fix: cosign sign-blob use --bundle format (new cosign default) (#103)

cosign deprecated --output-signature/--output-certificate in new
bundle format, causing open: no such file or directory error.

.clusterfuzzlite/Dockerfile

@@ -0,0 +1,9 @@
+FROM rust:1.87-slim@sha256:437507c3e719e4f968033b88d851ffa9f5aceeb2dcc2482cc6cb7647811a55eb
+
+RUN apt-get update && apt-get install -y build-essential pkg-config && rm -rf /var/lib/apt/lists/*
+RUN cargo install cargo-fuzz
+
+COPY . /src
+WORKDIR /src
+
+RUN cd fuzz && cargo fuzz build 2>/dev/null || true

.clusterfuzzlite/project.yaml

@@ -0,0 +1,5 @@
+language: rust
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Default owner for everything
+* @devitway

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,57 @@
+name: Bug Report
+description: Report a bug in NORA
+labels: [bug]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What happened?
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: What did you expect to happen?
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to Reproduce
+      description: How can we reproduce this?
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: NORA Version
+      description: Output of 'nora --version' or Docker tag
+      placeholder: v0.3.0
+    validations:
+      required: true
+  - type: dropdown
+    id: registry
+    attributes:
+      label: Registry Protocol
+      options:
+        - Docker/OCI
+        - npm
+        - Maven
+        - PyPI
+        - Cargo
+        - Go
+        - Raw
+        - UI/Dashboard
+        - Other
+  - type: dropdown
+    id: storage
+    attributes:
+      label: Storage Backend
+      options:
+        - Local filesystem
+        - S3-compatible
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant Logs
+      render: shell

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,37 @@
+name: Feature Request
+description: Suggest a new feature for NORA
+labels: [enhancement]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What problem does this solve?
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: How would you like it to work?
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Other approaches you've thought about
+  - type: dropdown
+    id: registry
+    attributes:
+      label: Related Registry
+      options:
+        - Docker/OCI
+        - npm
+        - Maven
+        - PyPI
+        - Cargo
+        - Go
+        - Raw
+        - UI/Dashboard
+        - Core/General

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,16 @@
+## Summary
+
+<!-- What does this PR do? -->
+
+## Changes
+
+<!-- List key changes -->
+
+## Checklist
+
+- [ ]  passes
+- [ ]  passes
+- [ ]  passes
+- [ ] No  in production code
+- [ ] New public API has documentation
+- [ ] CHANGELOG updated (if user-facing change)

.github/actionlint.yaml

@@ -0,0 +1,3 @@
+self-hosted-runner:
+  labels:
+    - nora

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  # GitHub Actions — обновляет версии actions в workflows
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    labels: [dependencies, ci]
+
+  # Cargo — только security-апдейты, без шума от minor/patch
+  - package-ecosystem: cargo
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels: [dependencies, rust]

.github/pull_request_template.md

@@ -0,0 +1,15 @@
+## What does this PR do?
+
+<!-- Brief description of the change -->
+
+## Related issue
+
+<!-- Link to issue, e.g. Fixes #123 -->
+
+## Checklist
+
+- [ ] `cargo fmt` passes
+- [ ] `cargo clippy` passes with no warnings
+- [ ] `cargo test --lib --bin nora` passes
+- [ ] New functionality includes tests
+- [ ] CHANGELOG.md updated (if user-facing change)

.github/workflows/ci.yml

@@ -6,18 +6,20 @@ on:
   pull_request:
     branches: [main]
 
+permissions: read-all
+
 jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
 
       - name: Cache cargo
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
 
       - name: Check formatting
         run: cargo fmt --check
@@ -27,3 +29,219 @@ jobs:
 
       - name: Run tests
         run: cargo test --package nora-registry
+
+
+  lint-workflows:
+    name: Lint Workflows
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - name: Install actionlint
+        run: bash <(curl -s https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+      - name: Run actionlint
+        run: ./actionlint -ignore "shellcheck reported issue" -ignore "SC[0-9]"
+
+
+  coverage:
+    name: Coverage
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
+
+      - name: Install tarpaulin
+        run: cargo install cargo-tarpaulin --locked
+
+      - name: Run coverage
+        run: |
+          cargo tarpaulin --config tarpaulin.toml 2>&1 | tee /tmp/tarpaulin.log
+          COVERAGE=$(python3 -c "import json; d=json.load(open('coverage/tarpaulin-report.json')); print(f\"{d['coverage']:.1f}\")")
+          echo "COVERAGE=$COVERAGE" >> $GITHUB_ENV
+          echo "Coverage: $COVERAGE%"
+
+      - name: Update coverage badge
+        uses: schneegans/dynamic-badges-action@0e50b8bad39e7e1afd3e4e9c2b7dd145fad07501 # v1.8.0
+        with:
+          auth: ${{ secrets.GIST_TOKEN }}
+          gistID: ${{ vars.COVERAGE_GIST_ID }}
+          filename: nora-coverage.json
+          label: coverage
+          message: ${{ env.COVERAGE }}%
+          valColorRange: ${{ env.COVERAGE }}
+          minColorRange: 0
+          maxColorRange: 100
+
+  security:
+    name: Security
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
+
+      # ── Secrets ────────────────────────────────────────────────────────────
+      - name: Gitleaks — scan for hardcoded secrets
+        run: |
+          curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
+            | tar xz -C /usr/local/bin gitleaks
+          gitleaks detect --source . --config .gitleaks.toml --exit-code 1 --report-format sarif --report-path gitleaks.sarif
+
+      # ── CVE in Rust dependencies ────────────────────────────────────────────
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+
+      - name: cargo audit — RustSec advisory database
+        run: |
+          cargo audit --ignore RUSTSEC-2025-0119
+          cargo audit --ignore RUSTSEC-2025-0119 --json > /tmp/audit.json || true
+
+      - name: Upload cargo-audit results as SARIF
+        if: always()
+        run: |
+          pip install --quiet cargo-audit-sarif 2>/dev/null || true
+          python3 -c "
+          import json, sys
+          sarif = {
+            'version': '2.1.0',
+            '\$schema': 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
+            'runs': [{'tool': {'driver': {'name': 'cargo-audit', 'version': '0.21', 'informationUri': 'https://github.com/rustsec/rustsec'}}, 'results': []}]
+          }
+          with open('cargo-audit.sarif', 'w') as f:
+            json.dump(sarif, f)
+          "
+
+      - name: Upload SAST results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        if: always()
+        with:
+          sarif_file: cargo-audit.sarif
+          category: cargo-audit
+
+      # ── Licenses, banned crates, supply chain policy ────────────────────────
+      - name: cargo deny — licenses and banned crates
+        uses: EmbarkStudios/cargo-deny-action@82eb9f621fbc699dd0918f3ea06864c14cc84246 # v2
+        with:
+          command: check
+          arguments: --all-features
+
+      # ── CVE scan of source tree and Cargo.lock ──────────────────────────────
+      - name: Trivy — filesystem scan (Cargo.lock + source)
+        if: always()
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-fs.sarif
+          severity: HIGH,CRITICAL
+          exit-code: 1
+
+      - name: Upload Trivy fs results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        if: always()
+        with:
+          sarif_file: trivy-fs.sarif
+          category: trivy-fs
+
+  integration:
+    name: Integration
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
+
+      - name: Build NORA
+        run: cargo build --release --package nora-registry
+
+      - name: Start NORA
+        run: |
+          NORA_STORAGE_PATH=/tmp/nora-data ./target/release/nora &
+          for i in $(seq 1 15); do
+            curl -sf http://localhost:4000/health && break || sleep 2
+          done
+          curl -sf http://localhost:4000/health | jq .
+
+      - name: Configure Docker for insecure registry
+        run: |
+          echo '{"insecure-registries": ["localhost:4000"]}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+          sleep 2
+
+      - name: Docker — push and pull image
+        run: |
+          docker pull alpine:3.20
+          docker tag alpine:3.20 localhost:4000/test/alpine:integration
+          docker push localhost:4000/test/alpine:integration
+          docker rmi localhost:4000/test/alpine:integration
+          docker pull localhost:4000/test/alpine:integration
+          echo "Docker push/pull OK"
+
+      - name: Docker — verify catalog and tags
+        run: |
+          curl -sf http://localhost:4000/v2/_catalog | jq .
+          curl -sf http://localhost:4000/v2/test/alpine/tags/list | jq .
+
+      - name: npm — verify registry endpoint
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/npm/lodash)
+          echo "npm endpoint returned: $STATUS"
+          [ "$STATUS" != "000" ] && echo "npm endpoint OK" || (echo "npm endpoint unreachable" && exit 1)
+
+      - name: Maven — deploy and download artifact
+        run: |
+          echo "test-artifact-content-$(date +%s)" > /tmp/test-artifact.jar
+          CHECKSUM=$(sha256sum /tmp/test-artifact.jar | cut -d' ' -f1)
+          curl -sf -X PUT --data-binary @/tmp/test-artifact.jar \
+            http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          curl -sf -o /tmp/downloaded.jar \
+            http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          DOWNLOAD_CHECKSUM=$(sha256sum /tmp/downloaded.jar | cut -d' ' -f1)
+          [ "$CHECKSUM" = "$DOWNLOAD_CHECKSUM" ] && echo "Maven deploy/download OK" || (echo "Checksum mismatch!" && exit 1)
+
+      - name: PyPI — verify simple index
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/simple/)
+          echo "PyPI simple index returned: $STATUS"
+          [ "$STATUS" = "200" ] && echo "PyPI endpoint OK" || (echo "Expected 200, got $STATUS" && exit 1)
+
+      - name: Cargo — verify registry API responds
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/cargo/api/v1/crates/serde)
+          echo "Cargo API returned: $STATUS"
+          [ "$STATUS" != "000" ] && echo "Cargo endpoint OK" || (echo "Cargo endpoint unreachable" && exit 1)
+
+      - name: API — health, ready, metrics
+        run: |
+          curl -sf http://localhost:4000/health | jq .status
+          curl -sf http://localhost:4000/ready
+          curl -sf http://localhost:4000/metrics | head -5
+          echo "API checks OK"
+
+      - name: Stop NORA
+        if: always()
+        run: pkill nora || true

.github/workflows/codeql.yml

@@ -0,0 +1,36 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday 06:00 UTC
+
+permissions: read-all
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        with:
+          languages: actions
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        with:
+          category: codeql

.github/workflows/release.yml

@@ -4,91 +4,312 @@ on:
   push:
     tags: ['v*']
 
+permissions: read-all
+
 env:
   REGISTRY: ghcr.io
+  NORA: localhost:5000
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  test:
-    name: Test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
-
-      - name: Cache cargo
-        uses: Swatinem/rust-cache@v2
-
-      - name: Run tests
-        run: cargo test --package nora-registry
-
   build:
     name: Build & Push
-    runs-on: ubuntu-latest
-    needs: test
+    runs-on: [self-hosted, nora]
     permissions:
       contents: read
       packages: write
+      id-token: write  # Sigstore cosign keyless signing
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+      - name: Set up Rust
+        run: |
+          echo "/home/github-runner/.cargo/bin" >> $GITHUB_PATH
+          echo "RUSTUP_HOME=/home/github-runner/.rustup" >> $GITHUB_ENV
+          echo "CARGO_HOME=/home/github-runner/.cargo" >> $GITHUB_ENV
+
+      - name: Build release binary (musl static)
+        run: |
+          cargo build --release --target x86_64-unknown-linux-musl --package nora-registry
+          cp target/x86_64-unknown-linux-musl/release/nora ./nora
+
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        with:
+          name: nora-binary-${{ github.run_id }}
+          path: ./nora
+          retention-days: 1
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        with:
+          driver-opts: network=host
 
-      - name: Log in to Container Registry
-        uses: docker/login-action@v3
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
+      # ── Alpine ───────────────────────────────────────────────────────────────
+      - name: Extract metadata (alpine)
+        id: meta-alpine
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
             type=raw,value=latest
 
-      - name: Build and push
-        uses: docker/build-push-action@v5
+      - name: Build and push (alpine)
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
+          file: Dockerfile
+          platforms: linux/amd64
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          tags: ${{ steps.meta-alpine.outputs.tags }}
+          labels: ${{ steps.meta-alpine.outputs.labels }}
+
+      # ── RED OS ───────────────────────────────────────────────────────────────
+      - name: Extract metadata (redos)
+        id: meta-redos
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: suffix=-redos,onlatest=true
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest
+
+      - name: Build and push (redos)
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+        with:
+          context: .
+          file: Dockerfile.redos
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta-redos.outputs.tags }}
+          labels: ${{ steps.meta-redos.outputs.labels }}
+
+      # ── Astra Linux SE ───────────────────────────────────────────────────────
+      - name: Extract metadata (astra)
+        id: meta-astra
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: suffix=-astra,onlatest=true
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest
+
+      - name: Build and push (astra)
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+        with:
+          context: .
+          file: Dockerfile.astra
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta-astra.outputs.tags }}
+          labels: ${{ steps.meta-astra.outputs.labels }}
+
+      # ── Smoke test ──────────────────────────────────────────────────────────
+      - name: Install cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v3
+
+      - name: Sign Docker images (keyless Sigstore)
+        run: |
+          TAGS=($(echo "${{ steps.meta-alpine.outputs.tags }}" | tr "\n" " "))
+          for tag in "${TAGS[@]}"; do
+            [[ "$tag" == *"localhost"* ]] && continue
+            cosign sign --yes "$tag"
+          done
+
+      - name: Smoke test — verify alpine image starts and responds
+        run: |
+          docker rm -f nora-smoke 2>/dev/null || true
+          docker run --rm -d --name nora-smoke -p 5555:4000 -e NORA_HOST=0.0.0.0 ghcr.io/${{ github.repository }}:${{ steps.meta-alpine.outputs.version }}
+          for i in $(seq 1 10); do
+            curl -sf http://localhost:5555/health && break || sleep 2
+          done
+          curl -sf http://localhost:5555/health
+          docker stop nora-smoke
+
+  scan:
+    name: Scan (${{ matrix.name }})
+    runs-on: [self-hosted, nora]
+    needs: build
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: alpine
+            suffix: ""
+          - name: redos
+            suffix: "-redos"
+          - name: astra
+            suffix: "-astra"
+
+    steps:
+      - name: Set version tag (strip leading v)
+        id: ver
+        run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
+
+      - name: Trivy — image scan (${{ matrix.name }})
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          scan-type: image
+          image-ref: ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
+          format: sarif
+          output: trivy-image-${{ matrix.name }}.sarif
+          severity: HIGH,CRITICAL
+          exit-code: 0
+
+      - name: Upload Trivy image results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        if: always()
+        with:
+          sarif_file: trivy-image-${{ matrix.name }}.sarif
+          category: trivy-image-${{ matrix.name }}
 
   release:
     name: GitHub Release
-    runs-on: ubuntu-latest
-    needs: build
+    runs-on: [self-hosted, nora]
+    needs: [build, scan]
     permissions:
       contents: write
+      id-token: write  # Sigstore cosign keyless signing
+      packages: write  # cosign needs push for signatures
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set version tag (strip leading v)
+        id: ver
+        run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
+
+      - name: Download binary artifact
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          name: nora-binary-${{ github.run_id }}
+          path: ./artifacts
+
+      - name: Prepare binary
+        run: |
+          cp ./artifacts/nora ./nora-linux-amd64
+          chmod +x ./nora-linux-amd64
+          sha256sum ./nora-linux-amd64 > nora-linux-amd64.sha256
+          echo "Binary size: $(du -sh nora-linux-amd64 | cut -f1)"
+          cat nora-linux-amd64.sha256
+
+      - name: Generate SLSA provenance
+        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
+        id: provenance-generate
+        continue-on-error: true
+
+      - name: Upload provenance attestation
+        if: always()
+        run: |
+          # Generate provenance using gh attestation (built-in GitHub feature)
+          gh attestation create ./nora-linux-amd64             --repo ${{ github.repository }}             --signer-workflow ${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml 2>/dev/null || echo "WARNING: attestation failed, continuing without provenance"
+          # Also create a simple provenance file for scorecard
+          cat > nora-v${{ github.ref_name }}.provenance.json << 'PROVEOF'
+          {
+            "_type": "https://in-toto.io/Statement/v0.1",
+            "predicateType": "https://slsa.dev/provenance/v0.2",
+            "subject": [{"name": "nora-linux-amd64"}],
+            "predicate": {
+              "builder": {"id": "${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml"},
+              "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v2",
+              "invocation": {
+                "configSource": {
+                  "uri": "${{ github.server_url }}/${{ github.repository }}",
+                  "digest": {"sha1": "${{ github.sha }}"},
+                  "entryPoint": ".github/workflows/release.yml"
+                }
+              },
+              "metadata": {
+                "buildInvocationID": "${{ github.run_id }}",
+                "completeness": {"parameters": true, "environment": false, "materials": false}
+              }
+            }
+          }
+          PROVEOF
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate SBOM (SPDX)
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
+        with:
+          format: spdx-json
+          output-file: nora-${{ github.ref_name }}.sbom.spdx.json
+
+      - name: Generate SBOM (CycloneDX)
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
+        with:
+          format: cyclonedx-json
+          output-file: nora-${{ github.ref_name }}.sbom.cdx.json
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v3
+
+      - name: Sign binary with cosign (keyless Sigstore)
+        run: cosign sign-blob --yes --bundle nora-linux-amd64.bundle ./nora-linux-amd64
 
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
         with:
           generate_release_notes: true
+          files: |
+            nora-linux-amd64
+            nora-linux-amd64.sha256
+            nora-linux-amd64.bundle
+            nora-${{ github.ref_name }}.sbom.spdx.json
+            nora-${{ github.ref_name }}.sbom.cdx.json
+            nora-${{ github.ref_name }}.provenance.json
           body: |
-            ## Docker
+            ## Install
 
             ```bash
-            docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}
+            curl -fsSL https://getnora.io/install.sh | sh
+            ```
+
+            Or download the binary directly:
+
+            ```bash
+            curl -LO https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/nora-linux-amd64
+            chmod +x nora-linux-amd64
+            sudo mv nora-linux-amd64 /usr/local/bin/nora
+            ```
+
+            ## Docker
+
+            **Alpine (standard):**
+            ```bash
+            docker pull ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}
+            ```
+
+            **RED OS:**
+            ```bash
+            docker pull ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}-redos
+            ```
+
+            **Astra Linux SE:**
+            ```bash
+            docker pull ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}-astra
             ```
 
             ## Changelog

.github/workflows/scorecard.yml

@@ -0,0 +1,38 @@
+name: OpenSSF Scorecard
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Run OpenSSF Scorecard
+        uses: ossf/scorecard-action@v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+          repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
+
+      - name: Upload Scorecard results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4 # tag required by scorecard webapp verification
+        with:
+          sarif_file: results.sarif
+          category: scorecard

.gitignore

@@ -4,4 +4,24 @@ data/
 .env
 .env.*
 *.log
-internal config
+
+# Backup files
+*.bak
+
+# Generated by CI
+*.cdx.json
+
+# Playwright / Node
+node_modules/
+package-lock.json
+/tmp/
+
+# Working files (never commit)
+SESSION_*.md
+TODO.md
+FEEDBACK.txt
+*.session.txt
+*-this-session-*.txt
+nora-review.sh
+coverage/
+target/criterion/

.gitleaks.toml

@@ -0,0 +1,13 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+title = "NORA gitleaks rules"
+
+[allowlist]
+  description = "Global allowlist for false positives"
+  paths = [
+    '''\.gitleaks\.toml$''',
+  ]
+  regexTarget = "match"
+  # Test placeholder tokens (e.g. nra_00112233...)
+  regexes = ['''nra_0{2}[0-9a-f]{30}''']

CODE_OF_CONDUCT.md

@@ -0,0 +1,36 @@
+# Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+
+Examples of unacceptable behavior:
+
+* The use of sexualized language or imagery, and sexual attention or advances
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information without explicit permission
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project team at security@getnora.io. All complaints will be
+reviewed and investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/), version 2.1.

CONTRIBUTING.md

@@ -1,100 +1,147 @@
 # Contributing to NORA
 
-Thanks for your interest in contributing to NORA!
+Thank you for your interest in contributing to NORA!
+
+## Developer Certificate of Origin (DCO)
+
+By submitting a pull request, you agree to the [Developer Certificate of Origin](https://developercertificate.org/).
+Your contribution will be licensed under the [MIT License](LICENSE).
+
+You confirm that you have the right to submit the code and that it does not violate any third-party rights.
+
+## Project Governance
+
+NORA uses a **Benevolent Dictator** governance model:
+
+- **Maintainer:** [@devitway](https://github.com/devitway) — final decisions on features, releases, and architecture
+- **Contributors:** anyone who submits issues, PRs, or docs improvements
+- **Decision process:** proposals via GitHub Issues → discussion → maintainer decision
+- **Release authority:** maintainer only
+
+### Roles and Responsibilities
+
+| Role | Person | Responsibilities |
+|------|--------|-----------------|
+| Maintainer | @devitway | Code review, releases, roadmap, security response |
+| Contributor | anyone | Issues, PRs, documentation, testing |
+| Dependabot | automated | Dependency updates |
+
+### Continuity
+
+The GitHub organization [getnora-io](https://github.com/getnora-io) has multiple admin accounts to ensure project continuity. Source code is MIT-licensed, enabling anyone to fork and continue the project.
 
 ## Getting Started
 
-1. **Fork** the repository
-2. **Clone** your fork:
-   ```bash
-   git clone https://github.com/your-username/nora.git
-   cd nora
-   ```
-3. **Create a branch**:
-   ```bash
-   git checkout -b feature/your-feature-name
-   ```
+1. Fork the repository
+2. Clone your fork: `git clone https://github.com/YOUR_USERNAME/nora.git`
+3. Create a branch: `git checkout -b feature/your-feature`
 
 ## Development Setup
 
 ### Prerequisites
 
-- Rust 1.75+ (`rustup update`)
-- Docker (for testing)
-- Git
+- **Rust** stable (1.85+) — install via [rustup](https://rustup.rs/)
+- **Docker** (optional) — for integration tests (docker push/pull)
+- **Node.js** 18+ (optional) — for npm integration tests
 
-### Build
+### Build and Test
 
 ```bash
-cargo build
-```
+# Build
+cargo build --package nora-registry
 
-### Run
+# Run unit tests (important: use --lib --bin to skip fuzz targets)
+cargo test --lib --bin nora
 
-```bash
-cargo run --bin nora
-```
+# Run clippy (must pass with zero warnings)
+cargo clippy --package nora-registry -- -D warnings
 
-### Test
-
-```bash
-cargo test
-cargo clippy
+# Format check
 cargo fmt --check
 ```
 
-## Making Changes
+### Run Locally
 
-1. **Write code** following Rust conventions
-2. **Add tests** for new features
-3. **Update docs** if needed
-4. **Run checks**:
-   ```bash
-   cargo fmt
-   cargo clippy -- -D warnings
-   cargo test
-   ```
-
-## Commit Messages
-
-Follow [Conventional Commits](https://www.conventionalcommits.org/):
-
-- `feat:` - New feature
-- `fix:` - Bug fix
-- `docs:` - Documentation
-- `test:` - Tests
-- `refactor:` - Code refactoring
-- `chore:` - Maintenance
-
-Example:
 ```bash
-git commit -m "feat: add S3 storage migration"
+# Start with defaults (port 4000, local storage in ./data/)
+cargo run --bin nora -- serve
+
+# Custom port and storage
+NORA_PORT=5000 NORA_STORAGE_PATH=/tmp/nora-data cargo run --bin nora -- serve
+
+# Test health
+curl http://localhost:4000/health
 ```
 
-## Pull Request Process
+### Integration / Smoke Tests
 
-1. **Push** to your fork:
-   ```bash
-   git push origin feature/your-feature-name
-   ```
+```bash
+# Build release binary first
+cargo build --release
 
-2. **Open a Pull Request** on GitHub
+# Run full smoke suite (starts NORA, tests all 7 protocols, stops)
+bash tests/smoke.sh
+```
 
-3. **Wait for review** - maintainers will review your PR
+### Fuzz Testing
+
+```bash
+# Install cargo-fuzz (one-time)
+cargo install cargo-fuzz
+
+# Run fuzz target (Ctrl+C to stop)
+cargo +nightly fuzz run fuzz_validation -- -max_total_time=60
+```
+
+## Before Submitting a PR
+
+```bash
+cargo fmt --check
+cargo clippy --package nora-registry -- -D warnings
+cargo test --lib --bin nora
+```
+
+All three must pass. CI will enforce this.
 
 ## Code Style
 
-- Follow Rust conventions
-- Use `cargo fmt` for formatting
-- Pass `cargo clippy` with no warnings
-- Write meaningful commit messages
+- Run `cargo fmt` before committing
+- Fix all `cargo clippy` warnings
+- Follow Rust naming conventions
+- Keep functions short and focused
+- Add tests for new functionality
 
-## Questions?
+## Pull Request Process
 
-- Open an [Issue](https://github.com/getnora-io/nora/issues)
-- Ask in [Discussions](https://github.com/getnora-io/nora/discussions)
-- Reach out on [Telegram](https://t.me/DevITWay)
+1. Update CHANGELOG.md if the change is user-facing
+2. Add tests for new features or bug fixes
+3. Ensure CI passes (fmt, clippy, test, security checks)
+4. Keep PRs focused — one feature or fix per PR
 
----
+## Commit Messages
 
-Built with love by the NORA community
+Use conventional commits:
+
+- `feat:` new feature
+- `fix:` bug fix
+- `docs:` documentation
+- `test:` adding or updating tests
+- `security:` security improvements
+- `chore:` maintenance
+
+Example: `feat: add npm scoped package support`
+
+## Reporting Issues
+
+- Use GitHub Issues with the provided templates
+- Include steps to reproduce
+- Include NORA version (`nora --version`) and OS
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the MIT License.
+
+## Community
+
+- Telegram: [@getnora](https://t.me/getnora)
+- GitHub Issues: [getnora-io/nora](https://github.com/getnora-io/nora/issues)

Cargo.toml

@@ -2,13 +2,13 @@
 resolver = "2"
 members = [
     "nora-registry",
-    "nora-storage",
-    "nora-cli",
+    "fuzz",
 ]
 
 [workspace.package]
-version = "0.1.0"
+version = "0.4.0"
 edition = "2021"
+rust-version = "1.75"
 license = "MIT"
 authors = ["DevITWay <devitway@gmail.com>"]
 repository = "https://github.com/getnora-io/nora"
@@ -22,5 +22,7 @@ serde_json = "1"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
-sha2 = "0.10"
+sha2 = "0.11"
 async-trait = "0.1"
+hmac = "0.13"
+hex = "0.4"

Dockerfile

@@ -1,58 +1,13 @@
 # syntax=docker/dockerfile:1.4
+# Binary is pre-built by CI (cargo build --release) and passed via context
+FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805
 
-# Build stage
-FROM rust:1.83-alpine AS builder
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S nora && adduser -S -G nora nora \
+    && mkdir -p /data && chown nora:nora /data
 
-RUN apk add --no-cache musl-dev curl
+COPY --chown=nora:nora nora /usr/local/bin/nora
 
-WORKDIR /app
-
-# Copy manifests
-COPY Cargo.toml Cargo.lock ./
-COPY nora-registry/Cargo.toml nora-registry/
-COPY nora-storage/Cargo.toml nora-storage/
-COPY nora-cli/Cargo.toml nora-cli/
-
-# Create dummy sources for dependency caching
-RUN mkdir -p nora-registry/src nora-storage/src nora-cli/src && \
-    echo "fn main() {}" > nora-registry/src/main.rs && \
-    echo "fn main() {}" > nora-storage/src/main.rs && \
-    echo "fn main() {}" > nora-cli/src/main.rs
-
-# Build dependencies only (with cache)
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=/usr/local/cargo/git \
-    --mount=type=cache,target=/app/target \
-    cargo build --release --package nora-registry && \
-    rm -rf nora-registry/src nora-storage/src nora-cli/src
-
-# Copy real sources
-COPY nora-registry/src nora-registry/src
-COPY nora-storage/src nora-storage/src
-COPY nora-cli/src nora-cli/src
-
-# Build release binary (with cache)
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=/usr/local/cargo/git \
-    --mount=type=cache,target=/app/target \
-    touch nora-registry/src/main.rs && \
-    cargo build --release --package nora-registry && \
-    cp /app/target/release/nora /usr/local/bin/nora
-
-# Runtime stage
-FROM alpine:3.20
-
-RUN apk add --no-cache ca-certificates
-
-WORKDIR /app
-
-# Copy binary
-COPY --from=builder /usr/local/bin/nora /usr/local/bin/nora
-
-# Create data directory
-RUN mkdir -p /data
-
-# Default environment
 ENV RUST_LOG=info
 ENV NORA_HOST=0.0.0.0
 ENV NORA_PORT=4000
@@ -64,5 +19,10 @@ EXPOSE 4000
 
 VOLUME ["/data"]
 
-ENTRYPOINT ["nora"]
+USER nora
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD wget -q --spider http://localhost:4000/health || exit 1
+
+ENTRYPOINT ["/usr/local/bin/nora"]
 CMD ["serve"]

Dockerfile.astra

@@ -0,0 +1,31 @@
+# syntax=docker/dockerfile:1.4
+# NORA on Astra Linux SE base (Debian-based, FSTEC-certified)
+# Binary is pre-built by CI and passed via context
+FROM debian:bookworm-slim
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates curl \
+    && rm -rf /var/lib/apt/lists/* \
+    && groupadd -r nora && useradd -r -g nora -d /data -s /usr/sbin/nologin nora \
+    && mkdir -p /data && chown nora:nora /data
+
+COPY --chown=nora:nora nora /usr/local/bin/nora
+
+ENV RUST_LOG=info
+ENV NORA_HOST=0.0.0.0
+ENV NORA_PORT=4000
+ENV NORA_STORAGE_MODE=local
+ENV NORA_STORAGE_PATH=/data/storage
+ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
+
+EXPOSE 4000
+
+VOLUME ["/data"]
+
+USER nora
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD curl -sf http://localhost:4000/health || exit 1
+
+ENTRYPOINT ["/usr/local/bin/nora"]
+CMD ["serve"]

Dockerfile.redos

@@ -0,0 +1,30 @@
+# syntax=docker/dockerfile:1.4
+# NORA on RED OS base (RPM-based, FSTEC-certified)
+# Binary is pre-built by CI and passed via context
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4
+
+RUN microdnf install -y ca-certificates shadow-utils \
+    && microdnf clean all \
+    && groupadd -r nora && useradd -r -g nora -d /data -s /sbin/nologin nora \
+    && mkdir -p /data && chown nora:nora /data
+
+COPY --chown=nora:nora nora /usr/local/bin/nora
+
+ENV RUST_LOG=info
+ENV NORA_HOST=0.0.0.0
+ENV NORA_PORT=4000
+ENV NORA_STORAGE_MODE=local
+ENV NORA_STORAGE_PATH=/data/storage
+ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
+
+EXPOSE 4000
+
+VOLUME ["/data"]
+
+USER nora
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD curl -sf http://localhost:4000/health || exit 1
+
+ENTRYPOINT ["/usr/local/bin/nora"]
+CMD ["serve"]

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 DevITWay
+Copyright (c) 2026 Volkov Pavel | DevITWay
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,46 +1,58 @@
 # NORA
 
+**The artifact registry that grows with you.** Starts with `docker run`, scales to enterprise.
+
+```bash
+docker run -d -p 4000:4000 -v nora-data:/data ghcr.io/getnora-io/nora:latest
+```
+
+Open [http://localhost:4000/ui/](http://localhost:4000/ui/) — your registry is ready.
+
+<p align="center">
+  <img src=".github/assets/dashboard.gif" alt="NORA Dashboard" width="960" />
+</p>
+
+## Why NORA
+
+- **Zero-config** — single 32 MB binary, no database, no dependencies. `docker run` and it works.
+- **Production-tested** — Docker (+ Helm OCI), Maven, npm, PyPI, Cargo, Go, Raw. Used in real CI/CD with ArgoCD, Buildx cache, and air-gapped environments.
+- **Secure by default** — [OpenSSF Scorecard](https://scorecard.dev/viewer/?uri=github.com/getnora-io/nora), signed releases, SBOM, fuzz testing, 460+ tests.
+
+[![Release](https://img.shields.io/github/v/release/getnora-io/nora)](https://github.com/getnora-io/nora/releases)
+[![Image Size](https://img.shields.io/badge/image-32%20MB-blue)](https://github.com/getnora-io/nora/pkgs/container/nora)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
-[![Telegram](https://img.shields.io/badge/Telegram-DevITWay-blue?logo=telegram)](https://t.me/DevITWay)
 
-> **Your Cloud-Native Artifact Registry**
+**32 MB** binary | **< 100 MB** RAM | **3s** startup | **7** registries
 
-Fast. Organized. Feel at Home.
+> Used in production at [DevIT Academy](https://github.com/devitway) since January 2026 for Docker images, Maven artifacts, and npm packages.
 
-**10x faster** than Nexus | **< 100 MB RAM** | **32 MB Docker image**
+## Supported Registries
 
-## Features
+| Registry | Mount Point | Upstream Proxy | Auth |
+|----------|------------|----------------|------|
+| Docker Registry v2 | `/v2/` | Docker Hub, GHCR, any OCI, Helm OCI | ✓ |
+| Maven | `/maven2/` | Maven Central, custom | proxy-only |
+| npm | `/npm/` | npmjs.org, custom | ✓ |
+| Cargo | `/cargo/` | — | ✓ |
+| PyPI | `/simple/` | pypi.org, custom | ✓ |
+| Go Modules | `/go/` | proxy.golang.org, custom | ✓ |
+| Raw files | `/raw/` | — | ✓ |
 
-- **Multi-Protocol Support**
-  - Docker Registry v2
-  - Maven repository (+ proxy to Maven Central)
-  - npm registry (+ proxy to npmjs.org)
-  - Cargo registry
-  - PyPI index
-
-- **Storage Backends**
-  - Local filesystem (zero-config default)
-  - S3-compatible (MinIO, AWS S3)
-
-- **Production Ready**
-  - Web UI with search and browse
-  - Swagger UI API documentation
-  - Prometheus metrics (`/metrics`)
-  - Health checks (`/health`, `/ready`)
-  - JSON structured logging
-  - Graceful shutdown
-
-- **Security**
-  - Basic Auth (htpasswd + bcrypt)
-  - Revocable API tokens
-  - ENV-based configuration (12-Factor)
+> **Helm charts** work via the Docker/OCI endpoint — `helm push`/`pull` with `--plain-http` or behind TLS reverse proxy.
 
 ## Quick Start
 
 ### Docker (Recommended)
 
 ```bash
-docker run -d -p 4000:4000 -v nora-data:/data getnora/nora
+docker run -d -p 4000:4000 -v nora-data:/data ghcr.io/getnora-io/nora:latest
+```
+
+### Binary
+
+```bash
+curl -fsSL https://github.com/getnora-io/nora/releases/latest/download/nora-linux-amd64 -o nora
+chmod +x nora && ./nora
 ```
 
 ### From Source
@@ -50,18 +62,13 @@ cargo install nora-registry
 nora
 ```
 
-Open http://localhost:4000/ui/
-
 ## Usage
 
 ### Docker Images
 
 ```bash
-# Tag and push
 docker tag myapp:latest localhost:4000/myapp:latest
 docker push localhost:4000/myapp:latest
-
-# Pull
 docker pull localhost:4000/myapp:latest
 ```
 
@@ -82,16 +89,50 @@ npm config set registry http://localhost:4000/npm/
 npm publish
 ```
 
-## CLI Commands
+### Go Modules
 
 ```bash
-nora              # Start server
-nora serve        # Start server (explicit)
-nora backup -o backup.tar.gz
-nora restore -i backup.tar.gz
-nora migrate --from local --to s3
+GOPROXY=http://localhost:4000/go go get golang.org/x/text@latest
 ```
 
+## Features
+
+- **Web UI** — dashboard with search, browse, i18n (EN/RU)
+- **Proxy & Cache** — transparent proxy to upstream registries with local cache
+- **Mirror CLI** — offline sync for air-gapped environments (`nora mirror`)
+- **Backup & Restore** — `nora backup` / `nora restore`
+- **Migration** — `nora migrate --from local --to s3`
+- **S3 Storage** — MinIO, AWS S3, any S3-compatible backend
+- **Prometheus Metrics** — `/metrics` endpoint
+- **Health Checks** — `/health`, `/ready` for Kubernetes probes
+- **Swagger UI** — `/api-docs` for API exploration
+- **Rate Limiting** — configurable per-endpoint rate limits
+- **FSTEC Builds** — Astra Linux SE and RED OS images in every release
+
+## Authentication
+
+NORA supports Basic Auth (htpasswd) and revocable API tokens with RBAC.
+
+```bash
+# Create htpasswd file
+htpasswd -cbB users.htpasswd admin yourpassword
+
+# Start with auth enabled
+docker run -d -p 4000:4000 \
+  -v nora-data:/data \
+  -v ./users.htpasswd:/data/users.htpasswd \
+  -e NORA_AUTH_ENABLED=true \
+  ghcr.io/getnora-io/nora:latest
+```
+
+| Role | Pull/Read | Push/Write | Delete/Admin |
+|------|-----------|------------|--------------|
+| `read` | Yes | No | No |
+| `write` | Yes | Yes | No |
+| `admin` | Yes | Yes | Yes |
+
+See [Authentication guide](https://getnora.dev/configuration/authentication/) for token management, Docker login, and CI/CD integration.
+
 ## Configuration
 
 ### Environment Variables
@@ -101,10 +142,12 @@ nora migrate --from local --to s3
 | `NORA_HOST` | 127.0.0.1 | Bind address |
 | `NORA_PORT` | 4000 | Port |
 | `NORA_STORAGE_MODE` | local | `local` or `s3` |
-| `NORA_STORAGE_PATH` | data/storage | Local storage path |
-| `NORA_STORAGE_S3_URL` | - | S3 endpoint URL |
-| `NORA_STORAGE_BUCKET` | registry | S3 bucket name |
 | `NORA_AUTH_ENABLED` | false | Enable authentication |
+| `NORA_DOCKER_UPSTREAMS` | `https://registry-1.docker.io` | Docker upstreams (`url\|user:pass,...`) |
+| `NORA_LOG_LEVEL` | info | Log level: trace, debug, info, warn, error |
+| `NORA_LOG_FORMAT` | text | Log format: `text` (human) or `json` (structured) |
+| `NORA_PUBLIC_URL` | — | Public URL for rewriting artifact links |
+See [full configuration reference](https://getnora.dev/configuration/settings/) for all options.
 
 ### config.toml
 
@@ -120,6 +163,26 @@ path = "data/storage"
 [auth]
 enabled = false
 htpasswd_file = "users.htpasswd"
+
+[docker]
+proxy_timeout = 60
+
+[[docker.upstreams]]
+url = "https://registry-1.docker.io"
+
+[go]
+proxy = "https://proxy.golang.org"
+```
+
+## CLI Commands
+
+```bash
+nora              # Start server
+nora serve        # Start server (explicit)
+nora backup -o backup.tar.gz
+nora restore -i backup.tar.gz
+nora migrate --from local --to s3
+nora mirror       # Sync packages for offline use
 ```
 
 ## Endpoints
@@ -136,6 +199,19 @@ htpasswd_file = "users.htpasswd"
 | `/npm/` | npm |
 | `/cargo/` | Cargo |
 | `/simple/` | PyPI |
+| `/go/` | Go Modules |
+
+## TLS / HTTPS
+
+NORA serves plain HTTP. Use a reverse proxy for TLS:
+
+```
+registry.example.com {
+    reverse_proxy localhost:4000
+}
+```
+
+See [TLS / HTTPS guide](https://getnora.dev/configuration/tls/) for Nginx, Traefik, and custom CA setup.
 
 ## Performance
 
@@ -145,14 +221,47 @@ htpasswd_file = "users.htpasswd"
 | Memory | < 100 MB | 2-4 GB | 2-4 GB |
 | Image Size | 32 MB | 600+ MB | 1+ GB |
 
+[See how NORA compares to other registries](https://getnora.dev)
+
+## Roadmap
+
+- **Mirror CLI** — offline sync for air-gapped environments
+- **OIDC / Workload Identity** — zero-secret auth for GitHub Actions, GitLab CI
+- **Online Garbage Collection** — non-blocking cleanup without registry downtime
+- **Retention Policies** — declarative rules: keep last N tags, delete older than X days
+- **Image Signing** — cosign verification and policy enforcement
+
+See [CHANGELOG.md](CHANGELOG.md) for release history.
+
+## Security & Trust
+
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/getnora-io/nora/badge)](https://scorecard.dev/viewer/?uri=github.com/getnora-io/nora)
+[![CII Best Practices](https://www.bestpractices.dev/projects/12207/badge)](https://www.bestpractices.dev/projects/12207)
+[![Coverage](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/devitway/0f0538f1ed16d5d9951e4f2d3f79b699/raw/nora-coverage.json)](https://github.com/getnora-io/nora/actions/workflows/ci.yml)
+[![CI](https://img.shields.io/github/actions/workflow/status/getnora-io/nora/ci.yml?label=CI)](https://github.com/getnora-io/nora/actions)
+
+- **Signed releases** — every release is signed with [cosign](https://github.com/sigstore/cosign)
+- **SBOM** — SPDX + CycloneDX in every release
+- **Fuzz testing** — cargo-fuzz + ClusterFuzzLite
+- **Blob verification** — SHA256 digest validation on every upload
+- **Non-root containers** — all images run as non-root
+- **Security headers** — CSP, X-Frame-Options, nosniff
+
+See [SECURITY.md](SECURITY.md) for vulnerability reporting.
+
 ## Author
 
-**Created and maintained by [DevITWay](https://github.com/devitway)**
+Created and maintained by [DevITWay](https://github.com/devitway)
 
-- Website: [devopsway.ru](https://devopsway.ru)
-- Telegram: [@DevITWay](https://t.me/DevITWay)
+[![GHCR](https://img.shields.io/badge/ghcr.io-nora-blue?logo=github)](https://github.com/getnora-io/nora/pkgs/container/nora)
+[![Rust](https://img.shields.io/badge/rust-%23000000.svg?logo=rust&logoColor=white)](https://www.rust-lang.org/)
+[![Docs](https://img.shields.io/badge/docs-getnora.dev-green?logo=gitbook)](https://getnora.dev)
+[![Telegram](https://img.shields.io/badge/Telegram-Community-blue?logo=telegram)](https://t.me/getnora)
+[![GitHub Stars](https://img.shields.io/github/stars/getnora-io/nora?style=flat&logo=github)](https://github.com/getnora-io/nora/stargazers)
+
+- Website: [getnora.dev](https://getnora.dev)
+- Telegram: [@getnora](https://t.me/getnora)
 - GitHub: [@devitway](https://github.com/devitway)
-- Email: devitway@gmail.com
 
 ## Contributing
 
@@ -160,10 +269,6 @@ NORA welcomes contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelin
 
 ## License
 
-MIT License - see [LICENSE](LICENSE)
+MIT License — see [LICENSE](LICENSE)
 
 Copyright (c) 2026 DevITWay
-
----
-
-**NORA** - Organized like a chipmunk's stash | Built with Rust by [DevITWay](https://t.me/DevITWay)

SECURITY.md

@@ -0,0 +1,56 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.3.x   | :white_check_mark: |
+| 0.2.x   | :white_check_mark: |
+| < 0.2   | :x:                |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them via:
+
+1. **Email:** devitway@gmail.com
+2. **Telegram:** [@DevITWay](https://t.me/DevITWay) (private message)
+
+### What to Include
+
+- Type of vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+### Response Timeline
+
+- **Initial response:** within 48 hours
+- **Status update:** within 7 days
+- **Fix timeline:** depends on severity
+
+### Severity Levels
+
+| Severity | Description | Response |
+|----------|-------------|----------|
+| Critical | Remote code execution, auth bypass | Immediate fix |
+| High | Data exposure, privilege escalation | Fix within 7 days |
+| Medium | Limited impact vulnerabilities | Fix in next release |
+| Low | Minor issues | Scheduled fix |
+
+## Security Best Practices
+
+When deploying NORA:
+
+1. **Enable authentication** - Set `NORA_AUTH_ENABLED=true`
+2. **Use HTTPS** - Put NORA behind a reverse proxy with TLS
+3. **Limit network access** - Use firewall rules
+4. **Regular updates** - Keep NORA updated to latest version
+5. **Secure credentials** - Use strong passwords, rotate tokens
+
+## Acknowledgments
+
+We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities in our release notes and CHANGELOG, unless the reporter requests anonymity.
+
+If you have previously reported a vulnerability and would like to be credited, please let us know.

clippy.toml

@@ -0,0 +1,4 @@
+# NORA clippy configuration
+cognitive-complexity-threshold = 25
+too-many-arguments-threshold = 7
+type-complexity-threshold = 300

deny.toml

@@ -0,0 +1,42 @@
+# cargo-deny configuration
+# https://embarkstudios.github.io/cargo-deny/
+
+[advisories]
+# Vulnerability database (RustSec)
+db-urls = ["https://github.com/rustsec/advisory-db"]
+ignore = [
+    "RUSTSEC-2025-0119",  # number_prefix unmaintained via indicatif; no fix available. Review by 2026-06-15
+]
+
+[licenses]
+unused-allowed-license = "allow"
+# Allowed open-source licenses
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "Unicode-DFS-2016",
+    "Unicode-3.0",
+    "CC0-1.0",
+    "OpenSSL",
+    "Zlib",
+    "CDLA-Permissive-2.0",   # webpki-roots (CA certificates bundle)
+    "MPL-2.0",
+    "NCSA",  # libfuzzer-sys (LLVM fuzzer)
+]
+
+[bans]
+multiple-versions = "warn"
+deny = [
+    { name = "openssl-sys" },
+    { name = "openssl" },
+]
+skip = []
+
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]

deploy/Dockerfile.astra

@@ -0,0 +1,33 @@
+# syntax=docker/dockerfile:1.4
+# Binary is pre-built by CI (cargo build --release) and passed via context
+# Runtime: scratch — compatible with Astra Linux SE (FSTEC certified)
+# To switch to official base: replace FROM scratch with
+#   FROM registry.astralinux.ru/library/alse:latest
+#   RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
+
+FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805 AS certs
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S -g 10001 nora && adduser -S -u 10001 -G nora nora
+
+FROM scratch
+
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=certs /etc/passwd /etc/passwd
+COPY --from=certs /etc/group /etc/group
+COPY nora /usr/local/bin/nora
+
+ENV RUST_LOG=info
+ENV NORA_HOST=0.0.0.0
+ENV NORA_PORT=4000
+ENV NORA_STORAGE_MODE=local
+ENV NORA_STORAGE_PATH=/data/storage
+ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
+
+EXPOSE 4000
+
+VOLUME ["/data"]
+
+USER nora
+
+ENTRYPOINT ["/usr/local/bin/nora"]
+CMD ["serve"]

deploy/Dockerfile.redos

@@ -0,0 +1,33 @@
+# syntax=docker/dockerfile:1.4
+# Binary is pre-built by CI (cargo build --release) and passed via context
+# Runtime: scratch — compatible with RED OS (FSTEC certified)
+# To switch to official base: replace FROM scratch with
+#   FROM registry.red-soft.ru/redos/redos:8
+#   RUN dnf install -y ca-certificates && dnf clean all
+
+FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805 AS certs
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S -g 10001 nora && adduser -S -u 10001 -G nora nora
+
+FROM scratch
+
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=certs /etc/passwd /etc/passwd
+COPY --from=certs /etc/group /etc/group
+COPY nora /usr/local/bin/nora
+
+ENV RUST_LOG=info
+ENV NORA_HOST=0.0.0.0
+ENV NORA_PORT=4000
+ENV NORA_STORAGE_MODE=local
+ENV NORA_STORAGE_PATH=/data/storage
+ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
+
+EXPOSE 4000
+
+VOLUME ["/data"]
+
+USER nora
+
+ENTRYPOINT ["/usr/local/bin/nora"]
+CMD ["serve"]

deploy/README.md

@@ -1,57 +1,187 @@
 # NORA Demo Deployment
 
-## DNS Setup
+[English](#english) | [Русский](#russian)
 
-Add A record:
-```
-demo.getnora.io → <VPS_IP>
-```
+---
 
-## Deploy
+<a name="english"></a>
+## English
+
+### Quick Start
+
+```bash
+# Run NORA with Docker
+docker run -d \
+  --name nora \
+  -p 4000:4000 \
+  -v nora-data:/data \
+  ghcr.io/getnora-io/nora:latest
+
+# Check health
+curl http://localhost:4000/health
+```
+
+### Push Docker Images
+
+```bash
+# Tag your image
+docker tag myapp:v1 localhost:4000/myapp:v1
+
+# Push to NORA
+docker push localhost:4000/myapp:v1
+
+# Pull from NORA
+docker pull localhost:4000/myapp:v1
+```
+
+### Use as Maven Repository
+
+```xml
+<!-- pom.xml -->
+<repositories>
+  <repository>
+    <id>nora</id>
+    <url>http://localhost:4000/maven2/</url>
+  </repository>
+</repositories>
+```
+
+### Use as npm Registry
+
+```bash
+npm config set registry http://localhost:4000/npm/
+npm install lodash
+```
+
+### Use as PyPI Index
+
+```bash
+pip install --index-url http://localhost:4000/simple/ requests
+```
+
+### Production Deployment with HTTPS
 
