]
 
+[lib]
+name = "nora_registry"
+path = "src/lib.rs"
+
 [[bin]]
 name = "nora"
 path = "src/main.rs"
@@ -45,6 +49,7 @@ tower_governor = "0.8"
 governor = "0.10"
 parking_lot = "0.12"
 zeroize = { version = "1.8", features = ["derive"] }
+tower-http = { version = "0.6", features = ["set-header"] }
 
 [dev-dependencies]
 tempfile = "3"

nora-registry/src/activity_log.rs

@@ -99,3 +99,139 @@ impl Default for ActivityLog {
         Self::new(50)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_action_type_display() {
+        assert_eq!(ActionType::Pull.to_string(), "PULL");
+        assert_eq!(ActionType::Push.to_string(), "PUSH");
+        assert_eq!(ActionType::CacheHit.to_string(), "CACHE");
+        assert_eq!(ActionType::ProxyFetch.to_string(), "PROXY");
+    }
+
+    #[test]
+    fn test_action_type_equality() {
+        assert_eq!(ActionType::Pull, ActionType::Pull);
+        assert_ne!(ActionType::Pull, ActionType::Push);
+    }
+
+    #[test]
+    fn test_activity_entry_new() {
+        let entry = ActivityEntry::new(
+            ActionType::Pull,
+            "nginx:latest".to_string(),
+            "docker",
+            "LOCAL",
+        );
+        assert_eq!(entry.action, ActionType::Pull);
+        assert_eq!(entry.artifact, "nginx:latest");
+        assert_eq!(entry.registry, "docker");
+        assert_eq!(entry.source, "LOCAL");
+    }
+
+    #[test]
+    fn test_activity_log_push_and_len() {
+        let log = ActivityLog::new(10);
+        assert!(log.is_empty());
+        assert_eq!(log.len(), 0);
+
+        log.push(ActivityEntry::new(
+            ActionType::Push,
+            "test:v1".to_string(),
+            "docker",
+            "LOCAL",
+        ));
+        assert!(!log.is_empty());
+        assert_eq!(log.len(), 1);
+    }
+
+    #[test]
+    fn test_activity_log_recent() {
+        let log = ActivityLog::new(10);
+        for i in 0..5 {
+            log.push(ActivityEntry::new(
+                ActionType::Pull,
+                format!("image:{}", i),
+                "docker",
+                "LOCAL",
+            ));
+        }
+
+        let recent = log.recent(3);
+        assert_eq!(recent.len(), 3);
+        // newest first
+        assert_eq!(recent[0].artifact, "image:4");
+        assert_eq!(recent[1].artifact, "image:3");
+        assert_eq!(recent[2].artifact, "image:2");
+    }
+
+    #[test]
+    fn test_activity_log_all() {
+        let log = ActivityLog::new(10);
+        for i in 0..3 {
+            log.push(ActivityEntry::new(
+                ActionType::Pull,
+                format!("pkg:{}", i),
+                "npm",
+                "PROXY",
+            ));
+        }
+
+        let all = log.all();
+        assert_eq!(all.len(), 3);
+        assert_eq!(all[0].artifact, "pkg:2"); // newest first
+    }
+
+    #[test]
+    fn test_activity_log_bounded_size() {
+        let log = ActivityLog::new(3);
+        for i in 0..5 {
+            log.push(ActivityEntry::new(
+                ActionType::Pull,
+                format!("item:{}", i),
+                "cargo",
+                "CACHE",
+            ));
+        }
+
+        assert_eq!(log.len(), 3);
+        let all = log.all();
+        // oldest entries should be dropped
+        assert_eq!(all[0].artifact, "item:4");
+        assert_eq!(all[1].artifact, "item:3");
+        assert_eq!(all[2].artifact, "item:2");
+    }
+
+    #[test]
+    fn test_activity_log_recent_more_than_available() {
+        let log = ActivityLog::new(10);
+        log.push(ActivityEntry::new(
+            ActionType::Push,
+            "one".to_string(),
+            "maven",
+            "LOCAL",
+        ));
+
+        let recent = log.recent(100);
+        assert_eq!(recent.len(), 1);
+    }
+
+    #[test]
+    fn test_activity_log_default() {
+        let log = ActivityLog::default();
+        assert!(log.is_empty());
+        // default capacity is 50
+        for i in 0..60 {
+            log.push(ActivityEntry::new(
+                ActionType::Pull,
+                format!("x:{}", i),
+                "docker",
+                "LOCAL",
+            ));
+        }
+        assert_eq!(log.len(), 50);
+    }
+}

nora-registry/src/audit.rs

@@ -71,3 +71,69 @@ impl AuditLog {
         &self.path
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+
+    #[test]
+    fn test_audit_entry_new() {
+        let entry = AuditEntry::new(
+            "push",
+            "admin",
+            "nginx:latest",
+            "docker",
+            "uploaded manifest",
+        );
+        assert_eq!(entry.action, "push");
+        assert_eq!(entry.actor, "admin");
+        assert_eq!(entry.artifact, "nginx:latest");
+        assert_eq!(entry.registry, "docker");
+        assert_eq!(entry.detail, "uploaded manifest");
+    }
+
+    #[test]
+    fn test_audit_log_new_and_path() {
+        let tmp = TempDir::new().unwrap();
+        let log = AuditLog::new(tmp.path().to_str().unwrap());
+        assert!(log.path().ends_with("audit.jsonl"));
+    }
+
+    #[test]
+    fn test_audit_log_write_entry() {
+        let tmp = TempDir::new().unwrap();
+        let log = AuditLog::new(tmp.path().to_str().unwrap());
+
+        let entry = AuditEntry::new("pull", "user1", "lodash", "npm", "downloaded");
+        log.log(entry);
+
+        // Verify file contains the entry
+        let content = std::fs::read_to_string(log.path()).unwrap();
+        assert!(content.contains(r#""action":"pull""#));
+        assert!(content.contains(r#""actor":"user1""#));
+        assert!(content.contains(r#""artifact":"lodash""#));
+    }
+
+    #[test]
+    fn test_audit_log_multiple_entries() {
+        let tmp = TempDir::new().unwrap();
+        let log = AuditLog::new(tmp.path().to_str().unwrap());
+
+        log.log(AuditEntry::new("push", "admin", "a", "docker", ""));
+        log.log(AuditEntry::new("pull", "user", "b", "npm", ""));
+        log.log(AuditEntry::new("delete", "admin", "c", "maven", ""));
+
+        let content = std::fs::read_to_string(log.path()).unwrap();
+        let lines: Vec<&str> = content.lines().collect();
+        assert_eq!(lines.len(), 3);
+    }
+
+    #[test]
+    fn test_audit_entry_serialization() {
+        let entry = AuditEntry::new("push", "ci", "app:v1", "docker", "ci build");
+        let json = serde_json::to_string(&entry).unwrap();
+        assert!(json.contains(r#""action":"push""#));
+        assert!(json.contains(r#""ts":""#));
+    }
+}

nora-registry/src/auth.rs

@@ -94,6 +94,16 @@ pub async fn auth_middleware(
         return next.run(request).await;
     }
 
+    // Allow anonymous read if configured
+    let is_read_method = matches!(
+        *request.method(),
+        axum::http::Method::GET | axum::http::Method::HEAD
+    );
+    if state.config.auth.anonymous_read && is_read_method {
+        // Read requests allowed without auth
+        return next.run(request).await;
+    }
+
     // Extract Authorization header
     let auth_header = request
         .headers()