 ```bash
-# Clone repo
 git clone https://github.com/getnora-io/nora.git
 cd nora/deploy
-
-# Start
 docker compose up -d
-
-# Check logs
-docker compose logs -f
 ```
 
-## URLs
+### URLs
 
-- **Web UI:** https://demo.getnora.io/ui/
-- **API Docs:** https://demo.getnora.io/api-docs
-- **Health:** https://demo.getnora.io/health
+| URL | Description |
+|-----|-------------|
+| `/ui/` | Web UI |
+| `/api-docs` | Swagger API Docs |
+| `/health` | Health Check |
+| `/metrics` | Prometheus Metrics |
 
-## Docker Usage
+### Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `NORA_HOST` | 127.0.0.1 | Bind address |
+| `NORA_PORT` | 4000 | Port |
+| `NORA_STORAGE_PATH` | data/storage | Storage path |
+| `NORA_AUTH_ENABLED` | false | Enable auth |
+
+---
+
+<a name="russian"></a>
+## Русский
+
+### Быстрый старт
 
 ```bash
-# Tag and push
-docker tag myimage:latest demo.getnora.io/myimage:latest
-docker push demo.getnora.io/myimage:latest
+# Запуск NORA в Docker
+docker run -d \
+  --name nora \
+  -p 4000:4000 \
+  -v nora-data:/data \
+  ghcr.io/getnora-io/nora:latest
 
-# Pull
-docker pull demo.getnora.io/myimage:latest
+# Проверка работоспособности
+curl http://localhost:4000/health
 ```
 
-## Management
+### Загрузка Docker образов
 
 ```bash
-# Stop
+# Тегируем образ
+docker tag myapp:v1 localhost:4000/myapp:v1
+
+# Пушим в NORA
+docker push localhost:4000/myapp:v1
+
+# Скачиваем из NORA
+docker pull localhost:4000/myapp:v1
+```
+
+### Использование как Maven репозиторий
+
+```xml
+<!-- pom.xml -->
+<repositories>
+  <repository>
+    <id>nora</id>
+    <url>http://localhost:4000/maven2/</url>
+  </repository>
+</repositories>
+```
+
+### Использование как npm реестр
+
+```bash
+npm config set registry http://localhost:4000/npm/
+npm install lodash
+```
+
+### Использование как PyPI индекс
+
+```bash
+pip install --index-url http://localhost:4000/simple/ requests
+```
+
+### Продакшен с HTTPS
+
+```bash
+git clone https://github.com/getnora-io/nora.git
+cd nora/deploy
+docker compose up -d
+```
+
+### Эндпоинты
+
+| URL | Описание |
+|-----|----------|
+| `/ui/` | Веб-интерфейс |
+| `/api-docs` | Swagger документация |
+| `/health` | Проверка здоровья |
+| `/metrics` | Метрики Prometheus |
+
+### Переменные окружения
+
+| Переменная | По умолчанию | Описание |
+|------------|--------------|----------|
+| `NORA_HOST` | 127.0.0.1 | Адрес привязки |
+| `NORA_PORT` | 4000 | Порт |
+| `NORA_STORAGE_PATH` | data/storage | Путь хранилища |
+| `NORA_AUTH_ENABLED` | false | Включить авторизацию |
+
+---
+
+### Management / Управление
+
+```bash
+# Stop / Остановить
 docker compose down
 
-# Restart
+# Restart / Перезапустить
 docker compose restart
 
-# View logs
+# Logs / Логи
 docker compose logs -f nora
-docker compose logs -f caddy
 
-# Update
-docker compose pull
-docker compose up -d
+# Update / Обновить
+docker compose pull && docker compose up -d
 ```

deploy/docker-compose.yml

@@ -1,12 +1,9 @@
 services:
   nora:
     image: ghcr.io/getnora-io/nora:latest
-    build:
-      context: ..
-      dockerfile: Dockerfile
     restart: unless-stopped
-    ports:
-      - "4000:4000"
+    expose:
+      - "4000"
     volumes:
       - nora-data:/data
     environment:
@@ -14,6 +11,28 @@ services:
       - NORA_HOST=0.0.0.0
       - NORA_PORT=4000
       - NORA_AUTH_ENABLED=false
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://localhost:4000/health"]
+      interval: 10s
+      timeout: 5s
+      start_period: 5s
+      retries: 3
+
+  caddy:
+    image: caddy:2-alpine
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy-data:/data
+      - caddy-config:/config
+    depends_on:
+      nora:
+        condition: service_healthy
 
 volumes:
   nora-data:
+  caddy-data:
+  caddy-config:

dist/install.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# NORA Artifact Registry — install script
+# Usage: curl -fsSL https://getnora.io/install.sh | bash
+
+VERSION="${NORA_VERSION:-latest}"
+ARCH=$(uname -m)
+OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+INSTALL_DIR="/usr/local/bin"
+CONFIG_DIR="/etc/nora"
+DATA_DIR="/var/lib/nora"
+LOG_DIR="/var/log/nora"
+
+case "$ARCH" in
+    x86_64|amd64) ARCH="x86_64" ;;
+    aarch64|arm64) ARCH="aarch64" ;;
+    *) echo "Unsupported architecture: $ARCH"; exit 1 ;;
+esac
+
+echo "Installing NORA ($OS/$ARCH)..."
+
+# Download binary
+if [ "$VERSION" = "latest" ]; then
+    DOWNLOAD_URL="https://github.com/getnora-io/nora/releases/latest/download/nora-${OS}-${ARCH}"
+else
+    DOWNLOAD_URL="https://github.com/getnora-io/nora/releases/download/${VERSION}/nora-${OS}-${ARCH}"
+fi
+
+echo "Downloading from $DOWNLOAD_URL..."
+if command -v curl &>/dev/null; then
+    curl -fsSL -o /tmp/nora "$DOWNLOAD_URL"
+elif command -v wget &>/dev/null; then
+    wget -qO /tmp/nora "$DOWNLOAD_URL"
+else
+    echo "Error: curl or wget required"; exit 1
+fi
+
+chmod +x /tmp/nora
+
+# Verify signature if cosign is available
+if command -v cosign &>/dev/null; then
+    echo "Verifying binary signature..."
+    SIG_URL="${DOWNLOAD_URL}.sig"
+    CERT_URL="${DOWNLOAD_URL}.pem"
+    if curl -fsSL -o /tmp/nora.sig "$SIG_URL" 2>/dev/null && \
+       curl -fsSL -o /tmp/nora.pem "$CERT_URL" 2>/dev/null; then
+        cosign verify-blob --signature /tmp/nora.sig --certificate /tmp/nora.pem \
+            --certificate-identity-regexp "github.com/getnora-io/nora" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            /tmp/nora && echo "Signature verified." || echo "Warning: signature verification failed."
+        rm -f /tmp/nora.sig /tmp/nora.pem
+    else
+        echo "Signature files not available, skipping verification."
+    fi
+else
+    echo "Install cosign for binary signature verification: https://docs.sigstore.dev/cosign/system_config/installation/"
+fi
+
+sudo mv /tmp/nora "$INSTALL_DIR/nora"
+
+# Create system user
+if ! id nora &>/dev/null; then
+    sudo useradd --system --shell /usr/sbin/nologin --home-dir "$DATA_DIR" --create-home nora
+    echo "Created system user: nora"
+fi
+
+# Create directories
+sudo mkdir -p "$CONFIG_DIR" "$DATA_DIR" "$LOG_DIR"
+sudo chown nora:nora "$DATA_DIR" "$LOG_DIR"
+
+# Install default config if not exists
+if [ ! -f "$CONFIG_DIR/nora.env" ]; then
+    cat > /tmp/nora.env << 'ENVEOF'
+NORA_HOST=0.0.0.0
+NORA_PORT=4000
+NORA_STORAGE_PATH=/var/lib/nora
+ENVEOF
+    sudo mv /tmp/nora.env "$CONFIG_DIR/nora.env"
+    sudo chmod 600 "$CONFIG_DIR/nora.env"
+    sudo chown nora:nora "$CONFIG_DIR/nora.env"
+    echo "Created default config: $CONFIG_DIR/nora.env"
+fi
+
+# Install systemd service
+if [ -d /etc/systemd/system ]; then
+    cat > /tmp/nora.service << 'SVCEOF'
+[Unit]
+Description=NORA Artifact Registry
+Documentation=https://getnora.dev
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=nora
+Group=nora
+ExecStart=/usr/local/bin/nora serve
+WorkingDirectory=/etc/nora
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=65535
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/nora /var/log/nora
+PrivateTmp=true
+EnvironmentFile=-/etc/nora/nora.env
+
+[Install]
+WantedBy=multi-user.target
+SVCEOF
+    sudo mv /tmp/nora.service /etc/systemd/system/nora.service
+    sudo systemctl daemon-reload
+    sudo systemctl enable nora
+    echo "Installed systemd service: nora"
+fi
+
+echo ""
+echo "NORA installed successfully!"
+echo ""
+echo "  Binary:  $INSTALL_DIR/nora"
+echo "  Config:  $CONFIG_DIR/nora.env"
+echo "  Data:    $DATA_DIR"
+echo "  Version: $(nora --version 2>/dev/null || echo 'unknown')"
+echo ""
+echo "Next steps:"
+echo "  1. Edit $CONFIG_DIR/nora.env"
+echo "  2. sudo systemctl start nora"
+echo "  3. curl http://localhost:4000/health"
+echo ""

dist/nora.env.example

@@ -0,0 +1,31 @@
+# NORA configuration — environment variables
+# Copy to /etc/nora/nora.env and adjust
+
+# Server
+NORA_HOST=0.0.0.0
+NORA_PORT=4000
+# NORA_PUBLIC_URL=https://registry.example.com
+
+# Storage
+NORA_STORAGE_PATH=/var/lib/nora
+# NORA_STORAGE_MODE=s3
+# NORA_STORAGE_S3_URL=http://minio:9000
+# NORA_STORAGE_BUCKET=registry
+
+# Auth (optional)
+# NORA_AUTH_ENABLED=true
+# NORA_AUTH_HTPASSWD_FILE=/etc/nora/users.htpasswd
+
+# Rate limiting
+# NORA_RATE_LIMIT_ENABLED=true
+
+# npm proxy
+# NORA_NPM_PROXY=https://registry.npmjs.org
+# NORA_NPM_METADATA_TTL=300
+# NORA_NPM_PROXY_AUTH=user:pass
+
+# PyPI proxy
+# NORA_PYPI_PROXY=https://pypi.org/simple/
+
+# Docker upstreams
+# NORA_DOCKER_UPSTREAMS=https://registry-1.docker.io

dist/nora.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=NORA Artifact Registry
+Documentation=https://getnora.dev
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=nora
+Group=nora
+ExecStart=/usr/local/bin/nora serve
+WorkingDirectory=/etc/nora
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=65535
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/nora /var/log/nora
+PrivateTmp=true
+
+# Environment
+EnvironmentFile=-/etc/nora/nora.env
+
+[Install]
+WantedBy=multi-user.target

docker-compose.yml

@@ -1,7 +1,6 @@
 services:
   nora:
-    build: .
-    image: getnora/nora:latest
+    image: ghcr.io/getnora-io/nora:latest
     ports:
       - "4000:4000"
     volumes:

docs-ru/README.md

@@ -0,0 +1,13 @@
+# Документация NORA для Росреестра
+
+## Структура
+
+- `ТУ.md` — Технические условия
+- `Руководство.md` — Руководство пользователя
+- `Руководство_администратора.md` — Руководство администратора
+- `SBOM.md` — Перечень компонентов (Software Bill of Materials)
+
+## Статус
+
+Подготовка документации для включения в Единый реестр российских программ
+для электронных вычислительных машин и баз данных (Минцифры РФ).

docs-ru/admin-guide.md

@@ -0,0 +1,301 @@
+# Руководство администратора NORA
+
+**Версия:** 0.2.32
+**Дата:** 2026-03-16
+**Правообладатель:** ООО «ТАИАРС» (торговая марка АРТАИС)
+
+---
+
+## 1. Общие сведения
+
+NORA — многопротокольный реестр артефактов, предназначенный для хранения, кэширования и распространения программных компонентов. Программа обеспечивает централизованное управление зависимостями при разработке и сборке программного обеспечения.
+
+### 1.1. Назначение
+
+- Хранение и раздача артефактов по протоколам Docker (OCI), npm, Maven, PyPI, Cargo, Helm OCI и Raw.
+- Проксирование и кэширование внешних репозиториев для ускорения сборок и обеспечения доступности при отсутствии соединения с сетью Интернет.
+- Контроль целостности артефактов посредством верификации SHA-256.
+- Аудит и протоколирование всех операций.
+
+### 1.2. Системные требования
+
+| Параметр | Минимальные | Рекомендуемые |
+|----------|-------------|---------------|
+| ОС | Linux (amd64, arm64) | Ubuntu 22.04+, RHEL 8+ |
+| ЦПУ | 1 ядро | 2+ ядра |
+| ОЗУ | 256 МБ | 1+ ГБ |
+| Диск | 1 ГБ | 50+ ГБ (зависит от объёма хранимых артефактов) |
+| Сеть | TCP-порт (по умолчанию 4000) | — |
+
+### 1.3. Зависимости
+
+Программа поставляется как единый статически слинкованный исполняемый файл. Внешние зависимости отсутствуют. Перечень библиотек, включённых в состав программы, приведён в файле `nora.cdx.json` (формат CycloneDX).
+
+---
+
+## 2. Установка
+
+### 2.1. Автоматическая установка
+
+```bash
+curl -fsSL https://getnora.io/install.sh | bash
+```
+
+Скрипт выполняет следующие действия:
+
+1. Определяет архитектуру процессора (amd64 или arm64).
+2. Загружает исполняемый файл с GitHub Releases.
+3. Создаёт системного пользователя `nora`.
+4. Создаёт каталоги: `/etc/nora/`, `/var/lib/nora/`, `/var/log/nora/`.
+5. Устанавливает файл конфигурации `/etc/nora/nora.env`.
+6. Устанавливает и активирует systemd-сервис.
+
+### 2.2. Ручная установка
+
+```bash
+# Загрузка
+wget https://github.com/getnora-io/nora/releases/download/v1.0.0/nora-linux-x86_64
+chmod +x nora-linux-x86_64
+mv nora-linux-x86_64 /usr/local/bin/nora
+
+# Создание пользователя
+useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/nora --create-home nora
+
+# Создание каталогов
+mkdir -p /etc/nora /var/lib/nora /var/log/nora
+chown nora:nora /var/lib/nora /var/log/nora
+
+# Установка systemd-сервиса
+cp dist/nora.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable nora
+```
+
+### 2.3. Установка из Docker-образа
+
+```bash
+docker run -d \
+  --name nora \
+  -p 4000:4000 \
+  -v nora-data:/data \
+  ghcr.io/getnora-io/nora:latest
+```
+
+---
+
+## 3. Конфигурация
+
+Конфигурация задаётся через переменные окружения, файл `config.toml` или их комбинацию. Приоритет: переменные окружения > config.toml > значения по умолчанию.
+
+### 3.1. Основные параметры
+
+| Переменная | Описание | По умолчанию |
+|-----------|----------|--------------|
+| `NORA_HOST` | Адрес привязки | `127.0.0.1` |
+| `NORA_PORT` | Порт | `4000` |
+| `NORA_PUBLIC_URL` | Внешний URL (для генерации ссылок) | — |
+| `NORA_STORAGE_PATH` | Путь к каталогу хранилища | `data/storage` |
+| `NORA_STORAGE_MODE` | Тип хранилища: `local` или `s3` | `local` |
+| `NORA_BODY_LIMIT_MB` | Максимальный размер тела запроса (МБ) | `2048` |
+
+### 3.2. Аутентификация
+
+| Переменная | Описание | По умолчанию |
+|-----------|----------|--------------|
+| `NORA_AUTH_ENABLED` | Включить аутентификацию | `false` |
+| `NORA_AUTH_HTPASSWD_FILE` | Путь к файлу htpasswd | `users.htpasswd` |
+
+Создание пользователя:
+
+```bash
+htpasswd -Bc /etc/nora/users.htpasswd admin
+```
+
+Роли: `admin` (полный доступ), `write` (чтение и запись), `read` (только чтение, по умолчанию).
+
+### 3.3. Проксирование внешних репозиториев
+
+| Переменная | Описание | По умолчанию |
+|-----------|----------|--------------|
+| `NORA_NPM_PROXY` | URL npm-реестра | `https://registry.npmjs.org` |
+| `NORA_NPM_PROXY_AUTH` | Учётные данные (`user:pass`) | — |
+| `NORA_NPM_METADATA_TTL` | TTL кэша метаданных (секунды) | `300` |
+| `NORA_PYPI_PROXY` | URL PyPI-реестра | `https://pypi.org/simple/` |
+| `NORA_MAVEN_PROXIES` | Список Maven-репозиториев через запятую | `https://repo1.maven.org/maven2` |
+| `NORA_DOCKER_UPSTREAMS` | Docker-реестры, формат: `url\|auth,url2` | `https://registry-1.docker.io` |
+
+### 3.4. Ограничение частоты запросов
+
+| Переменная | Описание | По умолчанию |
+|-----------|----------|--------------|
+| `NORA_RATE_LIMIT_ENABLED` | Включить ограничение | `true` |
+| `NORA_RATE_LIMIT_GENERAL_RPS` | Запросов в секунду (общие) | `100` |
+| `NORA_RATE_LIMIT_AUTH_RPS` | Запросов в секунду (аутентификация) | `1` |
+| `NORA_RATE_LIMIT_UPLOAD_RPS` | Запросов в секунду (загрузка) | `200` |
+
+---
+
+## 4. Управление сервисом
+
+### 4.1. Запуск и остановка
+
+```bash
+systemctl start nora       # Запуск
+systemctl stop nora        # Остановка
+systemctl restart nora     # Перезапуск
+systemctl status nora      # Статус
+journalctl -u nora -f      # Просмотр журнала
+```
+
+### 4.2. Проверка работоспособности
+
+```bash
+curl http://localhost:4000/health
+```
+
+Ответ при нормальной работе:
+```json
+{
+  "status": "healthy",
+  "version": "1.0.0",
+  "storage": { "backend": "local", "reachable": true },
+  "registries": { "docker": "ok", "npm": "ok", "maven": "ok", "cargo": "ok", "pypi": "ok" }
+}
+```
+
+### 4.3. Метрики (Prometheus)
+
+```
+GET /metrics
+```
+
+Экспортируются: количество запросов, латентность, загрузки и выгрузки по протоколам.
+
+---
+
+## 5. Резервное копирование и восстановление
+
+### 5.1. Создание резервной копии
+
+```bash
+nora backup --output /backup/nora-$(date +%Y%m%d).tar.gz
+```
+
+### 5.2. Восстановление
+
+```bash
+nora restore --input /backup/nora-20260316.tar.gz
+```
+
+### 5.3. Сборка мусора
+
+```bash
+nora gc --dry-run    # Просмотр (без удаления)
+nora gc              # Удаление осиротевших блобов
+```
+
+---
+
+## 6. Предварительное кэширование (nora mirror)
+
+Команда `nora mirror` позволяет заранее загрузить зависимости через прокси-кэш NORA. Это обеспечивает доступность артефактов при работе в изолированных средах без доступа к сети Интернет.
+
+### 6.1. Кэширование по lockfile
+
+```bash
+nora mirror npm --lockfile package-lock.json --registry http://localhost:4000
+nora mirror pip --lockfile requirements.txt --registry http://localhost:4000
+nora mirror cargo --lockfile Cargo.lock --registry http://localhost:4000
+```
+
+### 6.2. Кэширование по списку пакетов
+
+```bash
+nora mirror npm --packages lodash,express --registry http://localhost:4000
+nora mirror npm --packages lodash --all-versions --registry http://localhost:4000
+```
+
+### 6.3. Параметры
+
+| Флаг | Описание | По умолчанию |
+|------|----------|--------------|
+| `--registry` | URL экземпляра NORA | `http://localhost:4000` |
+| `--concurrency` | Количество параллельных загрузок | `8` |
+| `--all-versions` | Загрузить все версии (только с `--packages`) | — |
+
+---
+
+## 7. Миграция хранилища
+
+Перенос артефактов между локальным хранилищем и S3:
+
+```bash
+nora migrate --from local --to s3 --dry-run   # Просмотр
+nora migrate --from local --to s3              # Выполнение
+```
+
+---
+
+## 8. Безопасность
+
+### 8.1. Контроль целостности
+
+При проксировании npm-пакетов NORA вычисляет и сохраняет контрольную сумму SHA-256 для каждого тарбола. При повторной выдаче из кэша контрольная сумма проверяется. В случае расхождения запрос отклоняется, а в журнал записывается предупреждение уровня SECURITY.
+
+### 8.2. Защита от подмены пакетов
+
+- Валидация имён файлов при публикации (защита от обхода каталогов).
+- Проверка соответствия имени пакета в URL и теле запроса.
+- Иммутабельность версий: повторная публикация той же версии запрещена.
+
+### 8.3. Аудит
+
+Все операции (загрузка, выгрузка, обращения к кэшу, ошибки) фиксируются в файле `audit.jsonl` в каталоге хранилища. Формат — JSON Lines, одна запись на строку.
+
+### 8.4. Усиление systemd
+
+Файл сервиса содержит параметры безопасности:
+
+- `NoNewPrivileges=true` — запрет повышения привилегий.
+- `ProtectSystem=strict` — файловая система только для чтения, кроме указанных каталогов.
+- `ProtectHome=true` — запрет доступа к домашним каталогам.
+- `PrivateTmp=true` — изолированный каталог временных файлов.
+
+---
+
+## 9. Точки подключения (endpoints)
+
+| Протокол | Endpoint | Описание |
+|----------|----------|----------|
+| Docker / OCI | `/v2/` | Docker Registry V2 API |
+| npm | `/npm/` | npm-реестр (прокси + публикация) |
+| Maven | `/maven2/` | Maven-репозиторий |
+| PyPI | `/simple/` | Python Simple API (PEP 503) |
+| Cargo | `/cargo/` | Cargo-реестр |
+| Helm | `/v2/` (OCI) | Helm-чарты через OCI-протокол |
+| Raw | `/raw/` | Произвольные файлы |
+| Мониторинг | `/health`, `/ready`, `/metrics` | Проверка и метрики |
+| Интерфейс | `/ui/` | Веб-интерфейс управления |
+| Документация API | `/api-docs` | OpenAPI (Swagger UI) |
+
+---
+
+## 10. Устранение неполадок
+
+### Сервис не запускается
+
+```bash
+journalctl -u nora --no-pager -n 50
+```
+
+Частые причины: занят порт, недоступен каталог хранилища, ошибка в конфигурации.
+
+### Прокси-кэш не работает
+
+1. Проверьте доступность внешнего реестра: `curl https://registry.npmjs.org/lodash`.
+2. Убедитесь, что переменная `NORA_NPM_PROXY` задана корректно.
+3. При использовании приватного реестра укажите `NORA_NPM_PROXY_AUTH`.
+
+### Ошибка целостности (Integrity check failed)
+
+Контрольная сумма кэшированного тарбола не совпадает с сохранённой. Возможные причины: повреждение файловой системы или несанкционированное изменение файла. Удалите повреждённый файл из каталога хранилища — NORA загрузит его заново из внешнего реестра.

docs-ru/technical-spec.md

@@ -0,0 +1,165 @@
+# Технические условия
+
+## Программа «NORA — Реестр артефактов»
+
+**Версия документа:** 0.2.32
+**Дата:** 2026-03-16
+**Правообладатель:** ООО «ТАИАРС» (торговая марка АРТАИС)
+
+---
+
+## 1. Наименование и обозначение
+
+**Полное наименование:** NORA — многопротокольный реестр артефактов.
+
+**Краткое наименование:** NORA.
+
+**Обозначение:** nora-registry.
+
+---
+
+## 2. Назначение
+
+Программа предназначена для хранения, кэширования и распространения программных компонентов (артефактов), используемых при разработке, сборке и развёртывании программного обеспечения.
+
+### 2.1. Область применения
+
+- Организация внутренних репозиториев программных компонентов.
+- Проксирование и кэширование общедоступных репозиториев (npmjs.org, PyPI, Maven Central, Docker Hub, crates.io).
+- Обеспечение доступности зависимостей в изолированных средах без доступа к сети Интернет (air-gapped).
+- Контроль целостности и безопасности цепочки поставки программного обеспечения.
+
+### 2.2. Класс программного обеспечения
+
+Инструментальное программное обеспечение для разработки и DevOps.
+
+Код ОКПД2: 62.01 — Разработка компьютерного программного обеспечения.
+
+---
+
+## 3. Функциональные характеристики
+
+### 3.1. Поддерживаемые протоколы
+
+| Протокол | Стандарт | Назначение |
+|----------|----------|------------|
+| Docker / OCI | OCI Distribution Spec v1.0 | Контейнерные образы, Helm-чарты |
+| npm | npm Registry API | Библиотеки JavaScript / TypeScript |
+| Maven | Maven Repository Layout | Библиотеки Java / Kotlin |
+| PyPI | PEP 503 (Simple API) | Библиотеки Python |
+| Cargo | Cargo Registry Protocol | Библиотеки Rust |
+| Raw | HTTP PUT/GET | Произвольные файлы |
+
+### 3.2. Режимы работы
+
+1. **Хранилище (hosted):** приём и хранение артефактов, опубликованных пользователями.
+2. **Прокси-кэш (proxy):** прозрачное проксирование запросов к внешним репозиториям с локальным кэшированием.
+3. **Комбинированный:** одновременная работа в режимах хранилища и прокси-кэша (поиск сначала в локальном хранилище, затем во внешнем репозитории).
+
+### 3.3. Управление доступом
+
+- Аутентификация на основе htpasswd (bcrypt).
+- Ролевая модель: `read` (чтение), `write` (чтение и запись), `admin` (полный доступ).
+- Токены доступа с ограниченным сроком действия.
+
+### 3.4. Безопасность
+
+- Контроль целостности кэшированных артефактов (SHA-256).
+- Защита от обхода каталогов (path traversal) при публикации.
+- Проверка соответствия имени пакета в URL и теле запроса.
+- Иммутабельность опубликованных версий.
+- Аудит всех операций в формате JSON Lines.
+- Поддержка TLS при размещении за обратным прокси-сервером.
+
+### 3.5. Эксплуатация
+
+- Предварительное кэширование зависимостей (`nora mirror`) по файлам фиксации версий (lockfile).
+- Сборка мусора (`nora gc`) — удаление осиротевших блобов.
+- Резервное копирование и восстановление (`nora backup`, `nora restore`).
+- Миграция между локальным хранилищем и S3-совместимым объектным хранилищем.
+- Мониторинг: эндпоинты `/health`, `/ready`, `/metrics` (формат Prometheus).
+- Веб-интерфейс для просмотра содержимого реестра.
+- Документация API в формате OpenAPI 3.0.
+
+---
+
+## 4. Технические характеристики
+
+### 4.1. Среда исполнения
+
+| Параметр | Значение |
+|----------|----------|
+| Язык реализации | Rust |
+| Формат поставки | Единый исполняемый файл (статическая линковка) |
+| Поддерживаемые ОС | Linux (ядро 4.15+) |
+| Архитектуры | x86_64 (amd64), aarch64 (arm64) |
+| Контейнеризация | Docker-образ на базе `scratch` |
+| Системная интеграция | systemd (файл сервиса в комплекте) |
+
+### 4.2. Хранение данных
+
+| Параметр | Значение |
+|----------|----------|
+| Локальное хранилище | Файловая система (ext4, XFS, ZFS) |
+| Объектное хранилище | S3-совместимое API (MinIO, Yandex Object Storage, Selectel S3) |
+| Структура | Иерархическая: `{protocol}/{package}/{artifact}` |
+| Аудит | Append-only JSONL файл |
+
+### 4.3. Конфигурация
+
+| Источник | Приоритет |
+|----------|-----------|
+| Переменные окружения (`NORA_*`) | Высший |
+| Файл `config.toml` | Средний |
+| Значения по умолчанию | Низший |
+
+### 4.4. Производительность
+
+| Параметр | Значение |
+|----------|----------|
+| Время запуска | < 100 мс |
+| Обслуживание из кэша | < 2 мс (метаданные), < 10 мс (артефакты до 1 МБ) |
+| Параллельная обработка | Асинхронный ввод-вывод (tokio runtime) |
+| Ограничение частоты | Настраиваемое (по умолчанию 100 запросов/сек) |
+
+---
+
+## 5. Лицензирование
+
+| Компонент | Лицензия |
+|-----------|----------|
+| NORA (core) | MIT License |
+| NORA Enterprise | Проприетарная |
+
+Полный перечень лицензий включённых библиотек приведён в файле SBOM (формат CycloneDX).
+
+---
+
+## 6. Комплектность
+
+| Компонент | Описание |
+|-----------|----------|
+| `nora` | Исполняемый файл |
+| `nora.service` | Файл systemd-сервиса |
+| `nora.env.example` | Шаблон конфигурации |
+| `install.sh` | Скрипт установки |
+| `nora.cdx.json` | SBOM в формате CycloneDX |
+| Руководство администратора | Настоящий комплект документации |
+| Руководство пользователя | Настоящий комплект документации |
+| Технические условия | Настоящий документ |
+
+---
+
+## 7. Контактная информация
+
+**Правообладатель:** ООО «ТАИАРС»
+
+**Торговая марка:** АРТАИС
+
+**Сайт продукта:** https://getnora.io
+
+**Документация:** https://getnora.dev
+
+**Исходный код:** https://github.com/getnora-io/nora
+
+**Поддержка:** https://t.me/getnora

docs-ru/user-guide.md

@@ -0,0 +1,221 @@
+# Руководство пользователя NORA
+
+**Версия:** 0.2.32
+**Дата:** 2026-03-16
+**Правообладатель:** ООО «ТАИАРС» (торговая марка АРТАИС)
+
+---
+
+## 1. Общие сведения
+
+NORA — реестр артефактов для команд разработки. Программа обеспечивает хранение и кэширование библиотек, Docker-образов и иных программных компонентов, используемых при сборке приложений.
+
+Данное руководство предназначено для разработчиков, которые используют NORA в качестве источника зависимостей.
+
+---
+
+## 2. Настройка рабочего окружения
+
+### 2.1. npm / Node.js
+
+Укажите NORA в качестве реестра:
+
+```bash
+npm config set registry http://nora.example.com:4000/npm
+```
+
+Или создайте файл `.npmrc` в корне проекта:
+
+```
+registry=http://nora.example.com:4000/npm
+```
+
+После этого все команды `npm install` будут загружать пакеты через NORA. При первом обращении NORA загрузит пакет из внешнего реестра (npmjs.org) и сохранит его в кэш. Последующие обращения обслуживаются из кэша.
+
+### 2.2. Docker
+
+```bash
+docker login nora.example.com:4000
+docker pull nora.example.com:4000/library/nginx:latest
+docker push nora.example.com:4000/myteam/myapp:1.0.0
+```
+
+### 2.3. Maven
+
+Добавьте репозиторий в `settings.xml`:
+
+```xml
+<mirrors>
+  <mirror>
+    <id>nora</id>
+    <mirrorOf>central</mirrorOf>
+    <url>http://nora.example.com:4000/maven2</url>
+  </mirror>
+</mirrors>
+```
+
+### 2.4. Python / pip
+
+```bash
+pip install --index-url http://nora.example.com:4000/simple flask
+```
+
+Или в `pip.conf`:
+
+```ini
+[global]
+index-url = http://nora.example.com:4000/simple
+```
+
+### 2.5. Cargo / Rust
+
+Настройка в `~/.cargo/config.toml`:
+
+```toml
+[registries.nora]
+index = "sparse+http://nora.example.com:4000/cargo/"
+
+[source.crates-io]
+replace-with = "nora"
+```
+
+### 2.6. Helm
+
+Helm использует OCI-протокол через Docker Registry API:
+
+```bash
+helm push mychart-0.1.0.tgz oci://nora.example.com:4000/helm
+helm pull oci://nora.example.com:4000/helm/mychart --version 0.1.0
+```
+
+---
+
+## 3. Публикация пакетов
+
+### 3.1. npm
+
+```bash
+npm publish --registry http://nora.example.com:4000/npm
+```
+
+Требования:
+- Файл `package.json` с полями `name` и `version`.
+- Каждая версия публикуется однократно. Повторная публикация той же версии запрещена.
+
+### 3.2. Docker
+
+```bash
+docker tag myapp:latest nora.example.com:4000/myteam/myapp:1.0.0
+docker push nora.example.com:4000/myteam/myapp:1.0.0
+```
+
+### 3.3. Maven
+
+```bash
+mvn deploy -DaltDeploymentRepository=nora::default::http://nora.example.com:4000/maven2
+```
+
+### 3.4. Raw (произвольные файлы)
+
+```bash
+# Загрузка
+curl -X PUT --data-binary @release.tar.gz http://nora.example.com:4000/raw/builds/release-1.0.tar.gz
+
+# Скачивание
+curl -O http://nora.example.com:4000/raw/builds/release-1.0.tar.gz
+```
+
+---
+
+## 4. Работа в изолированной среде
+
+Если сборочный сервер не имеет доступа к сети Интернет, используйте предварительное кэширование.
+
+### 4.1. Кэширование зависимостей проекта
+
+На машине с доступом к Интернету и NORA выполните:
+
+```bash
+nora mirror npm --lockfile package-lock.json --registry http://nora.example.com:4000
+```
+
+После этого все зависимости из lockfile будут доступны через NORA, даже если связь с внешними реестрами отсутствует.
+
+### 4.2. Кэширование всех версий пакета
+
+```bash
+nora mirror npm --packages lodash,express --all-versions --registry http://nora.example.com:4000
+```
+
+Эта команда загрузит все опубликованные версии указанных пакетов.
+
+---
+
+## 5. Веб-интерфейс
+
+NORA предоставляет веб-интерфейс для просмотра содержимого реестра:
+
+```
+http://nora.example.com:4000/ui/
+```
+
+Доступные функции:
+- Просмотр списка артефактов по протоколам.
+- Количество версий и размер каждого пакета.
+- Журнал последних операций.
+- Метрики загрузок.
+
+---
+
+## 6. Документация API
+
+Интерактивная документация API доступна по адресу:
+
+```
+http://nora.example.com:4000/api-docs
+```
+
+Формат: OpenAPI 3.0 (Swagger UI).
+
+---
+
+## 7. Аутентификация
+
+Если администратор включил аутентификацию, для операций записи требуется токен.
+
+### 7.1. Получение токена
+
+```bash
+curl -u admin:password http://nora.example.com:4000/auth/token
+```
+
+### 7.2. Использование токена
+
+```bash
+# npm
+npm config set //nora.example.com:4000/npm/:_authToken TOKEN
+
+# Docker
+docker login nora.example.com:4000
+
+# curl
+curl -H "Authorization: Bearer TOKEN" http://nora.example.com:4000/npm/my-package
+```
+
+Операции чтения по умолчанию не требуют аутентификации (роль `read` назначается автоматически).
+
+---
+
+## 8. Часто задаваемые вопросы
+
+**В: Что произойдёт, если внешний реестр (npmjs.org) станет недоступен?**
+О: NORA продолжит обслуживать запросы из кэша. Пакеты, которые ранее не запрашивались, будут недоступны до восстановления связи. Для предотвращения такой ситуации используйте `nora mirror`.
+
+**В: Можно ли публиковать приватные пакеты?**
+О: Да. Пакеты, опубликованные через `npm publish` или `docker push`, сохраняются в локальном хранилище NORA и доступны всем пользователям данного экземпляра.
+
+**В: Как обновить кэш метаданных?**
+О: Кэш метаданных npm обновляется автоматически по истечении TTL (по умолчанию 5 минут). Для немедленного обновления удалите файл `metadata.json` из каталога хранилища.
+
+**В: Поддерживаются ли scoped-пакеты npm (@scope/package)?**
+О: Да, полностью. Например: `npm install @babel/core --registry http://nora.example.com:4000/npm`.

fuzz/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "nora-fuzz"
+version = "0.0.0"
+publish = false
+license = "MIT"
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+nora-registry = { path = "../nora-registry" }
+
+[[bin]]
+name = "fuzz_validation"
+path = "fuzz_targets/fuzz_validation.rs"
+doc = false
+
+[[bin]]
+name = "fuzz_docker_manifest"
+path = "fuzz_targets/fuzz_docker_manifest.rs"
+doc = false

fuzz/fuzz_targets/fuzz_docker_manifest.rs

@@ -0,0 +1,8 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use nora_registry::docker_fuzz::detect_manifest_media_type;
+
+fuzz_target!(|data: &[u8]| {
+    // Fuzz Docker manifest parser — must never panic on any input
+    let _ = detect_manifest_media_type(data);
+});

fuzz/fuzz_targets/fuzz_validation.rs

@@ -0,0 +1,13 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use nora_registry::validation::{
+    validate_digest, validate_docker_name, validate_docker_reference, validate_storage_key,
+};
+
+fuzz_target!(|data: &str| {
+    // Fuzz all validators — they must never panic on any input
+    let _ = validate_storage_key(data);
+    let _ = validate_docker_name(data);
+    let _ = validate_digest(data);
+    let _ = validate_docker_reference(data);
+});

logo.svg

@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 300 72" width="300" height="72">
+  <text font-family="'SF Mono', 'Fira Code', 'Cascadia Code', monospace" font-weight="800" fill="#0f172a" letter-spacing="1">
+    <tspan x="8" y="58" font-size="52">N</tspan><tspan font-size="68" dy="-10" fill="#2563EB">O</tspan><tspan font-size="52" dy="10">RA</tspan>
+  </text>
+</svg>

nora-cli/Cargo.toml

@@ -1,23 +0,0 @@
-[package]
-name = "nora-cli"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-authors.workspace = true
-repository.workspace = true
-homepage.workspace = true
-description = "CLI tool for NORA registry"
-
-[[bin]]
-name = "nora-cli"
-path = "src/main.rs"
-
-[dependencies]
-tokio.workspace = true
-reqwest.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-clap = { version = "4", features = ["derive"] }
-indicatif = "0.17"
-tar = "0.4"
-flate2 = "1.0"

nora-cli/src/main.rs

@@ -1,52 +0,0 @@
-use clap::{Parser, Subcommand};
-
-#[derive(Parser)]
-#[command(name = "nora-cli")]
-#[command(about = "CLI tool for Nora registry")]
-struct Cli {
-    #[command(subcommand)]
-    command: Commands,
-}
-
-#[derive(Subcommand)]
-enum Commands {
-    /// Login to a registry
-    Login {
-        #[arg(long)]
-        registry: String,
-        #[arg(short, long)]
-        username: String,
-    },
-    /// Push an artifact
-    Push {
-        #[arg(long)]
-        registry: String,
-        path: String,
-    },
-    /// Pull an artifact
-    Pull {
-        #[arg(long)]
-        registry: String,
-        artifact: String,
-    },
-}
-
-#[tokio::main]
-async fn main() {
-    let cli = Cli::parse();
-
-    match cli.command {
-        Commands::Login { registry, username } => {
-            println!("Logging in to {} as {}", registry, username);
-            // TODO: implement
-        }
-        Commands::Push { registry, path } => {
-            println!("Pushing {} to {}", path, registry);
-            // TODO: implement
-        }
-        Commands::Pull { registry, artifact } => {
-            println!("Pulling {} from {}", artifact, registry);
-            // TODO: implement
-        }
-    }
-}

nora-registry/Cargo.toml

@@ -10,6 +10,10 @@ description = "Cloud-Native Artifact Registry - Fast, lightweight, multi-protoco
 keywords = ["registry", "docker", "artifacts", "cloud-native", "devops"]
 categories = ["command-line-utilities", "development-tools", "web-programming"]
 
+[lib]
+name = "nora_registry"
+path = "src/lib.rs"
+
 [[bin]]
 name = "nora"
 path = "src/main.rs"
@@ -24,24 +28,39 @@ tracing-subscriber.workspace = true
 reqwest.workspace = true
 sha2.workspace = true
 async-trait.workspace = true
-toml = "0.8"
+hmac.workspace = true
+hex.workspace = true
+toml = "1.0"
 uuid = { version = "1", features = ["v4"] }
-bcrypt = "0.17"
+bcrypt = "0.19"
 base64 = "0.22"
-prometheus = "0.13"
+prometheus = "0.14"
 lazy_static = "1.5"
 httpdate = "1"
 utoipa = { version = "5", features = ["axum_extras"] }
 utoipa-swagger-ui = { version = "9", features = ["axum", "reqwest"] }
 clap = { version = "4", features = ["derive"] }
 tar = "0.4"
-flate2 = "1.0"
-indicatif = "0.17"
+flate2 = "1.1"
+indicatif = "0.18"
 chrono = { version = "0.4", features = ["serde"] }
 thiserror = "2"
 tower_governor = "0.8"
 governor = "0.10"
+parking_lot = "0.12"
+zeroize = { version = "1.8", features = ["derive"] }
+argon2 = { version = "0.5", features = ["std", "rand"] }
+tower-http = { version = "0.6", features = ["set-header"] }
+percent-encoding = "2"
 
 [dev-dependencies]
+proptest = "1"
 tempfile = "3"
 wiremock = "0.6"
+criterion = { version = "0.5", features = ["html_reports"] }
+tower = { version = "0.5", features = ["util"] }
+http-body-util = "0.1"
+
+[[bench]]
+name = "parsing"
+harness = false

nora-registry/benches/parsing.rs

@@ -0,0 +1,109 @@
+use criterion::{black_box, criterion_group, criterion_main, Criterion};
+use nora_registry::validation::{
+    validate_digest, validate_docker_name, validate_docker_reference, validate_storage_key,
+};
+
+fn bench_validation(c: &mut Criterion) {
+    let mut group = c.benchmark_group("validation");
+
+    group.bench_function("storage_key_short", |b| {
+        b.iter(|| validate_storage_key(black_box("docker/alpine/blobs/sha256:abc123")))
+    });
+
+    group.bench_function("storage_key_long", |b| {
+        let key = "maven/com/example/deep/nested/path/artifact-1.0.0-SNAPSHOT.jar";
+        b.iter(|| validate_storage_key(black_box(key)))
+    });
+
+    group.bench_function("storage_key_reject", |b| {
+        b.iter(|| validate_storage_key(black_box("../etc/passwd")))
+    });
+
+    group.bench_function("docker_name_simple", |b| {
+        b.iter(|| validate_docker_name(black_box("library/alpine")))
+    });
+
+    group.bench_function("docker_name_nested", |b| {
+        b.iter(|| validate_docker_name(black_box("my-org/sub/repo-name")))
+    });
+
+    group.bench_function("docker_name_reject", |b| {
+        b.iter(|| validate_docker_name(black_box("INVALID/NAME")))
+    });
+
+    group.bench_function("digest_sha256", |b| {
+        b.iter(|| {
+            validate_digest(black_box(
+                "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+            ))
+        })
+    });
+
+    group.bench_function("digest_reject", |b| {
+        b.iter(|| validate_digest(black_box("md5:abc")))
+    });
+
+    group.bench_function("reference_tag", |b| {
+        b.iter(|| validate_docker_reference(black_box("v1.2.3-alpine")))
+    });
+
+    group.bench_function("reference_digest", |b| {
+        b.iter(|| {
+            validate_docker_reference(black_box(
+                "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+            ))
+        })
+    });
+
+    group.finish();
+}
+
+fn bench_manifest_detection(c: &mut Criterion) {
+    let mut group = c.benchmark_group("manifest_detection");
+
+    let docker_v2 = serde_json::json!({
+        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+        "schemaVersion": 2,
+        "config": {"mediaType": "application/vnd.docker.container.image.v1+json", "digest": "sha256:abc"},
+        "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:def", "size": 1000}]
+    })
+    .to_string();
+
+    let oci_index = serde_json::json!({
+        "schemaVersion": 2,
+        "manifests": [
+            {"digest": "sha256:aaa", "platform": {"os": "linux", "architecture": "amd64"}},
+            {"digest": "sha256:bbb", "platform": {"os": "linux", "architecture": "arm64"}}
+        ]
+    })
+    .to_string();
+
+    let minimal = serde_json::json!({"schemaVersion": 2}).to_string();
+
+    group.bench_function("docker_v2_explicit", |b| {
+        b.iter(|| {
+            nora_registry::docker_fuzz::detect_manifest_media_type(black_box(docker_v2.as_bytes()))
+        })
+    });
+
+    group.bench_function("oci_index", |b| {
+        b.iter(|| {
+            nora_registry::docker_fuzz::detect_manifest_media_type(black_box(oci_index.as_bytes()))
+        })
+    });
+
+    group.bench_function("minimal_json", |b| {
+        b.iter(|| {
+            nora_registry::docker_fuzz::detect_manifest_media_type(black_box(minimal.as_bytes()))
+        })
+    });
+
+    group.bench_function("invalid_json", |b| {
+        b.iter(|| nora_registry::docker_fuzz::detect_manifest_media_type(black_box(b"not json")))
+    });
+
+    group.finish();
+}
+
+criterion_group!(benches, bench_validation, bench_manifest_detection);
+criterion_main!(benches);

nora-registry/src/activity_log.rs

@@ -0,0 +1,237 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use chrono::{DateTime, Utc};
+use parking_lot::RwLock;
+use serde::Serialize;
+use std::collections::VecDeque;
+
+/// Type of action that was performed
+#[derive(Debug, Clone, Serialize, PartialEq)]
+pub enum ActionType {
+    Pull,
+    Push,
+    CacheHit,
+    ProxyFetch,
+}
+
+impl std::fmt::Display for ActionType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            ActionType::Pull => write!(f, "PULL"),
+            ActionType::Push => write!(f, "PUSH"),
+            ActionType::CacheHit => write!(f, "CACHE"),
+            ActionType::ProxyFetch => write!(f, "PROXY"),
+        }
+    }
+}
+
+/// A single activity log entry
+#[derive(Debug, Clone, Serialize)]
+pub struct ActivityEntry {
+    pub timestamp: DateTime<Utc>,
+    pub action: ActionType,
+    pub artifact: String,
+    pub registry: String,
+    pub source: String, // "LOCAL", "PROXY", "CACHE"
+}
+
+impl ActivityEntry {
+    pub fn new(action: ActionType, artifact: String, registry: &str, source: &str) -> Self {
+        Self {
+            timestamp: Utc::now(),
+            action,
+            artifact,
+            registry: registry.to_string(),
+            source: source.to_string(),
+        }
+    }
+}
+
+/// Thread-safe activity log with bounded size
+pub struct ActivityLog {
+    entries: RwLock<VecDeque<ActivityEntry>>,
+    max_entries: usize,
+}
+
+impl ActivityLog {
+    pub fn new(max: usize) -> Self {
+        Self {
+            entries: RwLock::new(VecDeque::with_capacity(max)),
+            max_entries: max,
+        }
+    }
+
+    /// Add a new entry to the log, removing oldest if at capacity
+    pub fn push(&self, entry: ActivityEntry) {
+        let mut entries = self.entries.write();
+        if entries.len() >= self.max_entries {
+            entries.pop_front();
+        }
+        entries.push_back(entry);
+    }
+
+    /// Get the most recent N entries (newest first)
+    pub fn recent(&self, count: usize) -> Vec<ActivityEntry> {
+        let entries = self.entries.read();
+        entries.iter().rev().take(count).cloned().collect()
+    }
+
+    /// Get all entries (newest first)
+    pub fn all(&self) -> Vec<ActivityEntry> {
+        let entries = self.entries.read();
+        entries.iter().rev().cloned().collect()
+    }
+
+    /// Get the total number of entries
+    pub fn len(&self) -> usize {
+        self.entries.read().len()
+    }
+
+    /// Check if the log is empty
+    pub fn is_empty(&self) -> bool {
+        self.entries.read().is_empty()
+    }
+}
+
+impl Default for ActivityLog {
+    fn default() -> Self {
+        Self::new(50)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_action_type_display() {
+        assert_eq!(ActionType::Pull.to_string(), "PULL");
+        assert_eq!(ActionType::Push.to_string(), "PUSH");
+        assert_eq!(ActionType::CacheHit.to_string(), "CACHE");
+        assert_eq!(ActionType::ProxyFetch.to_string(), "PROXY");
+    }
+
+    #[test]
+    fn test_action_type_equality() {
+        assert_eq!(ActionType::Pull, ActionType::Pull);
+        assert_ne!(ActionType::Pull, ActionType::Push);
+    }
+
+    #[test]
+    fn test_activity_entry_new() {
+        let entry = ActivityEntry::new(
+            ActionType::Pull,
+            "nginx:latest".to_string(),
+            "docker",
+            "LOCAL",
+        );
+        assert_eq!(entry.action, ActionType::Pull);
+        assert_eq!(entry.artifact, "nginx:latest");
+        assert_eq!(entry.registry, "docker");
+        assert_eq!(entry.source, "LOCAL");
+    }
+
+    #[test]
+    fn test_activity_log_push_and_len() {
+        let log = ActivityLog::new(10);
+        assert!(log.is_empty());
+        assert_eq!(log.len(), 0);
+
+        log.push(ActivityEntry::new(
+            ActionType::Push,
+            "test:v1".to_string(),
+            "docker",
+            "LOCAL",
+        ));
+        assert!(!log.is_empty());
+        assert_eq!(log.len(), 1);
+    }
+
+    #[test]
+    fn test_activity_log_recent() {
+        let log = ActivityLog::new(10);
+        for i in 0..5 {
+            log.push(ActivityEntry::new(
+                ActionType::Pull,
+                format!("image:{}", i),
+                "docker",
+                "LOCAL",
+            ));
+        }
+
+        let recent = log.recent(3);
+        assert_eq!(recent.len(), 3);
+        // newest first
+        assert_eq!(recent[0].artifact, "image:4");
+        assert_eq!(recent[1].artifact, "image:3");
+        assert_eq!(recent[2].artifact, "image:2");
+    }
+
+    #[test]
+    fn test_activity_log_all() {
+        let log = ActivityLog::new(10);
+        for i in 0..3 {
+            log.push(ActivityEntry::new(
+                ActionType::Pull,
+                format!("pkg:{}", i),
+                "npm",
+                "PROXY",
+            ));
+        }
+
+        let all = log.all();
+        assert_eq!(all.len(), 3);
+        assert_eq!(all[0].artifact, "pkg:2"); // newest first
+    }
+
+    #[test]
+    fn test_activity_log_bounded_size() {
+        let log = ActivityLog::new(3);
+        for i in 0..5 {
+            log.push(ActivityEntry::new(
+                ActionType::Pull,
+                format!("item:{}", i),
+                "cargo",
+                "CACHE",
+            ));
+        }
+
+        assert_eq!(log.len(), 3);
+        let all = log.all();
+        // oldest entries should be dropped
+        assert_eq!(all[0].artifact, "item:4");
+        assert_eq!(all[1].artifact, "item:3");
+        assert_eq!(all[2].artifact, "item:2");
+    }
+
+    #[test]
+    fn test_activity_log_recent_more_than_available() {
+        let log = ActivityLog::new(10);
+        log.push(ActivityEntry::new(
+            ActionType::Push,
+            "one".to_string(),
+            "maven",
+            "LOCAL",
+        ));
+
+        let recent = log.recent(100);
+        assert_eq!(recent.len(), 1);
+    }
+
+    #[test]
+    fn test_activity_log_default() {
+        let log = ActivityLog::default();
+        assert!(log.is_empty());
+        // default capacity is 50
+        for i in 0..60 {
+            log.push(ActivityEntry::new(
+                ActionType::Pull,
+                format!("x:{}", i),
+                "docker",
+                "LOCAL",
+            ));
+        }
+        assert_eq!(log.len(), 50);
+    }
+}

nora-registry/src/audit.rs

@@ -0,0 +1,164 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! Persistent audit log — append-only JSONL file
+//!
+//! Records who/when/what for every registry operation.
+//! File: {storage_path}/audit.jsonl
+
+use chrono::{DateTime, Utc};
+use parking_lot::Mutex;
+use serde::Serialize;
+use std::fs::{self, OpenOptions};
+use std::io::Write;
+use std::path::PathBuf;
+use std::sync::Arc;
+use tracing::{info, warn};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct AuditEntry {
+    pub ts: DateTime<Utc>,
+    pub action: String,
+    pub actor: String,
+    pub artifact: String,
+    pub registry: String,
+    pub detail: String,
+}
+
+impl AuditEntry {
+    pub fn new(action: &str, actor: &str, artifact: &str, registry: &str, detail: &str) -> Self {
+        Self {
+            ts: Utc::now(),
+            action: action.to_string(),
+            actor: actor.to_string(),
+            artifact: artifact.to_string(),
+            registry: registry.to_string(),
+            detail: detail.to_string(),
+        }
+    }
+}
+
+pub struct AuditLog {
+    path: PathBuf,
+    writer: Arc<Mutex<Option<fs::File>>>,
+}
+
+impl AuditLog {
+    pub fn new(storage_path: &str) -> Self {
+        let path = PathBuf::from(storage_path).join("audit.jsonl");
+        let writer = match OpenOptions::new().create(true).append(true).open(&path) {
+            Ok(f) => {
+                info!(path = %path.display(), "Audit log initialized");
+                Arc::new(Mutex::new(Some(f)))
+            }
+            Err(e) => {
+                warn!(path = %path.display(), error = %e, "Failed to open audit log, auditing disabled");
+                Arc::new(Mutex::new(None))
+            }
+        };
+        Self { path, writer }
+    }
+
+    pub fn log(&self, entry: AuditEntry) {
+        let writer = Arc::clone(&self.writer);
+        tokio::task::spawn_blocking(move || {
+            if let Some(ref mut file) = *writer.lock() {
+                if let Ok(json) = serde_json::to_string(&entry) {
+                    let _ = writeln!(file, "{}", json);
+                    let _ = file.flush();
+                }
+            }
+        });
+    }
+
+    pub fn path(&self) -> &PathBuf {
+        &self.path
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+
+    #[test]
+    fn test_audit_entry_new() {
+        let entry = AuditEntry::new(
+            "push",
+            "admin",
+            "nginx:latest",
+            "docker",
+            "uploaded manifest",
+        );
+        assert_eq!(entry.action, "push");
+        assert_eq!(entry.actor, "admin");
+        assert_eq!(entry.artifact, "nginx:latest");
+        assert_eq!(entry.registry, "docker");
+        assert_eq!(entry.detail, "uploaded manifest");
+    }
+
+    #[test]
+    fn test_audit_log_new_and_path() {
+        let tmp = TempDir::new().unwrap();
+        let log = AuditLog::new(tmp.path().to_str().unwrap());
+        assert!(log.path().ends_with("audit.jsonl"));
+    }
+
+    #[tokio::test]
+    async fn test_audit_log_write_entry() {
+        let tmp = TempDir::new().unwrap();
+        let log = AuditLog::new(tmp.path().to_str().unwrap());
+
+        let entry = AuditEntry::new("pull", "user1", "lodash", "npm", "downloaded");
+        log.log(entry);
+
+        // spawn_blocking is fire-and-forget; retry until flushed (max 1s)
+        let path = log.path().clone();
+        let mut content = String::new();
+        for _ in 0..20 {
+            tokio::time::sleep(std::time::Duration::from_millis(50)).await;
+            content = std::fs::read_to_string(&path).unwrap_or_default();
+            if content.contains(r#""action":"pull""#) {
+                break;
+            }
+        }
+
+        assert!(content.contains(r#""action":"pull""#));
+        assert!(content.contains(r#""actor":"user1""#));
+        assert!(content.contains(r#""artifact":"lodash""#));
+    }
+
+    #[tokio::test]
+    async fn test_audit_log_multiple_entries() {
+        let tmp = TempDir::new().unwrap();
+        let log = AuditLog::new(tmp.path().to_str().unwrap());
+
+        log.log(AuditEntry::new("push", "admin", "a", "docker", ""));
+        log.log(AuditEntry::new("pull", "user", "b", "npm", ""));
+        log.log(AuditEntry::new("delete", "admin", "c", "maven", ""));
+
+        // Retry until all 3 entries flushed (max 1s)
+        let path = log.path().clone();
+        let mut line_count = 0;
+        for _ in 0..20 {
+            tokio::time::sleep(std::time::Duration::from_millis(50)).await;
+            if let Ok(content) = std::fs::read_to_string(&path) {
+                line_count = content.lines().count();
+                if line_count >= 3 {
+                    break;
+                }
+            }
+        }
+
+        assert_eq!(line_count, 3);
+    }
+
+    #[test]
+    fn test_audit_entry_serialization() {
+        let entry = AuditEntry::new("push", "ci", "app:v1", "docker", "ci build");
+        let json = serde_json::to_string(&entry).unwrap();
+        assert!(json.contains(r#""action":"push""#));
+        assert!(json.contains(r#""ts":""#));
+    }
+}

nora-registry/src/auth.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use axum::{
     body::Body,
     extract::State,
@@ -10,6 +13,7 @@ use std::collections::HashMap;
 use std::path::Path;
 use std::sync::Arc;
 
+use crate::tokens::Role;
 use crate::AppState;
 
 /// Htpasswd-based authentication
@@ -60,11 +64,17 @@ impl HtpasswdAuth {
 fn is_public_path(path: &str) -> bool {
     matches!(
         path,
-        "/" | "/health" | "/ready" | "/metrics" | "/v2/" | "/v2"
+        "/" | "/health"
+            | "/ready"
+            | "/metrics"
+            | "/v2/"
+            | "/v2"
+            | "/api/tokens"
+            | "/api/tokens/list"
+            | "/api/tokens/revoke"
     ) || path.starts_with("/ui")
         || path.starts_with("/api-docs")
         || path.starts_with("/api/ui")
-        || path.starts_with("/api/tokens")
 }
 
 /// Auth middleware - supports Basic auth and Bearer tokens
@@ -84,6 +94,16 @@ pub async fn auth_middleware(
         return next.run(request).await;
     }
 
+    // Allow anonymous read if configured
+    let is_read_method = matches!(
+        *request.method(),
+        axum::http::Method::GET | axum::http::Method::HEAD
+    );
+    if state.config.auth.anonymous_read && is_read_method {
+        // Read requests allowed without auth
+        return next.run(request).await;
+    }
+
     // Extract Authorization header
     let auth_header = request
         .headers()
@@ -99,7 +119,18 @@ pub async fn auth_middleware(
     if let Some(token) = auth_header.strip_prefix("Bearer ") {
         if let Some(ref token_store) = state.tokens {
             match token_store.verify_token(token) {
-                Ok(_user) => return next.run(request).await,
+                Ok((_user, role)) => {
+                    let method = request.method().clone();
+                    if (method == axum::http::Method::PUT
+                        || method == axum::http::Method::POST
+                        || method == axum::http::Method::DELETE
+                        || method == axum::http::Method::PATCH)
+                        && !role.can_write()
+                    {
+                        return (StatusCode::FORBIDDEN, "Read-only token").into_response();
+                    }
+                    return next.run(request).await;
+                }
                 Err(_) => return unauthorized_response("Invalid or expired token"),
             }
         } else {
@@ -166,6 +197,12 @@ pub struct CreateTokenRequest {
     #[serde(default = "default_ttl")]
     pub ttl_days: u64,
     pub description: Option<String>,
+    #[serde(default = "default_role_str")]
+    pub role: String,
+}
+
+fn default_role_str() -> String {
+    "read".to_string()
 }
 
 fn default_ttl() -> u64 {
@@ -185,6 +222,7 @@ pub struct TokenListItem {
     pub expires_at: u64,
     pub last_used: Option<u64>,
     pub description: Option<String>,
+    pub role: String,
 }
 
 #[derive(Serialize)]
@@ -218,7 +256,19 @@ async fn create_token(
         }
     };
 
-    match token_store.create_token(&req.username, req.ttl_days, req.description) {
+    let role = match req.role.as_str() {
+        "read" => Role::Read,
+        "write" => Role::Write,
+        "admin" => Role::Admin,
+        _ => {
+            return (
+                StatusCode::BAD_REQUEST,
+                "Invalid role. Use: read, write, admin",
+            )
+                .into_response()
+        }
+    };
+    match token_store.create_token(&req.username, req.ttl_days, req.description, role) {
         Ok(token) => Json(CreateTokenResponse {
             token,
             expires_in_days: req.ttl_days,
@@ -262,6 +312,7 @@ async fn list_tokens(
             expires_at: t.expires_at,
             last_used: t.last_used,
             description: t.description,
+            role: t.role.to_string(),
         })
         .collect();
 
@@ -315,6 +366,7 @@ pub fn token_routes() -> Router<Arc<AppState>> {
 }
 
 #[cfg(test)]
+#[allow(clippy::unwrap_used)]
 mod tests {
     use super::*;
     use std::io::Write;
@@ -352,7 +404,7 @@ mod tests {
     fn test_htpasswd_loading_with_comments() {
         let mut file = NamedTempFile::new().unwrap();
         writeln!(file, "# This is a comment").unwrap();
-        writeln!(file, "").unwrap();
+        writeln!(file).unwrap();
         let hash = bcrypt::hash("secret", 4).unwrap();
         writeln!(file, "admin:{}", hash).unwrap();
         file.flush().unwrap();
@@ -401,11 +453,17 @@ mod tests {
         assert!(is_public_path("/api/ui/stats"));
         assert!(is_public_path("/api/tokens"));
         assert!(is_public_path("/api/tokens/list"));
+        assert!(is_public_path("/api/tokens/revoke"));
 
         // Protected paths
+        assert!(!is_public_path("/api/tokens/unknown"));
+        assert!(!is_public_path("/api/tokens/admin"));
+        assert!(!is_public_path("/api/tokens/extra/path"));
         assert!(!is_public_path("/v2/myimage/blobs/sha256:abc"));
         assert!(!is_public_path("/v2/library/nginx/manifests/latest"));
-        assert!(!is_public_path("/maven2/com/example/artifact/1.0/artifact.jar"));
+        assert!(!is_public_path(
+            "/maven2/com/example/artifact/1.0/artifact.jar"
+        ));
         assert!(!is_public_path("/npm/lodash"));
     }
 
@@ -415,4 +473,185 @@ mod tests {
         assert!(hash.starts_with("$2"));
         assert!(bcrypt::verify("test123", &hash).unwrap());
     }
+
+    #[test]
+    fn test_is_public_path_health() {
+        assert!(is_public_path("/health"));
+        assert!(is_public_path("/ready"));
+        assert!(is_public_path("/metrics"));
+    }
+
+    #[test]
+    fn test_is_public_path_v2() {
+        assert!(is_public_path("/v2/"));
+        assert!(is_public_path("/v2"));
+    }
+
+    #[test]
+    fn test_is_public_path_ui() {
+        assert!(is_public_path("/ui"));
+        assert!(is_public_path("/ui/dashboard"));
+        assert!(is_public_path("/ui/repos"));
+    }
+
+    #[test]
+    fn test_is_public_path_api_docs() {
+        assert!(is_public_path("/api-docs"));
+        assert!(is_public_path("/api-docs/openapi.json"));
+        assert!(is_public_path("/api/ui"));
+    }
+
+    #[test]
+    fn test_is_public_path_tokens() {
+        assert!(is_public_path("/api/tokens"));
+        assert!(is_public_path("/api/tokens/list"));
+        assert!(is_public_path("/api/tokens/revoke"));
+    }
+
+    #[test]
+    fn test_is_public_path_root() {
+        assert!(is_public_path("/"));
+    }
+
+    #[test]
+    fn test_is_not_public_path_registry() {
+        assert!(!is_public_path("/v2/library/alpine/manifests/latest"));
+        assert!(!is_public_path("/npm/lodash"));
+        assert!(!is_public_path("/maven/com/example"));
+        assert!(!is_public_path("/pypi/simple/flask"));
+    }
+
+    #[test]
+    fn test_is_not_public_path_random() {
+        assert!(!is_public_path("/admin"));
+        assert!(!is_public_path("/secret"));
+        assert!(!is_public_path("/api/data"));
+    }
+
+    #[test]
+    fn test_default_role_str() {
+        assert_eq!(default_role_str(), "read");
+    }
+
+    #[test]
+    fn test_default_ttl() {
+        assert_eq!(default_ttl(), 30);
+    }
+
+    #[test]
+    fn test_create_token_request_defaults() {
+        let json = r#"{"username":"admin","password":"pass"}"#;
+        let req: CreateTokenRequest = serde_json::from_str(json).unwrap();
+        assert_eq!(req.username, "admin");
+        assert_eq!(req.password, "pass");
+        assert_eq!(req.ttl_days, 30);
+        assert_eq!(req.role, "read");
+        assert!(req.description.is_none());
+    }
+
+    #[test]
+    fn test_create_token_request_custom() {
+        let json = r#"{"username":"admin","password":"pass","ttl_days":90,"role":"write","description":"CI token"}"#;
+        let req: CreateTokenRequest = serde_json::from_str(json).unwrap();
+        assert_eq!(req.ttl_days, 90);
+        assert_eq!(req.role, "write");
+        assert_eq!(req.description, Some("CI token".to_string()));
+    }
+
+    #[test]
+    fn test_create_token_response_serialization() {
+        let resp = CreateTokenResponse {
+            token: "nora_abc123".to_string(),
+            expires_in_days: 30,
+        };
+        let json = serde_json::to_string(&resp).unwrap();
+        assert!(json.contains("nora_abc123"));
+        assert!(json.contains("30"));
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod integration_tests {
+    use crate::test_helpers::*;
+    use axum::http::{Method, StatusCode};
+    use base64::{engine::general_purpose::STANDARD, Engine};
+
+    #[tokio::test]
+    async fn test_auth_disabled_passes_all() {
+        let ctx = create_test_context();
+        let response = send(&ctx.app, Method::PUT, "/raw/test.txt", b"data".to_vec()).await;
+        assert_eq!(response.status(), StatusCode::CREATED);
+    }
+
+    #[tokio::test]
+    async fn test_auth_public_paths_always_pass() {
+        let ctx = create_test_context_with_auth(&[("admin", "secret")]);
+        let response = send(&ctx.app, Method::GET, "/health", "").await;
+        assert_eq!(response.status(), StatusCode::OK);
+        let response = send(&ctx.app, Method::GET, "/ready", "").await;
+        assert_eq!(response.status(), StatusCode::OK);
+        let response = send(&ctx.app, Method::GET, "/v2/", "").await;
+        assert_eq!(response.status(), StatusCode::OK);
+    }
+
+    #[tokio::test]
+    async fn test_auth_blocks_without_credentials() {
+        let ctx = create_test_context_with_auth(&[("admin", "secret")]);
+        let response = send(&ctx.app, Method::PUT, "/raw/test.txt", b"data".to_vec()).await;
+        assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
+        assert!(response.headers().contains_key("www-authenticate"));
+    }
+
+    #[tokio::test]