nora-registry/src/config.rs

@@ -200,6 +200,9 @@ fn default_max_file_size() -> u64 {
 pub struct AuthConfig {
     #[serde(default)]
     pub enabled: bool,
+    /// Allow anonymous read access (pull/download without auth, push requires auth)
+    #[serde(default)]
+    pub anonymous_read: bool,
     #[serde(default = "default_htpasswd_file")]
     pub htpasswd_file: String,
     #[serde(default = "default_token_storage")]
@@ -279,6 +282,7 @@ impl Default for AuthConfig {
     fn default() -> Self {
         Self {
             enabled: false,
+            anonymous_read: false,
             htpasswd_file: "users.htpasswd".to_string(),
             token_storage: "data/tokens".to_string(),
         }
@@ -457,6 +461,9 @@ impl Config {
         if let Ok(val) = env::var("NORA_AUTH_ENABLED") {
             self.auth.enabled = val.to_lowercase() == "true" || val == "1";
         }
+        if let Ok(val) = env::var("NORA_AUTH_ANONYMOUS_READ") {
+            self.auth.anonymous_read = val.to_lowercase() == "true" || val == "1";
+        }
         if let Ok(val) = env::var("NORA_AUTH_HTPASSWD_FILE") {
             self.auth.htpasswd_file = val;
         }
@@ -666,4 +673,378 @@ mod tests {
         assert_eq!(config.rate_limit.upload_burst, 1000);
         assert_eq!(config.rate_limit.auth_burst, 5); // default
     }
+
+    #[test]
+    fn test_basic_auth_header() {
+        let header = basic_auth_header("user:pass");
+        assert_eq!(header, "Basic dXNlcjpwYXNz");
+    }
+
+    #[test]
+    fn test_basic_auth_header_empty() {
+        let header = basic_auth_header("");
+        assert!(header.starts_with("Basic "));
+    }
+
+    #[test]
+    fn test_config_default() {
+        let config = Config::default();
+        assert_eq!(config.server.host, "127.0.0.1");
+        assert_eq!(config.server.port, 4000);
+        assert_eq!(config.server.body_limit_mb, 2048);
+        assert!(config.server.public_url.is_none());
+        assert_eq!(config.storage.path, "data/storage");
+        assert_eq!(config.storage.mode, StorageMode::Local);
+        assert_eq!(config.storage.bucket, "registry");
+        assert_eq!(config.storage.s3_region, "us-east-1");
+        assert!(!config.auth.enabled);
+        assert_eq!(config.auth.htpasswd_file, "users.htpasswd");
+        assert_eq!(config.auth.token_storage, "data/tokens");
+    }
+
+    #[test]
+    fn test_maven_config_default() {
+        let m = MavenConfig::default();
+        assert_eq!(m.proxy_timeout, 30);
+        assert_eq!(m.proxies.len(), 1);
+        assert_eq!(m.proxies[0].url(), "https://repo1.maven.org/maven2");
+        assert!(m.proxies[0].auth().is_none());
+    }
+
+    #[test]
+    fn test_npm_config_default() {
+        let n = NpmConfig::default();
+        assert_eq!(n.proxy, Some("https://registry.npmjs.org".to_string()));
+        assert!(n.proxy_auth.is_none());
+        assert_eq!(n.proxy_timeout, 30);
+        assert_eq!(n.metadata_ttl, 300);
+    }
+
+    #[test]
+    fn test_pypi_config_default() {
+        let p = PypiConfig::default();
+        assert_eq!(p.proxy, Some("https://pypi.org/simple/".to_string()));
+        assert!(p.proxy_auth.is_none());
+        assert_eq!(p.proxy_timeout, 30);
+    }
+
+    #[test]
+    fn test_docker_config_default() {
+        let d = DockerConfig::default();
+        assert_eq!(d.proxy_timeout, 60);
+        assert_eq!(d.upstreams.len(), 1);
+        assert_eq!(d.upstreams[0].url, "https://registry-1.docker.io");
+        assert!(d.upstreams[0].auth.is_none());
+    }
+
+    #[test]
+    fn test_raw_config_default() {
+        let r = RawConfig::default();
+        assert!(r.enabled);
+        assert_eq!(r.max_file_size, 104_857_600);
+    }
+
+    #[test]
+    fn test_auth_config_default() {
+        let a = AuthConfig::default();
+        assert!(!a.enabled);
+        assert!(!a.anonymous_read);
+        assert_eq!(a.htpasswd_file, "users.htpasswd");
+        assert_eq!(a.token_storage, "data/tokens");
+    }
+
+    #[test]
+    fn test_auth_anonymous_read_from_toml() {
+        let toml = r#"
+            [server]
+            host = "127.0.0.1"
+            port = 4000
+
+            [storage]
+            mode = "local"
+
+            [auth]
+            enabled = true
+            anonymous_read = true
+        "#;
+
+        let config: Config = toml::from_str(toml).unwrap();
+        assert!(config.auth.enabled);
+        assert!(config.auth.anonymous_read);
+    }
+
+    #[test]
+    fn test_env_override_anonymous_read() {
+        let mut config = Config::default();
+        std::env::set_var("NORA_AUTH_ANONYMOUS_READ", "true");
+        config.apply_env_overrides();
+        assert!(config.auth.anonymous_read);
+        std::env::remove_var("NORA_AUTH_ANONYMOUS_READ");
+    }
+
+    #[test]
+    fn test_maven_proxy_entry_simple() {
+        let entry = MavenProxyEntry::Simple("https://repo.example.com".to_string());
+        assert_eq!(entry.url(), "https://repo.example.com");
+        assert!(entry.auth().is_none());
+    }
+
+    #[test]
+    fn test_maven_proxy_entry_full() {
+        let entry = MavenProxyEntry::Full(MavenProxy {
+            url: "https://private.repo.com".to_string(),
+            auth: Some("user:secret".to_string()),
+        });
+        assert_eq!(entry.url(), "https://private.repo.com");
+        assert_eq!(entry.auth(), Some("user:secret"));
+    }
+
+    #[test]
+    fn test_maven_proxy_entry_full_no_auth() {
+        let entry = MavenProxyEntry::Full(MavenProxy {
+            url: "https://repo.com".to_string(),
+            auth: None,
+        });
+        assert_eq!(entry.url(), "https://repo.com");
+        assert!(entry.auth().is_none());
+    }
+
+    #[test]
+    fn test_storage_mode_default() {
+        let mode = StorageMode::default();
+        assert_eq!(mode, StorageMode::Local);
+    }
+
+    #[test]
+    fn test_env_override_server() {
+        let mut config = Config::default();
+        std::env::set_var("NORA_HOST", "0.0.0.0");
+        std::env::set_var("NORA_PORT", "8080");
+        std::env::set_var("NORA_PUBLIC_URL", "registry.example.com");
+        std::env::set_var("NORA_BODY_LIMIT_MB", "4096");
+        config.apply_env_overrides();
+        assert_eq!(config.server.host, "0.0.0.0");
+        assert_eq!(config.server.port, 8080);
+        assert_eq!(
+            config.server.public_url,
+            Some("registry.example.com".to_string())
+        );
+        assert_eq!(config.server.body_limit_mb, 4096);
+        std::env::remove_var("NORA_HOST");
+        std::env::remove_var("NORA_PORT");
+        std::env::remove_var("NORA_PUBLIC_URL");
+        std::env::remove_var("NORA_BODY_LIMIT_MB");
+    }
+
+    #[test]
+    fn test_env_override_storage() {
+        let mut config = Config::default();
+        std::env::set_var("NORA_STORAGE_MODE", "s3");
+        std::env::set_var("NORA_STORAGE_PATH", "/data/nora");
+        std::env::set_var("NORA_STORAGE_BUCKET", "my-bucket");
+        std::env::set_var("NORA_STORAGE_S3_REGION", "eu-west-1");
+        config.apply_env_overrides();
+        assert_eq!(config.storage.mode, StorageMode::S3);
+        assert_eq!(config.storage.path, "/data/nora");
+        assert_eq!(config.storage.bucket, "my-bucket");
+        assert_eq!(config.storage.s3_region, "eu-west-1");
+        std::env::remove_var("NORA_STORAGE_MODE");
+        std::env::remove_var("NORA_STORAGE_PATH");
+        std::env::remove_var("NORA_STORAGE_BUCKET");
+        std::env::remove_var("NORA_STORAGE_S3_REGION");
+    }
+
+    #[test]
+    fn test_env_override_auth() {
+        let mut config = Config::default();
+        std::env::set_var("NORA_AUTH_ENABLED", "true");
+        std::env::set_var("NORA_AUTH_HTPASSWD_FILE", "/etc/nora/users");
+        std::env::set_var("NORA_AUTH_TOKEN_STORAGE", "/data/tokens");
+        config.apply_env_overrides();
+        assert!(config.auth.enabled);
+        assert_eq!(config.auth.htpasswd_file, "/etc/nora/users");
+        assert_eq!(config.auth.token_storage, "/data/tokens");
+        std::env::remove_var("NORA_AUTH_ENABLED");
+        std::env::remove_var("NORA_AUTH_HTPASSWD_FILE");
+        std::env::remove_var("NORA_AUTH_TOKEN_STORAGE");
+    }
+
+    #[test]
+    fn test_env_override_maven_proxies() {
+        let mut config = Config::default();
+        std::env::set_var(
+            "NORA_MAVEN_PROXIES",
+            "https://repo1.com,https://repo2.com|user:pass",
+        );
+        config.apply_env_overrides();
+        assert_eq!(config.maven.proxies.len(), 2);
+        assert_eq!(config.maven.proxies[0].url(), "https://repo1.com");
+        assert!(config.maven.proxies[0].auth().is_none());
+        assert_eq!(config.maven.proxies[1].url(), "https://repo2.com");
+        assert_eq!(config.maven.proxies[1].auth(), Some("user:pass"));
+        std::env::remove_var("NORA_MAVEN_PROXIES");
+    }
+
+    #[test]
+    fn test_env_override_docker_upstreams() {
+        let mut config = Config::default();
+        std::env::set_var(
+            "NORA_DOCKER_UPSTREAMS",
+            "https://mirror.gcr.io,https://private.io|token123",
+        );
+        config.apply_env_overrides();
+        assert_eq!(config.docker.upstreams.len(), 2);
+        assert_eq!(config.docker.upstreams[0].url, "https://mirror.gcr.io");
+        assert!(config.docker.upstreams[0].auth.is_none());
+        assert_eq!(config.docker.upstreams[1].url, "https://private.io");
+        assert_eq!(
+            config.docker.upstreams[1].auth,
+            Some("token123".to_string())
+        );
+        std::env::remove_var("NORA_DOCKER_UPSTREAMS");
+    }
+
+    #[test]
+    fn test_env_override_npm() {
+        let mut config = Config::default();
+        std::env::set_var("NORA_NPM_PROXY", "https://npm.company.com");
+        std::env::set_var("NORA_NPM_PROXY_AUTH", "user:token");
+        std::env::set_var("NORA_NPM_PROXY_TIMEOUT", "60");
+        std::env::set_var("NORA_NPM_METADATA_TTL", "600");
+        config.apply_env_overrides();
+        assert_eq!(
+            config.npm.proxy,
+            Some("https://npm.company.com".to_string())
+        );
+        assert_eq!(config.npm.proxy_auth, Some("user:token".to_string()));
+        assert_eq!(config.npm.proxy_timeout, 60);
+        assert_eq!(config.npm.metadata_ttl, 600);
+        std::env::remove_var("NORA_NPM_PROXY");
+        std::env::remove_var("NORA_NPM_PROXY_AUTH");
+        std::env::remove_var("NORA_NPM_PROXY_TIMEOUT");
+        std::env::remove_var("NORA_NPM_METADATA_TTL");
+    }
+
+    #[test]
+    fn test_env_override_raw() {
+        let mut config = Config::default();
+        std::env::set_var("NORA_RAW_ENABLED", "false");
+        std::env::set_var("NORA_RAW_MAX_FILE_SIZE", "524288000");
+        config.apply_env_overrides();
+        assert!(!config.raw.enabled);
+        assert_eq!(config.raw.max_file_size, 524288000);
+        std::env::remove_var("NORA_RAW_ENABLED");
+        std::env::remove_var("NORA_RAW_MAX_FILE_SIZE");
+    }
+
+    #[test]
+    fn test_env_override_rate_limit() {
+        let mut config = Config::default();
+        std::env::set_var("NORA_RATE_LIMIT_ENABLED", "false");
+        std::env::set_var("NORA_RATE_LIMIT_AUTH_RPS", "10");
+        std::env::set_var("NORA_RATE_LIMIT_GENERAL_BURST", "500");
+        config.apply_env_overrides();
+        assert!(!config.rate_limit.enabled);
+        assert_eq!(config.rate_limit.auth_rps, 10);
+        assert_eq!(config.rate_limit.general_burst, 500);
+        std::env::remove_var("NORA_RATE_LIMIT_ENABLED");
+        std::env::remove_var("NORA_RATE_LIMIT_AUTH_RPS");
+        std::env::remove_var("NORA_RATE_LIMIT_GENERAL_BURST");
+    }
+
+    #[test]
+    fn test_config_from_toml_full() {
+        let toml = r#"
+            [server]
+            host = "0.0.0.0"
+            port = 8080
+            public_url = "nora.example.com"
+            body_limit_mb = 4096
+
+            [storage]
+            mode = "s3"
+            path = "/data"
+            s3_url = "http://minio:9000"
+            bucket = "artifacts"
+            s3_region = "eu-central-1"
+
+            [auth]
+            enabled = true
+            htpasswd_file = "/etc/nora/users.htpasswd"
+
+            [raw]
+            enabled = false
+            max_file_size = 500000000
+        "#;
+
+        let config: Config = toml::from_str(toml).unwrap();
+        assert_eq!(config.server.host, "0.0.0.0");
+        assert_eq!(config.server.port, 8080);
+        assert_eq!(
+            config.server.public_url,
+            Some("nora.example.com".to_string())
+        );
+        assert_eq!(config.server.body_limit_mb, 4096);
+        assert_eq!(config.storage.mode, StorageMode::S3);
+        assert_eq!(config.storage.s3_url, "http://minio:9000");
+        assert_eq!(config.storage.bucket, "artifacts");
+        assert!(config.auth.enabled);
+        assert!(!config.raw.enabled);
+        assert_eq!(config.raw.max_file_size, 500000000);
+    }
+
+    #[test]
+    fn test_config_from_toml_minimal() {
+        let toml = r#"
+            [server]
+            host = "127.0.0.1"
+            port = 4000
+
+            [storage]
+            mode = "local"
+        "#;
+
+        let config: Config = toml::from_str(toml).unwrap();
+        // Defaults should be filled
+        assert_eq!(config.storage.path, "data/storage");
+        assert_eq!(config.maven.proxies.len(), 1);
+        assert_eq!(
+            config.npm.proxy,
+            Some("https://registry.npmjs.org".to_string())
+        );
+        assert_eq!(config.docker.upstreams.len(), 1);
+        assert!(config.raw.enabled);
+        assert!(!config.auth.enabled);
+    }
+
+    #[test]
+    fn test_config_toml_docker_upstreams() {
+        let toml = r#"
+            [server]
+            host = "127.0.0.1"
+            port = 4000
+
+            [storage]
+            mode = "local"
+
+            [docker]
+            proxy_timeout = 120
+
+            [[docker.upstreams]]
+            url = "https://mirror.gcr.io"
+
+            [[docker.upstreams]]
+            url = "https://private.registry.io"
+            auth = "user:pass"
+        "#;
+
+        let config: Config = toml::from_str(toml).unwrap();
+        assert_eq!(config.docker.proxy_timeout, 120);
+        assert_eq!(config.docker.upstreams.len(), 2);
+        assert!(config.docker.upstreams[0].auth.is_none());
+        assert_eq!(
+            config.docker.upstreams[1].auth,
+            Some("user:pass".to_string())
+        );
+    }
 }

nora-registry/src/dashboard_metrics.rs

@@ -216,3 +216,146 @@ impl Default for DashboardMetrics {
         Self::new()
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+
+    #[test]
+    fn test_new_defaults() {
+        let m = DashboardMetrics::new();
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 0);
+        assert_eq!(m.uploads.load(Ordering::Relaxed), 0);
+        assert_eq!(m.cache_hits.load(Ordering::Relaxed), 0);
+        assert_eq!(m.cache_misses.load(Ordering::Relaxed), 0);
+    }
+
+    #[test]
+    fn test_record_download_all_registries() {
+        let m = DashboardMetrics::new();
+        for reg in &["docker", "npm", "maven", "cargo", "pypi", "raw"] {
+            m.record_download(reg);
+        }
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 6);
+        assert_eq!(m.docker_downloads.load(Ordering::Relaxed), 1);
+        assert_eq!(m.npm_downloads.load(Ordering::Relaxed), 1);
+        assert_eq!(m.maven_downloads.load(Ordering::Relaxed), 1);
+        assert_eq!(m.cargo_downloads.load(Ordering::Relaxed), 1);
+        assert_eq!(m.pypi_downloads.load(Ordering::Relaxed), 1);
+        assert_eq!(m.raw_downloads.load(Ordering::Relaxed), 1);
+    }
+
+    #[test]
+    fn test_record_download_unknown_registry() {
+        let m = DashboardMetrics::new();
+        m.record_download("unknown");
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 1);
+        // no per-registry counter should increment
+        assert_eq!(m.docker_downloads.load(Ordering::Relaxed), 0);
+    }
+
+    #[test]
+    fn test_record_upload() {
+        let m = DashboardMetrics::new();
+        m.record_upload("docker");
+        m.record_upload("maven");
+        m.record_upload("raw");
+        assert_eq!(m.uploads.load(Ordering::Relaxed), 3);
+        assert_eq!(m.docker_uploads.load(Ordering::Relaxed), 1);
+        assert_eq!(m.maven_uploads.load(Ordering::Relaxed), 1);
+        assert_eq!(m.raw_uploads.load(Ordering::Relaxed), 1);
+    }
+
+    #[test]
+    fn test_record_upload_unknown_registry() {
+        let m = DashboardMetrics::new();
+        m.record_upload("npm"); // npm has no upload counter
+        assert_eq!(m.uploads.load(Ordering::Relaxed), 1);
+    }
+
+    #[test]
+    fn test_cache_hit_rate_zero() {
+        let m = DashboardMetrics::new();
+        assert_eq!(m.cache_hit_rate(), 0.0);
+    }
+
+    #[test]
+    fn test_cache_hit_rate_all_hits() {
+        let m = DashboardMetrics::new();
+        m.record_cache_hit();
+        m.record_cache_hit();
+        assert_eq!(m.cache_hit_rate(), 100.0);
+    }
+
+    #[test]
+    fn test_cache_hit_rate_mixed() {
+        let m = DashboardMetrics::new();
+        m.record_cache_hit();
+        m.record_cache_miss();
+        assert_eq!(m.cache_hit_rate(), 50.0);
+    }
+
+    #[test]
+    fn test_get_registry_downloads() {
+        let m = DashboardMetrics::new();
+        m.record_download("docker");
+        m.record_download("docker");
+        m.record_download("npm");
+        assert_eq!(m.get_registry_downloads("docker"), 2);
+        assert_eq!(m.get_registry_downloads("npm"), 1);
+        assert_eq!(m.get_registry_downloads("cargo"), 0);
+        assert_eq!(m.get_registry_downloads("unknown"), 0);
+    }
+
+    #[test]
+    fn test_get_registry_uploads() {
+        let m = DashboardMetrics::new();
+        m.record_upload("docker");
+        assert_eq!(m.get_registry_uploads("docker"), 1);
+        assert_eq!(m.get_registry_uploads("maven"), 0);
+        assert_eq!(m.get_registry_uploads("unknown"), 0);
+    }
+
+    #[test]
+    fn test_persistence_save_and_load() {
+        let tmp = TempDir::new().unwrap();
+        let path = tmp.path().to_str().unwrap();
+
+        // Create metrics, record some data, save
+        {
+            let m = DashboardMetrics::with_persistence(path);
+            m.record_download("docker");
+            m.record_download("docker");
+            m.record_upload("maven");
+            m.record_cache_hit();
+            m.save();
+        }
+
+        // Load in new instance
+        {
+            let m = DashboardMetrics::with_persistence(path);
+            assert_eq!(m.downloads.load(Ordering::Relaxed), 2);
+            assert_eq!(m.uploads.load(Ordering::Relaxed), 1);
+            assert_eq!(m.docker_downloads.load(Ordering::Relaxed), 2);
+            assert_eq!(m.maven_uploads.load(Ordering::Relaxed), 1);
+            assert_eq!(m.cache_hits.load(Ordering::Relaxed), 1);
+        }
+    }
+
+    #[test]
+    fn test_persistence_missing_file() {
+        let tmp = TempDir::new().unwrap();
+        let path = tmp.path().to_str().unwrap();
+
+        // Should work even without existing metrics.json
+        let m = DashboardMetrics::with_persistence(path);
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 0);
+    }
+
+    #[test]
+    fn test_default() {
+        let m = DashboardMetrics::default();
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 0);
+    }
+}