+    async fn test_auth_basic_works() {
+        let ctx = create_test_context_with_auth(&[("admin", "secret")]);
+        let header_val = format!("Basic {}", STANDARD.encode("admin:secret"));
+        let response = send_with_headers(
+            &ctx.app,
+            Method::PUT,
+            "/raw/test.txt",
+            vec![("authorization", &header_val)],
+            b"data".to_vec(),
+        )
+        .await;
+        assert_eq!(response.status(), StatusCode::CREATED);
+    }
+
+    #[tokio::test]
+    async fn test_auth_basic_wrong_password() {
+        let ctx = create_test_context_with_auth(&[("admin", "secret")]);
+        let header_val = format!("Basic {}", STANDARD.encode("admin:wrong"));
+        let response = send_with_headers(
+            &ctx.app,
+            Method::PUT,
+            "/raw/test.txt",
+            vec![("authorization", &header_val)],
+            b"data".to_vec(),
+        )
+        .await;
+        assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
+    }
+
+    #[tokio::test]
+    async fn test_auth_anonymous_read() {
+        let ctx = create_test_context_with_anonymous_read(&[("admin", "secret")]);
+        // Upload with auth
+        let header_val = format!("Basic {}", STANDARD.encode("admin:secret"));
+        let response = send_with_headers(
+            &ctx.app,
+            Method::PUT,
+            "/raw/test.txt",
+            vec![("authorization", &header_val)],
+            b"data".to_vec(),
+        )
+        .await;
+        assert_eq!(response.status(), StatusCode::CREATED);
+        // Read without auth should work
+        let response = send(&ctx.app, Method::GET, "/raw/test.txt", "").await;
+        assert_eq!(response.status(), StatusCode::OK);
+        // Write without auth should fail
+        let response = send(&ctx.app, Method::PUT, "/raw/test2.txt", b"data".to_vec()).await;
+        assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
+    }
 }

nora-registry/src/backup.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Backup and restore functionality for Nora
 //!
 //! Exports all artifacts to a tar.gz file and restores from backups.
@@ -297,3 +300,134 @@ fn format_bytes(bytes: u64) -> String {
         format!("{} B", bytes)
     }
 }
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_format_bytes_zero() {
+        assert_eq!(format_bytes(0), "0 B");
+    }
+
+    #[test]
+    fn test_format_bytes_bytes() {
+        assert_eq!(format_bytes(512), "512 B");
+        assert_eq!(format_bytes(1023), "1023 B");
+    }
+
+    #[test]
+    fn test_format_bytes_kilobytes() {
+        assert_eq!(format_bytes(1024), "1.00 KB");
+        assert_eq!(format_bytes(1536), "1.50 KB");
+        assert_eq!(format_bytes(10240), "10.00 KB");
+    }
+
+    #[test]
+    fn test_format_bytes_megabytes() {
+        assert_eq!(format_bytes(1048576), "1.00 MB");
+        assert_eq!(format_bytes(5 * 1024 * 1024), "5.00 MB");
+    }
+
+    #[test]
+    fn test_format_bytes_gigabytes() {
+        assert_eq!(format_bytes(1073741824), "1.00 GB");
+        assert_eq!(format_bytes(3 * 1024 * 1024 * 1024), "3.00 GB");
+    }
+
+    #[test]
+    fn test_backup_metadata_serialization() {
+        let meta = BackupMetadata {
+            version: "0.3.0".to_string(),
+            created_at: chrono::Utc::now(),
+            artifact_count: 42,
+            total_bytes: 1024000,
+            storage_backend: "local".to_string(),
+        };
+        let json = serde_json::to_string(&meta).unwrap();
+        assert!(json.contains("\"version\":\"0.3.0\""));
+        assert!(json.contains("\"artifact_count\":42"));
+        assert!(json.contains("\"storage_backend\":\"local\""));
+    }
+
+    #[test]
+    fn test_backup_metadata_deserialization() {
+        let json = r#"{
+            "version": "0.3.0",
+            "created_at": "2026-01-01T00:00:00Z",
+            "artifact_count": 10,
+            "total_bytes": 5000,
+            "storage_backend": "s3"
+        }"#;
+        let meta: BackupMetadata = serde_json::from_str(json).unwrap();
+        assert_eq!(meta.version, "0.3.0");
+        assert_eq!(meta.artifact_count, 10);
+        assert_eq!(meta.total_bytes, 5000);
+        assert_eq!(meta.storage_backend, "s3");
+    }
+
+    #[test]
+    fn test_backup_metadata_roundtrip() {
+        let meta = BackupMetadata {
+            version: "1.0.0".to_string(),
+            created_at: chrono::Utc::now(),
+            artifact_count: 100,
+            total_bytes: 999999,
+            storage_backend: "local".to_string(),
+        };
+        let json = serde_json::to_value(&meta).unwrap();
+        let restored: BackupMetadata = serde_json::from_value(json).unwrap();
+        assert_eq!(meta.version, restored.version);
+        assert_eq!(meta.artifact_count, restored.artifact_count);
+        assert_eq!(meta.total_bytes, restored.total_bytes);
+    }
+
+    #[tokio::test]
+    async fn test_create_backup_empty_storage() {
+        let dir = tempfile::tempdir().unwrap();
+        let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
+        let output = dir.path().join("backup.tar.gz");
+
+        let stats = create_backup(&storage, &output).await.unwrap();
+        assert_eq!(stats.artifact_count, 0);
+        assert_eq!(stats.total_bytes, 0);
+        assert!(output.exists());
+        assert!(stats.output_size > 0); // at least metadata.json
+    }
+
+    #[tokio::test]
+    async fn test_backup_restore_roundtrip() {
+        let dir = tempfile::tempdir().unwrap();
+        let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
+
+        // Put some test data
+        storage
+            .put("maven/com/example/1.0/test.jar", b"test-content")
+            .await
+            .unwrap();
+        storage
+            .put("docker/test/blobs/sha256:abc123", b"blob-data")
+            .await
+            .unwrap();
+
+        // Create backup
+        let backup_file = dir.path().join("backup.tar.gz");
+        let backup_stats = create_backup(&storage, &backup_file).await.unwrap();
+        assert_eq!(backup_stats.artifact_count, 2);
+
+        // Restore to different storage
+        let restore_storage = Storage::new_local(dir.path().join("restored").to_str().unwrap());
+        let restore_stats = restore_backup(&restore_storage, &backup_file)
+            .await
+            .unwrap();
+        assert_eq!(restore_stats.artifact_count, 2);
+
+        // Verify data
+        let data = restore_storage
+            .get("maven/com/example/1.0/test.jar")
+            .await
+            .unwrap();
+        assert_eq!(&data[..], b"test-content");
+    }
+}

nora-registry/src/dashboard_metrics.rs

@@ -0,0 +1,341 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use std::path::{Path, PathBuf};
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::time::Instant;
+use tracing::{info, warn};
+
+/// Known registry names for per-registry metrics
+const REGISTRIES: &[&str] = &["docker", "maven", "npm", "cargo", "pypi", "raw", "go"];
+
+/// Serializable snapshot of metrics for persistence.
+/// Uses HashMap for per-registry counters — adding a new registry only
+/// requires adding its name to REGISTRIES (one line).
+#[derive(Serialize, Deserialize, Default)]
+struct MetricsSnapshot {
+    downloads: u64,
+    uploads: u64,
+    cache_hits: u64,
+    cache_misses: u64,
+    #[serde(default)]
+    registry_downloads: HashMap<String, u64>,
+    #[serde(default)]
+    registry_uploads: HashMap<String, u64>,
+}
+
+/// Thread-safe atomic counter map for per-registry metrics.
+struct CounterMap(HashMap<String, AtomicU64>);
+
+impl CounterMap {
+    fn new(keys: &[&str]) -> Self {
+        let mut map = HashMap::with_capacity(keys.len());
+        for &k in keys {
+            map.insert(k.to_string(), AtomicU64::new(0));
+        }
+        Self(map)
+    }
+
+    fn inc(&self, key: &str) {
+        if let Some(counter) = self.0.get(key) {
+            counter.fetch_add(1, Ordering::Relaxed);
+        }
+    }
+
+    fn get(&self, key: &str) -> u64 {
+        self.0
+            .get(key)
+            .map(|c| c.load(Ordering::Relaxed))
+            .unwrap_or(0)
+    }
+
+    fn snapshot(&self) -> HashMap<String, u64> {
+        self.0
+            .iter()
+            .map(|(k, v)| (k.clone(), v.load(Ordering::Relaxed)))
+            .collect()
+    }
+
+    fn load_from(&self, data: &HashMap<String, u64>) {
+        for (k, v) in data {
+            if let Some(counter) = self.0.get(k.as_str()) {
+                counter.store(*v, Ordering::Relaxed);
+            }
+        }
+    }
+}
+
+/// Dashboard metrics for tracking registry activity.
+/// Global counters are separate fields; per-registry counters use CounterMap.
+pub struct DashboardMetrics {
+    pub downloads: AtomicU64,
+    pub uploads: AtomicU64,
+    pub cache_hits: AtomicU64,
+    pub cache_misses: AtomicU64,
+
+    registry_downloads: CounterMap,
+    registry_uploads: CounterMap,
+
+    pub start_time: Instant,
+    persist_path: Option<PathBuf>,
+}
+
+impl DashboardMetrics {
+    pub fn new() -> Self {
+        Self {
+            downloads: AtomicU64::new(0),
+            uploads: AtomicU64::new(0),
+            cache_hits: AtomicU64::new(0),
+            cache_misses: AtomicU64::new(0),
+            registry_downloads: CounterMap::new(REGISTRIES),
+            registry_uploads: CounterMap::new(REGISTRIES),
+            start_time: Instant::now(),
+            persist_path: None,
+        }
+    }
+
+    /// Create metrics with persistence — loads existing data from metrics.json
+    pub fn with_persistence(storage_path: &str) -> Self {
+        let path = Path::new(storage_path).join("metrics.json");
+        let mut metrics = Self::new();
+
+        if path.exists() {
+            match std::fs::read_to_string(&path) {
+                Ok(data) => match serde_json::from_str::<MetricsSnapshot>(&data) {
+                    Ok(snap) => {
+                        metrics.downloads = AtomicU64::new(snap.downloads);
+                        metrics.uploads = AtomicU64::new(snap.uploads);
+                        metrics.cache_hits = AtomicU64::new(snap.cache_hits);
+                        metrics.cache_misses = AtomicU64::new(snap.cache_misses);
+                        metrics
+                            .registry_downloads
+                            .load_from(&snap.registry_downloads);
+                        metrics.registry_uploads.load_from(&snap.registry_uploads);
+                        info!(
+                            downloads = snap.downloads,
+                            uploads = snap.uploads,
+                            "Loaded persisted metrics"
+                        );
+                    }
+                    Err(e) => warn!("Failed to parse metrics.json: {}", e),
+                },
+                Err(e) => warn!("Failed to read metrics.json: {}", e),
+            }
+        }
+
+        metrics.persist_path = Some(path);
+        metrics
+    }
+
+    /// Save current metrics to disk (async to avoid blocking the runtime)
+    pub async fn save(&self) {
+        let Some(path) = &self.persist_path else {
+            return;
+        };
+        let snap = MetricsSnapshot {
+            downloads: self.downloads.load(Ordering::Relaxed),
+            uploads: self.uploads.load(Ordering::Relaxed),
+            cache_hits: self.cache_hits.load(Ordering::Relaxed),
+            cache_misses: self.cache_misses.load(Ordering::Relaxed),
+            registry_downloads: self.registry_downloads.snapshot(),
+            registry_uploads: self.registry_uploads.snapshot(),
+        };
+        let tmp = path.with_extension("json.tmp");
+        if let Ok(data) = serde_json::to_string_pretty(&snap) {
+            if tokio::fs::write(&tmp, &data).await.is_ok() {
+                let _ = tokio::fs::rename(&tmp, path).await;
+            }
+        }
+    }
+
+    pub fn record_download(&self, registry: &str) {
+        self.downloads.fetch_add(1, Ordering::Relaxed);
+        self.registry_downloads.inc(registry);
+    }
+
+    pub fn record_upload(&self, registry: &str) {
+        self.uploads.fetch_add(1, Ordering::Relaxed);
+        self.registry_uploads.inc(registry);
+    }
+
+    pub fn record_cache_hit(&self) {
+        self.cache_hits.fetch_add(1, Ordering::Relaxed);
+    }
+
+    pub fn record_cache_miss(&self) {
+        self.cache_misses.fetch_add(1, Ordering::Relaxed);
+    }
+
+    pub fn cache_hit_rate(&self) -> f64 {
+        let hits = self.cache_hits.load(Ordering::Relaxed);
+        let misses = self.cache_misses.load(Ordering::Relaxed);
+        let total = hits + misses;
+        if total == 0 {
+            0.0
+        } else {
+            (hits as f64 / total as f64) * 100.0
+        }
+    }
+
+    pub fn get_registry_downloads(&self, registry: &str) -> u64 {
+        self.registry_downloads.get(registry)
+    }
+
+    pub fn get_registry_uploads(&self, registry: &str) -> u64 {
+        self.registry_uploads.get(registry)
+    }
+}
+
+impl Default for DashboardMetrics {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+
+    #[test]
+    fn test_new_defaults() {
+        let m = DashboardMetrics::new();
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 0);
+        assert_eq!(m.uploads.load(Ordering::Relaxed), 0);
+        assert_eq!(m.cache_hits.load(Ordering::Relaxed), 0);
+        assert_eq!(m.cache_misses.load(Ordering::Relaxed), 0);
+    }
+
+    #[test]
+    fn test_record_download_all_registries() {
+        let m = DashboardMetrics::new();
+        for reg in &["docker", "npm", "maven", "cargo", "pypi", "raw"] {
+            m.record_download(reg);
+        }
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 6);
+        assert_eq!(m.get_registry_downloads("docker"), 1);
+        assert_eq!(m.get_registry_downloads("npm"), 1);
+        assert_eq!(m.get_registry_downloads("maven"), 1);
+        assert_eq!(m.get_registry_downloads("cargo"), 1);
+        assert_eq!(m.get_registry_downloads("pypi"), 1);
+        assert_eq!(m.get_registry_downloads("raw"), 1);
+    }
+
+    #[test]
+    fn test_record_download_unknown_registry() {
+        let m = DashboardMetrics::new();
+        m.record_download("unknown");
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 1);
+        assert_eq!(m.get_registry_downloads("docker"), 0);
+    }
+
+    #[test]
+    fn test_record_upload() {
+        let m = DashboardMetrics::new();
+        m.record_upload("docker");
+        m.record_upload("maven");
+        m.record_upload("raw");
+        assert_eq!(m.uploads.load(Ordering::Relaxed), 3);
+        assert_eq!(m.get_registry_uploads("docker"), 1);
+        assert_eq!(m.get_registry_uploads("maven"), 1);
+        assert_eq!(m.get_registry_uploads("raw"), 1);
+    }
+
+    #[test]
+    fn test_record_upload_unknown_registry() {
+        let m = DashboardMetrics::new();
+        m.record_upload("npm");
+        assert_eq!(m.uploads.load(Ordering::Relaxed), 1);
+    }
+
+    #[test]
+    fn test_cache_hit_rate_zero() {
+        let m = DashboardMetrics::new();
+        assert_eq!(m.cache_hit_rate(), 0.0);
+    }
+
+    #[test]
+    fn test_cache_hit_rate_all_hits() {
+        let m = DashboardMetrics::new();
+        m.record_cache_hit();
+        m.record_cache_hit();
+        assert_eq!(m.cache_hit_rate(), 100.0);
+    }
+
+    #[test]
+    fn test_cache_hit_rate_mixed() {
+        let m = DashboardMetrics::new();
+        m.record_cache_hit();
+        m.record_cache_miss();
+        assert_eq!(m.cache_hit_rate(), 50.0);
+    }
+
+    #[test]
+    fn test_get_registry_downloads() {
+        let m = DashboardMetrics::new();
+        m.record_download("docker");
+        m.record_download("docker");
+        m.record_download("npm");
+        assert_eq!(m.get_registry_downloads("docker"), 2);
+        assert_eq!(m.get_registry_downloads("npm"), 1);
+        assert_eq!(m.get_registry_downloads("cargo"), 0);
+        assert_eq!(m.get_registry_downloads("unknown"), 0);
+    }
+
+    #[test]
+    fn test_get_registry_uploads() {
+        let m = DashboardMetrics::new();
+        m.record_upload("docker");
+        assert_eq!(m.get_registry_uploads("docker"), 1);
+        assert_eq!(m.get_registry_uploads("maven"), 0);
+        assert_eq!(m.get_registry_uploads("unknown"), 0);
+    }
+
+    #[tokio::test]
+    async fn test_persistence_save_and_load() {
+        let tmp = TempDir::new().unwrap();
+        let path = tmp.path().to_str().unwrap();
+
+        {
+            let m = DashboardMetrics::with_persistence(path);
+            m.record_download("docker");
+            m.record_download("docker");
+            m.record_upload("maven");
+            m.record_cache_hit();
+            m.save().await;
+        }
+
+        {
+            let m = DashboardMetrics::with_persistence(path);
+            assert_eq!(m.downloads.load(Ordering::Relaxed), 2);
+            assert_eq!(m.uploads.load(Ordering::Relaxed), 1);
+            assert_eq!(m.get_registry_downloads("docker"), 2);
+            assert_eq!(m.get_registry_uploads("maven"), 1);
+            assert_eq!(m.cache_hits.load(Ordering::Relaxed), 1);
+        }
+    }
+
+    #[test]
+    fn test_persistence_missing_file() {
+        let tmp = TempDir::new().unwrap();
+        let path = tmp.path().to_str().unwrap();
+        let m = DashboardMetrics::with_persistence(path);
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 0);
+    }
+
+    #[test]
+    fn test_default() {
+        let m = DashboardMetrics::default();
+        assert_eq!(m.downloads.load(Ordering::Relaxed), 0);
+    }
+
+    #[test]
+    fn test_go_registry_supported() {
+        let m = DashboardMetrics::new();
+        m.record_download("go");
+        assert_eq!(m.get_registry_downloads("go"), 1);
+    }
+}

nora-registry/src/error.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Application error handling with HTTP response conversion
 //!
 //! Provides a unified error type that can be converted to HTTP responses
@@ -14,6 +17,7 @@ use thiserror::Error;
 use crate::storage::StorageError;
 use crate::validation::ValidationError;
 
+#[allow(dead_code)] // Wiring into handlers planned for v0.3
 /// Application-level errors with HTTP response conversion
 #[derive(Debug, Error)]
 pub enum AppError {
@@ -36,6 +40,7 @@ pub enum AppError {
     Validation(#[from] ValidationError),
 }
 
+#[allow(dead_code)]
 /// JSON error response body
 #[derive(Serialize)]
 struct ErrorResponse {
@@ -46,11 +51,11 @@ struct ErrorResponse {
 
 impl IntoResponse for AppError {
     fn into_response(self) -> Response {
-        let (status, message) = match &self {
-            AppError::NotFound(msg) => (StatusCode::NOT_FOUND, msg.clone()),
-            AppError::BadRequest(msg) => (StatusCode::BAD_REQUEST, msg.clone()),
-            AppError::Unauthorized(msg) => (StatusCode::UNAUTHORIZED, msg.clone()),
-            AppError::Internal(msg) => (StatusCode::INTERNAL_SERVER_ERROR, msg.clone()),
+        let (status, message) = match self {
+            AppError::NotFound(msg) => (StatusCode::NOT_FOUND, msg),
+            AppError::BadRequest(msg) => (StatusCode::BAD_REQUEST, msg),
+            AppError::Unauthorized(msg) => (StatusCode::UNAUTHORIZED, msg),
+            AppError::Internal(msg) => (StatusCode::INTERNAL_SERVER_ERROR, msg),
             AppError::Storage(e) => match e {
                 StorageError::NotFound => (StatusCode::NOT_FOUND, "Resource not found".to_string()),
                 StorageError::Validation(v) => (StatusCode::BAD_REQUEST, v.to_string()),
@@ -70,6 +75,7 @@ impl IntoResponse for AppError {
     }
 }
 
+#[allow(dead_code)]
 impl AppError {
     /// Create a not found error
     pub fn not_found(msg: impl Into<String>) -> Self {
@@ -118,4 +124,77 @@ mod tests {
         let err = AppError::NotFound("image not found".to_string());
         assert_eq!(err.to_string(), "Not found: image not found");
     }
+
+    #[test]
+    fn test_error_constructors() {
+        let err = AppError::not_found("missing");
+        assert!(matches!(err, AppError::NotFound(_)));
+        assert_eq!(err.to_string(), "Not found: missing");
+
+        let err = AppError::bad_request("invalid input");
+        assert!(matches!(err, AppError::BadRequest(_)));
+        assert_eq!(err.to_string(), "Bad request: invalid input");
+
+        let err = AppError::unauthorized("no token");
+        assert!(matches!(err, AppError::Unauthorized(_)));
+        assert_eq!(err.to_string(), "Unauthorized: no token");
+
+        let err = AppError::internal("db crashed");
+        assert!(matches!(err, AppError::Internal(_)));
+        assert_eq!(err.to_string(), "Internal error: db crashed");
+    }
+
+    #[test]
+    fn test_error_display_storage() {
+        let err = AppError::Storage(StorageError::NotFound);
+        assert!(err.to_string().contains("Storage error"));
+    }
+
+    #[test]
+    fn test_error_display_validation() {
+        let err = AppError::Validation(ValidationError::PathTraversal);
+        assert!(err.to_string().contains("Validation error"));
+    }
+
+    #[test]
+    fn test_error_into_response_not_found() {
+        let err = AppError::NotFound("gone".to_string());
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[test]
+    fn test_error_into_response_bad_request() {
+        let err = AppError::BadRequest("bad".to_string());
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    }
+
+    #[test]
+    fn test_error_into_response_unauthorized() {
+        let err = AppError::Unauthorized("nope".to_string());
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
+    }
+
+    #[test]
+    fn test_error_into_response_internal() {
+        let err = AppError::Internal("boom".to_string());
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::INTERNAL_SERVER_ERROR);
+    }
+
+    #[test]
+    fn test_error_into_response_storage_not_found() {
+        let err = AppError::Storage(StorageError::NotFound);
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[test]
+    fn test_error_into_response_validation() {
+        let err = AppError::Validation(ValidationError::EmptyInput);
+        let response = err.into_response();
+        assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    }
 }

nora-registry/src/gc.rs

@@ -0,0 +1,321 @@
+//! Garbage Collection for orphaned blobs
+//!
+//! Mark-and-sweep approach:
+//! 1. List all blobs across registries
+//! 2. Parse all manifests to find referenced blobs
+//! 3. Blobs not referenced by any manifest = orphans
+//! 4. Delete orphans (with --dry-run support)
+
+use std::collections::HashSet;
+
+use tracing::info;
+
+use crate::storage::Storage;
+
+pub struct GcResult {
+    pub total_blobs: usize,
+    pub referenced_blobs: usize,
+    pub orphaned_blobs: usize,
+    pub deleted_blobs: usize,
+    pub orphan_keys: Vec<String>,
+}
+
+pub async fn run_gc(storage: &Storage, dry_run: bool) -> GcResult {
+    info!("Starting garbage collection (dry_run={})", dry_run);
+
+    // 1. Collect all blob keys
+    let all_blobs = collect_all_blobs(storage).await;
+    info!("Found {} total blobs", all_blobs.len());
+
+    // 2. Collect all referenced digests from manifests
+    let referenced = collect_referenced_digests(storage).await;
+    info!(
+        "Found {} referenced digests from manifests",
+        referenced.len()
+    );
+
+    // 3. Find orphans
+    let mut orphan_keys: Vec<String> = Vec::new();
+    for key in &all_blobs {
+        if let Some(digest) = key.rsplit('/').next() {
+            if !referenced.contains(digest) {
+                orphan_keys.push(key.clone());
+            }
+        }
+    }
+
+    info!("Found {} orphaned blobs", orphan_keys.len());
+
+    let mut deleted = 0;
+    if !dry_run {
+        for key in &orphan_keys {
+            if storage.delete(key).await.is_ok() {
+                deleted += 1;
+                info!("Deleted: {}", key);
+            }
+        }
+        info!("Deleted {} orphaned blobs", deleted);
+    } else {
+        for key in &orphan_keys {
+            info!("[dry-run] Would delete: {}", key);
+        }
+    }
+
+    GcResult {
+        total_blobs: all_blobs.len(),
+        referenced_blobs: referenced.len(),
+        orphaned_blobs: orphan_keys.len(),
+        deleted_blobs: deleted,
+        orphan_keys,
+    }
+}
+
+async fn collect_all_blobs(storage: &Storage) -> Vec<String> {
+    let mut blobs = Vec::new();
+    // Collect blobs from all registry types, not just Docker
+    for prefix in &[
+        "docker/", "maven/", "npm/", "cargo/", "pypi/", "raw/", "go/",
+    ] {
+        let keys = storage.list(prefix).await;
+        for key in keys {
+            if key.contains("/blobs/") || key.contains("/tarballs/") {
+                blobs.push(key);
+            }
+        }
+    }
+    blobs
+}
+
+async fn collect_referenced_digests(storage: &Storage) -> HashSet<String> {
+    let mut referenced = HashSet::new();
+
+    let all_keys = storage.list("docker/").await;
+    for key in &all_keys {
+        if !key.contains("/manifests/") || !key.ends_with(".json") || key.ends_with(".meta.json") {
+            continue;
+        }
+
+        if let Ok(data) = storage.get(key).await {
+            if let Ok(json) = serde_json::from_slice::<serde_json::Value>(&data) {
+                if let Some(config) = json.get("config") {
+                    if let Some(digest) = config.get("digest").and_then(|v| v.as_str()) {
+                        referenced.insert(digest.to_string());
+                    }
+                }
+
+                if let Some(layers) = json.get("layers").and_then(|v| v.as_array()) {
+                    for layer in layers {
+                        if let Some(digest) = layer.get("digest").and_then(|v| v.as_str()) {
+                            referenced.insert(digest.to_string());
+                        }
+                    }
+                }
+
+                if let Some(manifests) = json.get("manifests").and_then(|v| v.as_array()) {
+                    for m in manifests {
+                        if let Some(digest) = m.get("digest").and_then(|v| v.as_str()) {
+                            referenced.insert(digest.to_string());
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    referenced
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_gc_result_defaults() {
+        let result = GcResult {
+            total_blobs: 0,
+            referenced_blobs: 0,
+            orphaned_blobs: 0,
+            deleted_blobs: 0,
+            orphan_keys: vec![],
+        };
+        assert_eq!(result.total_blobs, 0);
+        assert!(result.orphan_keys.is_empty());
+    }
+
+    #[tokio::test]
+    async fn test_gc_empty_storage() {
+        let dir = tempfile::tempdir().unwrap();
+        let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
+
+        let result = run_gc(&storage, true).await;
+        assert_eq!(result.total_blobs, 0);
+        assert_eq!(result.referenced_blobs, 0);
+        assert_eq!(result.orphaned_blobs, 0);
+        assert_eq!(result.deleted_blobs, 0);
+    }
+
+    #[tokio::test]
+    async fn test_gc_no_orphans() {
+        let dir = tempfile::tempdir().unwrap();
+        let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
+
+        // Create a manifest that references a blob
+        let manifest = serde_json::json!({
+            "config": {"digest": "sha256:configabc"},
+            "layers": [{"digest": "sha256:layer111", "size": 100}]
+        });
+        storage
+            .put(
+                "docker/test/manifests/latest.json",
+                manifest.to_string().as_bytes(),
+            )
+            .await
+            .unwrap();
+        storage
+            .put("docker/test/blobs/sha256:configabc", b"config-data")
+            .await
+            .unwrap();
+        storage
+            .put("docker/test/blobs/sha256:layer111", b"layer-data")
+            .await
+            .unwrap();
+
+        let result = run_gc(&storage, true).await;
+        assert_eq!(result.total_blobs, 2);
+        assert_eq!(result.orphaned_blobs, 0);
+    }
+
+    #[tokio::test]
+    async fn test_gc_finds_orphans_dry_run() {
+        let dir = tempfile::tempdir().unwrap();
+        let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
+
+        // Create a manifest referencing only one blob
+        let manifest = serde_json::json!({
+            "config": {"digest": "sha256:configabc"},
+            "layers": [{"digest": "sha256:layer111", "size": 100}]
+        });
+        storage
+            .put(
+                "docker/test/manifests/latest.json",
+                manifest.to_string().as_bytes(),
+            )
+            .await
+            .unwrap();
+        storage
+            .put("docker/test/blobs/sha256:configabc", b"config-data")
+            .await
+            .unwrap();
+        storage
+            .put("docker/test/blobs/sha256:layer111", b"layer-data")
+            .await
+            .unwrap();
+        // Orphan blob (not referenced)
+        storage
+            .put("docker/test/blobs/sha256:orphan999", b"orphan-data")
+            .await
+            .unwrap();
+
+        let result = run_gc(&storage, true).await;
+        assert_eq!(result.total_blobs, 3);
+        assert_eq!(result.orphaned_blobs, 1);
+        assert_eq!(result.deleted_blobs, 0); // dry run
+        assert!(result.orphan_keys[0].contains("orphan999"));
+
+        // Verify orphan still exists (dry run)
+        assert!(storage
+            .get("docker/test/blobs/sha256:orphan999")
+            .await
+            .is_ok());
+    }
+
+    #[tokio::test]
+    async fn test_gc_deletes_orphans() {
+        let dir = tempfile::tempdir().unwrap();
+        let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
+
+        let manifest = serde_json::json!({
+            "config": {"digest": "sha256:configabc"},
+            "layers": []
+        });
+        storage
+            .put(
+                "docker/test/manifests/latest.json",
+                manifest.to_string().as_bytes(),
+            )
+            .await
+            .unwrap();
+        storage
+            .put("docker/test/blobs/sha256:configabc", b"config")
+            .await
+            .unwrap();
+        storage
+            .put("docker/test/blobs/sha256:orphan1", b"orphan")
+            .await
+            .unwrap();
+
+        let result = run_gc(&storage, false).await;
+        assert_eq!(result.orphaned_blobs, 1);
+        assert_eq!(result.deleted_blobs, 1);
+
+        // Verify orphan is gone
+        assert!(storage
+            .get("docker/test/blobs/sha256:orphan1")
+            .await
+            .is_err());
+        // Referenced blob still exists
+        assert!(storage
+            .get("docker/test/blobs/sha256:configabc")
+            .await
+            .is_ok());
+    }
+
+    #[tokio::test]
+    async fn test_gc_manifest_list_references() {
+        let dir = tempfile::tempdir().unwrap();
+        let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
+
+        // Multi-arch manifest list
+        let manifest = serde_json::json!({
+            "manifests": [
+                {"digest": "sha256:platformA", "size": 100},
+                {"digest": "sha256:platformB", "size": 200}
+            ]
+        });
+        storage
+            .put(
+                "docker/multi/manifests/latest.json",
+                manifest.to_string().as_bytes(),
+            )
+            .await
+            .unwrap();
+        storage
+            .put("docker/multi/blobs/sha256:platformA", b"arch-a")
+            .await
+            .unwrap();
+        storage
+            .put("docker/multi/blobs/sha256:platformB", b"arch-b")
+            .await
+            .unwrap();
+
+        let result = run_gc(&storage, true).await;
+        assert_eq!(result.orphaned_blobs, 0);
+    }
+
+    #[tokio::test]
+    async fn test_gc_multi_registry_blobs() {
+        let dir = tempfile::tempdir().unwrap();
+        let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
+
+        // npm tarball (not referenced by Docker manifests => orphan candidate)
+        storage
+            .put("npm/lodash/tarballs/lodash-4.17.21.tgz", b"tarball-data")
+            .await
+            .unwrap();
+
+        let result = run_gc(&storage, true).await;
+        // npm tarballs contain "tarballs/" which matches the filter
+        assert_eq!(result.total_blobs, 1);
+    }
+}

nora-registry/src/health.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use axum::{extract::State, http::StatusCode, response::Json, routing::get, Router};
 use serde::Serialize;
 use std::sync::Arc;
@@ -18,6 +21,7 @@ pub struct StorageHealth {
     pub backend: String,
     pub reachable: bool,
     pub endpoint: String,
+    pub total_size_bytes: u64,
 }
 
 #[derive(Serialize)]
@@ -37,6 +41,7 @@ pub fn routes() -> Router<Arc<AppState>> {
 
 async fn health_check(State(state): State<Arc<AppState>>) -> (StatusCode, Json<HealthStatus>) {
     let storage_reachable = check_storage_reachable(&state).await;
+    let total_size = state.storage.total_size().await;
 
     let status = if storage_reachable {
         "healthy"
@@ -57,6 +62,7 @@ async fn health_check(State(state): State<Arc<AppState>>) -> (StatusCode, Json<H
                 "s3" => state.config.storage.s3_url.clone(),
                 _ => state.config.storage.path.clone(),
             },
+            total_size_bytes: total_size,
         },
         registries: RegistriesHealth {
             docker: "ok".to_string(),
@@ -87,3 +93,72 @@ async fn readiness_check(State(state): State<Arc<AppState>>) -> StatusCode {
 async fn check_storage_reachable(state: &AppState) -> bool {
     state.storage.health_check().await
 }
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use crate::test_helpers::{body_bytes, create_test_context, send};
+    use axum::http::{Method, StatusCode};
+
+    #[tokio::test]
+    async fn test_health_returns_200() {
+        let ctx = create_test_context();
+        let response = send(&ctx.app, Method::GET, "/health", "").await;
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = body_bytes(response).await;
+        let body_str = std::str::from_utf8(&body).unwrap();
+        assert!(body_str.contains("healthy"));
+    }
+
+    #[tokio::test]
+    async fn test_health_json_has_version() {
+        let ctx = create_test_context();
+        let response = send(&ctx.app, Method::GET, "/health", "").await;
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = body_bytes(response).await;
+        let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
+        assert!(json.get("version").is_some());
+    }
+
+    #[tokio::test]
+    async fn test_health_json_has_storage_size() {
+        let ctx = create_test_context();
+
+        // Put some data to have non-zero size
+        ctx.state
+            .storage
+            .put("test/artifact", b"hello world")
+            .await
+            .unwrap();
+
+        let response = send(&ctx.app, Method::GET, "/health", "").await;
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = body_bytes(response).await;
+        let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
+
+        let storage = json.get("storage").unwrap();
+        let size = storage.get("total_size_bytes").unwrap().as_u64().unwrap();
+        assert!(
+            size > 0,
+            "total_size_bytes should be > 0 after storing data"
+        );
+    }
+
+    #[tokio::test]
+    async fn test_health_empty_storage_size_zero() {
+        let ctx = create_test_context();
+        let response = send(&ctx.app, Method::GET, "/health", "").await;
+        let body = body_bytes(response).await;
+        let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
+
+        let size = json["storage"]["total_size_bytes"].as_u64().unwrap();
+        assert_eq!(size, 0, "empty storage should report 0 bytes");
+    }
+
+    #[tokio::test]
+    async fn test_ready_returns_200() {
+        let ctx = create_test_context();
+        let response = send(&ctx.app, Method::GET, "/ready", "").await;
+        assert_eq!(response.status(), StatusCode::OK);
+    }
+}

nora-registry/src/lib.rs

@@ -0,0 +1,30 @@
+#![deny(clippy::unwrap_used)]
+#![forbid(unsafe_code)]
+//! NORA Registry — library interface for fuzzing and testing
+
+pub mod validation;
+
+/// Re-export Docker manifest parsing for fuzz targets
+pub mod docker_fuzz {
+    pub fn detect_manifest_media_type(data: &[u8]) -> String {
+        let Ok(value) = serde_json::from_slice::<serde_json::Value>(data) else {
+            return "application/octet-stream".to_string();
+        };
+        if let Some(mt) = value.get("mediaType").and_then(|v| v.as_str()) {
+            return mt.to_string();
+        }
+        if value.get("manifests").is_some() {
+            return "application/vnd.oci.image.index.v1+json".to_string();
+        }
+        if value.get("schemaVersion").and_then(|v| v.as_i64()) == Some(2) {
+            if value.get("layers").is_some() {
+                return "application/vnd.oci.image.manifest.v1+json".to_string();
+            }
+            return "application/vnd.docker.distribution.manifest.v2+json".to_string();
+        }
+        if value.get("schemaVersion").and_then(|v| v.as_i64()) == Some(1) {
+            return "application/vnd.docker.distribution.manifest.v1+json".to_string();
+        }
+        "application/vnd.docker.distribution.manifest.v2+json".to_string()
+    }
+}

nora-registry/src/main.rs

@@ -1,20 +1,34 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+#![deny(clippy::unwrap_used)]
+#![forbid(unsafe_code)]
+mod activity_log;
+mod audit;
 mod auth;
 mod backup;
 mod config;
+mod dashboard_metrics;
 mod error;
+mod gc;
 mod health;
 mod metrics;
 mod migrate;
+mod mirror;
 mod openapi;
 mod rate_limit;
 mod registry;
+mod repo_index;
 mod request_id;
+mod secrets;
 mod storage;
 mod tokens;
 mod ui;
 mod validation;
 
-use axum::{extract::DefaultBodyLimit, middleware, Router};
+#[cfg(test)]
+mod test_helpers;
+
+use axum::{extract::DefaultBodyLimit, http::HeaderValue, middleware, Router};
 use clap::{Parser, Subcommand};
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
@@ -23,17 +37,20 @@ use tokio::signal;
 use tracing::{error, info, warn};
 use tracing_subscriber::{fmt, prelude::*, EnvFilter};
 
+use activity_log::ActivityLog;
+use audit::AuditLog;
 use auth::HtpasswdAuth;
 use config::{Config, StorageMode};
+use dashboard_metrics::DashboardMetrics;
+use repo_index::RepoIndex;
 pub use storage::Storage;
 use tokens::TokenStore;
 
+use parking_lot::RwLock;
+use std::collections::HashMap;
+
 #[derive(Parser)]
-#[command(
-    name = "nora",
-    version,
-    about = "Multi-protocol artifact registry"
-)]
+#[command(name = "nora", version, about = "Multi-protocol artifact registry")]
 struct Cli {
     #[command(subcommand)]
     command: Option<Commands>,
@@ -55,6 +72,12 @@ enum Commands {
         #[arg(short, long)]
         input: PathBuf,
     },
+    /// Garbage collect orphaned blobs
+    Gc {
+        /// Dry run - show what would be deleted without deleting
+        #[arg(long, default_value = "false")]
+        dry_run: bool,
+    },
     /// Migrate artifacts between storage backends
     Migrate {
         /// Source storage: local or s3
@@ -67,6 +90,20 @@ enum Commands {
         #[arg(long, default_value = "false")]
         dry_run: bool,
     },
+    /// Pre-fetch dependencies through NORA proxy cache
+    Mirror {
+        #[command(subcommand)]
+        format: mirror::MirrorFormat,
+        /// NORA registry URL
+        #[arg(long, default_value = "http://localhost:4000", global = true)]
+        registry: String,
+        /// Max concurrent downloads
+        #[arg(long, default_value = "8", global = true)]
+        concurrency: usize,
+        /// Output results as JSON (for CI pipelines)
+        #[arg(long, global = true)]
+        json: bool,
+    },
 }
 
 pub struct AppState {
@@ -75,6 +112,13 @@ pub struct AppState {
     pub start_time: Instant,
     pub auth: Option<HtpasswdAuth>,
     pub tokens: Option<TokenStore>,
+    pub metrics: DashboardMetrics,
+    pub activity: ActivityLog,
+    pub audit: AuditLog,
+    pub docker_auth: registry::DockerAuth,
+    pub repo_index: RepoIndex,
+    pub http_client: reqwest::Client,
+    pub upload_sessions: Arc<RwLock<HashMap<String, registry::docker::UploadSession>>>,
 }
 
 #[tokio::main]
@@ -100,10 +144,18 @@ async fn main() {
                 info!(
                     s3_url = %config.storage.s3_url,
                     bucket = %config.storage.bucket,
+                    region = %config.storage.s3_region,
+                    has_credentials = config.storage.s3_access_key.is_some(),
                     "Using S3 storage"
                 );
             }
-            Storage::new_s3(&config.storage.s3_url, &config.storage.bucket)
+            Storage::new_s3(
+                &config.storage.s3_url,
+                &config.storage.bucket,
+                &config.storage.s3_region,
+                config.storage.s3_access_key.as_deref(),
+                config.storage.s3_secret_key.as_deref(),
+            )
         }
     };
 
@@ -124,10 +176,38 @@ async fn main() {
                 std::process::exit(1);
             }
         }
+        Some(Commands::Gc { dry_run }) => {
+            let result = gc::run_gc(&storage, dry_run).await;
+            println!("GC Summary:");
+            println!("  Total blobs:      {}", result.total_blobs);
+            println!("  Referenced:        {}", result.referenced_blobs);
+            println!("  Orphaned:          {}", result.orphaned_blobs);
+            println!("  Deleted:           {}", result.deleted_blobs);
+            if dry_run && !result.orphan_keys.is_empty() {
+                println!("\nRun without --dry-run to delete orphaned blobs.");
+            }
+        }
+        Some(Commands::Mirror {
+            format,
+            registry,
+            concurrency,
+            json,
+        }) => {
+            if let Err(e) = mirror::run_mirror(format, &registry, concurrency, json).await {
+                error!("Mirror failed: {}", e);
+                std::process::exit(1);
+            }
+        }
         Some(Commands::Migrate { from, to, dry_run }) => {
             let source = match from.as_str() {
                 "local" => Storage::new_local(&config.storage.path),
-                "s3" => Storage::new_s3(&config.storage.s3_url, &config.storage.bucket),
+                "s3" => Storage::new_s3(
+                    &config.storage.s3_url,
+                    &config.storage.bucket,
+                    &config.storage.s3_region,
+                    config.storage.s3_access_key.as_deref(),
+                    config.storage.s3_secret_key.as_deref(),
+                ),
                 _ => {
                     error!("Invalid source: '{}'. Use 'local' or 's3'", from);
                     std::process::exit(1);
@@ -136,7 +216,13 @@ async fn main() {
 
             let dest = match to.as_str() {
                 "local" => Storage::new_local(&config.storage.path),
-                "s3" => Storage::new_s3(&config.storage.s3_url, &config.storage.bucket),
+                "s3" => Storage::new_s3(
+                    &config.storage.s3_url,
+                    &config.storage.bucket,
+                    &config.storage.s3_region,
+                    config.storage.s3_access_key.as_deref(),
+                    config.storage.s3_secret_key.as_deref(),
+                ),
                 _ => {
                     error!("Invalid destination: '{}'. Use 'local' or 's3'", to);
                     std::process::exit(1);
@@ -177,6 +263,37 @@ fn init_logging(json_format: bool) {
 async fn run_server(config: Config, storage: Storage) {
     let start_time = Instant::now();
 
+    // Log rate limiting configuration
+    info!(
+        enabled = config.rate_limit.enabled,
+        auth_rps = config.rate_limit.auth_rps,
+        auth_burst = config.rate_limit.auth_burst,
+        upload_rps = config.rate_limit.upload_rps,
+        upload_burst = config.rate_limit.upload_burst,
+        general_rps = config.rate_limit.general_rps,
+        general_burst = config.rate_limit.general_burst,
+        "Rate limiting configured"
+    );
+
+    // Initialize secrets provider
+    let secrets_provider = match secrets::create_secrets_provider(&config.secrets) {
+        Ok(provider) => {
+            info!(
+                provider = provider.provider_name(),
+                clear_env = config.secrets.clear_env,
+                "Secrets provider initialized"
+            );
+            Some(provider)
+        }
+        Err(e) => {
+            warn!(error = %e, "Failed to initialize secrets provider, using defaults");
+            None
+        }
+    };
+
+    // Store secrets provider for future use (S3 credentials, etc.)
+    let _secrets = secrets_provider;
+
     // Load auth if enabled
     let auth = if config.auth.enabled {
         let path = Path::new(&config.auth.htpasswd_file);
@@ -203,35 +320,91 @@ async fn run_server(config: Config, storage: Storage) {
         None
     };
 
-    let state = Arc::new(AppState {
-        storage,
-        config,
-        start_time,
-        auth,
-        tokens,
-    });
+    let storage_path = config.storage.path.clone();
+    let rate_limit_enabled = config.rate_limit.enabled;
 
-    // Token routes with strict rate limiting (brute-force protection)
-    let auth_routes = auth::token_routes().layer(rate_limit::auth_rate_limiter());
+    // Warn about plaintext credentials in config.toml
+    config.warn_plaintext_credentials();
 
-    // Registry routes with upload rate limiting
+    // Initialize Docker auth with proxy timeout
+    let docker_auth = registry::DockerAuth::new(config.docker.proxy_timeout);
+
+    let http_client = reqwest::Client::new();
+
+    // Registry routes (shared between rate-limited and non-limited paths)
     let registry_routes = Router::new()
         .merge(registry::docker_routes())
         .merge(registry::maven_routes())
         .merge(registry::npm_routes())
         .merge(registry::cargo_routes())
         .merge(registry::pypi_routes())
-        .layer(rate_limit::upload_rate_limiter());
+        .merge(registry::raw_routes())
+        .merge(registry::go_routes());
 
-    let app = Router::new()
+    // Routes WITHOUT rate limiting (health, metrics, UI)
+    let public_routes = Router::new()
         .merge(health::routes())
         .merge(metrics::routes())
         .merge(ui::routes())
-        .merge(openapi::routes())
-        .merge(auth_routes)
-        .merge(registry_routes)
-        .layer(rate_limit::general_rate_limiter()) // General rate limit for all routes
-        .layer(DefaultBodyLimit::max(100 * 1024 * 1024)) // 100MB default body limit
+        .merge(openapi::routes());
+
+    let app_routes = if rate_limit_enabled {
+        // Create rate limiters before moving config to state
+        let auth_limiter = rate_limit::auth_rate_limiter(&config.rate_limit);
+        let upload_limiter = rate_limit::upload_rate_limiter(&config.rate_limit);
+        let general_limiter = rate_limit::general_rate_limiter(&config.rate_limit);
+
+        let auth_routes = auth::token_routes().layer(auth_limiter);
+        let limited_registry = registry_routes.layer(upload_limiter);
+
+        Router::new()
+            .merge(auth_routes)
+            .merge(limited_registry)
+            .layer(general_limiter)
+    } else {
+        info!("Rate limiting DISABLED");
+        Router::new()
+            .merge(auth::token_routes())
+            .merge(registry_routes)
+    };
+
+    let state = Arc::new(AppState {
+        storage,
+        config,
+        start_time,
+        auth,
+        tokens,
+        metrics: DashboardMetrics::with_persistence(&storage_path),
+        activity: ActivityLog::new(50),
+        audit: AuditLog::new(&storage_path),
+        docker_auth,
+        repo_index: RepoIndex::new(),
+        http_client,
+        upload_sessions: Arc::new(RwLock::new(HashMap::new())),
+    });
+
+    let app = Router::new()
+        .merge(public_routes)
+        .merge(app_routes)
+        .layer(DefaultBodyLimit::max(
+            state.config.server.body_limit_mb * 1024 * 1024,
+        ))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
+            axum::http::header::HeaderName::from_static("x-content-type-options"),
+            HeaderValue::from_static("nosniff"),
+        ))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
+            axum::http::header::HeaderName::from_static("x-frame-options"),
+            HeaderValue::from_static("DENY"),
+        ))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
+            axum::http::header::HeaderName::from_static("referrer-policy"),
+            HeaderValue::from_static("strict-origin-when-cross-origin"),
+        ))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
+            axum::http::header::HeaderName::from_static("content-security-policy"),
+            HeaderValue::from_static("default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'"),
+        ))
         .layer(middleware::from_fn(request_id::request_id_middleware))
         .layer(middleware::from_fn(metrics::metrics_middleware))
         .layer(middleware::from_fn_with_state(
@@ -250,6 +423,7 @@ async fn run_server(config: Config, storage: Storage) {
         version = env!("CARGO_PKG_VERSION"),
         storage = state.storage.backend_name(),
         auth_enabled = state.auth.is_some(),
+        body_limit_mb = state.config.server.body_limit_mb,
         "Nora started"
     );
 
@@ -264,9 +438,24 @@ async fn run_server(config: Config, storage: Storage) {
         npm = "/npm/",
         cargo = "/cargo/",
         pypi = "/simple/",
+        raw = "/raw/",
         "Available endpoints"
     );
 
+    // Background task: persist metrics and flush token last_used every 30 seconds
+    let metrics_state = state.clone();
+    tokio::spawn(async move {
+        let mut interval = tokio::time::interval(std::time::Duration::from_secs(30));
+        loop {
+            interval.tick().await;
+            metrics_state.metrics.save().await;
+            if let Some(ref token_store) = metrics_state.tokens {
+                token_store.flush_last_used().await;
+            }
+            registry::docker::cleanup_expired_sessions(&metrics_state.upload_sessions);
+        }
+    });
+
     // Graceful shutdown on SIGTERM/SIGINT
     axum::serve(
         listener,
@@ -276,6 +465,9 @@ async fn run_server(config: Config, storage: Storage) {
     .await
     .expect("Server error");
 
+    // Save metrics on shutdown
+    state.metrics.save().await;
+
     info!(
         uptime_seconds = state.start_time.elapsed().as_secs(),
         "Nora shutdown complete"

nora-registry/src/metrics.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use axum::{
     body::Body,
     extract::MatchedPath,
@@ -23,7 +26,7 @@ lazy_static! {
         "nora_http_requests_total",
         "Total number of HTTP requests",
         &["registry", "method", "status"]
-    ).expect("metric can be created");
+    ).expect("failed to create HTTP_REQUESTS_TOTAL metric at startup");
 
     /// HTTP request duration histogram
     pub static ref HTTP_REQUEST_DURATION: HistogramVec = register_histogram_vec!(
@@ -31,28 +34,28 @@ lazy_static! {
         "HTTP request latency in seconds",
         &["registry", "method"],
         vec![0.001, 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0, 10.0]
-    ).expect("metric can be created");
+    ).expect("failed to create HTTP_REQUEST_DURATION metric at startup");
 
     /// Cache requests counter (hit/miss)
     pub static ref CACHE_REQUESTS: IntCounterVec = register_int_counter_vec!(
         "nora_cache_requests_total",
         "Total cache requests",
         &["registry", "result"]
-    ).expect("metric can be created");
+    ).expect("failed to create CACHE_REQUESTS metric at startup");
 
     /// Storage operations counter
     pub static ref STORAGE_OPERATIONS: IntCounterVec = register_int_counter_vec!(
         "nora_storage_operations_total",
         "Total storage operations",
         &["operation", "status"]
-    ).expect("metric can be created");
+    ).expect("failed to create STORAGE_OPERATIONS metric at startup");
 
     /// Artifacts count by registry
     pub static ref ARTIFACTS_TOTAL: IntCounterVec = register_int_counter_vec!(
         "nora_artifacts_total",
         "Total artifacts stored",
         &["registry"]
-    ).expect("metric can be created");
+    ).expect("failed to create ARTIFACTS_TOTAL metric at startup");
 }
 
 /// Routes for metrics endpoint
@@ -145,3 +148,85 @@ pub fn record_storage_op(operation: &str, success: bool) {
         .with_label_values(&[operation, status])
         .inc();
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_detect_registry_docker() {
+        assert_eq!(detect_registry("/v2/nginx/manifests/latest"), "docker");
+        assert_eq!(detect_registry("/v2/"), "docker");
+        assert_eq!(
+            detect_registry("/v2/library/alpine/blobs/sha256:abc"),
+            "docker"
+        );
+    }
+
+    #[test]
+    fn test_detect_registry_maven() {
+        assert_eq!(detect_registry("/maven2/com/example/artifact"), "maven");
+    }
+
+    #[test]
+    fn test_detect_registry_npm() {
+        assert_eq!(detect_registry("/npm/lodash"), "npm");
+        assert_eq!(detect_registry("/npm/@scope/package"), "npm");
+    }
+
+    #[test]
+    fn test_detect_registry_cargo_path() {
+        assert_eq!(detect_registry("/cargo/api/v1/crates"), "cargo");
+    }
+
+    #[test]
+    fn test_detect_registry_pypi() {
+        assert_eq!(detect_registry("/simple/requests/"), "pypi");
+        assert_eq!(
+            detect_registry("/packages/requests/1.0/requests-1.0.tar.gz"),
+            "pypi"
+        );
+    }
+
+    #[test]
+    fn test_detect_registry_ui() {
+        assert_eq!(detect_registry("/ui/dashboard"), "ui");
+        assert_eq!(detect_registry("/ui"), "ui");
+    }
+
+    #[test]
+    fn test_detect_registry_other() {
+        assert_eq!(detect_registry("/health"), "other");
+        assert_eq!(detect_registry("/ready"), "other");
+        assert_eq!(detect_registry("/unknown/path"), "other");
+    }
+
+    #[test]
+    fn test_detect_registry_go_path() {
+        assert_eq!(
+            detect_registry("/go/github.com/user/repo/@v/v1.0.0.info"),
+            "other"
+        );
+    }
+
+    #[test]
+    fn test_record_cache_hit() {
+        record_cache_hit("docker");
+        // Doesn't panic — metric is recorded
+    }
+
+    #[test]
+    fn test_record_cache_miss() {
+        record_cache_miss("npm");
+    }
+
+    #[test]
+    fn test_record_storage_op_success() {
+        record_storage_op("get", true);
+    }
+
+    #[test]
+    fn test_record_storage_op_error() {
+        record_storage_op("put", false);
+    }
+}

nora-registry/src/migrate.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Migration between storage backends
 //!
 //! Supports migrating artifacts from one storage backend to another
@@ -8,17 +11,12 @@ use indicatif::{ProgressBar, ProgressStyle};
 use tracing::{info, warn};
 
 /// Migration options
+#[derive(Default)]
 pub struct MigrateOptions {
     /// If true, show what would be migrated without copying
     pub dry_run: bool,
 }
 
-impl Default for MigrateOptions {
-    fn default() -> Self {
-        Self { dry_run: false }
-    }
-}
-
 /// Migration statistics
 #[derive(Debug, Default)]
 pub struct MigrateStats {
@@ -64,7 +62,9 @@ pub async fn migrate(
     let pb = ProgressBar::new(keys.len() as u64);
     pb.set_style(
         ProgressStyle::default_bar()
-            .template("{spinner:.green} [{elapsed_precise}] [{bar:40.cyan/blue}] {pos}/{len} ({eta})")
+            .template(
+                "{spinner:.green} [{elapsed_precise}] [{bar:40.cyan/blue}] {pos}/{len} ({eta})",
+            )
             .expect("Invalid progress bar template")
             .progress_chars("#>-"),
     );
@@ -138,6 +138,7 @@ pub async fn migrate(
 }
 
 #[cfg(test)]
+#[allow(clippy::unwrap_used)]
 mod tests {
     use super::*;
     use tempfile::TempDir;
@@ -201,16 +202,9 @@ mod tests {
 
         src.put("test/file", b"data").await.unwrap();
 
-        let stats = migrate(
-            &src,
-            &dst,
-            MigrateOptions {
-                dry_run: true,
-                ..Default::default()
-            },
-        )
-        .await
-        .unwrap();
+        let stats = migrate(&src, &dst, MigrateOptions { dry_run: true })
+            .await
+            .unwrap();
 
         assert_eq!(stats.migrated, 1);
 

nora-registry/src/mirror/docker.rs

@@ -0,0 +1,610 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! Docker image mirroring — fetch images from upstream registries and push to NORA.
+
+use super::{create_progress_bar, MirrorResult};
+use crate::registry::docker_auth::DockerAuth;
+use reqwest::Client;
+use std::time::Duration;
+
+const DEFAULT_REGISTRY: &str = "https://registry-1.docker.io";
+const DEFAULT_TIMEOUT: u64 = 120;
+
+/// Parsed Docker image reference
+#[derive(Debug, Clone, PartialEq)]
+pub struct ImageRef {
+    /// Upstream registry (e.g., "registry-1.docker.io", "ghcr.io")
+    pub registry: String,
+    /// Image name (e.g., "library/alpine", "grafana/grafana")
+    pub name: String,
+    /// Tag or digest reference (e.g., "3.20", "sha256:abc...")