nora-registry/src/error.rs

@@ -124,4 +124,77 @@ mod tests {
         let err = AppError::NotFound("image not found".to_string());
         assert_eq!(err.to_string(), "Not found: image not found");
     }
+
+    #[test]
+    fn test_error_constructors() {
+        let err = AppError::not_found("missing");
+        assert!(matches!(err, AppError::NotFound(_)));
+        assert_eq!(err.to_string(), "Not found: missing");
+
+        let err = AppError::bad_request("invalid input");
+        assert!(matches!(err, AppError::BadRequest(_)));
+        assert_eq!(err.to_string(), "Bad request: invalid input");
+
+        let err = AppError::unauthorized("no token");
+        assert!(matches!(err, AppError::Unauthorized(_)));
+        assert_eq!(err.to_string(), "Unauthorized: no token");
+
+        let err = AppError::internal("db crashed");
+        assert!(matches!(err, AppError::Internal(_)));
+        assert_eq!(err.to_string(), "Internal error: db crashed");
+    }
+
+    #[test]
+    fn test_error_display_storage() {
+        let err = AppError::Storage(StorageError::NotFound);
+        assert!(err.to_string().contains("Storage error"));
+    }
+
+    #[test]
+    fn test_error_display_validation() {
+        let err = AppError::Validation(ValidationError::PathTraversal);
+        assert!(err.to_string().contains("Validation error"));
+    }
+
+    #[test]
+    fn test_error_into_response_not_found() {
+        let err = AppError::NotFound("gone".to_string());
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[test]
+    fn test_error_into_response_bad_request() {
+        let err = AppError::BadRequest("bad".to_string());
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    }
+
+    #[test]
+    fn test_error_into_response_unauthorized() {
+        let err = AppError::Unauthorized("nope".to_string());
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
+    }
+
+    #[test]
+    fn test_error_into_response_internal() {
+        let err = AppError::Internal("boom".to_string());
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::INTERNAL_SERVER_ERROR);
+    }
+
+    #[test]
+    fn test_error_into_response_storage_not_found() {
+        let err = AppError::Storage(StorageError::NotFound);
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[test]
+    fn test_error_into_response_validation() {
+        let err = AppError::Validation(ValidationError::EmptyInput);
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    }
 }

nora-registry/src/lib.rs

@@ -0,0 +1,28 @@
+//! NORA Registry — library interface for fuzzing and testing
+
+pub mod validation;
+
+/// Re-export Docker manifest parsing for fuzz targets
+pub mod docker_fuzz {
+    pub fn detect_manifest_media_type(data: &[u8]) -> String {
+        let Ok(value) = serde_json::from_slice::<serde_json::Value>(data) else {
+            return "application/octet-stream".to_string();
+        };
+        if let Some(mt) = value.get("mediaType").and_then(|v| v.as_str()) {
+            return mt.to_string();
+        }
+        if value.get("manifests").is_some() {
+            return "application/vnd.oci.image.index.v1+json".to_string();
+        }
+        if value.get("schemaVersion").and_then(|v| v.as_i64()) == Some(2) {
+            if value.get("layers").is_some() {
+                return "application/vnd.oci.image.manifest.v1+json".to_string();
+            }
+            return "application/vnd.docker.distribution.manifest.v2+json".to_string();
+        }
+        if value.get("schemaVersion").and_then(|v| v.as_i64()) == Some(1) {
+            return "application/vnd.docker.distribution.manifest.v1+json".to_string();
+        }
+        "application/vnd.docker.distribution.manifest.v2+json".to_string()
+    }
+}

nora-registry/src/main.rs

@@ -12,6 +12,7 @@ mod gc;
 mod health;
 mod metrics;
 mod migrate;
+mod mirror;
 mod openapi;
 mod rate_limit;
 mod registry;
@@ -23,7 +24,7 @@ mod tokens;
 mod ui;
 mod validation;
 
-use axum::{extract::DefaultBodyLimit, middleware, Router};
+use axum::{extract::DefaultBodyLimit, http::HeaderValue, middleware, Router};
 use clap::{Parser, Subcommand};
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
@@ -82,6 +83,17 @@ enum Commands {
         #[arg(long, default_value = "false")]
         dry_run: bool,
     },
+    /// Pre-fetch dependencies through NORA proxy cache
+    Mirror {
+        #[command(subcommand)]
+        format: mirror::MirrorFormat,
+        /// NORA registry URL
+        #[arg(long, default_value = "http://localhost:4000", global = true)]
+        registry: String,
+        /// Max concurrent downloads
+        #[arg(long, default_value = "8", global = true)]
+        concurrency: usize,
+    },
 }
 
 pub struct AppState {
@@ -164,6 +176,16 @@ async fn main() {
                 println!("\nRun without --dry-run to delete orphaned blobs.");
             }
         }
+        Some(Commands::Mirror {
+            format,
+            registry,
+            concurrency,
+        }) => {
+            if let Err(e) = mirror::run_mirror(format, &registry, concurrency).await {
+                error!("Mirror failed: {}", e);
+                std::process::exit(1);
+            }
+        }
         Some(Commands::Migrate { from, to, dry_run }) => {
             let source = match from.as_str() {
                 "local" => Storage::new_local(&config.storage.path),
@@ -353,6 +375,22 @@ async fn run_server(config: Config, storage: Storage) {
         .layer(DefaultBodyLimit::max(
             state.config.server.body_limit_mb * 1024 * 1024,
         ))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
+            axum::http::header::HeaderName::from_static("x-content-type-options"),
+            HeaderValue::from_static("nosniff"),
+        ))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
+            axum::http::header::HeaderName::from_static("x-frame-options"),
+            HeaderValue::from_static("DENY"),
+        ))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
+            axum::http::header::HeaderName::from_static("referrer-policy"),
+            HeaderValue::from_static("strict-origin-when-cross-origin"),
+        ))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
+            axum::http::header::HeaderName::from_static("content-security-policy"),
+            HeaderValue::from_static("default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'"),
+        ))
         .layer(middleware::from_fn(request_id::request_id_middleware))
         .layer(middleware::from_fn(metrics::metrics_middleware))
         .layer(middleware::from_fn_with_state(

nora-registry/src/metrics.rs

@@ -148,3 +148,56 @@ pub fn record_storage_op(operation: &str, success: bool) {
         .with_label_values(&[operation, status])
         .inc();
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_detect_registry_docker() {
+        assert_eq!(detect_registry("/v2/nginx/manifests/latest"), "docker");
+        assert_eq!(detect_registry("/v2/"), "docker");
+        assert_eq!(
+            detect_registry("/v2/library/alpine/blobs/sha256:abc"),
+            "docker"
+        );
+    }
+
+    #[test]
+    fn test_detect_registry_maven() {
+        assert_eq!(detect_registry("/maven2/com/example/artifact"), "maven");
+    }
+
+    #[test]
+    fn test_detect_registry_npm() {
+        assert_eq!(detect_registry("/npm/lodash"), "npm");
+        assert_eq!(detect_registry("/npm/@scope/package"), "npm");
+    }
+
+    #[test]
+    fn test_detect_registry_cargo() {
+        assert_eq!(detect_registry("/cargo/api/v1/crates"), "cargo");
+    }
+
+    #[test]
+    fn test_detect_registry_pypi() {
+        assert_eq!(detect_registry("/simple/requests/"), "pypi");
+        assert_eq!(
+            detect_registry("/packages/requests/1.0/requests-1.0.tar.gz"),
+            "pypi"
+        );
+    }
+
+    #[test]
+    fn test_detect_registry_ui() {
+        assert_eq!(detect_registry("/ui/dashboard"), "ui");
+        assert_eq!(detect_registry("/ui"), "ui");
+    }
+
+    #[test]
+    fn test_detect_registry_other() {
+        assert_eq!(detect_registry("/health"), "other");
+        assert_eq!(detect_registry("/ready"), "other");
+        assert_eq!(detect_registry("/unknown/path"), "other");
+    }
+}

nora-registry/src/mirror/mod.rs

@@ -0,0 +1,325 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! `nora mirror` — pre-fetch dependencies through NORA proxy cache.
+
+mod npm;
+
+use clap::Subcommand;
+use indicatif::{ProgressBar, ProgressStyle};
+use std::path::PathBuf;
+use std::time::Instant;
+
+#[derive(Subcommand)]
+pub enum MirrorFormat {
+    /// Mirror npm packages
+    Npm {
+        /// Path to package-lock.json (v1/v2/v3)
+        #[arg(long, conflicts_with = "packages")]
+        lockfile: Option<PathBuf>,
+        /// Comma-separated package names
+        #[arg(long, conflicts_with = "lockfile", value_delimiter = ',')]
+        packages: Option<Vec<String>>,
+        /// Fetch all versions (only with --packages)
+        #[arg(long)]
+        all_versions: bool,
+    },
+    /// Mirror Python packages
+    Pip {
+        /// Path to requirements.txt
+        #[arg(long)]
+        lockfile: PathBuf,
+    },
+    /// Mirror Cargo crates
+    Cargo {
+        /// Path to Cargo.lock
+        #[arg(long)]
+        lockfile: PathBuf,
+    },
+    /// Mirror Maven artifacts
+    Maven {
+        /// Path to dependency list (mvn dependency:list output)
+        #[arg(long)]
+        lockfile: PathBuf,
+    },
+}
+
+#[derive(Debug, Clone, Hash, Eq, PartialEq)]
+pub struct MirrorTarget {
+    pub name: String,
+    pub version: String,
+}
+
+pub struct MirrorResult {
+    pub total: usize,
+    pub fetched: usize,
+    pub failed: usize,
+    pub bytes: u64,
+}
+
+pub fn create_progress_bar(total: u64) -> ProgressBar {
+    let pb = ProgressBar::new(total);
+    pb.set_style(
+        ProgressStyle::default_bar()
+            .template(
+                "{spinner:.green} [{elapsed_precise}] [{bar:40.cyan/blue}] {pos}/{len} ({eta}) {msg}",
+            )
+            .unwrap()
+            .progress_chars("=>-"),
+    );
+    pb
+}
+
+pub async fn run_mirror(
+    format: MirrorFormat,
+    registry: &str,
+    concurrency: usize,
+) -> Result<(), String> {
+    let client = reqwest::Client::builder()
+        .timeout(std::time::Duration::from_secs(120))
+        .build()
+        .map_err(|e| format!("Failed to create HTTP client: {}", e))?;
+
+    // Health check
+    let health_url = format!("{}/health", registry.trim_end_matches('/'));
+    match client.get(&health_url).send().await {
+        Ok(r) if r.status().is_success() => {}
+        _ => {
+            return Err(format!(
+                "Cannot connect to NORA at {}. Is `nora serve` running?",
+                registry
+            ))
+        }
+    }
+
+    let start = Instant::now();
+
+    let result = match format {
+        MirrorFormat::Npm {
+            lockfile,
+            packages,
+            all_versions,
+        } => {
+            npm::run_npm_mirror(
+                &client,
+                registry,
+                lockfile,
+                packages,
+                all_versions,
+                concurrency,
+            )
+            .await?
+        }
+        MirrorFormat::Pip { lockfile } => {
+            mirror_lockfile(&client, registry, "pip", &lockfile).await?
+        }
+        MirrorFormat::Cargo { lockfile } => {
+            mirror_lockfile(&client, registry, "cargo", &lockfile).await?
+        }
+        MirrorFormat::Maven { lockfile } => {
+            mirror_lockfile(&client, registry, "maven", &lockfile).await?
+        }
+    };
+
+    let elapsed = start.elapsed();
+    println!("\nMirror complete:");
+    println!("  Total:    {}", result.total);
+    println!("  Fetched:  {}", result.fetched);
+    println!("  Failed:   {}", result.failed);
+    println!("  Size:     {:.1} MB", result.bytes as f64 / 1_048_576.0);
+    println!("  Time:     {:.1}s", elapsed.as_secs_f64());
+
+    if result.failed > 0 {
+        Err(format!("{} packages failed to mirror", result.failed))
+    } else {
+        Ok(())
+    }
+}
+
+async fn mirror_lockfile(
+    client: &reqwest::Client,
+    registry: &str,
+    format: &str,
+    lockfile: &PathBuf,
+) -> Result<MirrorResult, String> {
+    let content = std::fs::read_to_string(lockfile)
+        .map_err(|e| format!("Cannot read {}: {}", lockfile.display(), e))?;
+
+    let targets = match format {
+        "pip" => parse_requirements_txt(&content),
+        "cargo" => parse_cargo_lock(&content)?,
+        "maven" => parse_maven_deps(&content),
+        _ => vec![],
+    };
+
+    if targets.is_empty() {
+        println!("No packages found in {}", lockfile.display());
+        return Ok(MirrorResult {
+            total: 0,
+            fetched: 0,
+            failed: 0,
+            bytes: 0,
+        });
+    }
+
+    let pb = create_progress_bar(targets.len() as u64);
+    let base = registry.trim_end_matches('/');
+    let mut fetched = 0;
+    let mut failed = 0;
+    let mut bytes = 0u64;
+
+    for target in &targets {
+        let url = match format {
+            "pip" => format!("{}/simple/{}/", base, target.name),
+            "cargo" => format!(
+                "{}/cargo/api/v1/crates/{}/{}/download",
+                base, target.name, target.version
+            ),
+            "maven" => {
+                let parts: Vec<&str> = target.name.split(':').collect();
+                if parts.len() == 2 {
+                    let group_path = parts[0].replace('.', "/");
+                    format!(
+                        "{}/maven2/{}/{}/{}/{}-{}.jar",
+                        base, group_path, parts[1], target.version, parts[1], target.version
+                    )
+                } else {
+                    pb.inc(1);
+                    failed += 1;
+                    continue;
+                }
+            }
+            _ => continue,
+        };
+
+        match client.get(&url).send().await {
+            Ok(r) if r.status().is_success() => {
+                if let Ok(body) = r.bytes().await {
+                    bytes += body.len() as u64;
+                }
+                fetched += 1;
+            }
+            _ => failed += 1,
+        }
+
+        pb.set_message(format!("{}@{}", target.name, target.version));
+        pb.inc(1);
+    }
+
+    pb.finish_with_message("done");
+    Ok(MirrorResult {
+        total: targets.len(),
+        fetched,
+        failed,
+        bytes,
+    })
+}
+
+fn parse_requirements_txt(content: &str) -> Vec<MirrorTarget> {
+    content
+        .lines()
+        .filter(|l| !l.trim().is_empty() && !l.starts_with('#') && !l.starts_with('-'))
+        .filter_map(|line| {
+            let line = line.split('#').next().unwrap().trim();
+            if let Some((name, version)) = line.split_once("==") {
+                Some(MirrorTarget {
+                    name: name.trim().to_string(),
+                    version: version.trim().to_string(),
+                })
+            } else {
+                let name = line.split(['>', '<', '=', '!', '~', ';']).next()?.trim();
+                if name.is_empty() {
+                    None
+                } else {
+                    Some(MirrorTarget {
+                        name: name.to_string(),
+                        version: "latest".to_string(),
+                    })
+                }
+            }
+        })
+        .collect()
+}
+
+fn parse_cargo_lock(content: &str) -> Result<Vec<MirrorTarget>, String> {
+    let lock: toml::Value =
+        toml::from_str(content).map_err(|e| format!("Invalid Cargo.lock: {}", e))?;
+    let packages = lock
+        .get("package")
+        .and_then(|p| p.as_array())
+        .cloned()
+        .unwrap_or_default();
+    Ok(packages
+        .iter()
+        .filter(|p| {
+            p.get("source")
+                .and_then(|s| s.as_str())
+                .map(|s| s.starts_with("registry+"))
+                .unwrap_or(false)
+        })
+        .filter_map(|p| {
+            let name = p.get("name")?.as_str()?.to_string();
+            let version = p.get("version")?.as_str()?.to_string();
+            Some(MirrorTarget { name, version })
+        })
+        .collect())
+}
+
+fn parse_maven_deps(content: &str) -> Vec<MirrorTarget> {
+    content
+        .lines()
+        .filter_map(|line| {
+            let line = line.trim().trim_start_matches("[INFO]").trim();
+            let parts: Vec<&str> = line.split(':').collect();
+            if parts.len() >= 4 {
+                let name = format!("{}:{}", parts[0], parts[1]);
+                let version = parts[3].to_string();
+                Some(MirrorTarget { name, version })
+            } else {
+                None
+            }
+        })
+        .collect()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_requirements_txt() {
+        let content = "flask==2.3.0\nrequests>=2.28.0\n# comment\nnumpy==1.24.3\n";
+        let targets = parse_requirements_txt(content);
+        assert_eq!(targets.len(), 3);
+        assert_eq!(targets[0].name, "flask");
+        assert_eq!(targets[0].version, "2.3.0");
+        assert_eq!(targets[1].name, "requests");
+        assert_eq!(targets[1].version, "latest");
+    }
+
+    #[test]
+    fn test_parse_cargo_lock() {
+        let content = "\
+[[package]]
+name = \"serde\"
+version = \"1.0.197\"
+source = \"registry+https://github.com/rust-lang/crates.io-index\"
+
+[[package]]
+name = \"my-local-crate\"
+version = \"0.1.0\"
+";
+        let targets = parse_cargo_lock(content).unwrap();
+        assert_eq!(targets.len(), 1);
+        assert_eq!(targets[0].name, "serde");
+    }
+
+    #[test]
+    fn test_parse_maven_deps() {
+        let content = "[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile\n";
+        let targets = parse_maven_deps(content);
+        assert_eq!(targets.len(), 1);
+        assert_eq!(targets[0].name, "org.apache.commons:commons-lang3");
+        assert_eq!(targets[0].version, "3.12.0");
+    }
+}

nora-registry/src/mirror/npm.rs

@@ -0,0 +1,323 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! npm lockfile parser + mirror logic.
+
+use super::{create_progress_bar, MirrorResult, MirrorTarget};
+use std::collections::HashSet;
+use std::path::PathBuf;
+use tokio::sync::Semaphore;
+
+/// Entry point for npm mirroring
+pub async fn run_npm_mirror(
+    client: &reqwest::Client,
+    registry: &str,
+    lockfile: Option<PathBuf>,
+    packages: Option<Vec<String>>,
+    all_versions: bool,
+    concurrency: usize,
+) -> Result<MirrorResult, String> {
+    let targets = if let Some(path) = lockfile {
+        let content = std::fs::read_to_string(&path)
+            .map_err(|e| format!("Cannot read {}: {}", path.display(), e))?;
+        parse_npm_lockfile(&content)?
+    } else if let Some(names) = packages {
+        resolve_npm_packages(client, registry, &names, all_versions).await?
+    } else {
+        return Err("Specify --lockfile or --packages".to_string());
+    };
+
+    if targets.is_empty() {
+        println!("No npm packages to mirror");
+        return Ok(MirrorResult {
+            total: 0,
+            fetched: 0,
+            failed: 0,
+            bytes: 0,
+        });
+    }
+
+    println!(
+        "Mirroring {} npm packages via {}...",
+        targets.len(),
+        registry
+    );
+    mirror_npm_packages(client, registry, &targets, concurrency).await
+}
+
+/// Parse package-lock.json (v1, v2, v3)
+fn parse_npm_lockfile(content: &str) -> Result<Vec<MirrorTarget>, String> {
+    let json: serde_json::Value =
+        serde_json::from_str(content).map_err(|e| format!("Invalid JSON: {}", e))?;
+
+    let version = json
+        .get("lockfileVersion")
+        .and_then(|v| v.as_u64())
+        .unwrap_or(1);
+
+    let mut seen = HashSet::new();
+    let mut targets = Vec::new();
+
+    if version >= 2 {
+        // v2/v3: use "packages" object
+        if let Some(packages) = json.get("packages").and_then(|p| p.as_object()) {
+            for (key, pkg) in packages {
+                if key.is_empty() {
+                    continue; // root package
+                }
+                if let Some(name) = extract_package_name(key) {
+                    if let Some(ver) = pkg.get("version").and_then(|v| v.as_str()) {
+                        let pair = (name.to_string(), ver.to_string());
+                        if seen.insert(pair.clone()) {
+                            targets.push(MirrorTarget {
+                                name: pair.0,
+                                version: pair.1,
+                            });
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    if version == 1 || targets.is_empty() {
+        // v1 fallback: recursive "dependencies"
+        if let Some(deps) = json.get("dependencies").and_then(|d| d.as_object()) {
+            parse_v1_deps(deps, &mut targets, &mut seen);
+        }
+    }
+
+    Ok(targets)
+}
+
+/// Extract package name from lockfile key like "node_modules/@babel/core"
+fn extract_package_name(key: &str) -> Option<&str> {
+    // Handle nested: "node_modules/foo/node_modules/@scope/bar" → "@scope/bar"
+    let last_nm = key.rfind("node_modules/")?;
+    let after = &key[last_nm + "node_modules/".len()..];
+    let name = after.trim_end_matches('/');
+    if name.is_empty() {
+        None
+    } else {
+        Some(name)
+    }
+}
+
+/// Recursively parse v1 lockfile "dependencies"
+fn parse_v1_deps(
+    deps: &serde_json::Map<String, serde_json::Value>,
+    targets: &mut Vec<MirrorTarget>,
+    seen: &mut HashSet<(String, String)>,
+) {
+    for (name, pkg) in deps {
+        if let Some(ver) = pkg.get("version").and_then(|v| v.as_str()) {
+            let pair = (name.clone(), ver.to_string());
+            if seen.insert(pair.clone()) {
+                targets.push(MirrorTarget {
+                    name: pair.0,
+                    version: pair.1,
+                });
+            }
+        }
+        // Recurse into nested dependencies
+        if let Some(nested) = pkg.get("dependencies").and_then(|d| d.as_object()) {
+            parse_v1_deps(nested, targets, seen);
+        }
+    }
+}
+
+/// Resolve --packages list by fetching metadata from NORA
+async fn resolve_npm_packages(
+    client: &reqwest::Client,
+    registry: &str,
+    names: &[String],
+    all_versions: bool,
+) -> Result<Vec<MirrorTarget>, String> {
+    let base = registry.trim_end_matches('/');
+    let mut targets = Vec::new();
+
+    for name in names {
+        let url = format!("{}/npm/{}", base, name);
+        let resp = client.get(&url).send().await.map_err(|e| e.to_string())?;
+
+        if !resp.status().is_success() {
+            eprintln!("Warning: {} not found (HTTP {})", name, resp.status());
+            continue;
+        }
+
+        let json: serde_json::Value = resp.json().await.map_err(|e| e.to_string())?;
+
+        if all_versions {
+            if let Some(versions) = json.get("versions").and_then(|v| v.as_object()) {
+                for ver in versions.keys() {
+                    targets.push(MirrorTarget {
+                        name: name.clone(),
+                        version: ver.clone(),
+                    });
+                }
+            }
+        } else {
+            // Just latest
+            let latest = json
+                .get("dist-tags")
+                .and_then(|d| d.get("latest"))
+                .and_then(|v| v.as_str())
+                .unwrap_or("latest");
+            targets.push(MirrorTarget {
+                name: name.clone(),
+                version: latest.to_string(),
+            });
+        }
+    }
+
+    Ok(targets)
+}
+
+/// Fetch packages through NORA (triggers proxy cache)
+async fn mirror_npm_packages(
+    client: &reqwest::Client,
+    registry: &str,
+    targets: &[MirrorTarget],
+    concurrency: usize,
+) -> Result<MirrorResult, String> {
+    let base = registry.trim_end_matches('/');
+    let pb = create_progress_bar(targets.len() as u64);
+    let sem = std::sync::Arc::new(Semaphore::new(concurrency));
+
+    // Deduplicate metadata fetches (one per package name)
+    let unique_names: HashSet<&str> = targets.iter().map(|t| t.name.as_str()).collect();
+    pb.set_message("fetching metadata...");
+    for name in &unique_names {
+        let url = format!("{}/npm/{}", base, name);
+        let _ = client.get(&url).send().await; // trigger metadata cache
+    }
+
+    // Fetch tarballs concurrently
+    let fetched = std::sync::Arc::new(std::sync::atomic::AtomicUsize::new(0));
+    let failed = std::sync::Arc::new(std::sync::atomic::AtomicUsize::new(0));
+    let bytes = std::sync::Arc::new(std::sync::atomic::AtomicU64::new(0));
+
+    let mut handles = Vec::new();
+
+    for target in targets {
+        let permit = sem.clone().acquire_owned().await.unwrap();
+        let client = client.clone();
+        let pb = pb.clone();
+        let fetched = fetched.clone();
+        let failed = failed.clone();
+        let bytes = bytes.clone();
+
+        let short_name = target.name.split('/').next_back().unwrap_or(&target.name);
+        let tarball_url = format!(
+            "{}/npm/{}/-/{}-{}.tgz",
+            base, target.name, short_name, target.version
+        );
+        let label = format!("{}@{}", target.name, target.version);
+
+        handles.push(tokio::spawn(async move {
+            let _permit = permit;
+            match client.get(&tarball_url).send().await {
+                Ok(r) if r.status().is_success() => {
+                    if let Ok(body) = r.bytes().await {
+                        bytes.fetch_add(body.len() as u64, std::sync::atomic::Ordering::Relaxed);
+                    }
+                    fetched.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+                }
+                _ => {
+                    failed.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+                }
+            }
+            pb.set_message(label);
+            pb.inc(1);
+        }));
+    }
+
+    for h in handles {
+        let _ = h.await;
+    }
+
+    pb.finish_with_message("done");
+
+    Ok(MirrorResult {
+        total: targets.len(),
+        fetched: fetched.load(std::sync::atomic::Ordering::Relaxed),
+        failed: failed.load(std::sync::atomic::Ordering::Relaxed),
+        bytes: bytes.load(std::sync::atomic::Ordering::Relaxed),
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_extract_package_name() {
+        assert_eq!(extract_package_name("node_modules/lodash"), Some("lodash"));
+        assert_eq!(
+            extract_package_name("node_modules/@babel/core"),
+            Some("@babel/core")
+        );
+        assert_eq!(
+            extract_package_name("node_modules/foo/node_modules/bar"),
+            Some("bar")
+        );
+        assert_eq!(
+            extract_package_name("node_modules/foo/node_modules/@types/node"),
+            Some("@types/node")
+        );
+        assert_eq!(extract_package_name(""), None);
+    }
+
+    #[test]
+    fn test_parse_lockfile_v3() {
+        let content = r#"{
+            "lockfileVersion": 3,
+            "packages": {
+                "": { "name": "test" },
+                "node_modules/lodash": { "version": "4.17.21" },
+                "node_modules/@babel/core": { "version": "7.26.0" },
+                "node_modules/@babel/core/node_modules/semver": { "version": "6.3.1" }
+            }
+        }"#;
+        let targets = parse_npm_lockfile(content).unwrap();
+        assert_eq!(targets.len(), 3);
+        let names: HashSet<&str> = targets.iter().map(|t| t.name.as_str()).collect();
+        assert!(names.contains("lodash"));
+        assert!(names.contains("@babel/core"));
+        assert!(names.contains("semver"));
+    }
+
+    #[test]
+    fn test_parse_lockfile_v1() {
+        let content = r#"{
+            "lockfileVersion": 1,
+            "dependencies": {
+                "express": {
+                    "version": "4.18.2",
+                    "dependencies": {
+                        "accepts": { "version": "1.3.8" }
+                    }
+                }
+            }
+        }"#;
+        let targets = parse_npm_lockfile(content).unwrap();
+        assert_eq!(targets.len(), 2);
+        assert_eq!(targets[0].name, "express");
+        assert_eq!(targets[1].name, "accepts");
+    }
+
+    #[test]
+    fn test_deduplication() {
+        let content = r#"{
+            "lockfileVersion": 3,
+            "packages": {
+                "": {},
+                "node_modules/debug": { "version": "4.3.4" },
+                "node_modules/express/node_modules/debug": { "version": "4.3.4" }
+            }
+        }"#;
+        let targets = parse_npm_lockfile(content).unwrap();
+        assert_eq!(targets.len(), 1); // deduplicated
+        assert_eq!(targets[0].name, "debug");
+    }
+}

nora-registry/src/registry/docker.rs

@@ -44,11 +44,57 @@ pub struct LayerInfo {
     pub size: u64,
 }
 
+/// In-progress upload session with metadata
+struct UploadSession {
+    data: Vec<u8>,
+    name: String,
+    created_at: std::time::Instant,
+}
+
+/// Max concurrent upload sessions (prevent memory exhaustion)
+const DEFAULT_MAX_UPLOAD_SESSIONS: usize = 100;
+/// Max data per session (default 2 GB, configurable via NORA_MAX_UPLOAD_SESSION_SIZE_MB)
+const DEFAULT_MAX_SESSION_SIZE_MB: usize = 2048;
+/// Session TTL (30 minutes)
+const SESSION_TTL: Duration = Duration::from_secs(30 * 60);
+
+/// Read max upload sessions from env or use default
+fn max_upload_sessions() -> usize {
+    std::env::var("NORA_MAX_UPLOAD_SESSIONS")
+        .ok()
+        .and_then(|v| v.parse().ok())
+        .unwrap_or(DEFAULT_MAX_UPLOAD_SESSIONS)
+}
+
+/// Read max session size from env (in MB) or use default
+fn max_session_size() -> usize {
+    let mb = std::env::var("NORA_MAX_UPLOAD_SESSION_SIZE_MB")
+        .ok()
+        .and_then(|v| v.parse::<usize>().ok())
+        .unwrap_or(DEFAULT_MAX_SESSION_SIZE_MB);
+    mb.saturating_mul(1024 * 1024)
+}
+
 /// In-progress upload sessions for chunked uploads
-/// Maps UUID -> accumulated data
-static UPLOAD_SESSIONS: std::sync::LazyLock<RwLock<HashMap<String, Vec<u8>>>> =
+/// Maps UUID -> UploadSession with limits and TTL
+static UPLOAD_SESSIONS: std::sync::LazyLock<RwLock<HashMap<String, UploadSession>>> =
     std::sync::LazyLock::new(|| RwLock::new(HashMap::new()));
 