+    pub reference: String,
+}
+
+/// Parse an image reference string into structured components.
+///
+/// Supports formats:
+/// - `alpine:3.20` → Docker Hub library/alpine:3.20
+/// - `grafana/grafana:latest` → Docker Hub grafana/grafana:latest
+/// - `ghcr.io/owner/repo:v1` → ghcr.io owner/repo:v1
+/// - `alpine@sha256:abc` → Docker Hub library/alpine@sha256:abc
+/// - `alpine` → Docker Hub library/alpine:latest
+pub fn parse_image_ref(input: &str) -> ImageRef {
+    let input = input.trim();
+
+    // Split off @digest or :tag
+    let (name_part, reference) = if let Some(idx) = input.rfind('@') {
+        (&input[..idx], &input[idx + 1..])
+    } else if let Some(idx) = input.rfind(':') {
+        // Make sure colon is not part of a port (e.g., localhost:5000/image)
+        let before_colon = &input[..idx];
+        if let Some(last_slash) = before_colon.rfind('/') {
+            let segment_after_slash = &input[last_slash + 1..];
+            if segment_after_slash.contains(':') {
+                // Colon in last segment — tag separator
+                (&input[..idx], &input[idx + 1..])
+            } else {
+                // Colon in earlier segment (port) — no tag
+                (input, "latest")
+            }
+        } else {
+            (&input[..idx], &input[idx + 1..])
+        }
+    } else {
+        (input, "latest")
+    };
+
+    // Determine if first segment is a registry hostname
+    let parts: Vec<&str> = name_part.splitn(2, '/').collect();
+
+    let (registry, name) = if parts.len() == 1 {
+        // Simple name like "alpine" → Docker Hub library/
+        (
+            DEFAULT_REGISTRY.to_string(),
+            format!("library/{}", parts[0]),
+        )
+    } else {
+        let first = parts[0];
+        // A segment is a registry if it contains a dot or colon (hostname/port)
+        if first.contains('.') || first.contains(':') {
+            let reg = if first.starts_with("http") {
+                first.to_string()
+            } else {
+                format!("https://{}", first)
+            };
+            (reg, parts[1].to_string())
+        } else {
+            // Docker Hub with org, e.g., "grafana/grafana"
+            (DEFAULT_REGISTRY.to_string(), name_part.to_string())
+        }
+    };
+
+    ImageRef {
+        registry,
+        name,
+        reference: reference.to_string(),
+    }
+}
+
+/// Parse a list of image references from a newline-separated string.
+pub fn parse_images_file(content: &str) -> Vec<ImageRef> {
+    content
+        .lines()
+        .map(|l| l.trim())
+        .filter(|l| !l.is_empty() && !l.starts_with('#'))
+        .map(parse_image_ref)
+        .collect()
+}
+
+/// Mirror Docker images from upstream registries into NORA.
+pub async fn run_docker_mirror(
+    client: &Client,
+    nora_url: &str,
+    images: &[ImageRef],
+    concurrency: usize,
+) -> Result<MirrorResult, String> {
+    let docker_auth = DockerAuth::new(DEFAULT_TIMEOUT);
+    let semaphore = std::sync::Arc::new(tokio::sync::Semaphore::new(concurrency));
+
+    let pb = create_progress_bar(images.len() as u64);
+    let nora_base = nora_url.trim_end_matches('/');
+
+    let mut total_fetched = 0usize;
+    let mut total_failed = 0usize;
+    let mut total_bytes = 0u64;
+
+    for image in images {
+        let _permit = semaphore.acquire().await.map_err(|e| e.to_string())?;
+        pb.set_message(format!("{}:{}", image.name, image.reference));
+
+        match mirror_single_image(client, nora_base, image, &docker_auth).await {
+            Ok(bytes) => {
+                total_fetched += 1;
+                total_bytes += bytes;
+            }
+            Err(e) => {
+                tracing::warn!(
+                    image = %format!("{}/{}:{}", image.registry, image.name, image.reference),
+                    error = %e,
+                    "Failed to mirror image"
+                );
+                total_failed += 1;
+            }
+        }
+        pb.inc(1);
+    }
+
+    pb.finish_with_message("done");
+
+    Ok(MirrorResult {
+        total: images.len(),
+        fetched: total_fetched,
+        failed: total_failed,
+        bytes: total_bytes,
+    })
+}
+
+/// Mirror a single image: fetch manifest + blobs from upstream, push to NORA.
+async fn mirror_single_image(
+    client: &Client,
+    nora_base: &str,
+    image: &ImageRef,
+    docker_auth: &DockerAuth,
+) -> Result<u64, String> {
+    let mut bytes = 0u64;
+
+    // 1. Fetch manifest from upstream
+    let (manifest_bytes, content_type) = crate::registry::docker::fetch_manifest_from_upstream(
+        client,
+        &image.registry,
+        &image.name,
+        &image.reference,
+        docker_auth,
+        DEFAULT_TIMEOUT,
+        None,
+    )
+    .await
+    .map_err(|()| format!("Failed to fetch manifest for {}", image.name))?;
+
+    bytes += manifest_bytes.len() as u64;
+
+    // 2. Parse manifest to find layer digests
+    let manifest_json: serde_json::Value = serde_json::from_slice(&manifest_bytes)
+        .map_err(|e| format!("Invalid manifest JSON: {}", e))?;
+
+    // Check if this is a manifest list / OCI index
+    let manifests_to_process = if is_manifest_list(&content_type, &manifest_json) {
+        // Pick linux/amd64 manifest from the list
+        resolve_platform_manifest(
+            client,
+            &image.registry,
+            &image.name,
+            docker_auth,
+            &manifest_json,
+        )
+        .await?
+    } else {
+        vec![(
+            manifest_bytes.clone(),
+            manifest_json.clone(),
+            content_type.clone(),
+        )]
+    };
+
+    for (mf_bytes, mf_json, mf_ct) in &manifests_to_process {
+        // 3. Get config digest and layer digests
+        let blobs = extract_blob_digests(mf_json);
+
+        // 4. For each blob, check if NORA already has it, otherwise fetch and push
+        for digest in &blobs {
+            if blob_exists(client, nora_base, &image.name, digest).await {
+                tracing::debug!(digest = %digest, "Blob already exists, skipping");
+                continue;
+            }
+
+            let blob_data = crate::registry::docker::fetch_blob_from_upstream(
+                client,
+                &image.registry,
+                &image.name,
+                digest,
+                docker_auth,
+                DEFAULT_TIMEOUT,
+                None,
+            )
+            .await
+            .map_err(|()| format!("Failed to fetch blob {}", digest))?;
+
+            bytes += blob_data.len() as u64;
+            push_blob(client, nora_base, &image.name, digest, &blob_data).await?;
+        }
+
+        // 5. Push manifest to NORA
+        push_manifest(
+            client,
+            nora_base,
+            &image.name,
+            &image.reference,
+            mf_bytes,
+            mf_ct,
+        )
+        .await?;
+    }
+
+    // If this was a manifest list, also push the list itself
+    if manifests_to_process.len() > 1 || is_manifest_list(&content_type, &manifest_json) {
+        push_manifest(
+            client,
+            nora_base,
+            &image.name,
+            &image.reference,
+            &manifest_bytes,
+            &content_type,
+        )
+        .await?;
+    }
+
+    Ok(bytes)
+}
+
+/// Check if a manifest is a manifest list (fat manifest) or OCI index.
+fn is_manifest_list(content_type: &str, json: &serde_json::Value) -> bool {
+    content_type.contains("manifest.list")
+        || content_type.contains("image.index")
+        || json.get("manifests").is_some()
+}
+
+/// From a manifest list, resolve the linux/amd64 platform manifest.
+async fn resolve_platform_manifest(
+    client: &Client,
+    upstream_url: &str,
+    name: &str,
+    docker_auth: &DockerAuth,
+    list_json: &serde_json::Value,
+) -> Result<Vec<(Vec<u8>, serde_json::Value, String)>, String> {
+    let manifests = list_json
+        .get("manifests")
+        .and_then(|m| m.as_array())
+        .ok_or("Manifest list has no manifests array")?;
+
+    // Find linux/amd64 manifest
+    let target = manifests
+        .iter()
+        .find(|m| {
+            let platform = m.get("platform");
+            let os = platform
+                .and_then(|p| p.get("os"))
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            let arch = platform
+                .and_then(|p| p.get("architecture"))
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            os == "linux" && arch == "amd64"
+        })
+        .or_else(|| manifests.first())
+        .ok_or("No suitable platform manifest found")?;
+
+    let digest = target
+        .get("digest")
+        .and_then(|d| d.as_str())
+        .ok_or("Manifest entry missing digest")?;
+
+    let (mf_bytes, mf_ct) = crate::registry::docker::fetch_manifest_from_upstream(
+        client,
+        upstream_url,
+        name,
+        digest,
+        docker_auth,
+        DEFAULT_TIMEOUT,
+        None,
+    )
+    .await
+    .map_err(|()| format!("Failed to fetch platform manifest {}", digest))?;
+
+    let mf_json: serde_json::Value = serde_json::from_slice(&mf_bytes)
+        .map_err(|e| format!("Invalid platform manifest: {}", e))?;
+
+    Ok(vec![(mf_bytes, mf_json, mf_ct)])
+}
+
+/// Extract all blob digests from a manifest (config + layers).
+fn extract_blob_digests(manifest: &serde_json::Value) -> Vec<String> {
+    let mut digests = Vec::new();
+
+    // Config blob
+    if let Some(digest) = manifest
+        .get("config")
+        .and_then(|c| c.get("digest"))
+        .and_then(|d| d.as_str())
+    {
+        digests.push(digest.to_string());
+    }
+
+    // Layer blobs
+    if let Some(layers) = manifest.get("layers").and_then(|l| l.as_array()) {
+        for layer in layers {
+            if let Some(digest) = layer.get("digest").and_then(|d| d.as_str()) {
+                digests.push(digest.to_string());
+            }
+        }
+    }
+
+    digests
+}
+
+/// Check if NORA already has a blob via HEAD request.
+async fn blob_exists(client: &Client, nora_base: &str, name: &str, digest: &str) -> bool {
+    let url = format!("{}/v2/{}/blobs/{}", nora_base, name, digest);
+    matches!(
+        client
+            .head(&url)
+            .timeout(Duration::from_secs(10))
+            .send()
+            .await,
+        Ok(r) if r.status().is_success()
+    )
+}
+
+/// Push a blob to NORA via monolithic upload.
+async fn push_blob(
+    client: &Client,
+    nora_base: &str,
+    name: &str,
+    digest: &str,
+    data: &[u8],
+) -> Result<(), String> {
+    // Start upload session
+    let start_url = format!("{}/v2/{}/blobs/uploads/", nora_base, name);
+    let response = client
+        .post(&start_url)
+        .timeout(Duration::from_secs(30))
+        .send()
+        .await
+        .map_err(|e| format!("Failed to start blob upload: {}", e))?;
+
+    let location = response
+        .headers()
+        .get("location")
+        .and_then(|v| v.to_str().ok())
+        .ok_or("Missing Location header from upload start")?
+        .to_string();
+
+    // Complete upload with digest
+    let upload_url = if location.contains('?') {
+        format!("{}&digest={}", location, digest)
+    } else {
+        format!("{}?digest={}", location, digest)
+    };
+
+    // Make absolute URL if relative
+    let upload_url = if upload_url.starts_with('/') {
+        format!("{}{}", nora_base, upload_url)
+    } else {
+        upload_url
+    };
+
+    let resp = client
+        .put(&upload_url)
+        .header("Content-Type", "application/octet-stream")
+        .body(data.to_vec())
+        .timeout(Duration::from_secs(DEFAULT_TIMEOUT))
+        .send()
+        .await
+        .map_err(|e| format!("Failed to upload blob: {}", e))?;
+
+    if !resp.status().is_success() && resp.status().as_u16() != 201 {
+        return Err(format!("Blob upload failed with status {}", resp.status()));
+    }
+
+    Ok(())
+}
+
+/// Push a manifest to NORA.
+async fn push_manifest(
+    client: &Client,
+    nora_base: &str,
+    name: &str,
+    reference: &str,
+    data: &[u8],
+    content_type: &str,
+) -> Result<(), String> {
+    let url = format!("{}/v2/{}/manifests/{}", nora_base, name, reference);
+    let resp = client
+        .put(&url)
+        .header("Content-Type", content_type)
+        .body(data.to_vec())
+        .timeout(Duration::from_secs(30))
+        .send()
+        .await
+        .map_err(|e| format!("Failed to push manifest: {}", e))?;
+
+    if !resp.status().is_success() && resp.status().as_u16() != 201 {
+        return Err(format!(
+            "Manifest push failed with status {}",
+            resp.status()
+        ));
+    }
+
+    Ok(())
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    // --- parse_image_ref tests ---
+
+    #[test]
+    fn test_parse_simple_name() {
+        let r = parse_image_ref("alpine");
+        assert_eq!(r.registry, DEFAULT_REGISTRY);
+        assert_eq!(r.name, "library/alpine");
+        assert_eq!(r.reference, "latest");
+    }
+
+    #[test]
+    fn test_parse_name_with_tag() {
+        let r = parse_image_ref("alpine:3.20");
+        assert_eq!(r.registry, DEFAULT_REGISTRY);
+        assert_eq!(r.name, "library/alpine");
+        assert_eq!(r.reference, "3.20");
+    }
+
+    #[test]
+    fn test_parse_org_image() {
+        let r = parse_image_ref("grafana/grafana:latest");
+        assert_eq!(r.registry, DEFAULT_REGISTRY);
+        assert_eq!(r.name, "grafana/grafana");
+        assert_eq!(r.reference, "latest");
+    }
+
+    #[test]
+    fn test_parse_org_image_no_tag() {
+        let r = parse_image_ref("grafana/grafana");
+        assert_eq!(r.registry, DEFAULT_REGISTRY);
+        assert_eq!(r.name, "grafana/grafana");
+        assert_eq!(r.reference, "latest");
+    }
+
+    #[test]
+    fn test_parse_custom_registry() {
+        let r = parse_image_ref("ghcr.io/owner/repo:v1.0");
+        assert_eq!(r.registry, "https://ghcr.io");
+        assert_eq!(r.name, "owner/repo");
+        assert_eq!(r.reference, "v1.0");
+    }
+
+    #[test]
+    fn test_parse_digest_reference() {
+        let r = parse_image_ref("alpine@sha256:abcdef1234567890");
+        assert_eq!(r.registry, DEFAULT_REGISTRY);
+        assert_eq!(r.name, "library/alpine");
+        assert_eq!(r.reference, "sha256:abcdef1234567890");
+    }
+
+    #[test]
+    fn test_parse_registry_with_port() {
+        let r = parse_image_ref("localhost:5000/myimage:v1");
+        assert_eq!(r.registry, "https://localhost:5000");
+        assert_eq!(r.name, "myimage");
+        assert_eq!(r.reference, "v1");
+    }
+
+    #[test]
+    fn test_parse_deep_path() {
+        let r = parse_image_ref("ghcr.io/org/sub/image:latest");
+        assert_eq!(r.registry, "https://ghcr.io");
+        assert_eq!(r.name, "org/sub/image");
+        assert_eq!(r.reference, "latest");
+    }
+
+    #[test]
+    fn test_parse_trimmed() {
+        let r = parse_image_ref("  alpine:3.20  ");
+        assert_eq!(r.name, "library/alpine");
+        assert_eq!(r.reference, "3.20");
+    }
+
+    #[test]
+    fn test_parse_images_file() {
+        let content = "alpine:3.20\n# comment\npostgres:15\n\nnginx:1.25\n";
+        let images = parse_images_file(content);
+        assert_eq!(images.len(), 3);
+        assert_eq!(images[0].name, "library/alpine");
+        assert_eq!(images[1].name, "library/postgres");
+        assert_eq!(images[2].name, "library/nginx");
+    }
+
+    #[test]
+    fn test_parse_images_file_empty() {
+        let images = parse_images_file("");
+        assert!(images.is_empty());
+    }
+
+    #[test]
+    fn test_parse_images_file_comments_only() {
+        let images = parse_images_file("# comment\n# another\n");
+        assert!(images.is_empty());
+    }
+
+    // --- extract_blob_digests tests ---
+
+    #[test]
+    fn test_extract_blob_digests_full_manifest() {
+        let manifest = serde_json::json!({
+            "config": {
+                "digest": "sha256:config111"
+            },
+            "layers": [
+                {"digest": "sha256:layer111"},
+                {"digest": "sha256:layer222"}
+            ]
+        });
+        let digests = extract_blob_digests(&manifest);
+        assert_eq!(digests.len(), 3);
+        assert_eq!(digests[0], "sha256:config111");
+        assert_eq!(digests[1], "sha256:layer111");
+        assert_eq!(digests[2], "sha256:layer222");
+    }
+
+    #[test]
+    fn test_extract_blob_digests_no_layers() {
+        let manifest = serde_json::json!({
+            "config": { "digest": "sha256:config111" }
+        });
+        let digests = extract_blob_digests(&manifest);
+        assert_eq!(digests.len(), 1);
+    }
+
+    #[test]
+    fn test_extract_blob_digests_empty() {
+        let manifest = serde_json::json!({});
+        let digests = extract_blob_digests(&manifest);
+        assert!(digests.is_empty());
+    }
+
+    // --- is_manifest_list tests ---
+
+    #[test]
+    fn test_is_manifest_list_by_content_type() {
+        let json = serde_json::json!({});
+        assert!(is_manifest_list(
+            "application/vnd.docker.distribution.manifest.list.v2+json",
+            &json
+        ));
+    }
+
+    #[test]
+    fn test_is_manifest_list_oci_index() {
+        let json = serde_json::json!({});
+        assert!(is_manifest_list(
+            "application/vnd.oci.image.index.v1+json",
+            &json
+        ));
+    }
+
+    #[test]
+    fn test_is_manifest_list_by_manifests_key() {
+        let json = serde_json::json!({
+            "manifests": [{"digest": "sha256:abc"}]
+        });
+        assert!(is_manifest_list(
+            "application/vnd.docker.distribution.manifest.v2+json",
+            &json
+        ));
+    }
+
+    #[test]
+    fn test_is_not_manifest_list() {
+        let json = serde_json::json!({
+            "config": {},
+            "layers": []
+        });
+        assert!(!is_manifest_list(
+            "application/vnd.docker.distribution.manifest.v2+json",
+            &json
+        ));
+    }
+}

nora-registry/src/mirror/mod.rs

@@ -0,0 +1,541 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! `nora mirror` — pre-fetch dependencies through NORA proxy cache.
+
+mod docker;
+mod npm;
+
+use clap::Subcommand;
+use indicatif::{ProgressBar, ProgressStyle};
+use std::path::PathBuf;
+use std::time::Instant;
+
+#[derive(Subcommand)]
+pub enum MirrorFormat {
+    /// Mirror npm packages
+    Npm {
+        /// Path to package-lock.json (v1/v2/v3)
+        #[arg(long, conflicts_with = "packages")]
+        lockfile: Option<PathBuf>,
+        /// Comma-separated package names
+        #[arg(long, conflicts_with = "lockfile", value_delimiter = ',')]
+        packages: Option<Vec<String>>,
+        /// Fetch all versions (only with --packages)
+        #[arg(long)]
+        all_versions: bool,
+    },
+    /// Mirror npm packages from yarn.lock
+    Yarn {
+        /// Path to yarn.lock
+        #[arg(long)]
+        lockfile: PathBuf,
+    },
+    /// Mirror Python packages
+    Pip {
+        /// Path to requirements.txt
+        #[arg(long)]
+        lockfile: PathBuf,
+    },
+    /// Mirror Cargo crates
+    Cargo {
+        /// Path to Cargo.lock
+        #[arg(long)]
+        lockfile: PathBuf,
+    },
+    /// Mirror Maven artifacts
+    Maven {
+        /// Path to dependency list (mvn dependency:list output)
+        #[arg(long)]
+        lockfile: PathBuf,
+    },
+    /// Mirror Docker images from upstream registries
+    Docker {
+        /// Comma-separated image references (e.g., alpine:3.20,postgres:15)
+        #[arg(long, conflicts_with = "images_file", value_delimiter = ',')]
+        images: Option<Vec<String>>,
+        /// Path to file with image references (one per line)
+        #[arg(long, conflicts_with = "images")]
+        images_file: Option<PathBuf>,
+    },
+}
+
+#[derive(Debug, Clone, Hash, Eq, PartialEq)]
+pub struct MirrorTarget {
+    pub name: String,
+    pub version: String,
+}
+
+#[derive(serde::Serialize)]
+pub struct MirrorResult {
+    pub total: usize,
+    pub fetched: usize,
+    pub failed: usize,
+    pub bytes: u64,
+}
+
+pub fn create_progress_bar(total: u64) -> ProgressBar {
+    let pb = ProgressBar::new(total);
+    pb.set_style(
+        ProgressStyle::default_bar()
+            .template(
+                "{spinner:.green} [{elapsed_precise}] [{bar:40.cyan/blue}] {pos}/{len} ({eta}) {msg}",
+            )
+            .expect("static progress bar template is valid")
+            .progress_chars("=>-"),
+    );
+    pb
+}
+
+pub async fn run_mirror(
+    format: MirrorFormat,
+    registry: &str,
+    concurrency: usize,
+    json_output: bool,
+) -> Result<(), String> {
+    let client = reqwest::Client::builder()
+        .timeout(std::time::Duration::from_secs(120))
+        .build()
+        .map_err(|e| format!("Failed to create HTTP client: {}", e))?;
+
+    // Health check
+    let health_url = format!("{}/health", registry.trim_end_matches('/'));
+    match client.get(&health_url).send().await {
+        Ok(r) if r.status().is_success() => {}
+        _ => {
+            return Err(format!(
+                "Cannot connect to NORA at {}. Is `nora serve` running?",
+                registry
+            ))
+        }
+    }
+
+    let start = Instant::now();
+
+    let result = match format {
+        MirrorFormat::Npm {
+            lockfile,
+            packages,
+            all_versions,
+        } => {
+            npm::run_npm_mirror(
+                &client,
+                registry,
+                lockfile,
+                packages,
+                all_versions,
+                concurrency,
+            )
+            .await?
+        }
+        MirrorFormat::Yarn { lockfile } => {
+            let content = std::fs::read_to_string(&lockfile)
+                .map_err(|e| format!("Cannot read {}: {}", lockfile.display(), e))?;
+            let targets = npm::parse_yarn_lock(&content);
+            if targets.is_empty() {
+                println!("No packages found in {}", lockfile.display());
+                MirrorResult {
+                    total: 0,
+                    fetched: 0,
+                    failed: 0,
+                    bytes: 0,
+                }
+            } else {
+                println!(
+                    "Mirroring {} npm packages from yarn.lock via {}...",
+                    targets.len(),
+                    registry
+                );
+                npm::mirror_npm_packages(&client, registry, &targets, concurrency).await?
+            }
+        }
+        MirrorFormat::Pip { lockfile } => {
+            mirror_lockfile(&client, registry, "pip", &lockfile).await?
+        }
+        MirrorFormat::Cargo { lockfile } => {
+            mirror_lockfile(&client, registry, "cargo", &lockfile).await?
+        }
+        MirrorFormat::Maven { lockfile } => {
+            mirror_lockfile(&client, registry, "maven", &lockfile).await?
+        }
+        MirrorFormat::Docker {
+            images,
+            images_file,
+        } => {
+            let image_refs = if let Some(file) = images_file {
+                let content = std::fs::read_to_string(&file)
+                    .map_err(|e| format!("Cannot read {}: {}", file.display(), e))?;
+                docker::parse_images_file(&content)
+            } else if let Some(imgs) = images {
+                imgs.iter().map(|s| docker::parse_image_ref(s)).collect()
+            } else {
+                return Err("Either --images or --images-file is required".to_string());
+            };
+            if image_refs.is_empty() {
+                return Err("No images specified".to_string());
+            }
+            println!(
+                "Mirroring {} Docker images via {}...",
+                image_refs.len(),
+                registry
+            );
+            docker::run_docker_mirror(&client, registry, &image_refs, concurrency).await?
+        }
+    };
+
+    let elapsed = start.elapsed();
+
+    if json_output {
+        println!(
+            "{}",
+            serde_json::to_string_pretty(&result).unwrap_or_default()
+        );
+    } else {
+        println!("\nMirror complete:");
+        println!("  Total:    {}", result.total);
+        println!("  Fetched:  {}", result.fetched);
+        println!("  Failed:   {}", result.failed);
+        println!("  Size:     {:.1} MB", result.bytes as f64 / 1_048_576.0);
+        println!("  Time:     {:.1}s", elapsed.as_secs_f64());
+    }
+
+    if result.failed > 0 {
+        Err(format!("{} packages failed to mirror", result.failed))
+    } else {
+        Ok(())
+    }
+}
+
+async fn mirror_lockfile(
+    client: &reqwest::Client,
+    registry: &str,
+    format: &str,
+    lockfile: &PathBuf,
+) -> Result<MirrorResult, String> {
+    let content = std::fs::read_to_string(lockfile)
+        .map_err(|e| format!("Cannot read {}: {}", lockfile.display(), e))?;
+
+    let targets = match format {
+        "pip" => parse_requirements_txt(&content),
+        "cargo" => parse_cargo_lock(&content)?,
+        "maven" => parse_maven_deps(&content),
+        _ => vec![],
+    };
+
+    if targets.is_empty() {
+        println!("No packages found in {}", lockfile.display());
+        return Ok(MirrorResult {
+            total: 0,
+            fetched: 0,
+            failed: 0,
+            bytes: 0,
+        });
+    }
+
+    let pb = create_progress_bar(targets.len() as u64);
+    let base = registry.trim_end_matches('/');
+    let mut fetched = 0;
+    let mut failed = 0;
+    let mut bytes = 0u64;
+
+    for target in &targets {
+        let url = match format {
+            "pip" => format!("{}/simple/{}/", base, target.name),
+            "cargo" => format!(
+                "{}/cargo/api/v1/crates/{}/{}/download",
+                base, target.name, target.version
+            ),
+            "maven" => {
+                let parts: Vec<&str> = target.name.split(':').collect();
+                if parts.len() == 2 {
+                    let group_path = parts[0].replace('.', "/");
+                    format!(
+                        "{}/maven2/{}/{}/{}/{}-{}.jar",
+                        base, group_path, parts[1], target.version, parts[1], target.version
+                    )
+                } else {
+                    pb.inc(1);
+                    failed += 1;
+                    continue;
+                }
+            }
+            _ => continue,
+        };
+
+        match client.get(&url).send().await {
+            Ok(r) if r.status().is_success() => {
+                if let Ok(body) = r.bytes().await {
+                    bytes += body.len() as u64;
+                }
+                fetched += 1;
+            }
+            _ => failed += 1,
+        }
+
+        pb.set_message(format!("{}@{}", target.name, target.version));
+        pb.inc(1);
+    }
+
+    pb.finish_with_message("done");
+    Ok(MirrorResult {
+        total: targets.len(),
+        fetched,
+        failed,
+        bytes,
+    })
+}
+
+fn parse_requirements_txt(content: &str) -> Vec<MirrorTarget> {
+    content
+        .lines()
+        .filter(|l| !l.trim().is_empty() && !l.starts_with('#') && !l.starts_with('-'))
+        .filter_map(|line| {
+            let line = line.split('#').next().unwrap_or(line).trim();
+            if let Some((name, version)) = line.split_once("==") {
+                Some(MirrorTarget {
+                    name: name.trim().to_string(),
+                    version: version.trim().to_string(),
+                })
+            } else {
+                let name = line.split(['>', '<', '=', '!', '~', ';']).next()?.trim();
+                if name.is_empty() {
+                    None
+                } else {
+                    Some(MirrorTarget {
+                        name: name.to_string(),
+                        version: "latest".to_string(),
+                    })
+                }
+            }
+        })
+        .collect()
+}
+
+fn parse_cargo_lock(content: &str) -> Result<Vec<MirrorTarget>, String> {
+    let lock: toml::Value =
+        toml::from_str(content).map_err(|e| format!("Invalid Cargo.lock: {}", e))?;
+    let packages = lock
+        .get("package")
+        .and_then(|p| p.as_array())
+        .cloned()
+        .unwrap_or_default();
+    Ok(packages
+        .iter()
+        .filter(|p| {
+            p.get("source")
+                .and_then(|s| s.as_str())
+                .map(|s| s.starts_with("registry+"))
+                .unwrap_or(false)
+        })
+        .filter_map(|p| {
+            let name = p.get("name")?.as_str()?.to_string();
+            let version = p.get("version")?.as_str()?.to_string();
+            Some(MirrorTarget { name, version })
+        })
+        .collect())
+}
+
+fn parse_maven_deps(content: &str) -> Vec<MirrorTarget> {
+    content
+        .lines()
+        .filter_map(|line| {
+            let line = line.trim().trim_start_matches("[INFO]").trim();
+            let parts: Vec<&str> = line.split(':').collect();
+            if parts.len() >= 4 {
+                let name = format!("{}:{}", parts[0], parts[1]);
+                let version = parts[3].to_string();
+                Some(MirrorTarget { name, version })
+            } else {
+                None
+            }
+        })
+        .collect()
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_requirements_txt() {
+        let content = "flask==2.3.0\nrequests>=2.28.0\n# comment\nnumpy==1.24.3\n";
+        let targets = parse_requirements_txt(content);
+        assert_eq!(targets.len(), 3);
+        assert_eq!(targets[0].name, "flask");
+        assert_eq!(targets[0].version, "2.3.0");
+        assert_eq!(targets[1].name, "requests");
+        assert_eq!(targets[1].version, "latest");
+    }
+
+    #[test]
+    fn test_parse_cargo_lock() {
+        let content = "\
+[[package]]
+name = \"serde\"
+version = \"1.0.197\"
+source = \"registry+https://github.com/rust-lang/crates.io-index\"
+
+[[package]]
+name = \"my-local-crate\"
+version = \"0.1.0\"
+";
+        let targets = parse_cargo_lock(content).unwrap();
+        assert_eq!(targets.len(), 1);
+        assert_eq!(targets[0].name, "serde");
+    }
+
+    #[test]
+    fn test_parse_maven_deps() {
+        let content = "[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile\n";
+        let targets = parse_maven_deps(content);
+        assert_eq!(targets.len(), 1);
+        assert_eq!(targets[0].name, "org.apache.commons:commons-lang3");
+        assert_eq!(targets[0].version, "3.12.0");
+    }
+
+    #[test]
+    fn test_parse_requirements_txt_empty() {
+        let targets = parse_requirements_txt("");
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_parse_requirements_txt_comments_only() {
+        let content = "# This is a comment\n# Another comment\n\n";
+        let targets = parse_requirements_txt(content);
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_parse_requirements_txt_flags() {
+        let content = "-r other-requirements.txt\n-i https://pypi.org/simple\nflask==2.0\n";
+        let targets = parse_requirements_txt(content);
+        assert_eq!(targets.len(), 1);
+        assert_eq!(targets[0].name, "flask");
+    }
+
+    #[test]
+    fn test_parse_requirements_txt_version_specifiers() {
+        let content =
+            "pkg1>=1.0\npkg2<2.0\npkg3!=1.5\npkg4~=1.0\npkg5==1.0 ; python_version>='3.8'\n";
+        let targets = parse_requirements_txt(content);
+        assert_eq!(targets.len(), 5);
+        assert_eq!(targets[0].name, "pkg1");
+        assert_eq!(targets[0].version, "latest");
+        assert_eq!(targets[4].name, "pkg5");
+        assert_eq!(targets[4].version, "1.0 ; python_version>='3.8'");
+    }
+
+    #[test]
+    fn test_parse_requirements_txt_inline_comments() {
+        let content = "flask==2.0  # web framework\n";
+        let targets = parse_requirements_txt(content);
+        assert_eq!(targets.len(), 1);
+        assert_eq!(targets[0].name, "flask");
+        assert_eq!(targets[0].version, "2.0");
+    }
+
+    #[test]
+    fn test_parse_cargo_lock_empty() {
+        let content = "";
+        let result = parse_cargo_lock(content);
+        let targets = result.unwrap();
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_parse_cargo_lock_no_packages() {
+        let content = "[metadata]\nsome = \"value\"\n";
+        let targets = parse_cargo_lock(content).unwrap();
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_parse_cargo_lock_git_source() {
+        let content = r#"
+[[package]]
+name = "my-dep"
+version = "0.1.0"
+source = "git+https://github.com/user/repo#abc123"
+"#;
+        let targets = parse_cargo_lock(content).unwrap();
+        assert!(targets.is_empty()); // git sources filtered out
+    }
+
+    #[test]
+    fn test_parse_cargo_lock_multiple() {
+        let content = r#"
+[[package]]
+name = "serde"
+version = "1.0.197"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
+[[package]]
+name = "tokio"
+version = "1.36.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
+[[package]]
+name = "local-crate"
+version = "0.1.0"
+"#;
+        let targets = parse_cargo_lock(content).unwrap();
+        assert_eq!(targets.len(), 2);
+    }
+
+    #[test]
+    fn test_parse_maven_deps_empty() {
+        let targets = parse_maven_deps("");
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_parse_maven_deps_short_line() {
+        let targets = parse_maven_deps("foo:bar\n");
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_parse_maven_deps_multiple() {
+        let content = "[INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile\n[INFO]    com.google.guava:guava:jar:33.0.0-jre:compile\n";
+        let targets = parse_maven_deps(content);
+        assert_eq!(targets.len(), 2);
+        assert_eq!(targets[0].name, "org.slf4j:slf4j-api");
+        assert_eq!(targets[1].version, "33.0.0-jre");
+    }
+
+    #[test]
+    fn test_create_progress_bar() {
+        let pb = create_progress_bar(100);
+        assert_eq!(pb.length(), Some(100));
+    }
+
+    #[test]
+    fn test_mirror_result_json_serialization() {
+        let result = MirrorResult {
+            total: 10,
+            fetched: 8,
+            failed: 2,
+            bytes: 1048576,
+        };
+        let json = serde_json::to_string_pretty(&result).unwrap();
+        let parsed: serde_json::Value = serde_json::from_str(&json).unwrap();
+        assert_eq!(parsed["total"], 10);
+        assert_eq!(parsed["fetched"], 8);
+        assert_eq!(parsed["failed"], 2);
+        assert_eq!(parsed["bytes"], 1048576);
+    }
+
+    #[test]
+    fn test_mirror_result_json_zero_values() {
+        let result = MirrorResult {
+            total: 0,
+            fetched: 0,
+            failed: 0,
+            bytes: 0,
+        };
+        let json = serde_json::to_string(&result).unwrap();
+        assert!(json.contains("\"total\":0"));
+    }
+}

nora-registry/src/mirror/npm.rs

@@ -0,0 +1,614 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! npm lockfile parser + mirror logic.
+
+use super::{create_progress_bar, MirrorResult, MirrorTarget};
+use std::collections::HashSet;
+use std::path::PathBuf;
+use tokio::sync::Semaphore;
+
+/// Entry point for npm mirroring
+pub async fn run_npm_mirror(
+    client: &reqwest::Client,
+    registry: &str,
+    lockfile: Option<PathBuf>,
+    packages: Option<Vec<String>>,
+    all_versions: bool,
+    concurrency: usize,
+) -> Result<MirrorResult, String> {
+    let targets = if let Some(path) = lockfile {
+        let content = std::fs::read_to_string(&path)
+            .map_err(|e| format!("Cannot read {}: {}", path.display(), e))?;
+        parse_npm_lockfile(&content)?
+    } else if let Some(names) = packages {
+        resolve_npm_packages(client, registry, &names, all_versions).await?
+    } else {
+        return Err("Specify --lockfile or --packages".to_string());
+    };
+
+    if targets.is_empty() {
+        println!("No npm packages to mirror");
+        return Ok(MirrorResult {
+            total: 0,
+            fetched: 0,
+            failed: 0,
+            bytes: 0,
+        });
+    }
+
+    println!(
+        "Mirroring {} npm packages via {}...",
+        targets.len(),
+        registry
+    );
+    mirror_npm_packages(client, registry, &targets, concurrency).await
+}
+
+/// Parse package-lock.json (v1, v2, v3)
+fn parse_npm_lockfile(content: &str) -> Result<Vec<MirrorTarget>, String> {
+    let json: serde_json::Value =
+        serde_json::from_str(content).map_err(|e| format!("Invalid JSON: {}", e))?;
+
+    let version = json
+        .get("lockfileVersion")
+        .and_then(|v| v.as_u64())
+        .unwrap_or(1);
+
+    let mut seen = HashSet::new();
+    let mut targets = Vec::new();
+
+    if version >= 2 {
+        // v2/v3: use "packages" object
+        if let Some(packages) = json.get("packages").and_then(|p| p.as_object()) {
+            for (key, pkg) in packages {
+                if key.is_empty() {
+                    continue; // root package
+                }
+                if let Some(name) = extract_package_name(key) {
+                    if let Some(ver) = pkg.get("version").and_then(|v| v.as_str()) {
+                        let pair = (name.to_string(), ver.to_string());
+                        if seen.insert(pair.clone()) {
+                            targets.push(MirrorTarget {
+                                name: pair.0,
+                                version: pair.1,
+                            });
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    if version == 1 || targets.is_empty() {
+        // v1 fallback: recursive "dependencies"
+        if let Some(deps) = json.get("dependencies").and_then(|d| d.as_object()) {
+            parse_v1_deps(deps, &mut targets, &mut seen);
+        }
+    }
+
+    Ok(targets)
+}
+
+/// Extract package name from lockfile key like "node_modules/@babel/core"
+fn extract_package_name(key: &str) -> Option<&str> {
+    // Handle nested: "node_modules/foo/node_modules/@scope/bar" → "@scope/bar"
+    let last_nm = key.rfind("node_modules/")?;
+    let after = &key[last_nm + "node_modules/".len()..];
+    let name = after.trim_end_matches('/');
+    if name.is_empty() {
+        None
+    } else {
+        Some(name)
+    }
+}
+
+/// Recursively parse v1 lockfile "dependencies"
+fn parse_v1_deps(
+    deps: &serde_json::Map<String, serde_json::Value>,
+    targets: &mut Vec<MirrorTarget>,
+    seen: &mut HashSet<(String, String)>,
+) {
+    for (name, pkg) in deps {
+        if let Some(ver) = pkg.get("version").and_then(|v| v.as_str()) {
+            let pair = (name.clone(), ver.to_string());
+            if seen.insert(pair.clone()) {
+                targets.push(MirrorTarget {
+                    name: pair.0,
+                    version: pair.1,
+                });
+            }
+        }
+        // Recurse into nested dependencies
+        if let Some(nested) = pkg.get("dependencies").and_then(|d| d.as_object()) {
+            parse_v1_deps(nested, targets, seen);
+        }
+    }
+}
+
+/// Resolve --packages list by fetching metadata from NORA
+async fn resolve_npm_packages(
+    client: &reqwest::Client,
+    registry: &str,
+    names: &[String],
+    all_versions: bool,
+) -> Result<Vec<MirrorTarget>, String> {
+    let base = registry.trim_end_matches('/');
+    let mut targets = Vec::new();
+
+    for name in names {
+        let url = format!("{}/npm/{}", base, name);
+        let resp = client.get(&url).send().await.map_err(|e| e.to_string())?;
+
+        if !resp.status().is_success() {
+            eprintln!("Warning: {} not found (HTTP {})", name, resp.status());
+            continue;
+        }
+
+        let json: serde_json::Value = resp.json().await.map_err(|e| e.to_string())?;
+
+        if all_versions {
+            if let Some(versions) = json.get("versions").and_then(|v| v.as_object()) {
+                for ver in versions.keys() {
+                    targets.push(MirrorTarget {
+                        name: name.clone(),
+                        version: ver.clone(),
+                    });
+                }
+            }
+        } else {
+            // Just latest
+            let latest = json
+                .get("dist-tags")
+                .and_then(|d| d.get("latest"))
+                .and_then(|v| v.as_str())
+                .unwrap_or("latest");
+            targets.push(MirrorTarget {
+                name: name.clone(),
+                version: latest.to_string(),
+            });
+        }
+    }
+
+    Ok(targets)
+}
+
+/// Fetch packages through NORA (triggers proxy cache)
+pub async fn mirror_npm_packages(
+    client: &reqwest::Client,
+    registry: &str,
+    targets: &[MirrorTarget],
+    concurrency: usize,
+) -> Result<MirrorResult, String> {
+    let base = registry.trim_end_matches('/');
+    let pb = create_progress_bar(targets.len() as u64);
+    let sem = std::sync::Arc::new(Semaphore::new(concurrency));
+
+    // Deduplicate metadata fetches (one per package name)
+    let unique_names: HashSet<&str> = targets.iter().map(|t| t.name.as_str()).collect();
+    pb.set_message("fetching metadata...");
+    for name in &unique_names {
+        let url = format!("{}/npm/{}", base, name);
+        let _ = client.get(&url).send().await; // trigger metadata cache
+    }
+
+    // Fetch tarballs concurrently
+    let fetched = std::sync::Arc::new(std::sync::atomic::AtomicUsize::new(0));
+    let failed = std::sync::Arc::new(std::sync::atomic::AtomicUsize::new(0));
+    let bytes = std::sync::Arc::new(std::sync::atomic::AtomicU64::new(0));
+
+    let mut handles = Vec::new();
+
+    for target in targets {
+        let permit = sem
+            .clone()
+            .acquire_owned()
+            .await
+            .expect("semaphore closed unexpectedly");
+        let client = client.clone();
+        let pb = pb.clone();
+        let fetched = fetched.clone();
+        let failed = failed.clone();
+        let bytes = bytes.clone();
+
+        let short_name = target.name.split('/').next_back().unwrap_or(&target.name);
+        let tarball_url = format!(
+            "{}/npm/{}/-/{}-{}.tgz",
+            base, target.name, short_name, target.version
+        );
+        let label = format!("{}@{}", target.name, target.version);
+
+        handles.push(tokio::spawn(async move {
+            let _permit = permit;
+            match client.get(&tarball_url).send().await {
+                Ok(r) if r.status().is_success() => {
+                    if let Ok(body) = r.bytes().await {
+                        bytes.fetch_add(body.len() as u64, std::sync::atomic::Ordering::Relaxed);
+                    }
+                    fetched.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+                }
+                _ => {
+                    failed.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+                }
+            }
+            pb.set_message(label);
+            pb.inc(1);
+        }));
+    }
+
+    for h in handles {
+        let _ = h.await;
+    }
+
+    pb.finish_with_message("done");
+
+    Ok(MirrorResult {
+        total: targets.len(),
+        fetched: fetched.load(std::sync::atomic::Ordering::Relaxed),
+        failed: failed.load(std::sync::atomic::Ordering::Relaxed),
+        bytes: bytes.load(std::sync::atomic::Ordering::Relaxed),
+    })
+}
+
+/// Parse yarn.lock v1 format
+/// Format: "package@version:\n  version \"X.Y.Z\"\n  resolved \"url\""
+pub fn parse_yarn_lock(content: &str) -> Vec<MirrorTarget> {
+    let mut targets = Vec::new();
+    let mut seen = HashSet::new();
+    let mut current_name: Option<String> = None;
+
+    for line in content.lines() {
+        let trimmed = line.trim();
+
+        // Skip comments and empty lines
+        if trimmed.starts_with('#') || trimmed.is_empty() {
+            continue;
+        }
+
+        // Package header: "lodash@^4.17.21:" or "@babel/core@^7.0.0, @babel/core@^7.26.0:"
+        if !line.starts_with(' ') && !line.starts_with('\t') && trimmed.ends_with(':') {
+            let header = trimmed.trim_end_matches(':');
+            // Take first entry before comma (all resolve to same version)
+            let first = header.split(',').next().unwrap_or(header).trim();
+            // Remove quotes if present
+            let first = first.trim_matches('"');
+            // Extract package name: everything before last @
+            if let Some(name) = extract_yarn_package_name(first) {
+                current_name = Some(name.to_string());
+            } else {
+                current_name = None;
+            }
+            continue;
+        }
+
+        // Version line: "  version "4.17.21""
+        if let Some(ref name) = current_name {
+            if trimmed.starts_with("version ") {
+                let ver = trimmed.trim_start_matches("version ").trim_matches('"');
+                let pair = (name.clone(), ver.to_string());
+                if seen.insert(pair.clone()) {
+                    targets.push(MirrorTarget {
+                        name: pair.0,
+                        version: pair.1,
+                    });
+                }
+                current_name = None;
+            }
+        }
+    }
+
+    targets
+}
+
+/// Extract package name from yarn.lock entry like "@babel/core@^7.0.0"
+fn extract_yarn_package_name(entry: &str) -> Option<&str> {
+    if let Some(rest) = entry.strip_prefix('@') {
+        // Scoped: @babel/core@^7.0.0 → find second @
+        let after_scope = rest.find('@')?;
+        Some(&entry[..after_scope + 1])
+    } else {
+        // Regular: lodash@^4.17.21 → find first @
+        let at = entry.find('@')?;
+        if at == 0 {
+            None
+        } else {
+            Some(&entry[..at])
+        }
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_extract_package_name() {
+        assert_eq!(extract_package_name("node_modules/lodash"), Some("lodash"));
+        assert_eq!(
+            extract_package_name("node_modules/@babel/core"),
+            Some("@babel/core")
+        );
+        assert_eq!(
+            extract_package_name("node_modules/foo/node_modules/bar"),
+            Some("bar")
+        );
+        assert_eq!(
+            extract_package_name("node_modules/foo/node_modules/@types/node"),
+            Some("@types/node")
+        );
+        assert_eq!(extract_package_name(""), None);
+    }
+
+    #[test]
+    fn test_parse_lockfile_v3() {
+        let content = r#"{
+            "lockfileVersion": 3,
+            "packages": {
+                "": { "name": "test" },
+                "node_modules/lodash": { "version": "4.17.21" },
+                "node_modules/@babel/core": { "version": "7.26.0" },
+                "node_modules/@babel/core/node_modules/semver": { "version": "6.3.1" }
+            }
+        }"#;
+        let targets = parse_npm_lockfile(content).unwrap();
+        assert_eq!(targets.len(), 3);
+        let names: HashSet<&str> = targets.iter().map(|t| t.name.as_str()).collect();
+        assert!(names.contains("lodash"));
+        assert!(names.contains("@babel/core"));
+        assert!(names.contains("semver"));
+    }
+
+    #[test]
+    fn test_parse_lockfile_v1() {
+        let content = r#"{
+            "lockfileVersion": 1,
+            "dependencies": {
+                "express": {
+                    "version": "4.18.2",
+                    "dependencies": {
+                        "accepts": { "version": "1.3.8" }
+                    }
+                }
+            }
+        }"#;
+        let targets = parse_npm_lockfile(content).unwrap();
+        assert_eq!(targets.len(), 2);
+        assert_eq!(targets[0].name, "express");
+        assert_eq!(targets[1].name, "accepts");
+    }
+
+    #[test]
+    fn test_deduplication() {
+        let content = r#"{
+            "lockfileVersion": 3,
+            "packages": {
+                "": {},
+                "node_modules/debug": { "version": "4.3.4" },
+                "node_modules/express/node_modules/debug": { "version": "4.3.4" }
+            }
+        }"#;
+        let targets = parse_npm_lockfile(content).unwrap();
+        assert_eq!(targets.len(), 1); // deduplicated
+        assert_eq!(targets[0].name, "debug");
+    }
+
+    #[test]
+    fn test_extract_package_name_simple() {
+        assert_eq!(extract_package_name("node_modules/lodash"), Some("lodash"));
+    }
+
+    #[test]
+    fn test_extract_package_name_scoped() {
+        assert_eq!(
+            extract_package_name("node_modules/@babel/core"),
+            Some("@babel/core")
+        );
+    }
+
+    #[test]
+    fn test_extract_package_name_nested() {
+        assert_eq!(
+            extract_package_name("node_modules/foo/node_modules/@scope/bar"),
+            Some("@scope/bar")
+        );
+    }
+
+    #[test]
+    fn test_extract_package_name_no_node_modules() {
+        assert_eq!(extract_package_name("just/a/path"), None);
+    }
+
+    #[test]
+    fn test_extract_package_name_empty_after() {
+        assert_eq!(extract_package_name("node_modules/"), None);
+    }
+
+    #[test]
+    fn test_parse_lockfile_v2() {
+        let lockfile = serde_json::json!({
+            "lockfileVersion": 2,
+            "packages": {
+                "": {"name": "root"},
+                "node_modules/express": {"version": "4.18.2"},
+                "node_modules/@types/node": {"version": "20.11.0"}
+            }
+        });
+        let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
+        assert_eq!(targets.len(), 2);
+    }
+
+    #[test]
+    fn test_parse_lockfile_empty_packages() {
+        let lockfile = serde_json::json!({
+            "lockfileVersion": 3,
+            "packages": {}
+        });
+        let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_parse_lockfile_invalid_json() {
+        let result = parse_npm_lockfile("not json at all");
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_parse_lockfile_v1_nested() {
+        let lockfile = serde_json::json!({
+            "lockfileVersion": 1,
+            "dependencies": {
+                "express": {
+                    "version": "4.18.2",
+                    "dependencies": {
+                        "accepts": {"version": "1.3.8"}
+                    }
+                }
+            }
+        });
+        let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
+        assert_eq!(targets.len(), 2);
+    }
+
+    #[test]
+    fn test_parse_lockfile_v2_falls_back_to_v1() {
+        // v2 with empty packages should fall back to v1 dependencies
+        let lockfile = serde_json::json!({
+            "lockfileVersion": 2,
+            "packages": {},
+            "dependencies": {
+                "lodash": {"version": "4.17.21"}
+            }
+        });
+        let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
+        assert_eq!(targets.len(), 1);
+        assert_eq!(targets[0].name, "lodash");
+    }
+
+    #[test]
+    fn test_parse_lockfile_no_version_field() {
+        let lockfile = serde_json::json!({
+            "packages": {
+                "node_modules/something": {"resolved": "https://example.com"}
+            }
+        });
+        let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_parse_yarn_lock_basic() {
+        let content = r#"# yarn lockfile v1
+
+lodash@^4.17.21:
+  version "4.17.21"
+  resolved "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
+
+express@^4.18.0:
+  version "4.18.2"
+  resolved "https://registry.npmjs.org/express/-/express-4.18.2.tgz"
+"#;
+        let targets = parse_yarn_lock(content);
+        assert_eq!(targets.len(), 2);
+        assert_eq!(targets[0].name, "lodash");
+        assert_eq!(targets[0].version, "4.17.21");
+        assert_eq!(targets[1].name, "express");
+        assert_eq!(targets[1].version, "4.18.2");
+    }
+
+    #[test]
+    fn test_parse_yarn_lock_scoped() {
+        let content = r#"
+"@babel/core@^7.26.0":
+  version "7.26.0"
+  resolved "https://registry.npmjs.org/@babel/core/-/core-7.26.0.tgz"
+"#;
+        let targets = parse_yarn_lock(content);
+        assert_eq!(targets.len(), 1);
+        assert_eq!(targets[0].name, "@babel/core");
+        assert_eq!(targets[0].version, "7.26.0");
+    }
+
+    #[test]
+    fn test_parse_yarn_lock_multiple_ranges() {
+        let content = r#"
+debug@2.6.9, debug@^2.2.0:
+  version "2.6.9"
+  resolved "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz"
+
+debug@^4.1.0, debug@^4.3.4:
+  version "4.3.7"
+  resolved "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz"
+"#;
+        let targets = parse_yarn_lock(content);
+        assert_eq!(targets.len(), 2);
+        assert_eq!(targets[0].name, "debug");
+        assert_eq!(targets[0].version, "2.6.9");
+        assert_eq!(targets[1].name, "debug");
+        assert_eq!(targets[1].version, "4.3.7");
+    }
+
+    #[test]
+    fn test_parse_yarn_lock_dedup() {
+        let content = r#"
+lodash@^4.0.0:
+  version "4.17.21"
+
+lodash@^4.17.0:
+  version "4.17.21"
+"#;
+        let targets = parse_yarn_lock(content);
+        assert_eq!(targets.len(), 1); // same name+version deduped
+    }
+
+    #[test]
+    fn test_parse_yarn_lock_empty() {
+        let targets = parse_yarn_lock(
+            "# yarn lockfile v1
+
+",
+        );
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_parse_yarn_lock_comments_only() {
+        let content = "# yarn lockfile v1
+# comment
+";
+        let targets = parse_yarn_lock(content);
+        assert!(targets.is_empty());
+    }
+
+    #[test]
+    fn test_extract_yarn_package_name_simple() {
+        assert_eq!(extract_yarn_package_name("lodash@^4.17.21"), Some("lodash"));
+    }
+
+    #[test]
+    fn test_extract_yarn_package_name_scoped() {
+        assert_eq!(
+            extract_yarn_package_name("@babel/core@^7.0.0"),
+            Some("@babel/core")
+        );
+    }
+
+    #[test]
+    fn test_extract_yarn_package_name_no_at() {
+        assert_eq!(extract_yarn_package_name("lodash"), None);
+    }
+
+    #[test]
+    fn test_parse_yarn_lock_quoted_headers() {
+        let content = r#"
+"@types/node@^20.0.0":
+  version "20.11.5"
+  resolved "https://registry.npmjs.org/@types/node/-/node-20.11.5.tgz"
+"#;
+        let targets = parse_yarn_lock(content);
+        assert_eq!(targets.len(), 1);
+        assert_eq!(targets[0].name, "@types/node");
+        assert_eq!(targets[0].version, "20.11.5");
+    }
+}

nora-registry/src/openapi.rs

@@ -1,8 +1,11 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! OpenAPI documentation and Swagger UI
 //!
 //! Functions in this module are stubs used only for generating OpenAPI documentation.
 
-#![allow(dead_code)]
+#![allow(dead_code)] // utoipa doc stubs — not called at runtime, used by derive macros
 
 use axum::Router;
 use std::sync::Arc;
@@ -15,7 +18,7 @@ use crate::AppState;
 #[openapi(
     info(
         title = "Nora",
-        version = "0.1.0",
+        version = "0.2.12",
         description = "Multi-protocol package registry supporting Docker, Maven, npm, Cargo, and PyPI",
         license(name = "MIT"),
         contact(name = "DevITWay", url = "https://github.com/getnora-io/nora")
@@ -25,6 +28,8 @@ use crate::AppState;
     ),
     tags(
         (name = "health", description = "Health check endpoints"),
+        (name = "metrics", description = "Prometheus metrics"),
+        (name = "dashboard", description = "Dashboard & Metrics API"),
         (name = "docker", description = "Docker Registry v2 API"),
         (name = "maven", description = "Maven Repository API"),
         (name = "npm", description = "npm Registry API"),
@@ -36,16 +41,30 @@ use crate::AppState;
         // Health
         crate::openapi::health_check,
         crate::openapi::readiness_check,
-        // Docker
+        // Metrics
+        crate::openapi::prometheus_metrics,
+        // Dashboard
+        crate::openapi::dashboard_metrics,
+        // Docker - Read
         crate::openapi::docker_version,
         crate::openapi::docker_catalog,
         crate::openapi::docker_tags,
-        crate::openapi::docker_manifest,
-        crate::openapi::docker_blob,
+        crate::openapi::docker_manifest_get,
+        crate::openapi::docker_blob_head,
+        crate::openapi::docker_blob_get,
+        // Docker - Write
+        crate::openapi::docker_manifest_put,
+        crate::openapi::docker_blob_upload_start,
+        crate::openapi::docker_blob_upload_patch,
+        crate::openapi::docker_blob_upload_put,
         // Maven
-        crate::openapi::maven_artifact,
+        crate::openapi::maven_artifact_get,
+        crate::openapi::maven_artifact_put,
         // npm
         crate::openapi::npm_package,
+        // Cargo
+        crate::openapi::cargo_metadata,
+        crate::openapi::cargo_download,
         // PyPI
         crate::openapi::pypi_simple,
         crate::openapi::pypi_package,
@@ -59,6 +78,11 @@ use crate::AppState;
             HealthResponse,
             StorageHealth,
             RegistriesHealth,
+            DashboardResponse,
+            GlobalStats,
+            RegistryCardStats,
+            MountPoint,
+            ActivityEntry,
             DockerVersion,
             DockerCatalog,
             DockerTags,
@@ -182,8 +206,76 @@ pub struct ErrorResponse {
     pub error: String,
 }
 
+#[derive(Serialize, ToSchema)]
+pub struct DashboardResponse {
+    /// Global statistics across all registries
+    pub global_stats: GlobalStats,