+/// Remove expired upload sessions (called periodically)
+fn cleanup_expired_sessions() {
+    let mut sessions = UPLOAD_SESSIONS.write();
+    let before = sessions.len();
+    sessions.retain(|_, s| s.created_at.elapsed() < SESSION_TTL);
+    let removed = before - sessions.len();
+    if removed > 0 {
+        tracing::info!(
+            removed = removed,
+            remaining = sessions.len(),
+            "Cleaned up expired upload sessions"
+        );
+    }
+}
+
 pub fn routes() -> Router<Arc<AppState>> {
     Router::new()
         .route("/v2/", get(check))
@@ -108,9 +154,19 @@ async fn catalog(State(state): State<Arc<AppState>>) -> Json<Value> {
     let mut repos: Vec<String> = keys
         .iter()
         .filter_map(|k| {
-            k.strip_prefix("docker/")
-                .and_then(|rest| rest.split('/').next())
-                .map(String::from)
+            let rest = k.strip_prefix("docker/")?;
+            // Find the first known directory separator (manifests/ or blobs/)
+            let name = if let Some(idx) = rest.find("/manifests/") {
+                &rest[..idx]
+            } else if let Some(idx) = rest.find("/blobs/") {
+                &rest[..idx]
+            } else {
+                return None;
+            };
+            if name.is_empty() {
+                return None;
+            }
+            Some(name.to_string())
         })
         .collect();
 
@@ -214,6 +270,38 @@ async fn download_blob(
         }
     }
 
+    // Auto-prepend library/ for single-segment names (Docker Hub official images)
+    if !name.contains('/') {
+        let library_name = format!("library/{}", name);
+        for upstream in &state.config.docker.upstreams {
+            if let Ok(data) = fetch_blob_from_upstream(
+                &state.http_client,
+                &upstream.url,
+                &library_name,
+                &digest,
+                &state.docker_auth,
+                state.config.docker.proxy_timeout,
+                upstream.auth.as_deref(),
+            )
+            .await
+            {
+                let storage = state.storage.clone();
+                let key_clone = key.clone();
+                let data_clone = data.clone();
+                tokio::spawn(async move {
+                    let _ = storage.put(&key_clone, &data_clone).await;
+                });
+
+                return (
+                    StatusCode::OK,
+                    [(header::CONTENT_TYPE, "application/octet-stream")],
+                    Bytes::from(data),
+                )
+                    .into_response();
+            }
+        }
+    }
+
     StatusCode::NOT_FOUND.into_response()
 }
 
@@ -222,7 +310,38 @@ async fn start_upload(Path(name): Path<String>) -> Response {
         return (StatusCode::BAD_REQUEST, e.to_string()).into_response();
     }
 
+    // Cleanup expired sessions before checking limits
+    cleanup_expired_sessions();
+
+    // Enforce max concurrent sessions
+    {
+        let sessions = UPLOAD_SESSIONS.read();
+        let max_sessions = max_upload_sessions();
+        if sessions.len() >= max_sessions {
+            tracing::warn!(
+                max = max_sessions,
+                current = sessions.len(),
+                "Upload session limit reached — rejecting new upload"
+            );
+            return (StatusCode::TOO_MANY_REQUESTS, "Too many concurrent uploads").into_response();
+        }
+    }
+
     let uuid = uuid::Uuid::new_v4().to_string();
+
+    // Create session with metadata
+    {
+        let mut sessions = UPLOAD_SESSIONS.write();
+        sessions.insert(
+            uuid.clone(),
+            UploadSession {
+                data: Vec::new(),
+                name: name.clone(),
+                created_at: std::time::Instant::now(),
+            },
+        );
+    }
+
     let location = format!("/v2/{}/blobs/uploads/{}", name, uuid);
     (
         StatusCode::ACCEPTED,
@@ -244,9 +363,47 @@ async fn patch_blob(Path((name, uuid)): Path<(String, String)>, body: Bytes) ->
     // Append data to the upload session and get total size
     let total_size = {
         let mut sessions = UPLOAD_SESSIONS.write();
-        let session = sessions.entry(uuid.clone()).or_default();
-        session.extend_from_slice(&body);
-        session.len()
+        let session = match sessions.get_mut(&uuid) {
+            Some(s) => s,
+            None => {
+                return (StatusCode::NOT_FOUND, "Upload session not found or expired")
+                    .into_response();
+            }
+        };
+
+        // Verify session belongs to this repository
+        if session.name != name {
+            tracing::warn!(
+                session_name = %session.name,
+                request_name = %name,
+                "SECURITY: upload session name mismatch — possible session fixation"
+            );
+            return (
+                StatusCode::BAD_REQUEST,
+                "Session does not belong to this repository",
+            )
+                .into_response();
+        }
+
+        // Check session TTL
+        if session.created_at.elapsed() >= SESSION_TTL {
+            sessions.remove(&uuid);
+            return (StatusCode::NOT_FOUND, "Upload session expired").into_response();
+        }
+
+        // Check size limit
+        let new_size = session.data.len() + body.len();
+        if new_size > max_session_size() {
+            sessions.remove(&uuid);
+            return (
+                StatusCode::PAYLOAD_TOO_LARGE,
+                "Upload session exceeds size limit",
+            )
+                .into_response();
+        }
+
+        session.data.extend_from_slice(&body);
+        session.data.len()
     };
 
     let location = format!("/v2/{}/blobs/uploads/{}", name, uuid);
@@ -293,8 +450,22 @@ async fn upload_blob(
     // Get data from chunked session if exists, otherwise use body directly
     let data = {
         let mut sessions = UPLOAD_SESSIONS.write();
-        if let Some(mut session_data) = sessions.remove(&uuid) {
+        if let Some(session) = sessions.remove(&uuid) {
+            // Verify session belongs to this repository
+            if session.name != name {
+                tracing::warn!(
+                    session_name = %session.name,
+                    request_name = %name,
+                    "SECURITY: upload finalization name mismatch"
+                );
+                return (
+                    StatusCode::BAD_REQUEST,
+                    "Session does not belong to this repository",
+                )
+                    .into_response();
+            }
             // Chunked upload: append any final body data and use session
+            let mut session_data = session.data;
             if !body.is_empty() {
                 session_data.extend_from_slice(&body);
             }
@@ -305,6 +476,40 @@ async fn upload_blob(
         }
     };
 
+    // Only sha256 digests are supported for verification
+    if !digest.starts_with("sha256:") {
+        return (
+            StatusCode::BAD_REQUEST,
+            "Only sha256 digests are supported for blob uploads",
+        )
+            .into_response();
+    }
+
+    // Verify digest matches uploaded content (Docker Distribution Spec)
+    {
+        use sha2::Digest as _;
+        let computed = format!("sha256:{:x}", sha2::Sha256::digest(&data));
+        if computed != *digest {
+            tracing::warn!(
+                expected = %digest,
+                computed = %computed,
+                name = %name,
+                "SECURITY: blob digest mismatch — rejecting upload"
+            );
+            return (
+                StatusCode::BAD_REQUEST,
+                Json(json!({
+                    "errors": [{
+                        "code": "DIGEST_INVALID",
+                        "message": "provided digest did not match uploaded content",
+                        "detail": { "expected": digest, "computed": computed }
+                    }]
+                })),
+            )
+                .into_response();
+        }
+    }
+
     let key = format!("docker/{}/blobs/{}", name, digest);
     match state.storage.put(&key, &data).await {
         Ok(()) => {
@@ -453,6 +658,57 @@ async fn get_manifest(
         }
     }
 
+    // Auto-prepend library/ for single-segment names (Docker Hub official images)
+    // e.g., "nginx" -> "library/nginx", "alpine" -> "library/alpine"
+    if !name.contains('/') {
+        let library_name = format!("library/{}", name);
+        for upstream in &state.config.docker.upstreams {
+            if let Ok((data, content_type)) = fetch_manifest_from_upstream(
+                &state.http_client,
+                &upstream.url,
+                &library_name,
+                &reference,
+                &state.docker_auth,
+                state.config.docker.proxy_timeout,
+                upstream.auth.as_deref(),
+            )
+            .await
+            {
+                state.metrics.record_download("docker");
+                state.metrics.record_cache_miss();
+                state.activity.push(ActivityEntry::new(
+                    ActionType::ProxyFetch,
+                    format!("{}:{}", name, reference),
+                    "docker",
+                    "PROXY",
+                ));
+
+                use sha2::Digest;
+                let digest = format!("sha256:{:x}", sha2::Sha256::digest(&data));
+
+                // Cache under original name for future local hits
+                let storage = state.storage.clone();
+                let key_clone = key.clone();
+                let data_clone = data.clone();
+                tokio::spawn(async move {
+                    let _ = storage.put(&key_clone, &data_clone).await;
+                });
+
+                state.repo_index.invalidate("docker");
+
+                return (
+                    StatusCode::OK,
+                    [
+                        (header::CONTENT_TYPE, content_type),
+                        (HeaderName::from_static("docker-content-digest"), digest),
+                    ],
+                    Bytes::from(data),
+                )
+                    .into_response();
+            }
+        }
+    }
+
     StatusCode::NOT_FOUND.into_response()
 }
 
@@ -536,6 +792,7 @@ async fn list_tags(State(state): State<Arc<AppState>>, Path(name): Path<String>)
                 .and_then(|t| t.strip_suffix(".json"))
                 .map(String::from)
         })
+        .filter(|t| !t.ends_with(".meta") && !t.contains(".meta."))
         .collect();
     (StatusCode::OK, Json(json!({"name": name, "tags": tags}))).into_response()
 }

nora-registry/src/repo_index.rs

@@ -3,7 +3,7 @@
 
 //! In-memory repository index with lazy rebuild on invalidation.
 //!
-//! Design (designed for efficiency):
+//! Design:
 //! - Rebuild happens ONLY on write operations, not TTL
 //! - Double-checked locking prevents duplicate rebuilds
 //! - Arc<Vec> for zero-cost reads
@@ -173,9 +173,14 @@ async fn build_docker_index(storage: &Storage) -> Vec<RepoInfo> {
         }
 
         if let Some(rest) = key.strip_prefix("docker/") {
+            // Support both single-segment and namespaced images:
+            // docker/alpine/manifests/latest.json → name="alpine"
+            // docker/library/alpine/manifests/latest.json → name="library/alpine"
             let parts: Vec<_> = rest.split('/').collect();
-            if parts.len() >= 3 && parts[1] == "manifests" && key.ends_with(".json") {
-                let name = parts[0].to_string();
+            let manifest_pos = parts.iter().position(|&p| p == "manifests");
+            if let Some(pos) = manifest_pos {
+                if pos >= 1 && key.ends_with(".json") {
+                    let name = parts[..pos].join("/");
                     let entry = repos.entry(name).or_insert((0, 0, 0));
                     entry.0 += 1;
 
@@ -207,6 +212,7 @@ async fn build_docker_index(storage: &Storage) -> Vec<RepoInfo> {
                 }
             }
         }
+    }
 
     to_sorted_vec(repos)
 }
@@ -355,3 +361,164 @@ pub fn paginate<T: Clone>(data: &[T], page: usize, limit: usize) -> (Vec<T>, usi
     let end = (start + limit).min(total);
     (data[start..end].to_vec(), total)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_paginate_first_page() {
+        let data = vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
+        let (page, total) = paginate(&data, 1, 3);
+        assert_eq!(page, vec![1, 2, 3]);
+        assert_eq!(total, 10);
+    }
+
+    #[test]
+    fn test_paginate_second_page() {
+        let data = vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
+        let (page, total) = paginate(&data, 2, 3);
+        assert_eq!(page, vec![4, 5, 6]);
+        assert_eq!(total, 10);
+    }
+
+    #[test]
+    fn test_paginate_last_page_partial() {
+        let data = vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
+        let (page, total) = paginate(&data, 4, 3);
+        assert_eq!(page, vec![10]);
+        assert_eq!(total, 10);
+    }
+
+    #[test]
+    fn test_paginate_beyond_range() {
+        let data = vec![1, 2, 3];
+        let (page, total) = paginate(&data, 5, 3);
+        assert!(page.is_empty());
+        assert_eq!(total, 3);
+    }
+
+    #[test]
+    fn test_paginate_empty_data() {
+        let data: Vec<i32> = vec![];
+        let (page, total) = paginate(&data, 1, 10);
+        assert!(page.is_empty());
+        assert_eq!(total, 0);
+    }
+
+    #[test]
+    fn test_paginate_page_zero() {
+        // page 0 with saturating_sub becomes 0, so start = 0
+        let data = vec![1, 2, 3];
+        let (page, _) = paginate(&data, 0, 2);
+        assert_eq!(page, vec![1, 2]);
+    }
+
+    #[test]
+    fn test_paginate_large_limit() {
+        let data = vec![1, 2, 3];
+        let (page, total) = paginate(&data, 1, 100);
+        assert_eq!(page, vec![1, 2, 3]);
+        assert_eq!(total, 3);
+    }
+
+    #[test]
+    fn test_registry_index_new() {
+        let idx = RegistryIndex::new();
+        assert_eq!(idx.count(), 0);
+        assert!(idx.is_dirty());
+    }
+
+    #[test]
+    fn test_registry_index_invalidate() {
+        let idx = RegistryIndex::new();
+        // Initially dirty
+        assert!(idx.is_dirty());
+
+        // Set data clears dirty
+        idx.set(vec![RepoInfo {
+            name: "test".to_string(),
+            versions: 1,
+            size: 100,
+            updated: "2026-01-01".to_string(),
+        }]);
+        assert!(!idx.is_dirty());
+        assert_eq!(idx.count(), 1);
+
+        // Invalidate makes it dirty again
+        idx.invalidate();
+        assert!(idx.is_dirty());
+    }
+
+    #[test]
+    fn test_registry_index_get_cached() {
+        let idx = RegistryIndex::new();
+        idx.set(vec![
+            RepoInfo {
+                name: "a".to_string(),
+                versions: 2,
+                size: 200,
+                updated: "today".to_string(),
+            },
+            RepoInfo {
+                name: "b".to_string(),
+                versions: 1,
+                size: 100,
+                updated: "yesterday".to_string(),
+            },
+        ]);
+
+        let cached = idx.get_cached();
+        assert_eq!(cached.len(), 2);
+        assert_eq!(cached[0].name, "a");
+    }
+
+    #[test]
+    fn test_registry_index_default() {
+        let idx = RegistryIndex::default();
+        assert_eq!(idx.count(), 0);
+    }
+
+    #[test]
+    fn test_repo_index_new() {
+        let idx = RepoIndex::new();
+        let (d, m, n, c, p) = idx.counts();
+        assert_eq!((d, m, n, c, p), (0, 0, 0, 0, 0));
+    }
+
+    #[test]
+    fn test_repo_index_invalidate() {
+        let idx = RepoIndex::new();
+        // Should not panic for any registry
+        idx.invalidate("docker");
+        idx.invalidate("maven");
+        idx.invalidate("npm");
+        idx.invalidate("cargo");
+        idx.invalidate("pypi");
+        idx.invalidate("unknown"); // should be a no-op
+    }
+
+    #[test]
+    fn test_repo_index_default() {
+        let idx = RepoIndex::default();
+        let (d, m, n, c, p) = idx.counts();
+        assert_eq!((d, m, n, c, p), (0, 0, 0, 0, 0));
+    }
+
+    #[test]
+    fn test_to_sorted_vec() {
+        let mut map = std::collections::HashMap::new();
+        map.insert("zebra".to_string(), (3usize, 100u64, 0u64));
+        map.insert("alpha".to_string(), (1, 50, 1700000000));
+
+        let result = to_sorted_vec(map);
+        assert_eq!(result.len(), 2);
+        assert_eq!(result[0].name, "alpha");
+        assert_eq!(result[0].versions, 1);
+        assert_eq!(result[0].size, 50);
+        assert_ne!(result[0].updated, "N/A");
+        assert_eq!(result[1].name, "zebra");
+        assert_eq!(result[1].versions, 3);
+        assert_eq!(result[1].updated, "N/A"); // modified = 0
+    }
+}

nora-registry/src/ui/components.rs

@@ -333,9 +333,9 @@ pub fn render_mount_points_table(
             format!(
                 r##"
                 <tr class="border-b border-slate-700">
-                    <td class="py-3 text-slate-300">{}</td>
-                    <td class="py-3 font-mono text-blue-400">{}</td>
-                    <td class="py-3 text-slate-400">{}</td>
+                    <td class="px-4 py-3 text-slate-300">{}</td>
+                    <td class="px-4 py-3 font-mono text-blue-400">{}</td>
+                    <td class="px-4 py-3 text-slate-400">{}</td>
                 </tr>
                 "##,
                 registry, mount_path, proxy_display
@@ -358,7 +358,7 @@ pub fn render_mount_points_table(
                             <th class="px-4 py-2">{}</th>
                         </tr>
                     </thead>
-                    <tbody class="px-4">
+                    <tbody>
                         {}
                     </tbody>
                 </table>
@@ -388,11 +388,11 @@ pub fn render_activity_row(
     format!(
         r##"
         <tr class="border-b border-slate-700/50 text-sm">
-            <td class="py-2 text-slate-500">{}</td>
-            <td class="py-2 font-medium {}"><span class="px-2 py-0.5 bg-slate-700 rounded">{}</span></td>
-            <td class="py-2 text-slate-300 font-mono text-xs">{}</td>
-            <td class="py-2 text-slate-400">{}</td>
-            <td class="py-2 text-slate-500">{}</td>
+            <td class="px-4 py-2 text-slate-500">{}</td>
+            <td class="px-4 py-2 font-medium {}"><span class="px-2 py-0.5 bg-slate-700 rounded">{}</span></td>
+            <td class="px-4 py-2 text-slate-300 font-mono text-xs">{}</td>
+            <td class="px-4 py-2 text-slate-400">{}</td>
+            <td class="px-4 py-2 text-slate-500">{}</td>
         </tr>
         "##,
         timestamp,
@@ -424,7 +424,7 @@ pub fn render_activity_log(rows: &str, t: &Translations) -> String {
                             <th class="px-4 py-2">{}</th>
                         </tr>
                     </thead>
-                    <tbody class="px-4">
+                    <tbody>
                         {}
                     </tbody>
                 </table>

nora-registry/src/ui/templates.rs

@@ -74,16 +74,56 @@ pub fn render_dashboard(data: &DashboardResponse, lang: Lang) -> String {
             t.no_activity
         )
     } else {
-        data.activity
+        // Group consecutive identical entries (same action+artifact+registry+source)
+        struct GroupedActivity {
+            time: String,
+            action: String,
+            artifact: String,
+            registry: String,
+            source: String,
+            count: usize,
+        }
+
+        let mut grouped: Vec<GroupedActivity> = Vec::new();
+        for entry in &data.activity {
+            let action = entry.action.to_string();
+            let is_repeat = grouped.last().is_some_and(|last| {
+                last.action == action
+                    && last.artifact == entry.artifact
+                    && last.registry == entry.registry
+                    && last.source == entry.source
+            });
+
+            if is_repeat {
+                if let Some(last) = grouped.last_mut() {
+                    last.count += 1;
+                }
+            } else {
+                grouped.push(GroupedActivity {
+                    time: format_relative_time(&entry.timestamp),
+                    action,
+                    artifact: entry.artifact.clone(),
+                    registry: entry.registry.clone(),
+                    source: entry.source.clone(),
+                    count: 1,
+                });
+            }
+        }
+
+        grouped
             .iter()
-            .map(|entry| {
-                let time_ago = format_relative_time(&entry.timestamp);
+            .map(|g| {
+                let display_artifact = if g.count > 1 {
+                    format!("{} (x{})", g.artifact, g.count)
+                } else {
+                    g.artifact.clone()
+                };
                 render_activity_row(
-                    &time_ago,
-                    &entry.action.to_string(),
-                    &entry.artifact,
-                    &entry.registry,
-                    &entry.source,
+                    &g.time,
+                    &g.action,
+                    &display_artifact,
+                    &g.registry,
+                    &g.source,
                 )
             })
             .collect()

nora-storage/Cargo.toml

@@ -1,28 +0,0 @@
-[package]
-name = "nora-storage"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-authors.workspace = true
-repository.workspace = true
-homepage.workspace = true
-description = "S3-compatible storage server for NORA"
-
-[[bin]]
-name = "nora-storage"
-path = "src/main.rs"
-
-[dependencies]
-tokio.workspace = true
-axum.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-tracing.workspace = true
-tracing-subscriber.workspace = true
-toml = "1.0"
-uuid = { version = "1", features = ["v4"] }
-sha2 = "0.10"
-base64 = "0.22"
-httpdate = "1"
-chrono = { version = "0.4", features = ["serde"] }
-quick-xml = { version = "0.39", features = ["serialize"] }

nora-storage/src/config.rs

@@ -1,47 +0,0 @@
-// Copyright (c) 2026 Volkov Pavel | DevITWay
-// SPDX-License-Identifier: MIT
-
-use serde::{Deserialize, Serialize};
-use std::fs;
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct Config {
-    pub server: ServerConfig,
-    pub storage: StorageConfig,
-}
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct ServerConfig {
-    pub host: String,
-    pub port: u16,
-}
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct StorageConfig {
-    pub data_dir: String,
-    pub max_body_size: usize,
-}
-
-impl Config {
-    pub fn load() -> Self {
-        fs::read_to_string("config.toml")
-            .ok()
-            .and_then(|content| toml::from_str(&content).ok())
-            .unwrap_or_default()
-    }
-}
-
-impl Default for Config {
-    fn default() -> Self {
-        Self {
-            server: ServerConfig {
-                host: String::from("127.0.0.1"),
-                port: 3000,
-            },
-            storage: StorageConfig {
-                data_dir: String::from("data"),
-                max_body_size: 1024 * 1024 * 1024, // 1GB
-            },
-        }
-    }
-}