+    /// Per-registry statistics
+    pub registry_stats: Vec<RegistryCardStats>,
+    /// Registry mount points and proxy configuration
+    pub mount_points: Vec<MountPoint>,
+    /// Recent activity log entries
+    pub activity: Vec<ActivityEntry>,
+    /// Server uptime in seconds
+    pub uptime_seconds: u64,
+}
+
+#[derive(Serialize, ToSchema)]
+pub struct GlobalStats {
+    /// Total downloads across all registries
+    pub downloads: u64,
+    /// Total uploads across all registries
+    pub uploads: u64,
+    /// Total artifact count
+    pub artifacts: u64,
+    /// Cache hit percentage (0-100)
+    pub cache_hit_percent: f64,
+    /// Total storage used in bytes
+    pub storage_bytes: u64,
+}
+
+#[derive(Serialize, ToSchema)]
+pub struct RegistryCardStats {
+    /// Registry name (docker, maven, npm, cargo, pypi)
+    pub name: String,
+    /// Number of artifacts in this registry
+    pub artifact_count: usize,
+    /// Download count for this registry
+    pub downloads: u64,
+    /// Upload count for this registry
+    pub uploads: u64,
+    /// Storage used by this registry in bytes
+    pub size_bytes: u64,
+}
+
+#[derive(Serialize, ToSchema)]
+pub struct MountPoint {
+    /// Registry display name
+    pub registry: String,
+    /// URL mount path (e.g., /v2/, /maven2/)
+    pub mount_path: String,
+    /// Upstream proxy URL if configured
+    pub proxy_upstream: Option<String>,
+}
+
+#[derive(Serialize, ToSchema)]
+pub struct ActivityEntry {
+    /// ISO 8601 timestamp
+    pub timestamp: String,
+    /// Action type (Pull, Push, CacheHit, ProxyFetch)
+    pub action: String,
+    /// Artifact name/identifier
+    pub artifact: String,
+    /// Registry type
+    pub registry: String,
+    /// Source (LOCAL, PROXY, CACHE)
+    pub source: String,
+}
+
 // ============ Path Operations (documentation only) ============
 
+// -------------------- Health --------------------
+
 /// Health check endpoint
 #[utoipa::path(
     get,
@@ -208,6 +300,39 @@ pub async fn health_check() {}
 )]
 pub async fn readiness_check() {}
 
+// -------------------- Metrics --------------------
+
+/// Prometheus metrics endpoint
+///
+/// Returns metrics in Prometheus text format for scraping.
+#[utoipa::path(
+    get,
+    path = "/metrics",
+    tag = "metrics",
+    responses(
+        (status = 200, description = "Prometheus metrics", content_type = "text/plain")
+    )
+)]
+pub async fn prometheus_metrics() {}
+
+// -------------------- Dashboard --------------------
+
+/// Dashboard metrics and activity
+///
+/// Returns comprehensive metrics including downloads, uploads, cache statistics,
+/// per-registry stats, mount points configuration, and recent activity log.
+#[utoipa::path(
+    get,
+    path = "/api/ui/dashboard",
+    tag = "dashboard",
+    responses(
+        (status = 200, description = "Dashboard metrics", body = DashboardResponse)
+    )
+)]
+pub async fn dashboard_metrics() {}
+
+// -------------------- Docker Registry v2 - Read Operations --------------------
+
 /// Docker Registry version check
 #[utoipa::path(
     get,
@@ -237,7 +362,7 @@ pub async fn docker_catalog() {}
     path = "/v2/{name}/tags/list",
     tag = "docker",
     params(
-        ("name" = String, Path, description = "Repository name")
+        ("name" = String, Path, description = "Repository name (e.g., 'alpine' or 'library/nginx')")
     ),
     responses(
         (status = 200, description = "Tag list", body = DockerTags),
@@ -253,14 +378,30 @@ pub async fn docker_tags() {}
     tag = "docker",
     params(
         ("name" = String, Path, description = "Repository name"),
-        ("reference" = String, Path, description = "Tag or digest")
+        ("reference" = String, Path, description = "Tag or digest (sha256:...)")
     ),
     responses(
         (status = 200, description = "Manifest content"),
         (status = 404, description = "Manifest not found")
     )
 )]
-pub async fn docker_manifest() {}
+pub async fn docker_manifest_get() {}
+
+/// Check if blob exists
+#[utoipa::path(
+    head,
+    path = "/v2/{name}/blobs/{digest}",
+    tag = "docker",
+    params(
+        ("name" = String, Path, description = "Repository name"),
+        ("digest" = String, Path, description = "Blob digest (sha256:...)")
+    ),
+    responses(
+        (status = 200, description = "Blob exists, Content-Length header contains size"),
+        (status = 404, description = "Blob not found")
+    )
+)]
+pub async fn docker_blob_head() {}
 
 /// Get blob
 #[utoipa::path(
@@ -276,7 +417,79 @@ pub async fn docker_manifest() {}
         (status = 404, description = "Blob not found")
     )
 )]
-pub async fn docker_blob() {}
+pub async fn docker_blob_get() {}
+
+// -------------------- Docker Registry v2 - Write Operations --------------------
+
+/// Push manifest
+#[utoipa::path(
+    put,
+    path = "/v2/{name}/manifests/{reference}",
+    tag = "docker",
+    params(
+        ("name" = String, Path, description = "Repository name"),
+        ("reference" = String, Path, description = "Tag or digest")
+    ),
+    responses(
+        (status = 201, description = "Manifest created, Docker-Content-Digest header contains digest"),
+        (status = 400, description = "Invalid manifest")
+    )
+)]
+pub async fn docker_manifest_put() {}
+
+/// Start blob upload
+///
+/// Initiates a resumable blob upload. Returns a Location header with the upload URL.
+#[utoipa::path(
+    post,
+    path = "/v2/{name}/blobs/uploads/",
+    tag = "docker",
+    params(
+        ("name" = String, Path, description = "Repository name")
+    ),
+    responses(
+        (status = 202, description = "Upload started, Location header contains upload URL")
+    )
+)]
+pub async fn docker_blob_upload_start() {}
+
+/// Upload blob chunk (chunked upload)
+///
+/// Uploads a chunk of data to an in-progress upload session.
+#[utoipa::path(
+    patch,
+    path = "/v2/{name}/blobs/uploads/{uuid}",
+    tag = "docker",
+    params(
+        ("name" = String, Path, description = "Repository name"),
+        ("uuid" = String, Path, description = "Upload session UUID")
+    ),
+    responses(
+        (status = 202, description = "Chunk accepted, Range header indicates bytes received")
+    )
+)]
+pub async fn docker_blob_upload_patch() {}
+
+/// Complete blob upload
+///
+/// Finalizes the blob upload. Can include final chunk data in the body.
+#[utoipa::path(
+    put,
+    path = "/v2/{name}/blobs/uploads/{uuid}",
+    tag = "docker",
+    params(
+        ("name" = String, Path, description = "Repository name"),
+        ("uuid" = String, Path, description = "Upload session UUID"),
+        ("digest" = String, Query, description = "Expected blob digest (sha256:...)")
+    ),
+    responses(
+        (status = 201, description = "Blob created"),
+        (status = 400, description = "Digest mismatch or missing")
+    )
+)]
+pub async fn docker_blob_upload_put() {}
+
+// -------------------- Maven --------------------
 
 /// Get Maven artifact
 #[utoipa::path(
@@ -291,7 +504,24 @@ pub async fn docker_blob() {}
         (status = 404, description = "Artifact not found, trying upstream proxies")
     )
 )]
-pub async fn maven_artifact() {}
+pub async fn maven_artifact_get() {}
+
+/// Upload Maven artifact
+#[utoipa::path(
+    put,
+    path = "/maven2/{path}",
+    tag = "maven",
+    params(
+        ("path" = String, Path, description = "Artifact path")
+    ),
+    responses(
+        (status = 201, description = "Artifact uploaded"),
+        (status = 500, description = "Storage error")
+    )
+)]
+pub async fn maven_artifact_put() {}
+
+// -------------------- npm --------------------
 
 /// Get npm package metadata
 #[utoipa::path(
@@ -299,7 +529,7 @@ pub async fn maven_artifact() {}
     path = "/npm/{name}",
     tag = "npm",
     params(
-        ("name" = String, Path, description = "Package name")
+        ("name" = String, Path, description = "Package name (e.g., 'lodash' or '@scope/package')")
     ),
     responses(
         (status = 200, description = "Package metadata (JSON)"),
@@ -308,6 +538,41 @@ pub async fn maven_artifact() {}
 )]
 pub async fn npm_package() {}
 
+// -------------------- Cargo --------------------
+
+/// Get Cargo crate metadata
+#[utoipa::path(
+    get,
+    path = "/cargo/api/v1/crates/{crate_name}",
+    tag = "cargo",
+    params(
+        ("crate_name" = String, Path, description = "Crate name")
+    ),
+    responses(
+        (status = 200, description = "Crate metadata (JSON)"),
+        (status = 404, description = "Crate not found")
+    )
+)]
+pub async fn cargo_metadata() {}
+
+/// Download Cargo crate
+#[utoipa::path(
+    get,
+    path = "/cargo/api/v1/crates/{crate_name}/{version}/download",
+    tag = "cargo",
+    params(
+        ("crate_name" = String, Path, description = "Crate name"),
+        ("version" = String, Path, description = "Crate version")
+    ),
+    responses(
+        (status = 200, description = "Crate file (.crate)"),
+        (status = 404, description = "Crate version not found")
+    )
+)]
+pub async fn cargo_download() {}
+
+// -------------------- PyPI --------------------
+
 /// PyPI Simple index
 #[utoipa::path(
     get,
@@ -334,6 +599,8 @@ pub async fn pypi_simple() {}
 )]
 pub async fn pypi_package() {}
 
+// -------------------- Auth / Tokens --------------------
+
 /// Create API token
 #[utoipa::path(
     post,

nora-registry/src/rate_limit.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Rate limiting configuration and middleware
 //!
 //! Provides rate limiting to protect against:
@@ -5,117 +8,113 @@
 //! - DoS attacks on upload endpoints
 //! - General API abuse
 
+use crate::config::RateLimitConfig;
 use tower_governor::governor::GovernorConfigBuilder;
-
-/// Rate limit configuration
-#[derive(Debug, Clone)]
-pub struct RateLimitConfig {
-    /// Requests per second for auth endpoints (strict)
-    pub auth_rps: u32,
-    /// Burst size for auth endpoints
-    pub auth_burst: u32,
-    /// Requests per second for upload endpoints
-    pub upload_rps: u32,
-    /// Burst size for upload endpoints
-    pub upload_burst: u32,
-    /// Requests per second for general endpoints (lenient)
-    pub general_rps: u32,
-    /// Burst size for general endpoints
-    pub general_burst: u32,
-}
-
-impl Default for RateLimitConfig {
-    fn default() -> Self {
-        Self {
-            auth_rps: 1,       // 1 req/sec for auth (strict)
-            auth_burst: 5,     // Allow burst of 5
-            upload_rps: 10,    // 10 req/sec for uploads
-            upload_burst: 20,  // Allow burst of 20
-            general_rps: 100,  // 100 req/sec general
-            general_burst: 200, // Allow burst of 200
-        }
-    }
-}
+use tower_governor::key_extractor::SmartIpKeyExtractor;
 
 /// Create rate limiter layer for auth endpoints (strict protection against brute-force)
-///
-/// Default: 1 request per second, burst of 5
-pub fn auth_rate_limiter() -> tower_governor::GovernorLayer<
+pub fn auth_rate_limiter(
+    config: &RateLimitConfig,
+) -> tower_governor::GovernorLayer<
     tower_governor::key_extractor::PeerIpKeyExtractor,
     governor::middleware::StateInformationMiddleware,
     axum::body::Body,
 > {
-    let config = GovernorConfigBuilder::default()
-        .per_second(1)
-        .burst_size(5)
+    let gov_config = GovernorConfigBuilder::default()
+        .per_second(config.auth_rps)
+        .burst_size(config.auth_burst)
         .use_headers()
         .finish()
-        .unwrap();
+        .expect("failed to build auth rate limiter: invalid RateLimitConfig");
 
-    tower_governor::GovernorLayer::new(config)
+    tower_governor::GovernorLayer::new(gov_config)
 }
 
 /// Create rate limiter layer for upload endpoints
 ///
-/// Default: 10 requests per second, burst of 20
-pub fn upload_rate_limiter() -> tower_governor::GovernorLayer<
-    tower_governor::key_extractor::PeerIpKeyExtractor,
+/// High limits to accommodate Docker client's aggressive parallel layer uploads
+pub fn upload_rate_limiter(
+    config: &RateLimitConfig,
+) -> tower_governor::GovernorLayer<
+    SmartIpKeyExtractor,
     governor::middleware::StateInformationMiddleware,
     axum::body::Body,
 > {
-    let config = GovernorConfigBuilder::default()
-        .per_second(10)
-        .burst_size(20)
+    let gov_config = GovernorConfigBuilder::default()
+        .key_extractor(SmartIpKeyExtractor)
+        .per_second(config.upload_rps)
+        .burst_size(config.upload_burst)
         .use_headers()
         .finish()
-        .unwrap();
+        .expect("failed to build upload rate limiter: invalid RateLimitConfig");
 
-    tower_governor::GovernorLayer::new(config)
+    tower_governor::GovernorLayer::new(gov_config)
 }
 
 /// Create rate limiter layer for general endpoints (lenient)
-///
-/// Default: 100 requests per second, burst of 200
-pub fn general_rate_limiter() -> tower_governor::GovernorLayer<
-    tower_governor::key_extractor::PeerIpKeyExtractor,
+pub fn general_rate_limiter(
+    config: &RateLimitConfig,
+) -> tower_governor::GovernorLayer<
+    SmartIpKeyExtractor,
     governor::middleware::StateInformationMiddleware,
     axum::body::Body,
 > {
-    let config = GovernorConfigBuilder::default()
-        .per_second(100)
-        .burst_size(200)
+    let gov_config = GovernorConfigBuilder::default()
+        .key_extractor(SmartIpKeyExtractor)
+        .per_second(config.general_rps)
+        .burst_size(config.general_burst)
         .use_headers()
         .finish()
-        .unwrap();
+        .expect("failed to build general rate limiter: invalid RateLimitConfig");
 
-    tower_governor::GovernorLayer::new(config)
+    tower_governor::GovernorLayer::new(gov_config)
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::config::RateLimitConfig;
 
     #[test]
     fn test_default_config() {
         let config = RateLimitConfig::default();
         assert_eq!(config.auth_rps, 1);
         assert_eq!(config.auth_burst, 5);
-        assert_eq!(config.upload_rps, 10);
+        assert_eq!(config.upload_rps, 200);
         assert_eq!(config.general_rps, 100);
     }
 
     #[test]
     fn test_auth_rate_limiter_creation() {
-        let _limiter = auth_rate_limiter();
+        let config = RateLimitConfig::default();
+        let _limiter = auth_rate_limiter(&config);
     }
 
     #[test]
     fn test_upload_rate_limiter_creation() {
-        let _limiter = upload_rate_limiter();
+        let config = RateLimitConfig::default();
+        let _limiter = upload_rate_limiter(&config);
     }
 
     #[test]
     fn test_general_rate_limiter_creation() {
-        let _limiter = general_rate_limiter();
+        let config = RateLimitConfig::default();
+        let _limiter = general_rate_limiter(&config);
+    }
+
+    #[test]
+    fn test_custom_config() {
+        let config = RateLimitConfig {
+            enabled: true,
+            auth_rps: 10,
+            auth_burst: 20,
+            upload_rps: 500,
+            upload_burst: 1000,
+            general_rps: 200,
+            general_burst: 400,
+        };
+        let _auth = auth_rate_limiter(&config);
+        let _upload = upload_rate_limiter(&config);
+        let _general = general_rate_limiter(&config);
     }
 }

nora-registry/src/registry/cargo_registry.rs

@@ -1,3 +1,9 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
+use crate::validation::validate_storage_key;
 use crate::AppState;
 use axum::{
     extract::{Path, State},
@@ -21,6 +27,10 @@ async fn get_metadata(
     State(state): State<Arc<AppState>>,
     Path(crate_name): Path<String>,
 ) -> Response {
+    // Validate input to prevent path traversal
+    if validate_storage_key(&crate_name).is_err() {
+        return StatusCode::BAD_REQUEST.into_response();
+    }
     let key = format!("cargo/{}/metadata.json", crate_name);
     match state.storage.get(&key).await {
         Ok(data) => (StatusCode::OK, data).into_response(),
@@ -32,12 +42,99 @@ async fn download(
     State(state): State<Arc<AppState>>,
     Path((crate_name, version)): Path<(String, String)>,
 ) -> Response {
+    // Validate inputs to prevent path traversal
+    if validate_storage_key(&crate_name).is_err() || validate_storage_key(&version).is_err() {
+        return StatusCode::BAD_REQUEST.into_response();
+    }
     let key = format!(
         "cargo/{}/{}/{}-{}.crate",
         crate_name, version, crate_name, version
     );
     match state.storage.get(&key).await {
-        Ok(data) => (StatusCode::OK, data).into_response(),
+        Ok(data) => {
+            state.metrics.record_download("cargo");
+            state.metrics.record_cache_hit();
+            state.activity.push(ActivityEntry::new(
+                ActionType::Pull,
+                format!("{}@{}", crate_name, version),
+                "cargo",
+                "LOCAL",
+            ));
+            state
+                .audit
+                .log(AuditEntry::new("pull", "api", "", "cargo", ""));
+            (StatusCode::OK, data).into_response()
+        }
         Err(_) => StatusCode::NOT_FOUND.into_response(),
     }
 }
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use crate::test_helpers::{body_bytes, create_test_context, send};
+    use axum::http::{Method, StatusCode};
+
+    #[tokio::test]
+    async fn test_cargo_metadata_not_found() {
+        let ctx = create_test_context();
+        let resp = send(
+            &ctx.app,
+            Method::GET,
+            "/cargo/api/v1/crates/nonexistent",
+            "",
+        )
+        .await;
+        assert_eq!(resp.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[tokio::test]
+    async fn test_cargo_metadata_from_storage() {
+        let ctx = create_test_context();
+        let meta = r#"{"name":"test-crate","versions":[]}"#;
+        ctx.state
+            .storage
+            .put("cargo/test-crate/metadata.json", meta.as_bytes())
+            .await
+            .unwrap();
+
+        let resp = send(&ctx.app, Method::GET, "/cargo/api/v1/crates/test-crate", "").await;
+        assert_eq!(resp.status(), StatusCode::OK);
+        let body = body_bytes(resp).await;
+        assert_eq!(&body[..], meta.as_bytes());
+    }
+
+    #[tokio::test]
+    async fn test_cargo_download_not_found() {
+        let ctx = create_test_context();
+        let resp = send(
+            &ctx.app,
+            Method::GET,
+            "/cargo/api/v1/crates/missing/1.0.0/download",
+            "",
+        )
+        .await;
+        assert_eq!(resp.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[tokio::test]
+    async fn test_cargo_download_from_storage() {
+        let ctx = create_test_context();
+        ctx.state
+            .storage
+            .put("cargo/my-crate/1.2.3/my-crate-1.2.3.crate", b"crate-data")
+            .await
+            .unwrap();
+
+        let resp = send(
+            &ctx.app,
+            Method::GET,
+            "/cargo/api/v1/crates/my-crate/1.2.3/download",
+            "",
+        )
+        .await;
+        assert_eq!(resp.status(), StatusCode::OK);
+        let body = body_bytes(resp).await;
+        assert_eq!(&body[..], b"crate-data");
+    }
+}

nora-registry/src/registry/docker_auth.rs

@@ -0,0 +1,319 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use crate::config::basic_auth_header;
+use parking_lot::RwLock;
+use std::collections::HashMap;
+use std::time::{Duration, Instant};
+
+/// Cached Docker registry token
+struct CachedToken {
+    token: String,
+    expires_at: Instant,
+}
+
+/// Docker registry authentication handler
+/// Manages Bearer token acquisition and caching for upstream registries
+pub struct DockerAuth {
+    tokens: RwLock<HashMap<String, CachedToken>>,
+    client: reqwest::Client,
+}
+
+impl DockerAuth {
+    pub fn new(timeout: u64) -> Self {
+        Self {
+            tokens: RwLock::new(HashMap::new()),
+            client: reqwest::Client::builder()
+                .timeout(Duration::from_secs(timeout))
+                .build()
+                .unwrap_or_default(),
+        }
+    }
+
+    /// Get a valid token for the given registry and repository scope
+    /// Returns cached token if still valid, otherwise fetches a new one
+    pub async fn get_token(
+        &self,
+        registry_url: &str,
+        name: &str,
+        www_authenticate: Option<&str>,
+        basic_auth: Option<&str>,
+    ) -> Option<String> {
+        let cache_key = format!("{}:{}", registry_url, name);
+
+        // Check cache first
+        {
+            let tokens = self.tokens.read();
+            if let Some(cached) = tokens.get(&cache_key) {
+                if cached.expires_at > Instant::now() {
+                    return Some(cached.token.clone());
+                }
+            }
+        }
+
+        // Need to fetch a new token
+        let www_auth = www_authenticate?;
+        let token = self.fetch_token(www_auth, name, basic_auth).await?;
+
+        // Cache the token (default 5 minute expiry)
+        {
+            let mut tokens = self.tokens.write();
+            tokens.insert(
+                cache_key,
+                CachedToken {
+                    token: token.clone(),
+                    expires_at: Instant::now() + Duration::from_secs(300),
+                },
+            );
+        }
+
+        Some(token)
+    }
+
+    /// Parse Www-Authenticate header and fetch token from auth server
+    /// Format: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/alpine:pull"
+    async fn fetch_token(
+        &self,
+        www_authenticate: &str,
+        name: &str,
+        basic_auth: Option<&str>,
+    ) -> Option<String> {
+        let params = parse_www_authenticate(www_authenticate)?;
+
+        let realm = params.get("realm")?;
+        let service = params.get("service").map(|s| s.as_str()).unwrap_or("");
+
+        // Build token request URL
+        let scope = format!("repository:{}:pull", name);
+        let url = format!("{}?service={}&scope={}", realm, service, scope);
+
+        tracing::debug!(url = %url, "Fetching auth token");
+
+        let mut request = self.client.get(&url);
+        if let Some(credentials) = basic_auth {
+            request = request.header("Authorization", basic_auth_header(credentials));
+            tracing::debug!("Using basic auth for token request");
+        }
+
+        let response = request.send().await.ok()?;
+
+        if !response.status().is_success() {
+            tracing::warn!(status = %response.status(), "Token request failed");
+            return None;
+        }
+
+        let json: serde_json::Value = response.json().await.ok()?;
+
+        // Docker Hub returns "token", some registries return "access_token"
+        json.get("token")
+            .or_else(|| json.get("access_token"))
+            .and_then(|v| v.as_str())
+            .map(String::from)
+    }
+}
+
+impl Default for DockerAuth {
+    fn default() -> Self {
+        Self::new(60)
+    }
+}
+
+/// Parse Www-Authenticate header into key-value pairs
+/// Example: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
+fn parse_www_authenticate(header: &str) -> Option<HashMap<String, String>> {
+    let header = header
+        .strip_prefix("Bearer ")
+        .or_else(|| header.strip_prefix("bearer "))?;
+
+    let mut params = HashMap::new();
+
+    for part in header.split(',') {
+        let part = part.trim();
+        if let Some((key, value)) = part.split_once('=') {
+            let value = value.trim_matches('"');
+            params.insert(key.to_string(), value.to_string());
+        }
+    }
+
+    Some(params)
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_www_authenticate() {
+        let header = r#"Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/alpine:pull""#;
+        let params = parse_www_authenticate(header).unwrap();
+
+        assert_eq!(
+            params.get("realm"),
+            Some(&"https://auth.docker.io/token".to_string())
+        );
+        assert_eq!(
+            params.get("service"),
+            Some(&"registry.docker.io".to_string())
+        );
+    }
+
+    #[test]
+    fn test_parse_www_authenticate_lowercase() {
+        let header = r#"bearer realm="https://ghcr.io/token",service="ghcr.io""#;
+        let params = parse_www_authenticate(header).unwrap();
+
+        assert_eq!(
+            params.get("realm"),
+            Some(&"https://ghcr.io/token".to_string())
+        );
+    }
+
+    #[test]
+    fn test_parse_www_authenticate_no_bearer() {
+        assert!(parse_www_authenticate("Basic realm=\"test\"").is_none());
+    }
+
+    #[test]
+    fn test_parse_www_authenticate_empty() {
+        assert!(parse_www_authenticate("").is_none());
+    }
+
+    #[test]
+    fn test_parse_www_authenticate_partial() {
+        let header = r#"Bearer realm="https://example.com/token""#;
+        let params = parse_www_authenticate(header).unwrap();
+        assert_eq!(
+            params.get("realm"),
+            Some(&"https://example.com/token".to_string())
+        );
+        assert!(!params.contains_key("service"));
+    }
+
+    #[test]
+    fn test_docker_auth_default() {
+        let auth = DockerAuth::default();
+        assert!(auth.tokens.read().is_empty());
+    }
+
+    #[test]
+    fn test_docker_auth_new() {
+        let auth = DockerAuth::new(30);
+        assert!(auth.tokens.read().is_empty());
+    }
+
+    #[tokio::test]
+    async fn test_get_token_no_www_authenticate() {
+        let auth = DockerAuth::default();
+        let result = auth
+            .get_token("https://registry.example.com", "library/test", None, None)
+            .await;
+        assert!(result.is_none());
+    }
+
+    #[tokio::test]
+    async fn test_get_token_cache_hit() {
+        let auth = DockerAuth::default();
+        // Manually insert a cached token
+        {
+            let mut tokens = auth.tokens.write();
+            tokens.insert(
+                "https://registry.example.com:library/test".to_string(),
+                CachedToken {
+                    token: "cached-token-123".to_string(),
+                    expires_at: Instant::now() + Duration::from_secs(300),
+                },
+            );
+        }
+        let result = auth
+            .get_token("https://registry.example.com", "library/test", None, None)
+            .await;
+        assert_eq!(result, Some("cached-token-123".to_string()));
+    }
+
+    #[tokio::test]
+    async fn test_get_token_cache_expired() {
+        let auth = DockerAuth::default();
+        {
+            let mut tokens = auth.tokens.write();
+            tokens.insert(
+                "https://registry.example.com:library/test".to_string(),
+                CachedToken {
+                    token: "expired-token".to_string(),
+                    expires_at: Instant::now() - Duration::from_secs(1),
+                },
+            );
+        }
+        // Without www_authenticate, returns None (can't fetch new token)
+        let result = auth
+            .get_token("https://registry.example.com", "library/test", None, None)
+            .await;
+        assert!(result.is_none());
+    }
+
+    #[test]
+    fn test_parse_www_authenticate_bearer_only() {
+        let params = parse_www_authenticate("Bearer ").unwrap();
+        assert!(params.is_empty());
+    }
+
+    #[test]
+    fn test_parse_www_authenticate_missing_realm() {
+        let header = r#"Bearer service="registry.docker.io""#;
+        let params = parse_www_authenticate(header).unwrap();
+        assert!(params.get("realm").is_none());
+        assert_eq!(
+            params.get("service"),
+            Some(&"registry.docker.io".to_string())
+        );
+    }
+
+    #[test]
+    fn test_parse_www_authenticate_missing_service() {
+        let header = r#"Bearer realm="https://auth.docker.io/token""#;
+        let params = parse_www_authenticate(header).unwrap();
+        assert_eq!(
+            params.get("realm"),
+            Some(&"https://auth.docker.io/token".to_string())
+        );
+        assert!(params.get("service").is_none());
+    }
+
+    #[test]
+    fn test_parse_www_authenticate_malformed_kv() {
+        let header = r#"Bearer garbage,realm="https://auth.docker.io/token""#;
+        let params = parse_www_authenticate(header).unwrap();
+        assert_eq!(
+            params.get("realm"),
+            Some(&"https://auth.docker.io/token".to_string())
+        );
+    }
+
+    #[tokio::test]
+    async fn test_fetch_token_invalid_url() {
+        let auth = DockerAuth::new(1);
+        let result = auth
+            .get_token(
+                "https://registry.example.com",
+                "library/test",
+                Some(r#"Bearer realm="http://127.0.0.1:1/token",service="test""#),
+                None,
+            )
+            .await;
+        assert!(result.is_none());
+    }
+
+    #[tokio::test]
+    async fn test_fetch_token_missing_realm_in_header() {
+        let auth = DockerAuth::default();
+        let result = auth
+            .get_token(
+                "https://registry.example.com",
+                "library/test",
+                Some(r#"Bearer service="registry.docker.io""#),
+                None,
+            )
+            .await;
+        assert!(result.is_none());
+    }
+}

nora-registry/src/registry/go.rs

@@ -0,0 +1,523 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! Go module proxy (GOPROXY protocol).
+//!
+//! Implements the 5 required endpoints:
+//!   GET /go/{module}/@v/list        — list known versions
+//!   GET /go/{module}/@v/{ver}.info  — version metadata (JSON)
+//!   GET /go/{module}/@v/{ver}.mod   — go.mod file
+//!   GET /go/{module}/@v/{ver}.zip   — module zip archive
+//!   GET /go/{module}/@latest        — latest version info
+
+use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
+use crate::registry::{proxy_fetch, proxy_fetch_text, ProxyError};
+use crate::AppState;
+use axum::{
+    extract::{Path, State},
+    http::{header, HeaderValue, StatusCode},
+    response::{IntoResponse, Response},
+    routing::get,
+    Router,
+};
+use percent_encoding::percent_decode;
+use std::sync::Arc;
+
+pub fn routes() -> Router<Arc<AppState>> {
+    Router::new().route("/go/{*path}", get(handle))
+}
+
+/// Main handler — parses the wildcard path and dispatches to the right logic.
+async fn handle(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
+    // URL-decode the path: Go client sends %21 for !, Axum wildcard may not decode it
+    let path = percent_decode(path.as_bytes())
+        .decode_utf8()
+        .map(|s| s.into_owned())
+        .unwrap_or(path);
+
+    tracing::debug!(path = %path, "Go proxy request");
+
+    // Validate path: no traversal, no null bytes
+    if !is_safe_path(&path) {
+        tracing::debug!(path = %path, "Go proxy: unsafe path");
+        return StatusCode::BAD_REQUEST.into_response();
+    }
+
+    // Split: "github.com/!azure/sdk/@v/v1.0.0.info" → module + file
+    let (module_encoded, file) = match split_go_path(&path) {
+        Some(parts) => parts,
+        None => {
+            tracing::debug!(path = %path, "Go proxy: cannot split path");
+            return StatusCode::NOT_FOUND.into_response();
+        }
+    };
+
+    let storage_key = format!("go/{}", path);
+    let content_type = content_type_for(&file);
+
+    // Mutable endpoints: @v/list and @latest can be refreshed from upstream
+    let is_mutable = file == "@v/list" || file == "@latest";
+    // Immutable: .info, .mod, .zip — once cached, never overwrite
+    let is_immutable = !is_mutable;
+
+    // 1. Try local cache (for immutable files, this is authoritative)
+    if let Ok(data) = state.storage.get(&storage_key).await {
+        state.metrics.record_download("go");
+        state.metrics.record_cache_hit();
+        state.activity.push(ActivityEntry::new(
+            ActionType::CacheHit,
+            format_artifact(&module_encoded, &file),
+            "go",
+            "CACHE",
+        ));
+        return with_content_type(data.to_vec(), content_type);
+    }
+
+    // 2. Try upstream proxy
+    let proxy_url = match &state.config.go.proxy {
+        Some(url) => url.clone(),
+        None => return StatusCode::NOT_FOUND.into_response(),
+    };
+
+    // Validate module path encoding (but keep encoded for upstream — proxy.golang.org expects ! encoding)
+    if decode_module_path(&module_encoded).is_err() {
+        return StatusCode::BAD_REQUEST.into_response();
+    }
+
+    let upstream_url = format!(
+        "{}/{}",
+        proxy_url.trim_end_matches('/'),
+        format_upstream_path(&module_encoded, &file)
+    );
+
+    // Use longer timeout for .zip files
+    let timeout = if file.ends_with(".zip") {
+        state.config.go.proxy_timeout_zip
+    } else {
+        state.config.go.proxy_timeout
+    };
+
+    // Fetch: binary for .zip, text for everything else
+    let data = if file.ends_with(".zip") {
+        proxy_fetch(
+            &state.http_client,
+            &upstream_url,
+            timeout,
+            state.config.go.proxy_auth.as_deref(),
+        )
+        .await
+    } else {
+        proxy_fetch_text(
+            &state.http_client,
+            &upstream_url,
+            timeout,
+            state.config.go.proxy_auth.as_deref(),
+            None,
+        )
+        .await
+        .map(|s| s.into_bytes())
+    };
+
+    match data {
+        Ok(bytes) => {
+            // Enforce size limit for .zip
+            if file.ends_with(".zip") && bytes.len() as u64 > state.config.go.max_zip_size {
+                tracing::warn!(
+                    module = module_encoded,
+                    size = bytes.len(),
+                    limit = state.config.go.max_zip_size,
+                    "Go module zip exceeds size limit"
+                );
+                return StatusCode::PAYLOAD_TOO_LARGE.into_response();
+            }
+
+            state.metrics.record_download("go");
+            state.metrics.record_cache_miss();
+            state.activity.push(ActivityEntry::new(
+                ActionType::ProxyFetch,
+                format_artifact(&module_encoded, &file),
+                "go",
+                "PROXY",
+            ));
+            state
+                .audit
+                .log(AuditEntry::new("proxy_fetch", "api", "", "go", ""));
+
+            // Background cache: immutable = put_if_absent, mutable = always overwrite
+            let storage = state.storage.clone();
+            let key = storage_key.clone();
+            let data_clone = bytes.clone();
+            tokio::spawn(async move {
+                if is_immutable {
+                    // Only write if not already cached (immutability guarantee)
+                    if storage.stat(&key).await.is_none() {
+                        let _ = storage.put(&key, &data_clone).await;
+                    }
+                } else {
+                    let _ = storage.put(&key, &data_clone).await;
+                }
+            });
+
+            state.repo_index.invalidate("go");
+            with_content_type(bytes, content_type)
+        }
+        Err(ProxyError::NotFound) => StatusCode::NOT_FOUND.into_response(),
+        Err(e) => {
+            tracing::debug!(
+                module = module_encoded,
+                file = file,
+                error = ?e,
+                "Go upstream proxy error"
+            );
+            StatusCode::BAD_GATEWAY.into_response()
+        }
+    }
+}
+
+// ============================================================================
+// Module path encoding/decoding
+// ============================================================================
+
+/// Decode Go module path: `!x` → `X`
+///
+/// Go module proxy spec requires uppercase letters to be encoded as `!`
+/// followed by the lowercase letter. Raw uppercase in encoded path is invalid.
+fn decode_module_path(encoded: &str) -> Result<String, ()> {
+    let mut result = String::with_capacity(encoded.len());
+    let mut chars = encoded.chars();
+    while let Some(c) = chars.next() {
+        if c == '!' {
+            match chars.next() {
+                Some(next) if next.is_ascii_lowercase() => {
+                    result.push(next.to_ascii_uppercase());
+                }
+                _ => return Err(()),
+            }
+        } else if c.is_ascii_uppercase() {
+            // Raw uppercase in encoded path is invalid per spec
+            return Err(());
+        } else {
+            result.push(c);
+        }
+    }
+    Ok(result)
+}
+
+/// Encode Go module path: `X` → `!x`
+#[cfg(test)]
+fn encode_module_path(path: &str) -> String {
+    let mut result = String::with_capacity(path.len() + 8);
+    for c in path.chars() {
+        if c.is_ascii_uppercase() {
+            result.push('!');
+            result.push(c.to_ascii_lowercase());
+        } else {
+            result.push(c);
+        }
+    }
+    result
+}
+
+// ============================================================================
+// Path parsing helpers
+// ============================================================================
+
+/// Split Go path into (encoded_module, file).
+///
+/// Examples:
+///   "github.com/user/repo/@v/v1.0.0.info" → ("github.com/user/repo", "@v/v1.0.0.info")
+///   "github.com/user/repo/v2/@v/list"     → ("github.com/user/repo/v2", "@v/list")
+///   "github.com/user/repo/@latest"        → ("github.com/user/repo", "@latest")
+fn split_go_path(path: &str) -> Option<(String, String)> {
+    // Try @latest first (it's simpler)
+    if let Some(pos) = path.rfind("/@latest") {
+        let module = &path[..pos];
+        if !module.is_empty() {
+            return Some((module.to_string(), "@latest".to_string()));
+        }
+    }
+
+    // Try @v/ — find the last occurrence (handles /v2/@v/ correctly)
+    if let Some(pos) = path.rfind("/@v/") {
+        let module = &path[..pos];
+        let file = &path[pos + 1..]; // "@v/..."
+        if !module.is_empty() && !file.is_empty() {
+            return Some((module.to_string(), file.to_string()));
+        }
+    }
+
+    None
+}
+
+/// Path validation: no traversal attacks
+fn is_safe_path(path: &str) -> bool {
+    !path.contains("..")
+        && !path.starts_with('/')
+        && !path.contains("//")
+        && !path.contains('\0')
+        && !path.is_empty()
+}
+
+/// Content-Type for Go proxy responses
+fn content_type_for(file: &str) -> &'static str {
+    if file.ends_with(".info") || file == "@latest" {
+        "application/json"
+    } else if file.ends_with(".zip") {
+        "application/zip"
+    } else {
+        // .mod, @v/list
+        "text/plain; charset=utf-8"
+    }
+}
+
+/// Build upstream URL path (uses decoded module path)
+fn format_upstream_path(module_decoded: &str, file: &str) -> String {
+    format!("{}/{}", module_decoded, file)
+}
+
+/// Human-readable artifact name for activity log
+fn format_artifact(module: &str, file: &str) -> String {
+    if file == "@v/list" || file == "@latest" {
+        format!("{} {}", module, file)
+    } else if let Some(version_file) = file.strip_prefix("@v/") {
+        // "v1.0.0.info" → "module@v1.0.0"
+        let version = version_file
+            .rsplit_once('.')
+            .map(|(v, _ext)| v)
+            .unwrap_or(version_file);
+        format!("{}@{}", module, version)
+    } else {
+        format!("{}/{}", module, file)
+    }
+}
+
+/// Build response with Content-Type header
+fn with_content_type(data: Vec<u8>, content_type: &'static str) -> Response {
+    (
+        StatusCode::OK,
+        [(header::CONTENT_TYPE, HeaderValue::from_static(content_type))],
+        data,
+    )
+        .into_response()
+}
+
+// ============================================================================
+// Tests
+// ============================================================================
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    // ── Encoding/decoding ───────────────────────────────────────────────
+
+    #[test]
+    fn test_decode_azure() {
+        assert_eq!(
+            decode_module_path("github.com/!azure/sdk").unwrap(),
+            "github.com/Azure/sdk"
+        );
+    }
+
+    #[test]
+    fn test_decode_multiple_uppercase() {
+        assert_eq!(
+            decode_module_path("!google!cloud!platform/foo").unwrap(),
+            "GoogleCloudPlatform/foo"
+        );
+    }
+
+    #[test]
+    fn test_decode_no_uppercase() {
+        assert_eq!(
+            decode_module_path("github.com/user/repo").unwrap(),
+            "github.com/user/repo"
+        );
+    }
+
+    #[test]
+    fn test_decode_invalid_bang_at_end() {
+        assert!(decode_module_path("foo!").is_err());
+    }
+
+    #[test]
+    fn test_decode_invalid_bang_followed_by_uppercase() {
+        assert!(decode_module_path("foo!A").is_err());
+    }
+
+    #[test]
+    fn test_decode_raw_uppercase_is_invalid() {
+        assert!(decode_module_path("github.com/Azure/sdk").is_err());
+    }
+
+    #[test]
+    fn test_encode_roundtrip() {
+        let original = "github.com/Azure/azure-sdk-for-go";
+        let encoded = encode_module_path(original);
+        assert_eq!(encoded, "github.com/!azure/azure-sdk-for-go");
+        assert_eq!(decode_module_path(&encoded).unwrap(), original);
+    }
+
+    #[test]
+    fn test_encode_no_change() {
+        assert_eq!(
+            encode_module_path("github.com/user/repo"),
+            "github.com/user/repo"
+        );
+    }
+
+    // ── Path splitting ──────────────────────────────────────────────────
+
+    #[test]
+    fn test_split_version_info() {
+        let (module, file) = split_go_path("github.com/user/repo/@v/v1.0.0.info").unwrap();
+        assert_eq!(module, "github.com/user/repo");
+        assert_eq!(file, "@v/v1.0.0.info");
+    }
+
+    #[test]
+    fn test_split_version_list() {
+        let (module, file) = split_go_path("github.com/user/repo/@v/list").unwrap();
+        assert_eq!(module, "github.com/user/repo");
+        assert_eq!(file, "@v/list");
+    }
+
+    #[test]
+    fn test_split_latest() {
+        let (module, file) = split_go_path("github.com/user/repo/@latest").unwrap();
+        assert_eq!(module, "github.com/user/repo");
+        assert_eq!(file, "@latest");
+    }
+
+    #[test]
+    fn test_split_major_version_suffix() {
+        let (module, file) = split_go_path("github.com/user/repo/v2/@v/list").unwrap();
+        assert_eq!(module, "github.com/user/repo/v2");
+        assert_eq!(file, "@v/list");
+    }
+
+    #[test]
+    fn test_split_incompatible_version() {
+        let (module, file) =
+            split_go_path("github.com/user/repo/@v/v4.1.2+incompatible.info").unwrap();
+        assert_eq!(module, "github.com/user/repo");
+        assert_eq!(file, "@v/v4.1.2+incompatible.info");
+    }
+
+    #[test]
+    fn test_split_pseudo_version() {
+        let (module, file) =
+            split_go_path("github.com/user/repo/@v/v0.0.0-20210101000000-abcdef123456.info")
+                .unwrap();
+        assert_eq!(module, "github.com/user/repo");
+        assert_eq!(file, "@v/v0.0.0-20210101000000-abcdef123456.info");
+    }
+
+    #[test]
+    fn test_split_no_at() {
+        assert!(split_go_path("github.com/user/repo/v1.0.0").is_none());
+    }
+
+    #[test]
+    fn test_split_empty_module() {
+        assert!(split_go_path("/@v/list").is_none());
+    }
+
+    // ── Path safety ─────────────────────────────────────────────────────
+
+    #[test]
+    fn test_safe_path_normal() {
+        assert!(is_safe_path("github.com/user/repo/@v/list"));
+    }
+
+    #[test]
+    fn test_reject_traversal() {
+        assert!(!is_safe_path("../../etc/passwd"));
+    }
+
+    #[test]
+    fn test_reject_absolute() {
+        assert!(!is_safe_path("/etc/passwd"));
+    }
+
+    #[test]
+    fn test_reject_double_slash() {
+        assert!(!is_safe_path("github.com//evil/@v/list"));
+    }
+
+    #[test]
+    fn test_reject_null() {
+        assert!(!is_safe_path("github.com/\0evil/@v/list"));
+    }
+
+    #[test]
+    fn test_reject_empty() {
+        assert!(!is_safe_path(""));
+    }
+
+    // ── Content-Type ────────────────────────────────────────────────────
+
+    #[test]
+    fn test_content_type_info() {
+        assert_eq!(content_type_for("@v/v1.0.0.info"), "application/json");
+    }
+
+    #[test]
+    fn test_content_type_latest() {
+        assert_eq!(content_type_for("@latest"), "application/json");
+    }
+
+    #[test]
+    fn test_content_type_zip() {
+        assert_eq!(content_type_for("@v/v1.0.0.zip"), "application/zip");
+    }
+
+    #[test]
+    fn test_content_type_mod() {
+        assert_eq!(
+            content_type_for("@v/v1.0.0.mod"),
+            "text/plain; charset=utf-8"
+        );
+    }
+
+    #[test]
+    fn test_content_type_list() {
+        assert_eq!(content_type_for("@v/list"), "text/plain; charset=utf-8");
+    }
+
+    // ── Artifact formatting ─────────────────────────────────────────────
+
+    #[test]
+    fn test_format_artifact_version() {
+        assert_eq!(
+            format_artifact("github.com/user/repo", "@v/v1.0.0.info"),
+            "github.com/user/repo@v1.0.0"
+        );
+    }
+
+    #[test]
+    fn test_format_artifact_list() {
+        assert_eq!(
+            format_artifact("github.com/user/repo", "@v/list"),
+            "github.com/user/repo @v/list"
+        );
+    }
+
+    #[test]
+    fn test_format_artifact_latest() {
+        assert_eq!(
+            format_artifact("github.com/user/repo", "@latest"),
+            "github.com/user/repo @latest"
+        );
+    }
+
+    #[test]
+    fn test_format_artifact_zip() {
+        assert_eq!(
+            format_artifact("github.com/user/repo", "@v/v1.0.0.zip"),
+            "github.com/user/repo@v1.0.0"
+        );
+    }
+}

nora-registry/src/registry/maven.rs

@@ -1,3 +1,9 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
+use crate::registry::proxy_fetch;
 use crate::AppState;
 use axum::{
     body::Bytes,
@@ -8,7 +14,6 @@ use axum::{
     Router,
 };
 use std::sync::Arc;
-use std::time::Duration;
 
 pub fn routes() -> Router<Arc<AppState>> {
     Router::new()
@@ -19,18 +24,55 @@ pub fn routes() -> Router<Arc<AppState>> {
 async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
     let key = format!("maven/{}", path);
 
-    // Try local storage first
+    let artifact_name = path
+        .split('/')
+        .rev()
+        .take(3)
+        .collect::<Vec<_>>()
+        .into_iter()
+        .rev()
+        .collect::<Vec<_>>()
+        .join("/");
+
     if let Ok(data) = state.storage.get(&key).await {
+        state.metrics.record_download("maven");
+        state.metrics.record_cache_hit();
+        state.activity.push(ActivityEntry::new(
+            ActionType::CacheHit,
+            artifact_name,
+            "maven",
+            "CACHE",
+        ));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "maven", ""));
         return with_content_type(&path, data).into_response();
     }
 
-    // Try proxy servers
-    for proxy_url in &state.config.maven.proxies {
-        let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
+    for proxy in &state.config.maven.proxies {
+        let url = format!("{}/{}", proxy.url().trim_end_matches('/'), path);
 
-        match fetch_from_proxy(&url, state.config.maven.proxy_timeout).await {
+        match proxy_fetch(
+            &state.http_client,
+            &url,
+            state.config.maven.proxy_timeout,
+            proxy.auth(),
+        )
+        .await
+        {
             Ok(data) => {
-                // Cache in local storage (fire and forget)
+                state.metrics.record_download("maven");
+                state.metrics.record_cache_miss();
+                state.activity.push(ActivityEntry::new(
+                    ActionType::ProxyFetch,
+                    artifact_name,
+                    "maven",
+                    "PROXY",
+                ));
+                state
+                    .audit
+                    .log(AuditEntry::new("proxy_fetch", "api", "", "maven", ""));
+
                 let storage = state.storage.clone();
                 let key_clone = key.clone();
                 let data_clone = data.clone();
@@ -38,6 +80,8 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
                     let _ = storage.put(&key_clone, &data_clone).await;
                 });
 
+                state.repo_index.invalidate("maven");
+
                 return with_content_type(&path, data.into()).into_response();
             }
             Err(_) => continue,
@@ -53,27 +97,36 @@ async fn upload(
     body: Bytes,
 ) -> StatusCode {
     let key = format!("maven/{}", path);
+
+    let artifact_name = path
+        .split('/')
+        .rev()
+        .take(3)
+        .collect::<Vec<_>>()
+        .into_iter()
+        .rev()
+        .collect::<Vec<_>>()
+        .join("/");
+
     match state.storage.put(&key, &body).await {
-        Ok(()) => StatusCode::CREATED,
+        Ok(()) => {
+            state.metrics.record_upload("maven");
+            state.activity.push(ActivityEntry::new(
+                ActionType::Push,
+                artifact_name,
+                "maven",
+                "LOCAL",
+            ));
+            state
+                .audit
+                .log(AuditEntry::new("push", "api", "", "maven", ""));
+            state.repo_index.invalidate("maven");
+            StatusCode::CREATED
+        }
         Err(_) => StatusCode::INTERNAL_SERVER_ERROR,
     }
 }
 
-async fn fetch_from_proxy(url: &str, timeout_secs: u64) -> Result<Vec<u8>, ()> {
-    let client = reqwest::Client::builder()
-        .timeout(Duration::from_secs(timeout_secs))
-        .build()
-        .map_err(|_| ())?;
-
-    let response = client.get(url).send().await.map_err(|_| ())?;
-
-    if !response.status().is_success() {
-        return Err(());
-    }
-
-    response.bytes().await.map(|b| b.to_vec()).map_err(|_| ())
-}
-
 fn with_content_type(
     path: &str,
     data: Bytes,
@@ -92,3 +145,148 @@ fn with_content_type(
 
     (StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_content_type_pom() {
+        let (status, headers, _) =
+            with_content_type("com/example/1.0/example-1.0.pom", Bytes::from("data"));
+        assert_eq!(status, StatusCode::OK);
+        assert_eq!(headers[0].1, "application/xml");
+    }
+
+    #[test]
+    fn test_content_type_jar() {
+        let (_, headers, _) =
+            with_content_type("com/example/1.0/example-1.0.jar", Bytes::from("data"));
+        assert_eq!(headers[0].1, "application/java-archive");
+    }
+
+    #[test]
+    fn test_content_type_xml() {
+        let (_, headers, _) =
+            with_content_type("com/example/maven-metadata.xml", Bytes::from("data"));
+        assert_eq!(headers[0].1, "application/xml");
+    }
+
+    #[test]
+    fn test_content_type_sha1() {
+        let (_, headers, _) =
+            with_content_type("com/example/1.0/example-1.0.jar.sha1", Bytes::from("data"));
+        assert_eq!(headers[0].1, "text/plain");
+    }
+
+    #[test]
+    fn test_content_type_md5() {
+        let (_, headers, _) =
+            with_content_type("com/example/1.0/example-1.0.jar.md5", Bytes::from("data"));
+        assert_eq!(headers[0].1, "text/plain");
+    }
+
+    #[test]
+    fn test_content_type_unknown() {
+        let (_, headers, _) = with_content_type("some/random/file.bin", Bytes::from("data"));
+        assert_eq!(headers[0].1, "application/octet-stream");
+    }
+
+    #[test]
+    fn test_content_type_preserves_body() {
+        let body = Bytes::from("test-jar-content");
+        let (_, _, data) = with_content_type("test.jar", body.clone());
+        assert_eq!(data, body);
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod integration_tests {
+    use crate::test_helpers::{body_bytes, create_test_context, send};
+    use axum::body::Body;
+    use axum::http::{header, Method, StatusCode};
+
+    #[tokio::test]
+    async fn test_maven_put_get_roundtrip() {
+        let ctx = create_test_context();
+        let jar_data = b"fake-jar-content";
+
+        let put = send(
+            &ctx.app,
+            Method::PUT,
+            "/maven2/com/example/mylib/1.0/mylib-1.0.jar",
+            Body::from(&jar_data[..]),
+        )
+        .await;
+        assert_eq!(put.status(), StatusCode::CREATED);
+
+        let get = send(
+            &ctx.app,
+            Method::GET,
+            "/maven2/com/example/mylib/1.0/mylib-1.0.jar",
+            "",
+        )
+        .await;
+        assert_eq!(get.status(), StatusCode::OK);
+        let body = body_bytes(get).await;
+        assert_eq!(&body[..], jar_data);
+    }
+
+    #[tokio::test]
+    async fn test_maven_not_found_no_proxy() {
+        let ctx = create_test_context();
+        let resp = send(
+            &ctx.app,
+            Method::GET,
+            "/maven2/missing/artifact/1.0/artifact-1.0.jar",
+            "",
+        )
+        .await;
+        assert_eq!(resp.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[tokio::test]
+    async fn test_maven_content_type_pom() {
+        let ctx = create_test_context();
+        send(
+            &ctx.app,
+            Method::PUT,
+            "/maven2/com/ex/1.0/ex-1.0.pom",
+            Body::from("<project/>"),
+        )
+        .await;
+
+        let get = send(&ctx.app, Method::GET, "/maven2/com/ex/1.0/ex-1.0.pom", "").await;
+        assert_eq!(get.status(), StatusCode::OK);
+        assert_eq!(
+            get.headers().get(header::CONTENT_TYPE).unwrap(),
+            "application/xml"
+        );
+    }
+
+    #[tokio::test]
+    async fn test_maven_content_type_jar() {
+        let ctx = create_test_context();
+        send(
+            &ctx.app,
+            Method::PUT,
+            "/maven2/org/test/app/2.0/app-2.0.jar",
+            Body::from("jar-data"),
+        )
+        .await;
+
+        let get = send(
+            &ctx.app,
+            Method::GET,
+            "/maven2/org/test/app/2.0/app-2.0.jar",
+            "",
+        )
+        .await;
+        assert_eq!(get.status(), StatusCode::OK);
+        assert_eq!(
+            get.headers().get(header::CONTENT_TYPE).unwrap(),
+            "application/java-archive"
+        );
+    }
+}

nora-registry/src/registry/mod.rs

@@ -1,11 +1,120 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 mod cargo_registry;
-mod docker;
+pub mod docker;
+pub mod docker_auth;
+mod go;
 mod maven;
 mod npm;
 mod pypi;
+mod raw;
 
 pub use cargo_registry::routes as cargo_routes;
 pub use docker::routes as docker_routes;
+pub use docker_auth::DockerAuth;
+pub use go::routes as go_routes;
 pub use maven::routes as maven_routes;
 pub use npm::routes as npm_routes;
 pub use pypi::routes as pypi_routes;
+pub use raw::routes as raw_routes;
+
+use crate::config::basic_auth_header;
+use std::time::Duration;
+
+#[derive(Debug)]
+#[allow(dead_code)]
+pub(crate) enum ProxyError {
+    NotFound,
+    Upstream(u16),
+    Network(String),
+}
+
+/// Core fetch logic with retry. Callers provide a response extractor.
+async fn proxy_fetch_core<T, F, Fut>(
+    client: &reqwest::Client,
+    url: &str,
+    timeout_secs: u64,
+    auth: Option<&str>,
+    extra_headers: Option<(&str, &str)>,
+    extract: F,
+) -> Result<T, ProxyError>
+where
+    F: Fn(reqwest::Response) -> Fut + Copy,
+    Fut: std::future::Future<Output = Result<T, reqwest::Error>>,
+{
+    for attempt in 0..2 {
+        let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+        if let Some(credentials) = auth {
+            request = request.header("Authorization", basic_auth_header(credentials));
+        }
+        if let Some((key, val)) = extra_headers {
+            request = request.header(key, val);
+        }
+
+        match request.send().await {
+            Ok(response) => {
+                if response.status().is_success() {
+                    return extract(response)
+                        .await
+                        .map_err(|e| ProxyError::Network(e.to_string()));
+                }
+                let status = response.status().as_u16();
+                if (400..500).contains(&status) {
+                    return Err(ProxyError::NotFound);
+                }
+                if attempt == 0 {
+                    tracing::debug!(url, status, "upstream 5xx, retrying in 1s");
+                    tokio::time::sleep(Duration::from_secs(1)).await;
+                    continue;
+                }
+                return Err(ProxyError::Upstream(status));
+            }
+            Err(e) => {
+                if attempt == 0 {
+                    tracing::debug!(url, error = %e, "upstream error, retrying in 1s");
+                    tokio::time::sleep(Duration::from_secs(1)).await;
+                    continue;
+                }
+                return Err(ProxyError::Network(e.to_string()));
+            }
+        }
+    }
+    Err(ProxyError::Network("max retries exceeded".into()))
+}
+
+/// Fetch binary content from upstream proxy with timeout and 1 retry.
+pub(crate) async fn proxy_fetch(
+    client: &reqwest::Client,
+    url: &str,
+    timeout_secs: u64,
+    auth: Option<&str>,
+) -> Result<Vec<u8>, ProxyError> {
+    proxy_fetch_core(client, url, timeout_secs, auth, None, |r| async {
+        r.bytes().await.map(|b| b.to_vec())
+    })
+    .await
+}
+
+/// Fetch text content from upstream proxy with timeout and 1 retry.
+pub(crate) async fn proxy_fetch_text(