nora-storage/src/main.rs

@@ -1,311 +0,0 @@
-// Copyright (c) 2026 Volkov Pavel | DevITWay
-// SPDX-License-Identifier: MIT
-
-mod config;
-
-use axum::extract::DefaultBodyLimit;
-use axum::{
-    body::Bytes,
-    extract::{Path, State},
-    http::StatusCode,
-    response::{IntoResponse, Response},
-    routing::{delete, get, put},
-    Router,
-};
-use chrono::Utc;
-use config::Config;
-use quick_xml::se::to_string as to_xml;
-use serde::Serialize;
-use std::fs;
-use std::sync::Arc;
-use tracing::info;
-
-pub struct AppState {
-    pub config: Config,
-}
-
-#[derive(Serialize)]
-#[serde(rename = "ListAllMyBucketsResult")]
-struct ListBucketsResult {
-    #[serde(rename = "Buckets")]
-    buckets: Buckets,
-}
-
-#[derive(Serialize)]
-struct Buckets {
-    #[serde(rename = "Bucket")]
-    bucket: Vec<BucketInfo>,
-}
-
-#[derive(Serialize)]
-struct BucketInfo {
-    #[serde(rename = "Name")]
-    name: String,
-    #[serde(rename = "CreationDate")]
-    creation_date: String,
-}
-
-#[derive(Serialize)]
-#[serde(rename = "ListBucketResult")]
-struct ListObjectsResult {
-    #[serde(rename = "Name")]
-    name: String,
-    #[serde(rename = "Contents")]
-    contents: Vec<ObjectInfo>,
-}
-
-#[derive(Serialize)]
-struct ObjectInfo {
-    #[serde(rename = "Key")]
-    key: String,
-    #[serde(rename = "Size")]
-    size: u64,
-    #[serde(rename = "LastModified")]
-    last_modified: String,
-}
-
-#[derive(Serialize)]
-#[serde(rename = "Error")]
-struct S3Error {
-    #[serde(rename = "Code")]
-    code: String,
-    #[serde(rename = "Message")]
-    message: String,
-}
-
-fn xml_response<T: Serialize>(data: T) -> Response {
-    let xml = format!(
-        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n{}",
-        to_xml(&data).unwrap_or_default()
-    );
-    (
-        StatusCode::OK,
-        [(axum::http::header::CONTENT_TYPE, "application/xml")],
-        xml,
-    )
-        .into_response()
-}
-
-fn error_response(status: StatusCode, code: &str, message: &str) -> Response {
-    let error = S3Error {
-        code: code.to_string(),
-        message: message.to_string(),
-    };
-    let xml = format!(
-        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n{}",
-        to_xml(&error).unwrap_or_default()
-    );
-    (
-        status,
-        [(axum::http::header::CONTENT_TYPE, "application/xml")],
-        xml,
-    )
-        .into_response()
-}
-
-#[tokio::main]
-async fn main() {
-    tracing_subscriber::fmt()
-        .with_env_filter(
-            tracing_subscriber::EnvFilter::from_default_env()
-                .add_directive("nora_storage=info".parse().expect("valid directive")),
-        )
-        .init();
-
-    let config = Config::load();
-    fs::create_dir_all(&config.storage.data_dir).expect("Failed to create data directory");
-
-    let state = Arc::new(AppState {
-        config: config.clone(),
-    });
-
-    let app = Router::new()
-        .route("/", get(list_buckets))
-        .route("/{bucket}", get(list_objects))
-        .route("/{bucket}", put(create_bucket))
-        .route("/{bucket}", delete(delete_bucket))
-        .route("/{bucket}/{*key}", put(put_object))
-        .route("/{bucket}/{*key}", get(get_object))
-        .route("/{bucket}/{*key}", delete(delete_object))
-        .layer(DefaultBodyLimit::max(config.storage.max_body_size))
-        .with_state(state);
-
-    let addr = format!("{}:{}", config.server.host, config.server.port);
-    let listener = tokio::net::TcpListener::bind(&addr)
-        .await
-        .expect("Failed to bind to address");
-
-    info!("nora-storage (S3 compatible) running on http://{}", addr);
-    axum::serve(listener, app).await.expect("Server error");
-}
-
-async fn list_buckets(State(state): State<Arc<AppState>>) -> Response {
-    let data_dir = &state.config.storage.data_dir;
-    let entries = match fs::read_dir(data_dir) {
-        Ok(e) => e,
-        Err(_) => {
-            return error_response(
-                StatusCode::INTERNAL_SERVER_ERROR,
-                "InternalError",
-                "Failed to read data",
-            )
-        }
-    };
-
-    let bucket_list: Vec<BucketInfo> = entries
-        .filter_map(|e| e.ok())
-        .filter(|e| e.path().is_dir())
-        .filter_map(|e| {
-            let name = e.file_name().into_string().ok()?;
-            let modified = e.metadata().ok()?.modified().ok()?;
-            let datetime: chrono::DateTime<Utc> = modified.into();
-            Some(BucketInfo {
-                name,
-                creation_date: datetime.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
-            })
-        })
-        .collect();
-
-    xml_response(ListBucketsResult {
-        buckets: Buckets {
-            bucket: bucket_list,
-        },
-    })
-}
-
-async fn list_objects(State(state): State<Arc<AppState>>, Path(bucket): Path<String>) -> Response {
-    let bucket_path = format!("{}/{}", state.config.storage.data_dir, bucket);
-
-    if !std::path::Path::new(&bucket_path).is_dir() {
-        return error_response(
-            StatusCode::NOT_FOUND,
-            "NoSuchBucket",
-            "The specified bucket does not exist",
-        );
-    }
-
-    let objects = collect_files(std::path::Path::new(&bucket_path), "");
-    xml_response(ListObjectsResult {
-        name: bucket,
-        contents: objects,
-    })
-}
-
-fn collect_files(dir: &std::path::Path, prefix: &str) -> Vec<ObjectInfo> {
-    let mut objects = Vec::new();
-    if let Ok(entries) = fs::read_dir(dir) {
-        for entry in entries.filter_map(|e| e.ok()) {
-            let path = entry.path();
-            let name = entry.file_name().into_string().unwrap_or_default();
-            let key = if prefix.is_empty() {
-                name.clone()
-            } else {
-                format!("{}/{}", prefix, name)
-            };
-
-            if path.is_dir() {
-                objects.extend(collect_files(&path, &key));
-            } else if let Ok(metadata) = entry.metadata() {
-                if let Ok(modified) = metadata.modified() {
-                    let datetime: chrono::DateTime<Utc> = modified.into();
-                    objects.push(ObjectInfo {
-                        key,
-                        size: metadata.len(),
-                        last_modified: datetime.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
-                    });
-                }
-            }
-        }
-    }
-    objects
-}
-
-async fn create_bucket(State(state): State<Arc<AppState>>, Path(bucket): Path<String>) -> Response {
-    let bucket_path = format!("{}/{}", state.config.storage.data_dir, bucket);
-    match fs::create_dir(&bucket_path) {
-        Ok(_) => (StatusCode::OK, "").into_response(),
-        Err(_) => error_response(
-            StatusCode::CONFLICT,
-            "BucketAlreadyExists",
-            "Bucket already exists",
-        ),
-    }
-}
-
-async fn put_object(
-    State(state): State<Arc<AppState>>,
-    Path((bucket, key)): Path<(String, String)>,
-    body: Bytes,
-) -> Response {
-    let file_path = format!("{}/{}/{}", state.config.storage.data_dir, bucket, key);
-
-    if let Some(parent) = std::path::Path::new(&file_path).parent() {
-        let _ = fs::create_dir_all(parent);
-    }
-
-    match fs::write(&file_path, &body) {
-        Ok(_) => {
-            println!("PUT {}/{} ({} bytes)", bucket, key, body.len());
-            (StatusCode::OK, "").into_response()
-        }
-        Err(e) => {
-            println!("ERROR writing {}/{}: {}", bucket, key, e);
-            error_response(
-                StatusCode::INTERNAL_SERVER_ERROR,
-                "InternalError",
-                "Failed to write object",
-            )
-        }
-    }
-}
-
-async fn get_object(
-    State(state): State<Arc<AppState>>,
-    Path((bucket, key)): Path<(String, String)>,
-) -> Response {
-    let file_path = format!("{}/{}/{}", state.config.storage.data_dir, bucket, key);
-
-    match fs::read(&file_path) {
-        Ok(data) => (StatusCode::OK, data).into_response(),
-        Err(_) => error_response(
-            StatusCode::NOT_FOUND,
-            "NoSuchKey",
-            "The specified key does not exist",
-        ),
-    }
-}
-
-async fn delete_object(
-    State(state): State<Arc<AppState>>,
-    Path((bucket, key)): Path<(String, String)>,
-) -> Response {
-    let file_path = format!("{}/{}/{}", state.config.storage.data_dir, bucket, key);
-
-    match fs::remove_file(&file_path) {
-        Ok(_) => {
-            println!("DELETE {}/{}", bucket, key);
-            (StatusCode::NO_CONTENT, "").into_response()
-        }
-        Err(_) => error_response(
-            StatusCode::NOT_FOUND,
-            "NoSuchKey",
-            "The specified key does not exist",
-        ),
-    }
-}
-
-async fn delete_bucket(State(state): State<Arc<AppState>>, Path(bucket): Path<String>) -> Response {
-    let bucket_path = format!("{}/{}", state.config.storage.data_dir, bucket);
-
-    match fs::remove_dir(&bucket_path) {
-        Ok(_) => {
-            println!("DELETE bucket {}", bucket);
-            (StatusCode::NO_CONTENT, "").into_response()
-        }
-        Err(_) => error_response(
-            StatusCode::CONFLICT,
-            "BucketNotEmpty",
-            "The bucket is not empty",
-        ),
-    }
-}

tests/e2e/.gitignore

@@ -0,0 +1,3 @@
+node_modules/
+test-results/
+playwright-report/

tests/e2e/package-lock.json

@@ -0,0 +1,76 @@
+{
+  "name": "nora-e2e",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "nora-e2e",
+      "devDependencies": {
+        "@playwright/test": "^1.50.0"
+      }
+    },
+    "node_modules/@playwright/test": {
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.58.2.tgz",
+      "integrity": "sha512-akea+6bHYBBfA9uQqSYmlJXn61cTa+jbO87xVLCWbTqbWadRVmhxlXATaOjOgcBaWU4ePo0wB41KMFv3o35IXA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright": "1.58.2"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/playwright": {
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.2.tgz",
+      "integrity": "sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright-core": "1.58.2"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "fsevents": "2.3.2"
+      }
+    },
+    "node_modules/playwright-core": {
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.2.tgz",
+      "integrity": "sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "playwright-core": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    }
+  }
+}

tests/e2e/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "nora-e2e",
+  "private": true,
+  "scripts": {
+    "test": "npx playwright test",
+    "test:ui": "npx playwright test --ui"
+  },
+  "devDependencies": {
+    "@playwright/test": "^1.50.0"
+  }
+}

tests/e2e/playwright.config.ts

@@ -0,0 +1,18 @@
+import { defineConfig } from '@playwright/test';
+
+export default defineConfig({
+  testDir: './tests',
+  timeout: 30000,
+  retries: 1,
+  use: {
+    baseURL: process.env.NORA_URL || 'http://localhost:4000',
+    screenshot: 'only-on-failure',
+    trace: 'retain-on-failure',
+  },
+  projects: [
+    {
+      name: 'chromium',
+      use: { browserName: 'chromium' },
+    },
+  ],
+});

tests/e2e/tests/dashboard.spec.ts

@@ -0,0 +1,82 @@
+import { test, expect } from '@playwright/test';
+
+test.describe('NORA Dashboard', () => {
+
+  test('dashboard page loads and shows title', async ({ page }) => {
+    await page.goto('/ui/');
+    await expect(page).toHaveTitle(/NORA|nora/i);
+  });
+
+  test('dashboard shows registry sections', async ({ page }) => {
+    await page.goto('/ui/');
+
+    // All registry types should be visible
+    await expect(page.getByText(/Docker/i).first()).toBeVisible();
+    await expect(page.getByText(/npm/i).first()).toBeVisible();
+    await expect(page.getByText(/Maven/i).first()).toBeVisible();
+    await expect(page.getByText(/PyPI/i).first()).toBeVisible();
+    await expect(page.getByText(/Cargo/i).first()).toBeVisible();
+  });
+
+  test('dashboard shows non-zero npm count after proxy fetch', async ({ page, request }) => {
+    // Trigger npm proxy cache by fetching a package
+    await request.get('/npm/chalk');
+    await request.get('/npm/chalk/-/chalk-5.4.1.tgz');
+
+    // Wait a moment for index rebuild
+    await page.waitForTimeout(1000);
+
+    await page.goto('/ui/');
+
+    // npm section should show at least 1 package
+    // Look for a number > 0 near npm section
+    const statsResponse = await request.get('/api/ui/stats');
+    const stats = await statsResponse.json();
+    expect(stats.npm).toBeGreaterThan(0);
+
+    // Verify it's actually rendered on the page
+    await page.goto('/ui/');
+    await page.waitForTimeout(500);
+
+    // The page should contain the package count somewhere
+    const content = await page.textContent('body');
+    expect(content).not.toBeNull();
+    // Should not show all zeros for npm
+    expect(content).toContain('npm');
+  });
+
+  test('dashboard shows Docker images after proxy fetch', async ({ page, request }) => {
+    // Check stats API
+    const statsResponse = await request.get('/api/ui/stats');
+    const stats = await statsResponse.json();
+
+    // Docker count should be accessible (may be 0 if no images pulled yet)
+    expect(stats).toHaveProperty('docker');
+  });
+
+  test('health endpoint returns healthy', async ({ request }) => {
+    const response = await request.get('/health');
+    expect(response.ok()).toBeTruthy();
+
+    const health = await response.json();
+    expect(health.status).toBe('healthy');
+    expect(health.registries.npm).toBe('ok');
+    expect(health.registries.docker).toBe('ok');
+    expect(health.registries.maven).toBe('ok');
+    expect(health.registries.pypi).toBe('ok');
+    expect(health.registries.cargo).toBe('ok');
+  });
+
+  test('OpenAPI docs endpoint accessible', async ({ request }) => {
+    const response = await request.get('/api-docs', { maxRedirects: 0 });
+    // api-docs redirects to swagger UI
+    expect([200, 303]).toContain(response.status());
+  });
+
+  test('metrics endpoint returns prometheus format', async ({ request }) => {
+    const response = await request.get('/metrics');
+    expect(response.ok()).toBeTruthy();
+    const text = await response.text();
+    expect(text).toContain('nora_http_request_duration_seconds');
+  });
+});

tests/e2e/tests/docker-proxy.spec.ts

@@ -0,0 +1,74 @@
+import { test, expect } from '@playwright/test';
+
+test.describe('Docker Registry', () => {
+
+  test('v2 check returns empty JSON', async ({ request }) => {
+    const response = await request.get('/v2/');
+    expect(response.ok()).toBeTruthy();
+    const body = await response.json();
+    expect(body).toEqual({});
+  });
+
+  test('catalog endpoint returns 200', async ({ request }) => {
+    const response = await request.get('/v2/_catalog');
+    expect(response.ok()).toBeTruthy();
+  });
+
+  test('put and get manifest works', async ({ request }) => {
+    // Push a simple blob
+    const blobData = 'test-blob-content';
+    const crypto = require('crypto');
+    const blobDigest = 'sha256:' + crypto.createHash('sha256').update(blobData).digest('hex');
+
+    await request.post(`/v2/e2e-test/blobs/uploads/?digest=${blobDigest}`, {
+      data: blobData,
+      headers: { 'Content-Type': 'application/octet-stream' },
+    });
+
+    // Push config blob
+    const configData = '{}';
+    const configDigest = 'sha256:' + crypto.createHash('sha256').update(configData).digest('hex');
+
+    await request.post(`/v2/e2e-test/blobs/uploads/?digest=${configDigest}`, {
+      data: configData,
+      headers: { 'Content-Type': 'application/octet-stream' },
+    });
+
+    // Push manifest
+    const manifest = {
+      schemaVersion: 2,
+      mediaType: 'application/vnd.oci.image.manifest.v1+json',
+      config: {
+        mediaType: 'application/vnd.oci.image.config.v1+json',
+        digest: configDigest,
+        size: configData.length,
+      },
+      layers: [
+        {
+          mediaType: 'application/vnd.oci.image.layer.v1.tar+gzip',
+          digest: blobDigest,
+          size: blobData.length,
+        },
+      ],
+    };
+
+    const putResponse = await request.put('/v2/e2e-test/manifests/1.0.0', {
+      data: manifest,
+      headers: { 'Content-Type': 'application/vnd.oci.image.manifest.v1+json' },
+    });
+    expect(putResponse.status()).toBe(201);
+
+    // Pull manifest back
+    const getResponse = await request.get('/v2/e2e-test/manifests/1.0.0');
+    expect(getResponse.ok()).toBeTruthy();
+    const pulled = await getResponse.json();
+    expect(pulled.schemaVersion).toBe(2);
+    expect(pulled.layers).toHaveLength(1);
+  });
+
+  test('tags list returns pushed tags', async ({ request }) => {
+    const response = await request.get('/v2/e2e-test/tags/list');
+    // May or may not have tags depending on test order
+    expect([200, 404]).toContain(response.status());
+  });
+});

tests/e2e/tests/npm-proxy.spec.ts

@@ -0,0 +1,132 @@
+import { test, expect } from '@playwright/test';
+
+test.describe('npm Proxy', () => {
+
+  test('metadata proxy returns rewritten tarball URLs', async ({ request }) => {
+    const response = await request.get('/npm/chalk');
+    expect(response.ok()).toBeTruthy();
+
+    const metadata = await response.json();
+    expect(metadata.name).toBe('chalk');
+    expect(metadata.versions).toBeDefined();
+
+    // Tarball URL must point to NORA, not npmjs.org
+    const version = metadata.versions['5.4.1'];
+    expect(version).toBeDefined();
+    expect(version.dist.tarball).not.toContain('registry.npmjs.org');
+    expect(version.dist.tarball).toContain('/npm/chalk/-/chalk-5.4.1.tgz');
+  });
+
+  test('scoped package @babel/parser works', async ({ request }) => {
+    const response = await request.get('/npm/@babel/parser');
+    expect(response.ok()).toBeTruthy();
+
+    const metadata = await response.json();
+    expect(metadata.name).toBe('@babel/parser');
+
+    // Check tarball URL rewriting for scoped package
+    const versions = Object.keys(metadata.versions);
+    expect(versions.length).toBeGreaterThan(0);
+
+    const firstVersion = metadata.versions[versions[0]];
+    if (firstVersion?.dist?.tarball) {
+      expect(firstVersion.dist.tarball).toContain('/npm/@babel/parser/-/');
+      expect(firstVersion.dist.tarball).not.toContain('registry.npmjs.org');
+    }
+  });
+
+  test('tarball download returns gzip data', async ({ request }) => {
+    // Ensure metadata is cached first
+    await request.get('/npm/chalk');
+
+    const response = await request.get('/npm/chalk/-/chalk-5.4.1.tgz');
+    expect(response.ok()).toBeTruthy();
+    expect(response.headers()['content-type']).toBe('application/octet-stream');
+
+    const body = await response.body();
+    expect(body.length).toBeGreaterThan(100);
+    // gzip magic bytes
+    expect(body[0]).toBe(0x1f);
+    expect(body[1]).toBe(0x8b);
+  });
+
+  test('npm publish creates package', async ({ request }) => {
+    const pkgName = `e2e-pub-${Date.now()}`;
+    const publishBody = {
+      name: pkgName,
+      versions: {
+        '1.0.0': {
+          name: pkgName,
+          version: '1.0.0',
+          dist: {},
+        },
+      },
+      'dist-tags': { latest: '1.0.0' },
+      _attachments: {
+        [`${pkgName}-1.0.0.tgz`]: {
+          data: 'dGVzdA==',
+          content_type: 'application/octet-stream',
+        },
+      },
+    };
+
+    const response = await request.put(`/npm/${pkgName}`, {
+      data: publishBody,
+      headers: { 'Content-Type': 'application/json' },
+    });
+    expect(response.status()).toBe(201);
+
+    // Verify published package is accessible
+    const getResponse = await request.get(`/npm/${pkgName}`);
+    expect(getResponse.ok()).toBeTruthy();
+    const metadata = await getResponse.json();
+    expect(metadata.name).toBe(pkgName);
+    expect(metadata.versions['1.0.0']).toBeDefined();
+  });
+
+  test('npm publish rejects duplicate version (409)', async ({ request }) => {
+    const pkgName = `e2e-dupe-${Date.now()}`;
+    const body = {
+      name: pkgName,
+      versions: { '1.0.0': { name: pkgName, version: '1.0.0', dist: {} } },
+      'dist-tags': { latest: '1.0.0' },
+      _attachments: { [`${pkgName}-1.0.0.tgz`]: { data: 'dGVzdA==' } },
+    };
+
+    await request.put(`/npm/${pkgName}`, {
+      data: body,
+      headers: { 'Content-Type': 'application/json' },
+    });
+
+    // Publish same version again
+    const response = await request.put(`/npm/${pkgName}`, {
+      data: body,
+      headers: { 'Content-Type': 'application/json' },
+    });
+    expect(response.status()).toBe(409);
+  });
+
+  test('npm publish rejects name mismatch (400)', async ({ request }) => {
+    const response = await request.put('/npm/legitimate-pkg', {
+      data: {
+        name: 'evil-pkg',
+        versions: { '1.0.0': {} },
+        _attachments: { 'a.tgz': { data: 'dGVzdA==' } },
+      },
+      headers: { 'Content-Type': 'application/json' },
+    });
+    expect(response.status()).toBe(400);
+  });
+
+  test('npm publish rejects path traversal filename (400)', async ({ request }) => {
+    const response = await request.put('/npm/safe-pkg', {
+      data: {
+        name: 'safe-pkg',
+        versions: { '1.0.0': {} },
+        _attachments: { '../../etc/passwd': { data: 'dGVzdA==' } },
+      },
+      headers: { 'Content-Type': 'application/json' },
+    });
+    expect(response.status()).toBe(400);
+  });
+});

tests/e2e/tests/other-registries.spec.ts

@@ -0,0 +1,51 @@
+import { test, expect } from '@playwright/test';
+
+test.describe('Maven Proxy', () => {
+  test('download Maven artifact', async ({ request }) => {
+    const response = await request.get(
+      '/maven2/org/apache/commons/commons-lang3/3.17.0/commons-lang3-3.17.0.pom'
+    );
+    expect(response.ok()).toBeTruthy();
+    const text = await response.text();
+    expect(text).toContain('commons-lang3');
+  });
+
+  test('Maven upload works', async ({ request }) => {
+    const response = await request.put('/maven2/com/test/smoke/1.0/smoke-1.0.jar', {
+      data: 'test-jar-content',
+    });
+    expect(response.status()).toBe(201);
+  });
+});
+
+test.describe('PyPI Proxy', () => {
+  test('simple index returns HTML', async ({ request }) => {
+    const response = await request.get('/simple/');
+    expect(response.ok()).toBeTruthy();
+    const text = await response.text();
+    expect(text).toContain('Simple Index');
+  });
+
+  test('package page returns links', async ({ request }) => {
+    const response = await request.get('/simple/requests/');
+    expect(response.ok()).toBeTruthy();
+    const text = await response.text();
+    expect(text).toContain('requests');
+  });
+});
+
+test.describe('Raw Storage', () => {
+  test('upload and download file', async ({ request }) => {
+    const data = 'raw-e2e-test-content-' + Date.now();
+
+    const putResponse = await request.put('/raw/e2e/test.txt', {
+      data: data,
+    });
+    expect(putResponse.status()).toBe(201);
+
+    const getResponse = await request.get('/raw/e2e/test.txt');
+    expect(getResponse.ok()).toBeTruthy();
+    const body = await getResponse.text();
+    expect(body).toBe(data);
+  });
+});

tests/smoke.sh

@@ -0,0 +1,210 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# NORA E2E Smoke Test
+# Starts NORA, runs real-world scenarios, verifies results.
+# Exit code 0 = all passed, non-zero = failures.
+
+NORA_BIN="${NORA_BIN:-./target/release/nora}"
+PORT="${NORA_TEST_PORT:-14000}"
+BASE="http://localhost:${PORT}"
+STORAGE_DIR=$(mktemp -d)
+PASSED=0
+FAILED=0
+NORA_PID=""
+
+cleanup() {
+    [ -n "$NORA_PID" ] && kill "$NORA_PID" 2>/dev/null || true
+    rm -rf "$STORAGE_DIR"
+}
+trap cleanup EXIT
+
+fail() {
+    echo "  FAIL: $1"
+    FAILED=$((FAILED + 1))
+}
+
+pass() {
+    echo "  PASS: $1"
+    PASSED=$((PASSED + 1))
+}
+
+check() {
+    local desc="$1"
+    shift
+    if "$@" >/dev/null 2>&1; then
+        pass "$desc"
+    else
+        fail "$desc"
+    fi
+}
+
+echo "=== NORA Smoke Test ==="
+echo "Binary: $NORA_BIN"
+echo "Port:   $PORT"
+echo "Storage: $STORAGE_DIR"
+echo ""
+
+# Start NORA
+NORA_HOST=127.0.0.1 \
+NORA_PORT=$PORT \
+NORA_STORAGE_PATH="$STORAGE_DIR" \
+NORA_RATE_LIMIT_ENABLED=false \
+NORA_PUBLIC_URL="$BASE" \
+"$NORA_BIN" serve &
+NORA_PID=$!
+
+# Wait for startup
+for i in $(seq 1 20); do
+    curl -sf "$BASE/health" >/dev/null 2>&1 && break
+    sleep 0.5
+done
+
+echo "--- Health & Monitoring ---"
+check "GET /health returns healthy" \
+    curl -sf "$BASE/health"
+
+check "GET /ready returns 200" \
+    curl -sf "$BASE/ready"
+
+check "GET /metrics returns prometheus" \
+    curl -sf "$BASE/metrics"
+
+echo ""
+echo "--- npm Proxy ---"
+
+# Fetch metadata — triggers proxy cache
+METADATA=$(curl -sf "$BASE/npm/chalk" 2>/dev/null || echo "{}")
+
+check "npm metadata returns 200" \
+    curl -sf "$BASE/npm/chalk"
+
+# URL rewriting check
+TARBALL_URL=$(echo "$METADATA" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('versions',{}).get('5.4.1',{}).get('dist',{}).get('tarball',''))" 2>/dev/null || echo "")
+if echo "$TARBALL_URL" | grep -q "localhost:${PORT}/npm"; then
+    pass "npm tarball URL rewritten to NORA"
+else
+    fail "npm tarball URL not rewritten: $TARBALL_URL"
+fi
+
+# Fetch tarball
+check "npm tarball download" \
+    curl -sf "$BASE/npm/chalk/-/chalk-5.4.1.tgz" -o /dev/null
+
+# Scoped package
+check "npm scoped package @babel/parser" \
+    curl -sf "$BASE/npm/@babel/parser"
+
+# Publish
+PUBLISH_RESULT=$(curl -s -o /dev/null -w "%{http_code}" -X PUT \
+    -H "Content-Type: application/json" \
+    -d '{"name":"smoke-test-pkg","versions":{"1.0.0":{"name":"smoke-test-pkg","version":"1.0.0","dist":{}}},"dist-tags":{"latest":"1.0.0"},"_attachments":{"smoke-test-pkg-1.0.0.tgz":{"data":"dGVzdA==","content_type":"application/octet-stream"}}}' \
+    "$BASE/npm/smoke-test-pkg")
+if [ "$PUBLISH_RESULT" = "201" ]; then
+    pass "npm publish returns 201"
+else
+    fail "npm publish returned $PUBLISH_RESULT"
+fi
+
+# Version immutability
+DUPE_RESULT=$(curl -s -o /dev/null -w "%{http_code}" -X PUT \
+    -H "Content-Type: application/json" \
+    -d '{"name":"smoke-test-pkg","versions":{"1.0.0":{"name":"smoke-test-pkg","version":"1.0.0","dist":{}}},"dist-tags":{"latest":"1.0.0"},"_attachments":{"smoke-test-pkg-1.0.0.tgz":{"data":"dGVzdA==","content_type":"application/octet-stream"}}}' \
+    "$BASE/npm/smoke-test-pkg")
+if [ "$DUPE_RESULT" = "409" ]; then
+    pass "npm version immutability (409 on duplicate)"
+else
+    fail "npm duplicate publish returned $DUPE_RESULT, expected 409"
+fi
+
+# Security: name mismatch
+MISMATCH_RESULT=$(curl -s -o /dev/null -w "%{http_code}" -X PUT \
+    -H "Content-Type: application/json" \
+    -d '{"name":"evil-pkg","versions":{"1.0.0":{}},"_attachments":{"a.tgz":{"data":"dGVzdA=="}}}' \
+    "$BASE/npm/lodash")
+if [ "$MISMATCH_RESULT" = "400" ]; then
+    pass "npm name mismatch rejected (400)"
+else
+    fail "npm name mismatch returned $MISMATCH_RESULT, expected 400"
+fi
+
+# Security: path traversal
+TRAVERSAL_RESULT=$(curl -s -o /dev/null -w "%{http_code}" -X PUT \
+    -H "Content-Type: application/json" \
+    -d '{"name":"test-pkg","versions":{"1.0.0":{}},"_attachments":{"../../etc/passwd":{"data":"dGVzdA=="}}}' \
+    "$BASE/npm/test-pkg")
+if [ "$TRAVERSAL_RESULT" = "400" ]; then
+    pass "npm path traversal rejected (400)"
+else
+    fail "npm path traversal returned $TRAVERSAL_RESULT, expected 400"
+fi
+
+echo ""
+echo "--- Maven ---"
+check "Maven proxy download" \
+    curl -sf "$BASE/maven2/org/apache/commons/commons-lang3/3.17.0/commons-lang3-3.17.0.pom" -o /dev/null
+
+echo ""
+echo "--- PyPI ---"
+check "PyPI simple index" \
+    curl -sf "$BASE/simple/"
+
+check "PyPI package page" \
+    curl -sf "$BASE/simple/requests/"
+
+echo ""
+echo "--- Docker ---"
+check "Docker v2 check" \
+    curl -sf "$BASE/v2/"
+
+echo ""
+echo "--- Raw ---"
+echo "raw-test-data" | curl -sf -X PUT --data-binary @- "$BASE/raw/smoke/test.txt" >/dev/null 2>&1
+check "Raw upload" \
+    curl -sf "$BASE/raw/smoke/test.txt" -o /dev/null
+
+echo ""
+echo "--- UI & API ---"
+check "UI dashboard loads" \
+    curl -sf "$BASE/ui/"
+
+check "OpenAPI docs" \
+    curl -sf "$BASE/api-docs" -o /dev/null
+
+# Dashboard stats — check npm count > 0 after proxy fetches
+sleep 1
+STATS=$(curl -sf "$BASE/ui/api/stats" 2>/dev/null || echo "{}")
+NPM_COUNT=$(echo "$STATS" | python3 -c "import sys,json; print(json.load(sys.stdin).get('npm',0))" 2>/dev/null || echo "0")
+if [ "$NPM_COUNT" -gt 0 ] 2>/dev/null; then
+    pass "Dashboard npm count > 0 (got $NPM_COUNT)"
+else
+    fail "Dashboard npm count is $NPM_COUNT, expected > 0"
+fi
+
+echo ""
+echo "--- Mirror CLI ---"
+# Create a minimal lockfile
+LOCKFILE=$(mktemp)
+cat > "$LOCKFILE" << 'EOF'
+{
+  "lockfileVersion": 3,
+  "packages": {
+    "": { "name": "test" },
+    "node_modules/chalk": { "version": "5.4.1" }
+  }
+}
+EOF
+MIRROR_RESULT=$("$NORA_BIN" mirror --registry "$BASE" npm --lockfile "$LOCKFILE" 2>&1)
+if echo "$MIRROR_RESULT" | grep -q "Failed:   0"; then
+    pass "nora mirror npm --lockfile (0 failures)"
+else
+    fail "nora mirror: $MIRROR_RESULT"
+fi
+rm -f "$LOCKFILE"
+
+echo ""
+echo "================================"
+echo "Results: $PASSED passed, $FAILED failed"
+echo "================================"
+
+[ "$FAILED" -eq 0 ] && exit 0 || exit 1