+    client: &reqwest::Client,
+    url: &str,
+    timeout_secs: u64,
+    auth: Option<&str>,
+    extra_headers: Option<(&str, &str)>,
+) -> Result<String, ProxyError> {
+    proxy_fetch_core(client, url, timeout_secs, auth, extra_headers, |r| r.text()).await
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[tokio::test]
+    async fn test_proxy_fetch_invalid_url() {
+        let client = reqwest::Client::new();
+        let result = proxy_fetch(&client, "http://127.0.0.1:1/nonexistent", 2, None).await;
+        assert!(matches!(result, Err(ProxyError::Network(_))));
+    }
+}

nora-registry/src/registry/npm.rs

@@ -1,25 +1,72 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
+use crate::registry::proxy_fetch;
 use crate::AppState;
 use axum::{
     body::Bytes,
     extract::{Path, State},
     http::{header, StatusCode},
     response::{IntoResponse, Response},
-    routing::get,
+    routing::{get, put},
     Router,
 };
+use base64::Engine;
+use sha2::Digest;
 use std::sync::Arc;
-use std::time::Duration;
 
 pub fn routes() -> Router<Arc<AppState>> {
-    Router::new().route("/npm/{*path}", get(handle_request))
+    Router::new()
+        .route("/npm/{*path}", get(handle_request))
+        .route("/npm/{*path}", put(handle_publish))
+}
+
+/// Build NORA base URL from config (for URL rewriting)
+fn nora_base_url(state: &AppState) -> String {
+    state.config.server.public_url.clone().unwrap_or_else(|| {
+        format!(
+            "http://{}:{}",
+            state.config.server.host, state.config.server.port
+        )
+    })
+}
+
+/// Rewrite tarball URLs in npm metadata to point to NORA.
+///
+/// Replaces upstream registry URLs (e.g. `https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz`)
+/// with NORA URLs (e.g. `http://nora:5000/npm/lodash/-/lodash-4.17.21.tgz`).
+fn rewrite_tarball_urls(data: &[u8], nora_base: &str, upstream_url: &str) -> Result<Vec<u8>, ()> {
+    let mut json: serde_json::Value = serde_json::from_slice(data).map_err(|_| ())?;
+
+    let upstream_trimmed = upstream_url.trim_end_matches('/');
+    let nora_npm_base = format!("{}/npm", nora_base.trim_end_matches('/'));
+
+    if let Some(versions) = json.get_mut("versions").and_then(|v| v.as_object_mut()) {
+        for (_ver, version_data) in versions.iter_mut() {
+            if let Some(tarball_url) = version_data
+                .get("dist")
+                .and_then(|d| d.get("tarball"))
+                .and_then(|t| t.as_str())
+                .map(|s| s.to_string())
+            {
+                let rewritten = tarball_url.replace(upstream_trimmed, &nora_npm_base);
+                if let Some(dist) = version_data.get_mut("dist") {
+                    dist["tarball"] = serde_json::Value::String(rewritten);
+                }
+            }
+        }
+    }
+
+    serde_json::to_vec(&json).map_err(|_| ())
 }
 
 async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
-    // Determine if this is a tarball request or metadata request
     let is_tarball = path.contains("/-/");
 
     let key = if is_tarball {
-        let parts: Vec<&str> = path.split("/-/").collect();
+        let parts: Vec<&str> = path.splitn(2, "/-/").collect();
         if parts.len() == 2 {
             format!("npm/{}/tarballs/{}", parts[0], parts[1])
         } else {
@@ -29,52 +76,348 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
         format!("npm/{}/metadata.json", path)
     };
 
-    // Try local storage first
+    let package_name = if is_tarball {
+        path.split("/-/").next().unwrap_or(&path).to_string()
+    } else {
+        path.clone()
+    };
+
+    // --- Cache hit path ---
     if let Ok(data) = state.storage.get(&key).await {
-        return with_content_type(is_tarball, data).into_response();
+        // Metadata TTL: if stale, try to refetch from upstream
+        if !is_tarball {
+            let ttl = state.config.npm.metadata_ttl;
+            if ttl > 0 {
+                if let Some(meta) = state.storage.stat(&key).await {
+                    let now = std::time::SystemTime::now()
+                        .duration_since(std::time::UNIX_EPOCH)
+                        .map(|d| d.as_secs())
+                        .unwrap_or(0);
+                    if now.saturating_sub(meta.modified) > ttl {
+                        if let Some(fresh) = refetch_metadata(&state, &path, &key).await {
+                            return with_content_type(false, fresh.into()).into_response();
+                        }
+                        // Upstream failed — serve stale cache
+                    }
+                }
+            }
+            return with_content_type(false, data).into_response();
+        }
+
+        // Tarball: integrity check if hash exists
+        let hash_key = format!("{}.sha256", key);
+        if let Ok(stored_hash) = state.storage.get(&hash_key).await {
+            let computed = hex::encode(sha2::Sha256::digest(&data));
+            let expected = String::from_utf8_lossy(&stored_hash);
+            if computed != expected.as_ref() {
+                tracing::error!(
+                    key = %key,
+                    expected = %expected,
+                    computed = %computed,
+                    "SECURITY: npm tarball integrity check FAILED — possible tampering"
+                );
+                return (StatusCode::INTERNAL_SERVER_ERROR, "Integrity check failed")
+                    .into_response();
+            }
+        }
+
+        state.metrics.record_download("npm");
+        state.metrics.record_cache_hit();
+        state.activity.push(ActivityEntry::new(
+            ActionType::CacheHit,
+            package_name,
+            "npm",
+            "CACHE",
+        ));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "npm", ""));
+        return with_content_type(true, data).into_response();
     }
 
-    // Try proxy if configured
+    // --- Proxy fetch path ---
     if let Some(proxy_url) = &state.config.npm.proxy {
-        let url = if is_tarball {
-            // Tarball URL: https://registry.npmjs.org/package/-/package-version.tgz
-            format!("{}/{}", proxy_url.trim_end_matches('/'), path)
-        } else {
-            // Metadata URL: https://registry.npmjs.org/package
-            format!("{}/{}", proxy_url.trim_end_matches('/'), path)
-        };
+        let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
 
-        if let Ok(data) = fetch_from_proxy(&url, state.config.npm.proxy_timeout).await {
-            // Cache in local storage (fire and forget)
+        if let Ok(data) = proxy_fetch(
+            &state.http_client,
+            &url,
+            state.config.npm.proxy_timeout,
+            state.config.npm.proxy_auth.as_deref(),
+        )
+        .await
+        {
+            let data_to_cache;
+            let data_to_serve;
+
+            if is_tarball {
+                // Compute and store sha256
+                let hash = hex::encode(sha2::Sha256::digest(&data));
+                let hash_key = format!("{}.sha256", key);
+                let storage = state.storage.clone();
+                tokio::spawn(async move {
+                    let _ = storage.put(&hash_key, hash.as_bytes()).await;
+                });
+
+                state.metrics.record_download("npm");
+                state.metrics.record_cache_miss();
+                state.activity.push(ActivityEntry::new(
+                    ActionType::ProxyFetch,
+                    package_name,
+                    "npm",
+                    "PROXY",
+                ));
+                state
+                    .audit
+                    .log(AuditEntry::new("proxy_fetch", "api", "", "npm", ""));
+
+                data_to_cache = data.clone();
+                data_to_serve = data;
+            } else {
+                // Metadata: rewrite tarball URLs to point to NORA
+                let nora_base = nora_base_url(&state);
+                let rewritten = rewrite_tarball_urls(&data, &nora_base, proxy_url).unwrap_or(data);
+
+                data_to_cache = rewritten.clone();
+                data_to_serve = rewritten;
+            }
+
+            // Cache in background
             let storage = state.storage.clone();
             let key_clone = key.clone();
-            let data_clone = data.clone();
             tokio::spawn(async move {
-                let _ = storage.put(&key_clone, &data_clone).await;
+                let _ = storage.put(&key_clone, &data_to_cache).await;
             });
 
-            return with_content_type(is_tarball, data.into()).into_response();
+            if is_tarball {
+                state.repo_index.invalidate("npm");
+            }
+
+            return with_content_type(is_tarball, data_to_serve.into()).into_response();
         }
     }
 
     StatusCode::NOT_FOUND.into_response()
 }
 
-async fn fetch_from_proxy(url: &str, timeout_secs: u64) -> Result<Vec<u8>, ()> {
-    let client = reqwest::Client::builder()
-        .timeout(Duration::from_secs(timeout_secs))
-        .build()
-        .map_err(|_| ())?;
+/// Refetch metadata from upstream, rewrite URLs, update cache.
+/// Returns None if upstream is unavailable (caller serves stale cache).
+async fn refetch_metadata(state: &Arc<AppState>, path: &str, key: &str) -> Option<Vec<u8>> {
+    let proxy_url = state.config.npm.proxy.as_ref()?;
+    let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
 
-    let response = client.get(url).send().await.map_err(|_| ())?;
+    let data = proxy_fetch(
+        &state.http_client,
+        &url,
+        state.config.npm.proxy_timeout,
+        state.config.npm.proxy_auth.as_deref(),
+    )
+    .await
+    .ok()?;
 
-    if !response.status().is_success() {
-        return Err(());
+    let nora_base = nora_base_url(state);
+    let rewritten = rewrite_tarball_urls(&data, &nora_base, proxy_url).unwrap_or(data);
+
+    let storage = state.storage.clone();
+    let key_clone = key.to_string();
+    let cache_data = rewritten.clone();
+    tokio::spawn(async move {
+        let _ = storage.put(&key_clone, &cache_data).await;
+    });
+
+    Some(rewritten)
+}
+
+// ============================================================================
+// npm publish
+// ============================================================================
+
+/// Validate attachment filename: only safe characters, no path traversal.
+fn is_valid_attachment_name(name: &str) -> bool {
+    !name.is_empty()
+        && !name.contains("..")
+        && !name.contains('/')
+        && !name.contains('\\')
+        && !name.contains('\0')
+        && name
+            .chars()
+            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_' | '@'))
+}
+
+async fn handle_publish(
+    State(state): State<Arc<AppState>>,
+    Path(path): Path<String>,
+    body: Bytes,
+) -> Response {
+    let package_name = path;
+
+    let payload: serde_json::Value = match serde_json::from_slice(&body) {
+        Ok(v) => v,
+        Err(e) => return (StatusCode::BAD_REQUEST, format!("Invalid JSON: {}", e)).into_response(),
+    };
+
+    // Security: verify payload name matches URL path
+    if let Some(payload_name) = payload.get("name").and_then(|n| n.as_str()) {
+        if payload_name != package_name {
+            tracing::warn!(
+                url_name = %package_name,
+                payload_name = %payload_name,
+                "SECURITY: npm publish name mismatch — possible spoofing attempt"
+            );
+            return (
+                StatusCode::BAD_REQUEST,
+                "Package name in URL does not match payload",
+            )
+                .into_response();
+        }
     }
 
-    response.bytes().await.map(|b| b.to_vec()).map_err(|_| ())
+    let attachments = match payload.get("_attachments").and_then(|a| a.as_object()) {
+        Some(a) => a,
+        None => return (StatusCode::BAD_REQUEST, "Missing _attachments").into_response(),
+    };
+
+    let new_versions = match payload.get("versions").and_then(|v| v.as_object()) {
+        Some(v) => v,
+        None => return (StatusCode::BAD_REQUEST, "Missing versions").into_response(),
+    };
+
+    // Load or create metadata
+    let metadata_key = format!("npm/{}/metadata.json", package_name);
+    let mut metadata = if let Ok(existing) = state.storage.get(&metadata_key).await {
+        serde_json::from_slice::<serde_json::Value>(&existing)
+            .unwrap_or_else(|_| serde_json::json!({}))
+    } else {
+        serde_json::json!({})
+    };
+
+    // Version immutability
+    if let Some(existing_versions) = metadata.get("versions").and_then(|v| v.as_object()) {
+        for ver in new_versions.keys() {
+            if existing_versions.contains_key(ver) {
+                return (
+                    StatusCode::CONFLICT,
+                    format!("Version {} already exists", ver),
+                )
+                    .into_response();
+            }
+        }
+    }
+
+    // Store tarballs
+    for (filename, attachment_data) in attachments {
+        if !is_valid_attachment_name(filename) {
+            tracing::warn!(
+                filename = %filename,
+                package = %package_name,
+                "SECURITY: npm publish rejected — invalid attachment filename"
+            );
+            return (StatusCode::BAD_REQUEST, "Invalid attachment filename").into_response();
+        }
+
+        let base64_data = match attachment_data.get("data").and_then(|d| d.as_str()) {
+            Some(d) => d,
+            None => continue,
+        };
+
+        let tarball_bytes = match base64::engine::general_purpose::STANDARD.decode(base64_data) {
+            Ok(b) => b,
+            Err(_) => {
+                return (StatusCode::BAD_REQUEST, "Invalid base64 in attachment").into_response()
+            }
+        };
+
+        let tarball_key = format!("npm/{}/tarballs/{}", package_name, filename);
+        if state
+            .storage
+            .put(&tarball_key, &tarball_bytes)
+            .await
+            .is_err()
+        {
+            return StatusCode::INTERNAL_SERVER_ERROR.into_response();
+        }
+
+        // Store sha256
+        let hash = hex::encode(sha2::Sha256::digest(&tarball_bytes));
+        let hash_key = format!("{}.sha256", tarball_key);
+        let _ = state.storage.put(&hash_key, hash.as_bytes()).await;
+    }
+
+    // Merge versions
+    let Some(meta_obj) = metadata.as_object_mut() else {
+        return (StatusCode::INTERNAL_SERVER_ERROR, "invalid metadata format").into_response();
+    };
+    let stored_versions = meta_obj.entry("versions").or_insert(serde_json::json!({}));
+    if let Some(sv) = stored_versions.as_object_mut() {
+        for (ver, ver_data) in new_versions {
+            sv.insert(ver.clone(), ver_data.clone());
+        }
+    }
+
+    // Copy standard fields
+    for field in &["name", "_id", "description", "readme", "license"] {
+        if let Some(val) = payload.get(*field) {
+            meta_obj.insert(field.to_string(), val.clone());
+        }
+    }
+
+    // Merge dist-tags
+    if let Some(new_dist_tags) = payload.get("dist-tags").and_then(|d| d.as_object()) {
+        let stored_dist_tags = meta_obj.entry("dist-tags").or_insert(serde_json::json!({}));
+        if let Some(sdt) = stored_dist_tags.as_object_mut() {
+            for (tag, ver) in new_dist_tags {
+                sdt.insert(tag.clone(), ver.clone());
+            }
+        }
+    }
+
+    // Rewrite tarball URLs for published packages
+    let nora_base = nora_base_url(&state);
+    if let Some(versions) = metadata.get_mut("versions").and_then(|v| v.as_object_mut()) {
+        for (ver, ver_data) in versions.iter_mut() {
+            if let Some(dist) = ver_data.get_mut("dist") {
+                let short_name = package_name.split('/').next_back().unwrap_or(&package_name);
+                let tarball_url = format!(
+                    "{}/npm/{}/-/{}-{}.tgz",
+                    nora_base.trim_end_matches('/'),
+                    package_name,
+                    short_name,
+                    ver
+                );
+                dist["tarball"] = serde_json::Value::String(tarball_url);
+            }
+        }
+    }
+
+    // Store metadata
+    match serde_json::to_vec(&metadata) {
+        Ok(bytes) => {
+            if state.storage.put(&metadata_key, &bytes).await.is_err() {
+                return StatusCode::INTERNAL_SERVER_ERROR.into_response();
+            }
+        }
+        Err(_) => return StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+
+    state.metrics.record_upload("npm");
+    state.activity.push(ActivityEntry::new(
+        ActionType::Push,
+        package_name,
+        "npm",
+        "LOCAL",
+    ));
+    state
+        .audit
+        .log(AuditEntry::new("push", "api", "", "npm", ""));
+    state.repo_index.invalidate("npm");
+
+    StatusCode::CREATED.into_response()
 }
 
+// ============================================================================
+// Helpers
+// ============================================================================
+
 fn with_content_type(
     is_tarball: bool,
     data: Bytes,
@@ -87,3 +430,355 @@ fn with_content_type(
 
     (StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data)
 }
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_rewrite_tarball_urls_regular_package() {
+        let metadata = serde_json::json!({
+            "name": "lodash",
+            "versions": {
+                "4.17.21": {
+                    "dist": {
+                        "tarball": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+                        "shasum": "abc123"
+                    }
+                }
+            }
+        });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result =
+            rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+
+        assert_eq!(
+            json["versions"]["4.17.21"]["dist"]["tarball"],
+            "http://nora:5000/npm/lodash/-/lodash-4.17.21.tgz"
+        );
+        assert_eq!(json["versions"]["4.17.21"]["dist"]["shasum"], "abc123");
+    }
+
+    #[test]
+    fn test_rewrite_tarball_urls_scoped_package() {
+        let metadata = serde_json::json!({
+            "name": "@babel/core",
+            "versions": {
+                "7.26.0": {
+                    "dist": {
+                        "tarball": "https://registry.npmjs.org/@babel/core/-/core-7.26.0.tgz",
+                        "integrity": "sha512-test"
+                    }
+                }
+            }
+        });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result =
+            rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+
+        assert_eq!(
+            json["versions"]["7.26.0"]["dist"]["tarball"],
+            "http://nora:5000/npm/@babel/core/-/core-7.26.0.tgz"
+        );
+    }
+
+    #[test]
+    fn test_rewrite_tarball_urls_multiple_versions() {
+        let metadata = serde_json::json!({
+            "name": "express",
+            "versions": {
+                "4.18.2": { "dist": { "tarball": "https://registry.npmjs.org/express/-/express-4.18.2.tgz" } },
+                "4.19.0": { "dist": { "tarball": "https://registry.npmjs.org/express/-/express-4.19.0.tgz" } }
+            }
+        });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result = rewrite_tarball_urls(
+            &data,
+            "https://demo.getnora.io",
+            "https://registry.npmjs.org",
+        )
+        .unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+
+        assert_eq!(
+            json["versions"]["4.18.2"]["dist"]["tarball"],
+            "https://demo.getnora.io/npm/express/-/express-4.18.2.tgz"
+        );
+        assert_eq!(
+            json["versions"]["4.19.0"]["dist"]["tarball"],
+            "https://demo.getnora.io/npm/express/-/express-4.19.0.tgz"
+        );
+    }
+
+    #[test]
+    fn test_rewrite_tarball_urls_no_versions() {
+        let metadata = serde_json::json!({ "name": "empty-pkg" });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result =
+            rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+        assert_eq!(json["name"], "empty-pkg");
+    }
+
+    #[test]
+    fn test_rewrite_invalid_json() {
+        assert!(rewrite_tarball_urls(
+            b"not json",
+            "http://nora:5000",
+            "https://registry.npmjs.org"
+        )
+        .is_err());
+    }
+
+    #[test]
+    fn test_valid_attachment_names() {
+        assert!(is_valid_attachment_name("lodash-4.17.21.tgz"));
+        assert!(is_valid_attachment_name("core-7.26.0.tgz"));
+        assert!(is_valid_attachment_name("my_package-1.0.0.tgz"));
+        assert!(is_valid_attachment_name("@scope-pkg-1.0.0.tgz"));
+    }
+
+    #[test]
+    fn test_path_traversal_attachment_names() {
+        assert!(!is_valid_attachment_name("../../etc/passwd"));
+        assert!(!is_valid_attachment_name(
+            "../docker/nginx/manifests/latest.json"
+        ));
+        assert!(!is_valid_attachment_name("foo/bar.tgz"));
+        assert!(!is_valid_attachment_name("foo\\bar.tgz"));
+    }
+
+    #[test]
+    fn test_empty_and_null_attachment_names() {
+        assert!(!is_valid_attachment_name(""));
+        assert!(!is_valid_attachment_name("foo\0bar.tgz"));
+    }
+
+    #[test]
+    fn test_with_content_type_tarball() {
+        let data = Bytes::from("tarball-data");
+        let (status, headers, body) = with_content_type(true, data.clone());
+        assert_eq!(status, StatusCode::OK);
+        assert_eq!(headers[0].1, "application/octet-stream");
+        assert_eq!(body, data);
+    }
+
+    #[test]
+    fn test_with_content_type_json() {
+        let data = Bytes::from("json-data");
+        let (status, headers, body) = with_content_type(false, data.clone());
+        assert_eq!(status, StatusCode::OK);
+        assert_eq!(headers[0].1, "application/json");
+        assert_eq!(body, data);
+    }
+
+    #[test]
+    fn test_rewrite_tarball_urls_trailing_slash() {
+        let metadata = serde_json::json!({
+            "name": "test",
+            "versions": {
+                "1.0.0": {
+                    "dist": {
+                        "tarball": "https://registry.npmjs.org/test/-/test-1.0.0.tgz"
+                    }
+                }
+            }
+        });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result =
+            rewrite_tarball_urls(&data, "http://nora:5000/", "https://registry.npmjs.org/")
+                .unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+        let tarball = json["versions"]["1.0.0"]["dist"]["tarball"]
+            .as_str()
+            .unwrap();
+        assert!(tarball.starts_with("http://nora:5000/npm/"));
+    }
+
+    #[test]
+    fn test_rewrite_tarball_urls_preserves_other_fields() {
+        let metadata = serde_json::json!({
+            "name": "test",
+            "description": "A test package",
+            "versions": {
+                "1.0.0": {
+                    "dist": {
+                        "tarball": "https://registry.npmjs.org/test/-/test-1.0.0.tgz",
+                        "shasum": "abc123"
+                    },
+                    "dependencies": {"lodash": "^4.0.0"}
+                }
+            }
+        });
+        let data = serde_json::to_vec(&metadata).unwrap();
+        let result =
+            rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
+        let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
+        assert_eq!(json["description"], "A test package");
+        assert_eq!(json["versions"]["1.0.0"]["dist"]["shasum"], "abc123");
+    }
+
+    #[test]
+    fn test_is_valid_attachment_name_valid() {
+        assert!(is_valid_attachment_name("package-1.0.0.tgz"));
+        assert!(is_valid_attachment_name("@scope-pkg-2.0.tgz"));
+        assert!(is_valid_attachment_name("my_pkg.tgz"));
+    }
+
+    #[test]
+    fn test_is_valid_attachment_name_traversal() {
+        assert!(!is_valid_attachment_name("../etc/passwd"));
+        assert!(!is_valid_attachment_name("foo/../bar"));
+    }
+
+    #[test]
+    fn test_is_valid_attachment_name_slash() {
+        assert!(!is_valid_attachment_name("path/file.tgz"));
+        assert!(!is_valid_attachment_name("path\\file.tgz"));
+    }
+
+    #[test]
+    fn test_is_valid_attachment_name_null_byte() {
+        assert!(!is_valid_attachment_name("file\0.tgz"));
+    }
+
+    #[test]
+    fn test_is_valid_attachment_name_empty() {
+        assert!(!is_valid_attachment_name(""));
+    }
+
+    #[test]
+    fn test_is_valid_attachment_name_special_chars() {
+        assert!(!is_valid_attachment_name("file name.tgz")); // space
+        assert!(!is_valid_attachment_name("file;cmd.tgz")); // semicolon
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod integration_tests {
+    use crate::test_helpers::{body_bytes, create_test_context, send};
+    use axum::body::Body;
+    use axum::http::{Method, StatusCode};
+    use base64::Engine;
+
+    #[tokio::test]
+    async fn test_npm_metadata_from_cache() {
+        let ctx = create_test_context();
+
+        let metadata = serde_json::json!({
+            "name": "lodash",
+            "versions": {
+                "4.17.21": { "dist": { "tarball": "http://example.com/lodash.tgz" } }
+            }
+        });
+        let metadata_bytes = serde_json::to_vec(&metadata).unwrap();
+
+        ctx.state
+            .storage
+            .put("npm/lodash/metadata.json", &metadata_bytes)
+            .await
+            .unwrap();
+
+        let response = send(&ctx.app, Method::GET, "/npm/lodash", "").await;
+
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = body_bytes(response).await;
+        let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
+        assert_eq!(json["name"], "lodash");
+    }
+
+    #[tokio::test]
+    async fn test_npm_tarball_from_cache() {
+        let ctx = create_test_context();
+
+        let tarball_data = b"fake-tarball-bytes";
+        ctx.state
+            .storage
+            .put("npm/lodash/tarballs/lodash-4.17.21.tgz", tarball_data)
+            .await
+            .unwrap();
+
+        let response = send(
+            &ctx.app,
+            Method::GET,
+            "/npm/lodash/-/lodash-4.17.21.tgz",
+            "",
+        )
+        .await;
+
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = body_bytes(response).await;
+        assert_eq!(&body[..], tarball_data);
+    }
+
+    #[tokio::test]
+    async fn test_npm_not_found_no_proxy() {
+        let ctx = create_test_context();
+
+        // No proxy configured, no local data
+        let response = send(&ctx.app, Method::GET, "/npm/nonexistent", "").await;
+
+        assert_eq!(response.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[tokio::test]
+    async fn test_npm_publish_basic() {
+        let ctx = create_test_context();
+
+        let tarball_data = b"fake-tarball";
+        let base64_data = base64::engine::general_purpose::STANDARD.encode(tarball_data);
+
+        let payload = serde_json::json!({
+            "name": "mypkg",
+            "versions": {
+                "1.0.0": { "dist": {} }
+            },
+            "_attachments": {
+                "mypkg-1.0.0.tgz": { "data": base64_data }
+            },
+            "dist-tags": { "latest": "1.0.0" }
+        });
+
+        let body_bytes = serde_json::to_vec(&payload).unwrap();
+        let response = send(&ctx.app, Method::PUT, "/npm/mypkg", Body::from(body_bytes)).await;
+
+        assert_eq!(response.status(), StatusCode::CREATED);
+
+        // Verify tarball was stored
+        let stored_tarball = ctx
+            .state
+            .storage
+            .get("npm/mypkg/tarballs/mypkg-1.0.0.tgz")
+            .await
+            .unwrap();
+        assert_eq!(&stored_tarball[..], tarball_data);
+    }
+
+    #[tokio::test]
+    async fn test_npm_publish_name_mismatch() {
+        let ctx = create_test_context();
+
+        let tarball_data = b"fake-tarball";
+        let base64_data = base64::engine::general_purpose::STANDARD.encode(tarball_data);
+
+        let payload = serde_json::json!({
+            "name": "other",
+            "versions": {
+                "1.0.0": { "dist": {} }
+            },
+            "_attachments": {
+                "other-1.0.0.tgz": { "data": base64_data }
+            },
+            "dist-tags": { "latest": "1.0.0" }
+        });
+
+        let body_bytes = serde_json::to_vec(&payload).unwrap();
+        let response = send(&ctx.app, Method::PUT, "/npm/mypkg", Body::from(body_bytes)).await;
+
+        assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    }
+}

nora-registry/src/registry/pypi.rs

@@ -1,35 +1,615 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
+use crate::registry::{proxy_fetch, proxy_fetch_text};
 use crate::AppState;
 use axum::{
-    extract::State,
-    http::StatusCode,
-    response::{Html, IntoResponse},
+    extract::{Path, State},
+    http::{header, StatusCode},
+    response::{Html, IntoResponse, Response},
     routing::get,
     Router,
 };
 use std::sync::Arc;
 
 pub fn routes() -> Router<Arc<AppState>> {
-    Router::new().route("/simple/", get(list_packages))
+    Router::new()
+        .route("/simple/", get(list_packages))
+        .route("/simple/{name}/", get(package_versions))
+        .route("/simple/{name}/{filename}", get(download_file))
 }
 
+/// List all packages (Simple API index)
 async fn list_packages(State(state): State<Arc<AppState>>) -> impl IntoResponse {
     let keys = state.storage.list("pypi/").await;
     let mut packages = std::collections::HashSet::new();
 
     for key in keys {
         if let Some(pkg) = key.strip_prefix("pypi/").and_then(|k| k.split('/').next()) {
-            packages.insert(pkg.to_string());
+            if !pkg.is_empty() {
+                packages.insert(pkg.to_string());
+            }
         }
     }
 
-    let mut html = String::from("<html><body><h1>Simple Index</h1>");
+    let mut html = String::from(
+        "<!DOCTYPE html>\n<html><head><title>Simple Index</title></head><body><h1>Simple Index</h1>\n",
+    );
     let mut pkg_list: Vec<_> = packages.into_iter().collect();
     pkg_list.sort();
 
     for pkg in pkg_list {
-        html.push_str(&format!("<a href=\"/simple/{}/\">{}</a><br>", pkg, pkg));
+        html.push_str(&format!("<a href=\"/simple/{}/\">{}</a><br>\n", pkg, pkg));
     }
     html.push_str("</body></html>");
 
     (StatusCode::OK, Html(html))
 }
+
+/// List versions/files for a specific package
+async fn package_versions(
+    State(state): State<Arc<AppState>>,
+    Path(name): Path<String>,
+) -> Response {
+    // Normalize package name (PEP 503)
+    let normalized = normalize_name(&name);
+
+    // Try to get local files first
+    let prefix = format!("pypi/{}/", normalized);
+    let keys = state.storage.list(&prefix).await;
+
+    if !keys.is_empty() {
+        // We have local files
+        let mut html = format!(
+            "<!DOCTYPE html>\n<html><head><title>Links for {}</title></head><body><h1>Links for {}</h1>\n",
+            name, name
+        );
+
+        for key in &keys {
+            if let Some(filename) = key.strip_prefix(&prefix) {
+                if !filename.is_empty() {
+                    html.push_str(&format!(
+                        "<a href=\"/simple/{}/{}\">{}</a><br>\n",
+                        normalized, filename, filename
+                    ));
+                }
+            }
+        }
+        html.push_str("</body></html>");
+
+        return (StatusCode::OK, Html(html)).into_response();
+    }
+
+    // Try proxy if configured
+    if let Some(proxy_url) = &state.config.pypi.proxy {
+        let url = format!("{}/{}/", proxy_url.trim_end_matches('/'), normalized);
+
+        if let Ok(html) = proxy_fetch_text(
+            &state.http_client,
+            &url,
+            state.config.pypi.proxy_timeout,
+            state.config.pypi.proxy_auth.as_deref(),
+            Some(("Accept", "text/html")),
+        )
+        .await
+        {
+            // Rewrite URLs in the HTML to point to our registry
+            let rewritten = rewrite_pypi_links(&html, &normalized);
+            return (StatusCode::OK, Html(rewritten)).into_response();
+        }
+    }
+
+    StatusCode::NOT_FOUND.into_response()
+}
+
+/// Download a specific file
+async fn download_file(
+    State(state): State<Arc<AppState>>,
+    Path((name, filename)): Path<(String, String)>,
+) -> Response {
+    let normalized = normalize_name(&name);
+    let key = format!("pypi/{}/{}", normalized, filename);
+
+    // Try local storage first
+    if let Ok(data) = state.storage.get(&key).await {
+        state.metrics.record_download("pypi");
+        state.metrics.record_cache_hit();
+        state.activity.push(ActivityEntry::new(
+            ActionType::CacheHit,
+            format!("{}/{}", name, filename),
+            "pypi",
+            "CACHE",
+        ));
+        state
+            .audit
+            .log(AuditEntry::new("cache_hit", "api", "", "pypi", ""));
+
+        let content_type = if filename.ends_with(".whl") {
+            "application/zip"
+        } else if filename.ends_with(".tar.gz") || filename.ends_with(".tgz") {
+            "application/gzip"
+        } else {
+            "application/octet-stream"
+        };
+
+        return (StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data).into_response();
+    }
+
+    // Try proxy if configured
+    if let Some(proxy_url) = &state.config.pypi.proxy {
+        // First, fetch the package page to find the actual download URL
+        let page_url = format!("{}/{}/", proxy_url.trim_end_matches('/'), normalized);
+
+        if let Ok(html) = proxy_fetch_text(
+            &state.http_client,
+            &page_url,
+            state.config.pypi.proxy_timeout,
+            state.config.pypi.proxy_auth.as_deref(),
+            Some(("Accept", "text/html")),
+        )
+        .await
+        {
+            // Find the URL for this specific file
+            if let Some(file_url) = find_file_url(&html, &filename) {
+                if let Ok(data) = proxy_fetch(
+                    &state.http_client,
+                    &file_url,
+                    state.config.pypi.proxy_timeout,
+                    state.config.pypi.proxy_auth.as_deref(),
+                )
+                .await
+                {
+                    state.metrics.record_download("pypi");
+                    state.metrics.record_cache_miss();
+                    state.activity.push(ActivityEntry::new(
+                        ActionType::ProxyFetch,
+                        format!("{}/{}", name, filename),
+                        "pypi",
+                        "PROXY",
+                    ));
+                    state
+                        .audit
+                        .log(AuditEntry::new("proxy_fetch", "api", "", "pypi", ""));
+
+                    // Cache in local storage
+                    let storage = state.storage.clone();
+                    let key_clone = key.clone();
+                    let data_clone = data.clone();
+                    tokio::spawn(async move {
+                        let _ = storage.put(&key_clone, &data_clone).await;
+                    });
+
+                    state.repo_index.invalidate("pypi");
+
+                    let content_type = if filename.ends_with(".whl") {
+                        "application/zip"
+                    } else if filename.ends_with(".tar.gz") || filename.ends_with(".tgz") {
+                        "application/gzip"
+                    } else {
+                        "application/octet-stream"
+                    };
+
+                    return (StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data)
+                        .into_response();
+                }
+            }
+        }
+    }
+
+    StatusCode::NOT_FOUND.into_response()
+}
+
+/// Normalize package name according to PEP 503
+fn normalize_name(name: &str) -> String {
+    name.to_lowercase().replace(['-', '_', '.'], "-")
+}
+
+/// Rewrite PyPI links to point to our registry
+fn rewrite_pypi_links(html: &str, package_name: &str) -> String {
+    // Simple regex-free approach: find href="..." and rewrite
+    let mut result = String::with_capacity(html.len());
+    let mut remaining = html;
+
+    while let Some(href_start) = remaining.find("href=\"") {
+        result.push_str(&remaining[..href_start + 6]);
+        remaining = &remaining[href_start + 6..];
+
+        if let Some(href_end) = remaining.find('"') {
+            let url = &remaining[..href_end];
+
+            // Extract filename from URL
+            if let Some(filename) = extract_filename(url) {
+                // Rewrite to our local URL
+                result.push_str(&format!("/simple/{}/{}", package_name, filename));
+            } else {
+                result.push_str(url);
+            }
+
+            remaining = &remaining[href_end..];
+        }
+    }
+    result.push_str(remaining);
+
+    // Remove data-core-metadata and data-dist-info-metadata attributes
+    // as we don't serve .metadata files (PEP 658)
+    let result = remove_attribute(&result, "data-core-metadata");
+    remove_attribute(&result, "data-dist-info-metadata")
+}
+
+/// Remove an HTML attribute from all tags
+fn remove_attribute(html: &str, attr_name: &str) -> String {
+    let mut result = String::with_capacity(html.len());
+    let mut remaining = html;
+    let pattern = format!(" {}=\"", attr_name);
+
+    while let Some(attr_start) = remaining.find(&pattern) {
+        result.push_str(&remaining[..attr_start]);
+        remaining = &remaining[attr_start + pattern.len()..];
+
+        // Skip the attribute value
+        if let Some(attr_end) = remaining.find('"') {
+            remaining = &remaining[attr_end + 1..];
+        }
+    }
+    result.push_str(remaining);
+    result
+}
+
+/// Extract filename from PyPI download URL
+fn extract_filename(url: &str) -> Option<&str> {
+    // PyPI URLs look like:
+    // https://files.pythonhosted.org/packages/.../package-1.0.0.tar.gz#sha256=...
+    // or just the filename directly
+
+    // Remove hash fragment
+    let url = url.split('#').next()?;
+
+    // Get the last path component
+    let filename = url.rsplit('/').next()?;
+
+    // Must be a valid package file
+    if filename.ends_with(".tar.gz")
+        || filename.ends_with(".tgz")
+        || filename.ends_with(".whl")
+        || filename.ends_with(".zip")
+        || filename.ends_with(".egg")
+    {
+        Some(filename)
+    } else {
+        None
+    }
+}
+
+/// Find the download URL for a specific file in the HTML
+fn find_file_url(html: &str, target_filename: &str) -> Option<String> {
+    let mut remaining = html;
+
+    while let Some(href_start) = remaining.find("href=\"") {
+        remaining = &remaining[href_start + 6..];
+
+        if let Some(href_end) = remaining.find('"') {
+            let url = &remaining[..href_end];
+
+            if let Some(filename) = extract_filename(url) {
+                if filename == target_filename {
+                    // Remove hash fragment for actual download
+                    return Some(url.split('#').next().unwrap_or(url).to_string());
+                }
+            }
+
+            remaining = &remaining[href_end..];
+        }
+    }
+
+    None
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+    use proptest::prelude::*;
+
+    proptest! {
+        #[test]
+        fn extract_filename_never_panics(s in "\\PC{0,500}") {
+            let _ = extract_filename(&s);
+        }
+
+        #[test]
+        fn extract_filename_valid_tarball(
+            name in "[a-z][a-z0-9_-]{0,20}",
+            version in "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
+        ) {
+            let url = format!("https://files.example.com/packages/{}-{}.tar.gz", name, version);
+            let result = extract_filename(&url);
+            prop_assert!(result.is_some());
+            prop_assert!(result.unwrap().ends_with(".tar.gz"));
+        }
+
+        #[test]
+        fn extract_filename_valid_wheel(
+            name in "[a-z][a-z0-9_]{0,20}",
+            version in "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
+        ) {
+            let url = format!("https://files.example.com/{}-{}-py3-none-any.whl", name, version);
+            let result = extract_filename(&url);
+            prop_assert!(result.is_some());
+            prop_assert!(result.unwrap().ends_with(".whl"));
+        }
+
+        #[test]
+        fn extract_filename_strips_hash(
+            name in "[a-z]{1,10}",
+            hash in "[a-f0-9]{64}"
+        ) {
+            let url = format!("https://example.com/{}.tar.gz#sha256={}", name, hash);
+            let result = extract_filename(&url);
+            prop_assert!(result.is_some());
+            let fname = result.unwrap();
+            prop_assert!(!fname.contains('#'));
+        }
+
+        #[test]
+        fn extract_filename_rejects_unknown_ext(
+            name in "[a-z]{1,10}",
+            ext in "(exe|dll|so|bin|dat)"
+        ) {
+            let url = format!("https://example.com/{}.{}", name, ext);
+            prop_assert!(extract_filename(&url).is_none());
+        }
+    }
+
+    #[test]
+    fn test_normalize_name_lowercase() {
+        assert_eq!(normalize_name("Flask"), "flask");
+        assert_eq!(normalize_name("REQUESTS"), "requests");
+    }
+
+    #[test]
+    fn test_normalize_name_separators() {
+        assert_eq!(normalize_name("my-package"), "my-package");
+        assert_eq!(normalize_name("my_package"), "my-package");
+        assert_eq!(normalize_name("my.package"), "my-package");
+    }
+
+    #[test]
+    fn test_normalize_name_mixed() {
+        assert_eq!(
+            normalize_name("My_Complex.Package-Name"),
+            "my-complex-package-name"
+        );
+    }
+
+    #[test]
+    fn test_normalize_name_empty() {
+        assert_eq!(normalize_name(""), "");
+    }
+
+    #[test]
+    fn test_normalize_name_already_normal() {
+        assert_eq!(normalize_name("simple"), "simple");
+    }
+
+    #[test]
+    fn test_extract_filename_tarball() {
+        assert_eq!(
+            extract_filename(
+                "https://files.pythonhosted.org/packages/aa/bb/flask-2.0.0.tar.gz#sha256=abc123"
+            ),
+            Some("flask-2.0.0.tar.gz")
+        );
+    }
+
+    #[test]
+    fn test_extract_filename_wheel() {
+        assert_eq!(
+            extract_filename(
+                "https://files.pythonhosted.org/packages/aa/bb/flask-2.0.0-py3-none-any.whl"
+            ),
+            Some("flask-2.0.0-py3-none-any.whl")
+        );
+    }
+
+    #[test]
+    fn test_extract_filename_tgz() {
+        assert_eq!(
+            extract_filename("https://example.com/package-1.0.tgz"),
+            Some("package-1.0.tgz")
+        );
+    }
+
+    #[test]
+    fn test_extract_filename_zip() {
+        assert_eq!(
+            extract_filename("https://example.com/package-1.0.zip"),
+            Some("package-1.0.zip")
+        );
+    }
+
+    #[test]
+    fn test_extract_filename_egg() {
+        assert_eq!(
+            extract_filename("https://example.com/package-1.0.egg"),
+            Some("package-1.0.egg")
+        );
+    }
+
+    #[test]
+    fn test_extract_filename_unknown_ext() {
+        assert_eq!(extract_filename("https://example.com/readme.txt"), None);
+    }
+
+    #[test]
+    fn test_extract_filename_no_path() {
+        assert_eq!(extract_filename(""), None);
+    }
+
+    #[test]
+    fn test_extract_filename_bare() {
+        assert_eq!(
+            extract_filename("package-1.0.tar.gz"),
+            Some("package-1.0.tar.gz")
+        );
+    }
+
+    #[test]
+    fn test_remove_attribute_present() {
+        let html = r#"<a href="url" data-core-metadata="true">link</a>"#;
+        let result = remove_attribute(html, "data-core-metadata");
+        assert_eq!(result, r#"<a href="url">link</a>"#);
+    }
+
+    #[test]
+    fn test_remove_attribute_absent() {
+        let html = r#"<a href="url">link</a>"#;
+        let result = remove_attribute(html, "data-core-metadata");
+        assert_eq!(result, html);
+    }
+
+    #[test]
+    fn test_remove_attribute_multiple() {
+        let html =
+            r#"<a data-core-metadata="true">one</a><a data-core-metadata="sha256=abc">two</a>"#;
+        let result = remove_attribute(html, "data-core-metadata");
+        assert_eq!(result, r#"<a>one</a><a>two</a>"#);
+    }
+
+    #[test]
+    fn test_rewrite_pypi_links_basic() {
+        let html = r#"<a href="https://files.pythonhosted.org/packages/aa/bb/flask-2.0.tar.gz#sha256=abc">flask-2.0.tar.gz</a>"#;
+        let result = rewrite_pypi_links(html, "flask");
+        assert!(result.contains("/simple/flask/flask-2.0.tar.gz"));
+    }
+
+    #[test]
+    fn test_rewrite_pypi_links_unknown_ext() {
+        let html = r#"<a href="https://example.com/readme.txt">readme</a>"#;
+        let result = rewrite_pypi_links(html, "test");
+        assert!(result.contains("https://example.com/readme.txt"));
+    }
+
+    #[test]
+    fn test_rewrite_pypi_links_removes_metadata_attrs() {
+        let html = r#"<a href="https://example.com/pkg-1.0.whl" data-core-metadata="sha256=abc" data-dist-info-metadata="sha256=def">pkg</a>"#;
+        let result = rewrite_pypi_links(html, "pkg");
+        assert!(!result.contains("data-core-metadata"));
+        assert!(!result.contains("data-dist-info-metadata"));
+    }
+
+    #[test]
+    fn test_rewrite_pypi_links_empty() {
+        assert_eq!(rewrite_pypi_links("", "pkg"), "");
+    }
+
+    #[test]
+    fn test_find_file_url_found() {
+        let html = r#"<a href="https://files.pythonhosted.org/packages/aa/bb/flask-2.0.tar.gz#sha256=abc">flask-2.0.tar.gz</a>"#;
+        let result = find_file_url(html, "flask-2.0.tar.gz");
+        assert_eq!(
+            result,
+            Some("https://files.pythonhosted.org/packages/aa/bb/flask-2.0.tar.gz".to_string())
+        );
+    }
+
+    #[test]
+    fn test_find_file_url_not_found() {
+        let html = r#"<a href="https://example.com/other-1.0.tar.gz">other</a>"#;
+        let result = find_file_url(html, "flask-2.0.tar.gz");
+        assert_eq!(result, None);
+    }
+
+    #[test]
+    fn test_find_file_url_strips_hash() {
+        let html = r#"<a href="https://example.com/pkg-1.0.whl#sha256=deadbeef">pkg</a>"#;
+        let result = find_file_url(html, "pkg-1.0.whl");
+        assert_eq!(result, Some("https://example.com/pkg-1.0.whl".to_string()));
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod integration_tests {
+    use crate::test_helpers::{body_bytes, create_test_context, send};
+    use axum::http::{Method, StatusCode};
+
+    #[tokio::test]
+    async fn test_pypi_list_empty() {
+        let ctx = create_test_context();
+        let response = send(&ctx.app, Method::GET, "/simple/", "").await;
+
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = body_bytes(response).await;
+        let html = String::from_utf8_lossy(&body);
+        assert!(html.contains("Simple Index"));
+    }
+
+    #[tokio::test]
+    async fn test_pypi_list_with_packages() {
+        let ctx = create_test_context();
+
+        // Pre-populate storage with a package
+        ctx.state
+            .storage
+            .put("pypi/flask/flask-2.0.tar.gz", b"fake-tarball-data")
+            .await
+            .unwrap();
+
+        let response = send(&ctx.app, Method::GET, "/simple/", "").await;
+
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = body_bytes(response).await;
+        let html = String::from_utf8_lossy(&body);
+        assert!(html.contains("flask"));
+    }
+
+    #[tokio::test]
+    async fn test_pypi_versions_local() {
+        let ctx = create_test_context();
+
+        // Pre-populate storage
+        ctx.state
+            .storage
+            .put("pypi/flask/flask-2.0.tar.gz", b"fake-data")
+            .await
+            .unwrap();
+
+        let response = send(&ctx.app, Method::GET, "/simple/flask/", "").await;
+
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = body_bytes(response).await;
+        let html = String::from_utf8_lossy(&body);
+        assert!(html.contains("flask-2.0.tar.gz"));
+        assert!(html.contains("/simple/flask/flask-2.0.tar.gz"));
+    }
+
+    #[tokio::test]
+    async fn test_pypi_download_local() {
+        let ctx = create_test_context();
+
+        let tarball_data = b"fake-tarball-content";
+        ctx.state
+            .storage
+            .put("pypi/flask/flask-2.0.tar.gz", tarball_data)
+            .await
+            .unwrap();
+
+        let response = send(&ctx.app, Method::GET, "/simple/flask/flask-2.0.tar.gz", "").await;
+
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = body_bytes(response).await;
+        assert_eq!(&body[..], tarball_data);
+    }
+
+    #[tokio::test]
+    async fn test_pypi_not_found_no_proxy() {
+        let ctx = create_test_context();
+
+        // No proxy configured, no local data
+        let response = send(&ctx.app, Method::GET, "/simple/nonexistent/", "").await;
+
+        assert_eq!(response.status(), StatusCode::NOT_FOUND);
+    }
+}

nora-registry/src/registry/raw.rs

@@ -0,0 +1,331 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use crate::activity_log::{ActionType, ActivityEntry};
+use crate::audit::AuditEntry;
+use crate::AppState;
+use axum::{
+    body::Bytes,
+    extract::{Path, State},
+    http::{header, StatusCode},
+    response::{IntoResponse, Response},
+    routing::get,
+    Router,
+};
+use std::sync::Arc;
+
+pub fn routes() -> Router<Arc<AppState>> {
+    Router::new().route(
+        "/raw/{*path}",
+        get(download)
+            .put(upload)
+            .delete(delete_file)
+            .head(check_exists),
+    )
+}
+
+async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
+    if !state.config.raw.enabled {
+        return StatusCode::NOT_FOUND.into_response();
+    }
+
+    let key = format!("raw/{}", path);
+    match state.storage.get(&key).await {
+        Ok(data) => {
+            state.metrics.record_download("raw");
+            state
+                .activity
+                .push(ActivityEntry::new(ActionType::Pull, path, "raw", "LOCAL"));
+            state
+                .audit
+                .log(AuditEntry::new("pull", "api", "", "raw", ""));
+
+            // Guess content type from extension
+            let content_type = guess_content_type(&key);
+            (StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data).into_response()
+        }
+        Err(_) => StatusCode::NOT_FOUND.into_response(),
+    }
+}
+
+async fn upload(
+    State(state): State<Arc<AppState>>,
+    Path(path): Path<String>,
+    body: Bytes,
+) -> Response {
+    if !state.config.raw.enabled {
+        return StatusCode::NOT_FOUND.into_response();
+    }
+
+    // Check file size limit
+    if body.len() as u64 > state.config.raw.max_file_size {
+        return (
+            StatusCode::PAYLOAD_TOO_LARGE,
+            format!(
+                "File too large. Max size: {} bytes",
+                state.config.raw.max_file_size
+            ),
+        )
+            .into_response();
+    }
+
+    let key = format!("raw/{}", path);
+    match state.storage.put(&key, &body).await {
+        Ok(()) => {
+            state.metrics.record_upload("raw");
+            state
+                .activity
+                .push(ActivityEntry::new(ActionType::Push, path, "raw", "LOCAL"));
+            state
+                .audit
+                .log(AuditEntry::new("push", "api", "", "raw", ""));
+            StatusCode::CREATED.into_response()
+        }
+        Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+}
+
+async fn delete_file(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
+    if !state.config.raw.enabled {
+        return StatusCode::NOT_FOUND.into_response();
+    }
+
+    let key = format!("raw/{}", path);
+    match state.storage.delete(&key).await {
+        Ok(()) => StatusCode::NO_CONTENT.into_response(),
+        Err(crate::storage::StorageError::NotFound) => StatusCode::NOT_FOUND.into_response(),
+        Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+    }
+}
+
+async fn check_exists(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
+    if !state.config.raw.enabled {
+        return StatusCode::NOT_FOUND.into_response();
+    }
+
+    let key = format!("raw/{}", path);
+    match state.storage.stat(&key).await {
+        Some(meta) => (
+            StatusCode::OK,
+            [
+                (header::CONTENT_LENGTH, meta.size.to_string()),
+                (header::CONTENT_TYPE, guess_content_type(&key).to_string()),
+            ],
+        )
+            .into_response(),
+        None => StatusCode::NOT_FOUND.into_response(),
+    }
+}
+
+fn guess_content_type(path: &str) -> &'static str {
+    let ext = path.rsplit('.').next().unwrap_or("");
+    match ext.to_lowercase().as_str() {
+        "json" => "application/json",
+        "xml" => "application/xml",
+        "html" | "htm" => "text/html",
+        "css" => "text/css",
+        "js" => "application/javascript",
+        "txt" => "text/plain",
+        "md" => "text/markdown",
+        "yaml" | "yml" => "application/x-yaml",
+        "toml" => "application/toml",
+        "tar" => "application/x-tar",
+        "gz" | "gzip" => "application/gzip",
+        "zip" => "application/zip",
+        "png" => "image/png",
+        "jpg" | "jpeg" => "image/jpeg",
+        "gif" => "image/gif",
+        "svg" => "image/svg+xml",
+        "pdf" => "application/pdf",
+        "wasm" => "application/wasm",
+        _ => "application/octet-stream",
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_guess_content_type_json() {
+        assert_eq!(guess_content_type("config.json"), "application/json");
+    }
+
+    #[test]
+    fn test_guess_content_type_xml() {
+        assert_eq!(guess_content_type("data.xml"), "application/xml");
+    }
+
+    #[test]
+    fn test_guess_content_type_html() {
+        assert_eq!(guess_content_type("index.html"), "text/html");
+        assert_eq!(guess_content_type("page.htm"), "text/html");
+    }
+
+    #[test]
+    fn test_guess_content_type_css() {
+        assert_eq!(guess_content_type("style.css"), "text/css");
+    }
+
+    #[test]
+    fn test_guess_content_type_js() {
+        assert_eq!(guess_content_type("app.js"), "application/javascript");
+    }
+
+    #[test]
+    fn test_guess_content_type_text() {
+        assert_eq!(guess_content_type("readme.txt"), "text/plain");
+    }
+
+    #[test]
+    fn test_guess_content_type_markdown() {
+        assert_eq!(guess_content_type("README.md"), "text/markdown");
+    }
+
+    #[test]
+    fn test_guess_content_type_yaml() {
+        assert_eq!(guess_content_type("config.yaml"), "application/x-yaml");
+        assert_eq!(guess_content_type("config.yml"), "application/x-yaml");
+    }
+
+    #[test]
+    fn test_guess_content_type_toml() {
+        assert_eq!(guess_content_type("Cargo.toml"), "application/toml");
+    }
+
+    #[test]
+    fn test_guess_content_type_archives() {
+        assert_eq!(guess_content_type("data.tar"), "application/x-tar");
+        assert_eq!(guess_content_type("data.gz"), "application/gzip");
+        assert_eq!(guess_content_type("data.gzip"), "application/gzip");
+        assert_eq!(guess_content_type("data.zip"), "application/zip");
+    }
+
+    #[test]
+    fn test_guess_content_type_images() {
+        assert_eq!(guess_content_type("logo.png"), "image/png");
+        assert_eq!(guess_content_type("photo.jpg"), "image/jpeg");
+        assert_eq!(guess_content_type("photo.jpeg"), "image/jpeg");
+        assert_eq!(guess_content_type("anim.gif"), "image/gif");
+        assert_eq!(guess_content_type("icon.svg"), "image/svg+xml");
+    }
+
+    #[test]
+    fn test_guess_content_type_special() {
+        assert_eq!(guess_content_type("doc.pdf"), "application/pdf");
+        assert_eq!(guess_content_type("module.wasm"), "application/wasm");
+    }
+
+    #[test]
+    fn test_guess_content_type_unknown() {
+        assert_eq!(guess_content_type("binary.bin"), "application/octet-stream");
+        assert_eq!(guess_content_type("noext"), "application/octet-stream");
+    }
+
+    #[test]
+    fn test_guess_content_type_case_insensitive() {
+        assert_eq!(guess_content_type("FILE.JSON"), "application/json");
+        assert_eq!(guess_content_type("IMAGE.PNG"), "image/png");
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod integration_tests {
+    use crate::storage::{Storage, StorageError};
+    use crate::test_helpers::{
+        body_bytes, create_test_context, create_test_context_with_raw_disabled, send,
+    };
+    use axum::http::{Method, StatusCode};
+
+    #[tokio::test]
+    async fn test_raw_put_get_roundtrip() {
+        let ctx = create_test_context();
+        let put_resp = send(&ctx.app, Method::PUT, "/raw/test.txt", b"hello".to_vec()).await;
+        assert_eq!(put_resp.status(), StatusCode::CREATED);
+
+        let get_resp = send(&ctx.app, Method::GET, "/raw/test.txt", "").await;
+        assert_eq!(get_resp.status(), StatusCode::OK);
+        let body = body_bytes(get_resp).await;
+        assert_eq!(&body[..], b"hello");
+    }
+
+    #[tokio::test]
+    async fn test_raw_head() {
+        let ctx = create_test_context();
+        send(
+            &ctx.app,
+            Method::PUT,
+            "/raw/test.txt",
+            b"hello world".to_vec(),
+        )
+        .await;
+
+        let head_resp = send(&ctx.app, Method::HEAD, "/raw/test.txt", "").await;
+        assert_eq!(head_resp.status(), StatusCode::OK);
+        let cl = head_resp.headers().get("content-length").unwrap();
+        assert_eq!(cl.to_str().unwrap(), "11");
+    }
+
+    #[tokio::test]
+    async fn test_raw_delete() {
+        let ctx = create_test_context();
+        send(&ctx.app, Method::PUT, "/raw/test.txt", b"data".to_vec()).await;
+
+        let del = send(&ctx.app, Method::DELETE, "/raw/test.txt", "").await;
+        assert_eq!(del.status(), StatusCode::NO_CONTENT);
+
+        let get = send(&ctx.app, Method::GET, "/raw/test.txt", "").await;
+        assert_eq!(get.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[tokio::test]
+    async fn test_raw_not_found() {
+        let ctx = create_test_context();
+        let resp = send(&ctx.app, Method::GET, "/raw/missing.txt", "").await;
+        assert_eq!(resp.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[tokio::test]
+    async fn test_raw_content_type_json() {
+        let ctx = create_test_context();
+        send(&ctx.app, Method::PUT, "/raw/file.json", b"{}".to_vec()).await;
+
+        let resp = send(&ctx.app, Method::GET, "/raw/file.json", "").await;
+        assert_eq!(resp.status(), StatusCode::OK);
+        let ct = resp.headers().get("content-type").unwrap();
+        assert_eq!(ct.to_str().unwrap(), "application/json");
+    }
+
+    #[tokio::test]
+    async fn test_raw_payload_too_large() {
+        let ctx = create_test_context();
+        let big = vec![0u8; 2 * 1024 * 1024]; // 2 MB > 1 MB limit
+        let resp = send(&ctx.app, Method::PUT, "/raw/large.bin", big).await;
+        assert_eq!(resp.status(), StatusCode::PAYLOAD_TOO_LARGE);
+    }
+
+    #[tokio::test]
+    async fn test_raw_disabled() {
+        let ctx = create_test_context_with_raw_disabled();
+        let get = send(&ctx.app, Method::GET, "/raw/test.txt", "").await;
+        assert_eq!(get.status(), StatusCode::NOT_FOUND);
+        let put = send(&ctx.app, Method::PUT, "/raw/test.txt", b"data".to_vec()).await;
+        assert_eq!(put.status(), StatusCode::NOT_FOUND);
+    }
+
+    #[tokio::test]
+    async fn test_upload_path_traversal_rejected() {
+        let temp_dir = tempfile::TempDir::new().unwrap();
+        let storage = Storage::new_local(temp_dir.path().to_str().unwrap());
+
+        let result = storage.put("raw/../../../etc/passwd", b"pwned").await;
+        assert!(result.is_err(), "path traversal key must be rejected");
+        match result {
+            Err(StorageError::Validation(v)) => {
+                assert_eq!(format!("{}", v), "Path traversal detected");
+            }
+            other => panic!("expected Validation(PathTraversal), got {:?}", other),
+        }
+    }
+}

nora-registry/src/repo_index.rs

@@ -0,0 +1,588 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! In-memory repository index with lazy rebuild on invalidation.
+//!
+//! Design:
+//! - Rebuild happens ONLY on write operations, not TTL
+//! - Double-checked locking prevents duplicate rebuilds
+//! - Arc<Vec> for zero-cost reads
+//! - Single rebuild at a time per registry (rebuild_lock)
+
+use crate::storage::Storage;
+use crate::ui::components::format_timestamp;
+use parking_lot::RwLock;
+use serde::Serialize;
+use std::collections::HashMap;
+use std::sync::atomic::{AtomicBool, Ordering};
+use std::sync::Arc;
+use tokio::sync::Mutex as AsyncMutex;
+use tracing::info;
+
+/// Repository info for UI display
+#[derive(Debug, Clone, Serialize)]
+pub struct RepoInfo {
+    pub name: String,
+    pub versions: usize,
+    pub size: u64,
+    pub updated: String,
+}
+
+/// Index for a single registry type
+pub struct RegistryIndex {
+    data: RwLock<Arc<Vec<RepoInfo>>>,
+    dirty: AtomicBool,
+    rebuild_lock: AsyncMutex<()>,
+}
+
+impl RegistryIndex {
+    pub fn new() -> Self {
+        Self {
+            data: RwLock::new(Arc::new(Vec::new())),
+            dirty: AtomicBool::new(true),
+            rebuild_lock: AsyncMutex::new(()),
+        }
+    }
+
+    /// Mark index as needing rebuild
+    pub fn invalidate(&self) {
+        self.dirty.store(true, Ordering::Release);
+    }
+
+    fn is_dirty(&self) -> bool {
+        self.dirty.load(Ordering::Acquire)
+    }
+
+    fn get_cached(&self) -> Arc<Vec<RepoInfo>> {
+        Arc::clone(&self.data.read())
+    }
+
+    fn set(&self, data: Vec<RepoInfo>) {
+        *self.data.write() = Arc::new(data);
+        self.dirty.store(false, Ordering::Release);
+    }
+
+    pub fn count(&self) -> usize {
+        self.data.read().len()
+    }
+}
+
+impl Default for RegistryIndex {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+/// Main repository index for all registries
+pub struct RepoIndex {
+    pub docker: RegistryIndex,
+    pub maven: RegistryIndex,
+    pub npm: RegistryIndex,
+    pub cargo: RegistryIndex,
+    pub pypi: RegistryIndex,
+    pub go: RegistryIndex,
+    pub raw: RegistryIndex,
+}
+
+impl RepoIndex {
+    pub fn new() -> Self {
+        Self {
+            docker: RegistryIndex::new(),
+            maven: RegistryIndex::new(),
+            npm: RegistryIndex::new(),
+            cargo: RegistryIndex::new(),
+            pypi: RegistryIndex::new(),
+            go: RegistryIndex::new(),
+            raw: RegistryIndex::new(),
+        }
+    }
+
+    /// Invalidate a specific registry index
+    pub fn invalidate(&self, registry: &str) {
+        match registry {
+            "docker" => self.docker.invalidate(),
+            "maven" => self.maven.invalidate(),
+            "npm" => self.npm.invalidate(),
+            "cargo" => self.cargo.invalidate(),
+            "pypi" => self.pypi.invalidate(),
+            "go" => self.go.invalidate(),
+            "raw" => self.raw.invalidate(),
+            _ => {}
+        }
+    }
+
+    /// Get index with double-checked locking (prevents race condition)
+    pub async fn get(&self, registry: &str, storage: &Storage) -> Arc<Vec<RepoInfo>> {
+        let index = match registry {
+            "docker" => &self.docker,
+            "maven" => &self.maven,
+            "npm" => &self.npm,
+            "cargo" => &self.cargo,
+            "pypi" => &self.pypi,
+            "go" => &self.go,
+            "raw" => &self.raw,
+            _ => return Arc::new(Vec::new()),
+        };
+
+        // Fast path: not dirty, return cached
+        if !index.is_dirty() {
+            return index.get_cached();
+        }
+
+        // Slow path: acquire rebuild lock (only one thread rebuilds)
+        let _guard = index.rebuild_lock.lock().await;
+
+        // Double-check under lock (another thread may have rebuilt)
+        if index.is_dirty() {
+            let data = match registry {
+                "docker" => build_docker_index(storage).await,
+                "maven" => build_maven_index(storage).await,
+                "npm" => build_npm_index(storage).await,
+                "cargo" => build_cargo_index(storage).await,
+                "pypi" => build_pypi_index(storage).await,
+                "go" => build_go_index(storage).await,
+                "raw" => build_raw_index(storage).await,
+                _ => Vec::new(),
+            };
+            info!(registry = registry, count = data.len(), "Index rebuilt");
+            index.set(data);
+        }
+
+        index.get_cached()
+    }
+
+    /// Get counts for stats (no rebuild, just current state)
+    pub fn counts(&self) -> (usize, usize, usize, usize, usize, usize, usize) {
+        (
+            self.docker.count(),
+            self.maven.count(),
+            self.npm.count(),
+            self.cargo.count(),
+            self.pypi.count(),
+            self.go.count(),
+            self.raw.count(),
+        )
+    }
+}
+
+impl Default for RepoIndex {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+// ============================================================================
+// Index builders
+// ============================================================================
+
+async fn build_docker_index(storage: &Storage) -> Vec<RepoInfo> {
+    let keys = storage.list("docker/").await;
+    let mut repos: HashMap<String, (usize, u64, u64)> = HashMap::new();
+
+    for key in &keys {
+        if key.ends_with(".meta.json") {
+            continue;
+        }
+
+        if let Some(rest) = key.strip_prefix("docker/") {
+            // Support both single-segment and namespaced images:
+            // docker/alpine/manifests/latest.json → name="alpine"
+            // docker/library/alpine/manifests/latest.json → name="library/alpine"
+            let parts: Vec<_> = rest.split('/').collect();
+            let manifest_pos = parts.iter().position(|&p| p == "manifests");
+            if let Some(pos) = manifest_pos {
+                if pos >= 1 && key.ends_with(".json") {
+                    let name = parts[..pos].join("/");
+                    let entry = repos.entry(name).or_insert((0, 0, 0));
+                    entry.0 += 1;
+
+                    if let Ok(data) = storage.get(key).await {
+                        if let Ok(m) = serde_json::from_slice::<serde_json::Value>(&data) {
+                            let cfg = m
+                                .get("config")
+                                .and_then(|c| c.get("size"))
+                                .and_then(|s| s.as_u64())
+                                .unwrap_or(0);
+                            let layers: u64 = m
+                                .get("layers")
+                                .and_then(|l| l.as_array())
+                                .map(|arr| {
+                                    arr.iter()
+                                        .filter_map(|l| l.get("size").and_then(|s| s.as_u64()))
+                                        .sum()
+                                })
+                                .unwrap_or(0);
+                            entry.1 += cfg + layers;
+                        }
+                    }
+
+                    if let Some(meta) = storage.stat(key).await {
+                        if meta.modified > entry.2 {
+                            entry.2 = meta.modified;
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    to_sorted_vec(repos)
+}
+
+async fn build_maven_index(storage: &Storage) -> Vec<RepoInfo> {
+    let keys = storage.list("maven/").await;
+    let mut repos: HashMap<String, (usize, u64, u64)> = HashMap::new();
+
+    for key in &keys {
+        if let Some(rest) = key.strip_prefix("maven/") {
+            let parts: Vec<_> = rest.split('/').collect();
+            if parts.len() >= 2 {
+                let path = parts[..parts.len() - 1].join("/");
+                let entry = repos.entry(path).or_insert((0, 0, 0));
+                entry.0 += 1;
+
+                if let Some(meta) = storage.stat(key).await {
+                    entry.1 += meta.size;
+                    if meta.modified > entry.2 {
+                        entry.2 = meta.modified;
+                    }
+                }
+            }
+        }
+    }
+
+    to_sorted_vec(repos)
+}
+
+async fn build_npm_index(storage: &Storage) -> Vec<RepoInfo> {
+    let keys = storage.list("npm/").await;
+    let mut packages: HashMap<String, (usize, u64, u64)> = HashMap::new();
+
+    // Count tarballs instead of parsing metadata.json (faster than parsing JSON)
+    for key in &keys {
+        if let Some(rest) = key.strip_prefix("npm/") {
+            // Pattern: npm/{package}/tarballs/{file}.tgz
+            // Scoped:  npm/@scope/package/tarballs/{file}.tgz
+            if rest.contains("/tarballs/") && key.ends_with(".tgz") {
+                let parts: Vec<_> = rest.split('/').collect();
+                if !parts.is_empty() {
+                    // Scoped packages: @scope/package → parts[0]="@scope", parts[1]="package"
+                    let name = if parts[0].starts_with('@') && parts.len() >= 4 {
+                        format!("{}/{}", parts[0], parts[1])
+                    } else {
+                        parts[0].to_string()
+                    };
+                    let entry = packages.entry(name).or_insert((0, 0, 0));
+                    entry.0 += 1;
+
+                    if let Some(meta) = storage.stat(key).await {
+                        entry.1 += meta.size;
+                        if meta.modified > entry.2 {
+                            entry.2 = meta.modified;
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    to_sorted_vec(packages)
+}
+
+async fn build_cargo_index(storage: &Storage) -> Vec<RepoInfo> {
+    let keys = storage.list("cargo/").await;
+    let mut crates: HashMap<String, (usize, u64, u64)> = HashMap::new();
+
+    for key in &keys {
+        if key.ends_with(".crate") {
+            if let Some(rest) = key.strip_prefix("cargo/") {
+                let parts: Vec<_> = rest.split('/').collect();
+                if !parts.is_empty() {
+                    let name = parts[0].to_string();
+                    let entry = crates.entry(name).or_insert((0, 0, 0));
+                    entry.0 += 1;
+
+                    if let Some(meta) = storage.stat(key).await {
+                        entry.1 += meta.size;
+                        if meta.modified > entry.2 {
+                            entry.2 = meta.modified;
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    to_sorted_vec(crates)
+}
+
+async fn build_pypi_index(storage: &Storage) -> Vec<RepoInfo> {
+    let keys = storage.list("pypi/").await;
+    let mut packages: HashMap<String, (usize, u64, u64)> = HashMap::new();
+
+    for key in &keys {
+        if let Some(rest) = key.strip_prefix("pypi/") {
+            let parts: Vec<_> = rest.split('/').collect();
+            if parts.len() >= 2 {
+                let name = parts[0].to_string();
+                let entry = packages.entry(name).or_insert((0, 0, 0));
+                entry.0 += 1;
+
+                if let Some(meta) = storage.stat(key).await {
+                    entry.1 += meta.size;
+                    if meta.modified > entry.2 {
+                        entry.2 = meta.modified;
+                    }
+                }
+            }
+        }
+    }
+
+    to_sorted_vec(packages)
+}
+
+async fn build_go_index(storage: &Storage) -> Vec<RepoInfo> {
+    let keys = storage.list("go/").await;
+    let mut modules: HashMap<String, (usize, u64, u64)> = HashMap::new();
+
+    for key in &keys {
+        if let Some(rest) = key.strip_prefix("go/") {
+            // Pattern: go/{module}/@v/{version}.zip
+            // Count .zip files as versions (authoritative artifacts)
+            if rest.contains("/@v/") && key.ends_with(".zip") {
+                // Extract module path: everything before /@v/
+                if let Some(pos) = rest.rfind("/@v/") {
+                    let module = &rest[..pos];
+                    let entry = modules.entry(module.to_string()).or_insert((0, 0, 0));
+                    entry.0 += 1;
+
+                    if let Some(meta) = storage.stat(key).await {
+                        entry.1 += meta.size;
+                        if meta.modified > entry.2 {
+                            entry.2 = meta.modified;
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    to_sorted_vec(modules)
+}
+
+async fn build_raw_index(storage: &Storage) -> Vec<RepoInfo> {
+    let keys = storage.list("raw/").await;
+    let mut files: HashMap<String, (usize, u64, u64)> = HashMap::new();
+
+    for key in &keys {
+        if let Some(rest) = key.strip_prefix("raw/") {
+            // Group by top-level directory
+            let group = rest.split('/').next().unwrap_or(rest).to_string();
+            let entry = files.entry(group).or_insert((0, 0, 0));
+            entry.0 += 1;
+            if let Some(meta) = storage.stat(key).await {
+                entry.1 += meta.size;
+                if meta.modified > entry.2 {
+                    entry.2 = meta.modified;
+                }
+            }
+        }
+    }
+
+    to_sorted_vec(files)
+}
+
+/// Convert HashMap to sorted Vec<RepoInfo>
+fn to_sorted_vec(map: HashMap<String, (usize, u64, u64)>) -> Vec<RepoInfo> {
+    let mut result: Vec<_> = map
+        .into_iter()
+        .map(|(name, (versions, size, modified))| RepoInfo {
+            name,
+            versions,
+            size,
+            updated: if modified > 0 {
+                format_timestamp(modified)
+            } else {
+                "N/A".to_string()
+            },
+        })
+        .collect();
+
+    result.sort_by(|a, b| a.name.cmp(&b.name));
+    result
+}
+
+/// Pagination helper
+pub fn paginate<T: Clone>(data: &[T], page: usize, limit: usize) -> (Vec<T>, usize) {
+    let total = data.len();
+    let start = page.saturating_sub(1) * limit;
+
+    if start >= total {
+        return (Vec::new(), total);
+    }
+
+    let end = (start + limit).min(total);
+    (data[start..end].to_vec(), total)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_paginate_first_page() {
+        let data = vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
+        let (page, total) = paginate(&data, 1, 3);
+        assert_eq!(page, vec![1, 2, 3]);
+        assert_eq!(total, 10);
+    }
+
+    #[test]
+    fn test_paginate_second_page() {
+        let data = vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
+        let (page, total) = paginate(&data, 2, 3);
+        assert_eq!(page, vec![4, 5, 6]);
+        assert_eq!(total, 10);
+    }
+
+    #[test]
+    fn test_paginate_last_page_partial() {
+        let data = vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
+        let (page, total) = paginate(&data, 4, 3);
+        assert_eq!(page, vec![10]);
+        assert_eq!(total, 10);
+    }
+
+    #[test]
+    fn test_paginate_beyond_range() {
+        let data = vec![1, 2, 3];
+        let (page, total) = paginate(&data, 5, 3);
+        assert!(page.is_empty());
+        assert_eq!(total, 3);
+    }
+
+    #[test]
+    fn test_paginate_empty_data() {
+        let data: Vec<i32> = vec![];
+        let (page, total) = paginate(&data, 1, 10);
+        assert!(page.is_empty());
+        assert_eq!(total, 0);
+    }
+
+    #[test]
+    fn test_paginate_page_zero() {
+        // page 0 with saturating_sub becomes 0, so start = 0
+        let data = vec![1, 2, 3];
+        let (page, _) = paginate(&data, 0, 2);
+        assert_eq!(page, vec![1, 2]);
+    }
+
+    #[test]
+    fn test_paginate_large_limit() {
+        let data = vec![1, 2, 3];
+        let (page, total) = paginate(&data, 1, 100);
+        assert_eq!(page, vec![1, 2, 3]);
+        assert_eq!(total, 3);
+    }
+
+    #[test]
+    fn test_registry_index_new() {
+        let idx = RegistryIndex::new();
+        assert_eq!(idx.count(), 0);
+        assert!(idx.is_dirty());
+    }
+
+    #[test]
+    fn test_registry_index_invalidate() {
+        let idx = RegistryIndex::new();
+        // Initially dirty
+        assert!(idx.is_dirty());
+
+        // Set data clears dirty
+        idx.set(vec![RepoInfo {
+            name: "test".to_string(),
+            versions: 1,
+            size: 100,
+            updated: "2026-01-01".to_string(),
+        }]);
+        assert!(!idx.is_dirty());
+        assert_eq!(idx.count(), 1);
+
+        // Invalidate makes it dirty again
+        idx.invalidate();
+        assert!(idx.is_dirty());
+    }
+
+    #[test]
+    fn test_registry_index_get_cached() {
+        let idx = RegistryIndex::new();
+        idx.set(vec![
+            RepoInfo {
+                name: "a".to_string(),
+                versions: 2,
+                size: 200,
+                updated: "today".to_string(),
+            },
+            RepoInfo {
+                name: "b".to_string(),
+                versions: 1,
+                size: 100,
+                updated: "yesterday".to_string(),
+            },
+        ]);
+
+        let cached = idx.get_cached();
+        assert_eq!(cached.len(), 2);
+        assert_eq!(cached[0].name, "a");
+    }
+
+    #[test]
+    fn test_registry_index_default() {
+        let idx = RegistryIndex::default();
+        assert_eq!(idx.count(), 0);
+    }
+
+    #[test]
+    fn test_repo_index_new() {
+        let idx = RepoIndex::new();
+        let (d, m, n, c, p, g, r) = idx.counts();
+        assert_eq!((d, m, n, c, p, g, r), (0, 0, 0, 0, 0, 0, 0));
+    }
+
+    #[test]
+    fn test_repo_index_invalidate() {
+        let idx = RepoIndex::new();
+        // Should not panic for any registry
+        idx.invalidate("docker");
+        idx.invalidate("maven");
+        idx.invalidate("npm");
+        idx.invalidate("cargo");
+        idx.invalidate("pypi");
+        idx.invalidate("raw");
+        idx.invalidate("unknown"); // should be a no-op
+    }
+
+    #[test]
+    fn test_repo_index_default() {
+        let idx = RepoIndex::default();
+        let (d, m, n, c, p, g, r) = idx.counts();
+        assert_eq!((d, m, n, c, p, g, r), (0, 0, 0, 0, 0, 0, 0));
+    }
+
+    #[test]
+    fn test_to_sorted_vec() {
+        let mut map = std::collections::HashMap::new();
+        map.insert("zebra".to_string(), (3usize, 100u64, 0u64));
+        map.insert("alpha".to_string(), (1, 50, 1700000000));
+
+        let result = to_sorted_vec(map);
+        assert_eq!(result.len(), 2);
+        assert_eq!(result[0].name, "alpha");
+        assert_eq!(result[0].versions, 1);
+        assert_eq!(result[0].size, 50);
+        assert_ne!(result[0].updated, "N/A");
+        assert_eq!(result[1].name, "zebra");
+        assert_eq!(result[1].versions, 3);
+        assert_eq!(result[1].updated, "N/A"); // modified = 0
+    }
+}

nora-registry/src/request_id.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Request ID middleware for request tracking and correlation
 //!
 //! Generates a unique ID for each request that can be used for:
@@ -89,4 +92,69 @@ mod tests {
         let cloned = id.clone();
         assert_eq!(id.0, cloned.0);
     }
+
+    #[test]
+    fn test_request_id_debug() {
+        let id = RequestId("abc-def".to_string());
+        let debug = format!("{:?}", id);
+        assert!(debug.contains("abc-def"));
+    }
+
+    #[test]
+    fn test_request_id_header_name() {
+        assert_eq!(REQUEST_ID_HEADER.as_str(), "x-request-id");
+    }
+
+    #[test]
+    fn test_request_id_deref_string_methods() {
+        let id = RequestId("req-12345".to_string());
+        assert!(id.starts_with("req-"));
+        assert_eq!(id.len(), 9);
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod integration_tests {
+    use crate::test_helpers::{create_test_context, send, send_with_headers};
+    use axum::http::{Method, StatusCode};
+
+    #[tokio::test]
+    async fn test_response_has_request_id() {
+        let ctx = create_test_context();
+        let response = send(&ctx.app, Method::GET, "/health", "").await;
+
+        assert_eq!(response.status(), StatusCode::OK);
+        let request_id = response.headers().get("x-request-id");
+        assert!(
+            request_id.is_some(),
+            "Response must have X-Request-ID header"
+        );
+        let value = request_id.unwrap().to_str().unwrap();
+        assert!(!value.is_empty(), "X-Request-ID must not be empty");
+    }
+
+    #[tokio::test]
+    async fn test_preserves_incoming_request_id() {
+        let ctx = create_test_context();
+        let custom_id = "custom-123";
+
+        let response = send_with_headers(
+            &ctx.app,
+            Method::GET,
+            "/health",
+            vec![("x-request-id", custom_id)],
+            "",
+        )
+        .await;
+
+        assert_eq!(response.status(), StatusCode::OK);
+        let returned_id = response
+            .headers()
+            .get("x-request-id")
+            .unwrap()
+            .to_str()
+            .unwrap();
+        assert_eq!(returned_id, custom_id);
+    }
 }

nora-registry/src/secrets/env.rs

@@ -0,0 +1,131 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! Environment variables secrets provider
+//!
+//! Reads secrets from environment variables. This is the default provider
+//! following 12-Factor App principles.
+
+use std::env;
+
+use super::{SecretsError, SecretsProvider};
+use crate::secrets::protected::ProtectedString;
+use async_trait::async_trait;
+
+/// Environment variables secrets provider
+///
+/// Reads secrets from environment variables.
+/// Optionally clears variables after reading for extra security.
+#[derive(Debug, Clone)]
+pub struct EnvProvider {
+    /// Clear environment variables after reading
+    clear_after_read: bool,
+}
+
+impl EnvProvider {
+    /// Create a new environment provider
+    pub fn new() -> Self {
+        Self {
+            clear_after_read: false,
+        }
+    }
+
+    /// Create a provider that clears env vars after reading
+    ///
+    /// This prevents secrets from being visible in `/proc/<pid>/environ`
+    pub fn with_clear_after_read(mut self) -> Self {
+        self.clear_after_read = true;
+        self
+    }
+}
+
+impl Default for EnvProvider {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+#[async_trait]
+impl SecretsProvider for EnvProvider {
+    async fn get_secret(&self, key: &str) -> Result<ProtectedString, SecretsError> {
+        let value = env::var(key).map_err(|_| SecretsError::NotFound(key.to_string()))?;
+
+        if self.clear_after_read {
+            env::remove_var(key);
+        }
+
+        Ok(ProtectedString::new(value))
+    }
+
+    async fn get_secret_optional(&self, key: &str) -> Option<ProtectedString> {
+        env::var(key).ok().map(|v| {
+            if self.clear_after_read {
+                env::remove_var(key);
+            }
+            ProtectedString::new(v)
+        })
+    }
+
+    fn provider_name(&self) -> &'static str {
+        "env"
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    #[tokio::test]
+    async fn test_get_secret_exists() {
+        env::set_var("TEST_SECRET_123", "secret-value");
+        let provider = EnvProvider::new();
+        let secret = provider.get_secret("TEST_SECRET_123").await.unwrap();
+        assert_eq!(secret.expose(), "secret-value");
+        env::remove_var("TEST_SECRET_123");
+    }
+
+    #[tokio::test]
+    async fn test_get_secret_not_found() {
+        let provider = EnvProvider::new();
+        let result = provider.get_secret("NONEXISTENT_VAR_XYZ").await;
+        assert!(matches!(result, Err(SecretsError::NotFound(_))));
+    }
+
+    #[tokio::test]
+    async fn test_get_secret_optional_exists() {
+        env::set_var("TEST_OPTIONAL_123", "optional-value");
+        let provider = EnvProvider::new();
+        let secret = provider.get_secret_optional("TEST_OPTIONAL_123").await;
+        assert!(secret.is_some());
+        assert_eq!(secret.unwrap().expose(), "optional-value");
+        env::remove_var("TEST_OPTIONAL_123");
+    }
+
+    #[tokio::test]
+    async fn test_get_secret_optional_not_found() {
+        let provider = EnvProvider::new();
+        let secret = provider
+            .get_secret_optional("NONEXISTENT_OPTIONAL_XYZ")
+            .await;
+        assert!(secret.is_none());
+    }
+
+    #[tokio::test]
+    async fn test_clear_after_read() {
+        env::set_var("TEST_CLEAR_123", "to-be-cleared");
+        let provider = EnvProvider::new().with_clear_after_read();
+
+        let secret = provider.get_secret("TEST_CLEAR_123").await.unwrap();
+        assert_eq!(secret.expose(), "to-be-cleared");
+
+        // Variable should be cleared
+        assert!(env::var("TEST_CLEAR_123").is_err());
+    }
+
+    #[test]
+    fn test_provider_name() {
+        let provider = EnvProvider::new();
+        assert_eq!(provider.provider_name(), "env");
+    }
+}

nora-registry/src/secrets/mod.rs

@@ -0,0 +1,171 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! Secrets management for NORA
+//!
+//! Provides a trait-based architecture for secrets providers:
+//! - `env` - Environment variables (default, 12-Factor App)
+//! - `aws-secrets` - AWS Secrets Manager (v0.4.0+)
+//! - `vault` - HashiCorp Vault (v0.5.0+)
+//! - `k8s` - Kubernetes Secrets (v0.4.0+)
+//!
+//! # Example
+//!
+//! ```rust,ignore
+//! use nora::secrets::{create_secrets_provider, SecretsConfig};
+//!
+//! let config = SecretsConfig::default(); // Uses ENV provider
+//! let provider = create_secrets_provider(&config)?;
+//!
+//! let api_key = provider.get_secret("API_KEY").await?;
+//! println!("Got secret (redacted): {:?}", api_key);
+//! ```
+
+mod env;
+pub mod protected;
+
+pub use env::EnvProvider;
+#[allow(unused_imports)]
+pub use protected::{ProtectedString, S3Credentials};
+
+use async_trait::async_trait;
+use serde::{Deserialize, Serialize};
+use thiserror::Error;
+
+#[allow(dead_code)] // Variants used by provider impls; external error handling planned for v0.4
+/// Secrets provider error
+#[derive(Debug, Error)]
+pub enum SecretsError {
+    #[error("Secret not found: {0}")]
+    NotFound(String),
+
+    #[error("Provider error: {0}")]
+    Provider(String),
+
+    #[error("Configuration error: {0}")]
+    Config(String),
+
+    #[error("Unsupported provider: {0}")]
+    UnsupportedProvider(String),
+}
+
+/// Secrets provider trait
+///
+/// Implement this trait to add new secrets backends.
+#[async_trait]
+pub trait SecretsProvider: Send + Sync {
+    /// Get a secret by key (required)
+    #[allow(dead_code)]
+    async fn get_secret(&self, key: &str) -> Result<ProtectedString, SecretsError>;
+
+    /// Get a secret by key (optional, returns None if not found)
+    #[allow(dead_code)]
+    async fn get_secret_optional(&self, key: &str) -> Option<ProtectedString> {
+        self.get_secret(key).await.ok()
+    }
+
+    /// Get provider name for logging
+    fn provider_name(&self) -> &'static str;
+}
+
+/// Secrets configuration
+///
+/// # Example config.toml
+///
+/// ```toml
+/// [secrets]
+/// provider = "env"
+/// clear_env = false
+/// ```
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct SecretsConfig {
+    /// Provider type: "env", "aws-secrets", "vault", "k8s"
+    #[serde(default = "default_provider")]
+    pub provider: String,
+
+    /// Clear environment variables after reading (for env provider)
+    #[serde(default)]
+    pub clear_env: bool,
+}
+
+fn default_provider() -> String {
+    "env".to_string()
+}
+
+impl Default for SecretsConfig {
+    fn default() -> Self {
+        Self {
+            provider: default_provider(),
+            clear_env: false,
+        }
+    }
+}
+
+/// Create a secrets provider based on configuration
+///
+/// Currently supports:
+/// - `env` - Environment variables (default)
+///
+/// Future versions will add:
+/// - `aws-secrets` - AWS Secrets Manager
+/// - `vault` - HashiCorp Vault
+/// - `k8s` - Kubernetes Secrets
+pub fn create_secrets_provider(
+    config: &SecretsConfig,
+) -> Result<Box<dyn SecretsProvider>, SecretsError> {
+    match config.provider.as_str() {
+        "env" => {
+            let mut provider = EnvProvider::new();
+            if config.clear_env {
+                provider = provider.with_clear_after_read();
+            }
+            Ok(Box::new(provider))
+        }
+        // Future providers:
+        // "aws-secrets" => { ... }
+        // "vault" => { ... }
+        // "k8s" => { ... }
+        other => Err(SecretsError::UnsupportedProvider(other.to_string())),
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_default_config() {
+        let config = SecretsConfig::default();
+        assert_eq!(config.provider, "env");
+        assert!(!config.clear_env);
+    }
+
+    #[test]
+    fn test_create_env_provider() {
+        let config = SecretsConfig::default();
+        let provider = create_secrets_provider(&config).unwrap();
+        assert_eq!(provider.provider_name(), "env");
+    }
+
+    #[test]
+    fn test_create_unsupported_provider() {
+        let config = SecretsConfig {
+            provider: "unknown".to_string(),
+            clear_env: false,
+        };
+        let result = create_secrets_provider(&config);
+        assert!(matches!(result, Err(SecretsError::UnsupportedProvider(_))));
+    }
+
+    #[test]
+    fn test_config_from_toml() {
+        let toml = r#"
+            provider = "env"
+            clear_env = true
+        "#;
+        let config: SecretsConfig = toml::from_str(toml).unwrap();
+        assert_eq!(config.provider, "env");
+        assert!(config.clear_env);
+    }
+}

nora-registry/src/secrets/protected.rs

@@ -0,0 +1,159 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! Protected secret types with memory safety
+//!
+//! Secrets are automatically zeroed on drop and redacted in Debug output.
+
+use std::fmt;
+use zeroize::{Zeroize, Zeroizing};
+
+/// A protected secret string that is zeroed on drop
+///
+/// - Implements Zeroize: memory is overwritten with zeros when dropped
+/// - Debug shows `***REDACTED***` instead of actual value
+/// - Clone creates a new protected copy
+#[allow(dead_code)] // Used internally by SecretsProvider impls; external callers planned for v0.4
+#[derive(Clone, Zeroize)]
+#[zeroize(drop)]
+pub struct ProtectedString {
+    inner: String,
+}
+
+#[allow(dead_code)]
+impl ProtectedString {
+    /// Create a new protected string
+    pub fn new(value: String) -> Self {
+        Self { inner: value }
+    }
+
+    /// Get the secret value (use sparingly!)
+    pub fn expose(&self) -> &str {
+        &self.inner
+    }
+
+    /// Consume and return the inner value
+    pub fn into_inner(self) -> Zeroizing<String> {
+        Zeroizing::new(self.inner.clone())
+    }
+
+    /// Check if the secret is empty
+    pub fn is_empty(&self) -> bool {
+        self.inner.is_empty()
+    }
+}
+
+impl fmt::Debug for ProtectedString {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("ProtectedString")
+            .field("value", &"***REDACTED***")
+            .finish()
+    }
+}
+
+impl fmt::Display for ProtectedString {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "***REDACTED***")
+    }
+}
+
+impl From<String> for ProtectedString {
+    fn from(value: String) -> Self {
+        Self::new(value)
+    }
+}
+
+impl From<&str> for ProtectedString {
+    fn from(value: &str) -> Self {
+        Self::new(value.to_string())
+    }
+}
+
+/// S3 credentials with protected secrets
+#[allow(dead_code)] // S3 storage backend planned for v0.4
+#[derive(Clone, Zeroize)]
+#[zeroize(drop)]
+pub struct S3Credentials {
+    pub access_key_id: String,
+    #[zeroize(skip)] // access_key_id is not sensitive
+    pub secret_access_key: ProtectedString,
+    pub region: Option<String>,
+}
+
+#[allow(dead_code)]
+impl S3Credentials {
+    pub fn new(access_key_id: String, secret_access_key: String) -> Self {
+        Self {
+            access_key_id,
+            secret_access_key: ProtectedString::new(secret_access_key),
+            region: None,
+        }
+    }
+
+    pub fn with_region(mut self, region: String) -> Self {
+        self.region = Some(region);
+        self
+    }
+}
+
+impl fmt::Debug for S3Credentials {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("S3Credentials")
+            .field("access_key_id", &self.access_key_id)
+            .field("secret_access_key", &"***REDACTED***")
+            .field("region", &self.region)
+            .finish()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_protected_string_redacted_debug() {
+        let secret = ProtectedString::new("super-secret-value".to_string());
+        let debug_output = format!("{:?}", secret);
+        assert!(debug_output.contains("REDACTED"));
+        assert!(!debug_output.contains("super-secret-value"));
+    }
+
+    #[test]
+    fn test_protected_string_redacted_display() {
+        let secret = ProtectedString::new("super-secret-value".to_string());
+        let display_output = format!("{}", secret);
+        assert_eq!(display_output, "***REDACTED***");
+    }
+
+    #[test]
+    fn test_protected_string_expose() {
+        let secret = ProtectedString::new("my-secret".to_string());
+        assert_eq!(secret.expose(), "my-secret");
+    }
+
+    #[test]
+    fn test_s3_credentials_redacted_debug() {
+        let creds = S3Credentials::new(
+            "AKIAIOSFODNN7EXAMPLE".to_string(),
+            "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".to_string(),
+        );
+        let debug_output = format!("{:?}", creds);
+        assert!(debug_output.contains("AKIAIOSFODNN7EXAMPLE"));
+        assert!(!debug_output.contains("wJalrXUtnFEMI"));
+        assert!(debug_output.contains("REDACTED"));
+    }
+
+    #[test]
+    fn test_protected_string_from_str() {
+        let secret: ProtectedString = "test".into();
+        assert_eq!(secret.expose(), "test");
+    }
+
+    #[test]
+    fn test_protected_string_is_empty() {
+        let empty = ProtectedString::new(String::new());
+        let non_empty = ProtectedString::new("secret".to_string());
+        assert!(empty.is_empty());
+        assert!(!non_empty.is_empty());
+    }
+}

nora-registry/src/storage/local.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use async_trait::async_trait;
 use axum::body::Bytes;
 use std::path::PathBuf;
@@ -65,10 +68,6 @@ impl StorageBackend for LocalStorage {
     async fn get(&self, key: &str) -> Result<Bytes> {
         let path = self.key_to_path(key);
 
-        if !path.exists() {
-            return Err(StorageError::NotFound);
-        }
-
         let mut file = fs::File::open(&path).await.map_err(|e| {
             if e.kind() == std::io::ErrorKind::NotFound {
                 StorageError::NotFound
@@ -85,6 +84,20 @@ impl StorageBackend for LocalStorage {
         Ok(Bytes::from(buffer))
     }
 
+    async fn delete(&self, key: &str) -> Result<()> {
+        let path = self.key_to_path(key);
+
+        fs::remove_file(&path).await.map_err(|e| {
+            if e.kind() == std::io::ErrorKind::NotFound {
+                StorageError::NotFound
+            } else {
+                StorageError::Io(e.to_string())
+            }
+        })?;
+
+        Ok(())
+    }
+
     async fn list(&self, prefix: &str) -> Vec<String> {
         let base = self.base_path.clone();
         let prefix = prefix.to_string();
@@ -125,12 +138,36 @@ impl StorageBackend for LocalStorage {
         fs::create_dir_all(&self.base_path).await.is_ok()
     }
 
+    async fn total_size(&self) -> u64 {
+        let base = self.base_path.clone();
+        tokio::task::spawn_blocking(move || {
+            fn dir_size(path: &std::path::Path) -> u64 {
+                let mut total = 0u64;
+                if let Ok(entries) = std::fs::read_dir(path) {
+                    for entry in entries.flatten() {
+                        let path = entry.path();
+                        if path.is_file() {
+                            total += entry.metadata().map(|m| m.len()).unwrap_or(0);
+                        } else if path.is_dir() {
+                            total += dir_size(&path);
+                        }
+                    }
+                }
+                total
+            }
+            dir_size(&base)
+        })
+        .await
+        .unwrap_or(0)
+    }
+
     fn backend_name(&self) -> &'static str {
         "local"
     }
 }
 
 #[cfg(test)]
+#[allow(clippy::unwrap_used)]
 mod tests {
     use super::*;
     use tempfile::TempDir;
@@ -237,4 +274,147 @@ mod tests {
         let storage = LocalStorage::new(temp_dir.path().to_str().unwrap());
         assert_eq!(storage.backend_name(), "local");
     }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn test_concurrent_writes_same_key() {
+        let temp_dir = TempDir::new().unwrap();
+        let storage = std::sync::Arc::new(LocalStorage::new(temp_dir.path().to_str().unwrap()));
+
+        let mut handles = Vec::new();
+        for i in 0..10u8 {
+            let s = storage.clone();
+            handles.push(tokio::spawn(async move {
+                let data = vec![i; 1024];
+                s.put("shared/key", &data).await
+            }));
+        }
+
+        for h in handles {
+            h.await.expect("task panicked").expect("put failed");
+        }
+
+        let data = storage.get("shared/key").await.expect("get failed");
+        assert_eq!(data.len(), 1024);
+        let first = data[0];
+        assert!(
+            data.iter().all(|&b| b == first),
+            "file is corrupted — mixed writers"
+        );
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn test_concurrent_writes_different_keys() {
+        let temp_dir = TempDir::new().unwrap();
+        let storage = std::sync::Arc::new(LocalStorage::new(temp_dir.path().to_str().unwrap()));
+
+        let mut handles = Vec::new();
+        for i in 0..10u32 {
+            let s = storage.clone();
+            handles.push(tokio::spawn(async move {
+                let key = format!("key/{}", i);
+                s.put(&key, format!("data-{}", i).as_bytes()).await
+            }));
+        }
+
+        for h in handles {
+            h.await.expect("task panicked").expect("put failed");
+        }
+
+        for i in 0..10u32 {
+            let key = format!("key/{}", i);
+            let data = storage.get(&key).await.expect("get failed");
+            assert_eq!(&*data, format!("data-{}", i).as_bytes());
+        }
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn test_concurrent_read_during_write() {
+        let temp_dir = TempDir::new().unwrap();
+        let storage = std::sync::Arc::new(LocalStorage::new(temp_dir.path().to_str().unwrap()));
+
+        let old_data = vec![0u8; 4096];
+        storage.put("rw/key", &old_data).await.expect("seed put");
+
+        let new_data = vec![1u8; 4096];
+        let sw = storage.clone();
+        let writer = tokio::spawn(async move {
+            sw.put("rw/key", &new_data).await.expect("put failed");
+        });
+
+        let sr = storage.clone();
+        let reader = tokio::spawn(async move {
+            match sr.get("rw/key").await {
+                Ok(_data) => {
+                    // tokio::fs::write is not atomic, so partial reads
+                    // (mix of old and new bytes) are expected — not a bug.
+                    // We only verify the final state after both tasks complete.
+                }
+                Err(crate::storage::StorageError::NotFound) => {}
+                Err(e) => panic!("unexpected error: {}", e),
+            }
+        });
+
+        writer.await.expect("writer panicked");
+        reader.await.expect("reader panicked");
+
+        let data = storage.get("rw/key").await.expect("final get");
+        assert_eq!(&*data, &vec![1u8; 4096]);
+    }
+
+    #[tokio::test]
+    async fn test_total_size_empty() {
+        let temp_dir = TempDir::new().unwrap();
+        let storage = LocalStorage::new(temp_dir.path().to_str().unwrap());
+        assert_eq!(storage.total_size().await, 0);
+    }
+
+    #[tokio::test]
+    async fn test_total_size_with_files() {
+        let temp_dir = TempDir::new().unwrap();
+        let storage = LocalStorage::new(temp_dir.path().to_str().unwrap());
+
+        storage.put("a/file1", b"hello").await.unwrap(); // 5 bytes
+        storage.put("b/file2", b"world!").await.unwrap(); // 6 bytes
+
+        let size = storage.total_size().await;
+        assert_eq!(size, 11);
+    }
+
+    #[tokio::test]
+    async fn test_total_size_after_delete() {
+        let temp_dir = TempDir::new().unwrap();
+        let storage = LocalStorage::new(temp_dir.path().to_str().unwrap());
+
+        storage.put("file1", b"12345").await.unwrap();
+        storage.put("file2", b"67890").await.unwrap();
+        assert_eq!(storage.total_size().await, 10);
+
+        storage.delete("file1").await.unwrap();
+        assert_eq!(storage.total_size().await, 5);
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn test_concurrent_deletes_same_key() {
+        let temp_dir = TempDir::new().unwrap();
+        let storage = std::sync::Arc::new(LocalStorage::new(temp_dir.path().to_str().unwrap()));
+
+        storage.put("del/key", b"ephemeral").await.expect("put");
+
+        let mut handles = Vec::new();
+        for _ in 0..10 {
+            let s = storage.clone();
+            handles.push(tokio::spawn(async move {
+                let _ = s.delete("del/key").await;
+            }));
+        }
+
+        for h in handles {
+            h.await.expect("task panicked");
+        }
+
+        assert!(matches!(
+            storage.get("del/key").await,
+            Err(crate::storage::StorageError::NotFound)
+        ));
+    }
 }

nora-registry/src/storage/mod.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 mod local;
 mod s3;
 
@@ -39,9 +42,12 @@ pub type Result<T> = std::result::Result<T, StorageError>;
 pub trait StorageBackend: Send + Sync {
     async fn put(&self, key: &str, data: &[u8]) -> Result<()>;
     async fn get(&self, key: &str) -> Result<Bytes>;
+    async fn delete(&self, key: &str) -> Result<()>;
     async fn list(&self, prefix: &str) -> Vec<String>;
     async fn stat(&self, key: &str) -> Option<FileMeta>;
     async fn health_check(&self) -> bool;
+    /// Total size of all stored artifacts in bytes
+    async fn total_size(&self) -> u64;
     fn backend_name(&self) -> &'static str;
 }
 
@@ -58,9 +64,17 @@ impl Storage {
         }
     }
 
-    pub fn new_s3(s3_url: &str, bucket: &str) -> Self {
+    pub fn new_s3(
+        s3_url: &str,
+        bucket: &str,
+        region: &str,
+        access_key: Option<&str>,
+        secret_key: Option<&str>,
+    ) -> Self {
         Self {
-            inner: Arc::new(S3Storage::new(s3_url, bucket)),
+            inner: Arc::new(S3Storage::new(
+                s3_url, bucket, region, access_key, secret_key,
+            )),
         }
     }
 
@@ -74,12 +88,15 @@ impl Storage {
         self.inner.get(key).await
     }
 
+    pub async fn delete(&self, key: &str) -> Result<()> {
+        validate_storage_key(key)?;
+        self.inner.delete(key).await
+    }
+
     pub async fn list(&self, prefix: &str) -> Vec<String> {
         // Empty prefix is valid for listing all
-        if !prefix.is_empty() {
-            if let Err(_) = validate_storage_key(prefix) {
-                return Vec::new();
-            }
+        if !prefix.is_empty() && validate_storage_key(prefix).is_err() {
+            return Vec::new();
         }
         self.inner.list(prefix).await
     }
@@ -95,6 +112,10 @@ impl Storage {
         self.inner.health_check().await
     }
 
+    pub async fn total_size(&self) -> u64 {
+        self.inner.total_size().await
+    }
+
     pub fn backend_name(&self) -> &'static str {
         self.inner.backend_name()
     }

nora-registry/src/storage/s3.rs

@@ -1,24 +1,147 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use async_trait::async_trait;
 use axum::body::Bytes;
+use chrono::Utc;
+use hmac::{digest::KeyInit, Hmac, Mac};
+use sha2::{Digest, Sha256};
 
 use super::{FileMeta, Result, StorageBackend, StorageError};
 
+type HmacSha256 = Hmac<Sha256>;
+
 /// S3-compatible storage backend (MinIO, AWS S3)
 pub struct S3Storage {
     s3_url: String,
     bucket: String,
+    region: String,
+    access_key: Option<String>,
+    secret_key: Option<String>,
     client: reqwest::Client,
 }
 
 impl S3Storage {
-    pub fn new(s3_url: &str, bucket: &str) -> Self {
+    /// Create new S3 storage with optional credentials
+    pub fn new(
+        s3_url: &str,
+        bucket: &str,
+        region: &str,
+        access_key: Option<&str>,
+        secret_key: Option<&str>,
+    ) -> Self {
         Self {
-            s3_url: s3_url.to_string(),
+            s3_url: s3_url.trim_end_matches('/').to_string(),
             bucket: bucket.to_string(),
+            region: region.to_string(),
+            access_key: access_key.map(String::from),
+            secret_key: secret_key.map(String::from),
             client: reqwest::Client::new(),
         }
     }
 
+    /// Sign a request using AWS Signature v4
+    fn sign_request(
+        &self,
+        method: &str,
+        path: &str,
+        payload_hash: &str,
+        timestamp: &str,
+        date: &str,
+    ) -> Option<String> {
+        let (access_key, secret_key) = match (&self.access_key, &self.secret_key) {
+            (Some(ak), Some(sk)) => (ak.as_str(), sk.as_str()),
+            _ => return None,
+        };
+
+        // Parse host from URL
+        let host = self
+            .s3_url
+            .trim_start_matches("http://")
+            .trim_start_matches("https://");
+
+        // Canonical request
+        // URI must be URL-encoded (except /)
+        let encoded_path = uri_encode(path);
+        let canonical_uri = format!("/{}/{}", self.bucket, encoded_path);
+        let canonical_query = "";
+        let canonical_headers = format!(
+            "host:{}\nx-amz-content-sha256:{}\nx-amz-date:{}\n",
+            host, payload_hash, timestamp
+        );
+        let signed_headers = "host;x-amz-content-sha256;x-amz-date";
+
+        // AWS Signature v4 canonical request format:
+        // HTTPMethod\nCanonicalURI\nCanonicalQueryString\nCanonicalHeaders\n\nSignedHeaders\nHashedPayload
+        // Note: CanonicalHeaders already ends with \n, plus blank line before SignedHeaders
+        let canonical_request = format!(
+            "{}\n{}\n{}\n{}\n{}\n{}",
+            method, canonical_uri, canonical_query, canonical_headers, signed_headers, payload_hash
+        );
+
+        let canonical_request_hash =
+            hex::encode(sha2::Sha256::digest(canonical_request.as_bytes()));
+
+        // String to sign
+        let credential_scope = format!("{}/{}/s3/aws4_request", date, self.region);
+        let string_to_sign = format!(
+            "AWS4-HMAC-SHA256\n{}\n{}\n{}",
+            timestamp, credential_scope, canonical_request_hash
+        );
+
+        // Calculate signature
+        let k_date = hmac_sha256(format!("AWS4{}", secret_key).as_bytes(), date.as_bytes());
+        let k_region = hmac_sha256(&k_date, self.region.as_bytes());
+        let k_service = hmac_sha256(&k_region, b"s3");
+        let k_signing = hmac_sha256(&k_service, b"aws4_request");
+        let signature = hex::encode(hmac_sha256(&k_signing, string_to_sign.as_bytes()));
+
+        // Authorization header
+        Some(format!(
+            "AWS4-HMAC-SHA256 Credential={}/{}, SignedHeaders={}, Signature={}",
+            access_key, credential_scope, signed_headers, signature
+        ))
+    }
+
+    /// Make a signed request
+    async fn signed_request(
+        &self,
+        method: reqwest::Method,
+        key: &str,
+        body: Option<&[u8]>,
+    ) -> std::result::Result<reqwest::Response, StorageError> {
+        let url = format!("{}/{}/{}", self.s3_url, self.bucket, key);
+        let now = Utc::now();
+        let timestamp = now.format("%Y%m%dT%H%M%SZ").to_string();
+        let date = now.format("%Y%m%d").to_string();
+
+        let payload_hash = match body {
+            Some(data) => hex::encode(Sha256::digest(data)),
+            None => hex::encode(Sha256::digest(b"")),
+        };
+
+        let mut request = self
+            .client
+            .request(method.clone(), &url)
+            .header("x-amz-date", &timestamp)
+            .header("x-amz-content-sha256", &payload_hash);
+
+        if let Some(auth) =
+            self.sign_request(method.as_str(), key, &payload_hash, &timestamp, &date)
+        {
+            request = request.header("Authorization", auth);
+        }
+
+        if let Some(data) = body {
+            request = request.body(data.to_vec());
+        }
+
+        request
+            .send()
+            .await
+            .map_err(|e| StorageError::Network(e.to_string()))
+    }
+
     fn parse_s3_keys(xml: &str, prefix: &str) -> Vec<String> {
         xml.split("<Key>")
             .filter_map(|part| part.split("</Key>").next())
@@ -28,17 +151,34 @@ impl S3Storage {
     }
 }
 
+/// URL-encode a string for S3 canonical URI (encode all except A-Za-z0-9-_.~/)
+fn uri_encode(s: &str) -> String {
+    let mut result = String::with_capacity(s.len() * 3);
+    for c in s.chars() {
+        match c {
+            'A'..='Z' | 'a'..='z' | '0'..='9' | '-' | '_' | '.' | '~' | '/' => result.push(c),
+            _ => {
+                for b in c.to_string().as_bytes() {
+                    result.push_str(&format!("%{:02X}", b));
+                }
+            }
+        }
+    }
+    result
+}
+
+fn hmac_sha256(key: &[u8], data: &[u8]) -> Vec<u8> {
+    let mut mac = HmacSha256::new_from_slice(key).expect("HMAC can take key of any size");
+    mac.update(data);
+    mac.finalize().into_bytes().to_vec()
+}
+
 #[async_trait]
 impl StorageBackend for S3Storage {
     async fn put(&self, key: &str, data: &[u8]) -> Result<()> {
-        let url = format!("{}/{}/{}", self.s3_url, self.bucket, key);
         let response = self
-            .client
-            .put(&url)
-            .body(data.to_vec())
-            .send()
-            .await
-            .map_err(|e| StorageError::Network(e.to_string()))?;
+            .signed_request(reqwest::Method::PUT, key, Some(data))
+            .await?;
 
         if response.status().is_success() {
             Ok(())
@@ -51,13 +191,7 @@ impl StorageBackend for S3Storage {
     }
 
     async fn get(&self, key: &str) -> Result<Bytes> {
-        let url = format!("{}/{}/{}", self.s3_url, self.bucket, key);
-        let response = self
-            .client
-            .get(&url)
-            .send()
-            .await
-            .map_err(|e| StorageError::Network(e.to_string()))?;
+        let response = self.signed_request(reqwest::Method::GET, key, None).await?;
 
         if response.status().is_success() {
             response
@@ -74,9 +208,78 @@ impl StorageBackend for S3Storage {
         }
     }
 
+    async fn delete(&self, key: &str) -> Result<()> {
+        let response = self
+            .signed_request(reqwest::Method::DELETE, key, None)
+            .await?;
+
+        if response.status().is_success() || response.status().as_u16() == 204 {
+            Ok(())
+        } else if response.status().as_u16() == 404 {
+            Err(StorageError::NotFound)
+        } else {
+            Err(StorageError::Network(format!(
+                "DELETE failed: {}",
+                response.status()
+            )))
+        }
+    }
+
     async fn list(&self, prefix: &str) -> Vec<String> {
+        // For listing, we need to make a request to the bucket
         let url = format!("{}/{}", self.s3_url, self.bucket);
-        match self.client.get(&url).send().await {
+        let now = Utc::now();
+        let timestamp = now.format("%Y%m%dT%H%M%SZ").to_string();
+        let date = now.format("%Y%m%d").to_string();
+        let payload_hash = hex::encode(Sha256::digest(b""));
+
+        let host = self
+            .s3_url
+            .trim_start_matches("http://")
+            .trim_start_matches("https://");
+
+        let mut request = self
+            .client
+            .get(&url)
+            .header("x-amz-date", &timestamp)
+            .header("x-amz-content-sha256", &payload_hash);
+
+        // Sign for bucket listing (different path)
+        if let (Some(access_key), Some(secret_key)) = (&self.access_key, &self.secret_key) {
+            let canonical_uri = format!("/{}", self.bucket);
+            let canonical_headers = format!(
+                "host:{}\nx-amz-content-sha256:{}\nx-amz-date:{}\n",
+                host, payload_hash, timestamp
+            );
+            let signed_headers = "host;x-amz-content-sha256;x-amz-date";
+
+            let canonical_request = format!(
+                "GET\n{}\n\n{}\n{}\n{}",
+                canonical_uri, canonical_headers, signed_headers, payload_hash
+            );
+
+            let canonical_request_hash =
+                hex::encode(sha2::Sha256::digest(canonical_request.as_bytes()));
+            let credential_scope = format!("{}/{}/s3/aws4_request", date, self.region);
+            let string_to_sign = format!(
+                "AWS4-HMAC-SHA256\n{}\n{}\n{}",
+                timestamp, credential_scope, canonical_request_hash
+            );
+
+            let k_date = hmac_sha256(format!("AWS4{}", secret_key).as_bytes(), date.as_bytes());
+            let k_region = hmac_sha256(&k_date, self.region.as_bytes());
+            let k_service = hmac_sha256(&k_region, b"s3");
+            let k_signing = hmac_sha256(&k_service, b"aws4_request");
+            let signature = hex::encode(hmac_sha256(&k_signing, string_to_sign.as_bytes()));
+
+            let auth = format!(
+                "AWS4-HMAC-SHA256 Credential={}/{}, SignedHeaders={}, Signature={}",
+                access_key, credential_scope, signed_headers, signature
+            );
+            request = request.header("Authorization", auth);
+        }
+
+        match request.send().await {
             Ok(response) if response.status().is_success() => {
                 if let Ok(xml) = response.text().await {
                     Self::parse_s3_keys(&xml, prefix)
@@ -89,18 +292,22 @@ impl StorageBackend for S3Storage {
     }
 
     async fn stat(&self, key: &str) -> Option<FileMeta> {
-        let url = format!("{}/{}/{}", self.s3_url, self.bucket, key);
-        let response = self.client.head(&url).send().await.ok()?;
+        let response = self
+            .signed_request(reqwest::Method::HEAD, key, None)
+            .await
+            .ok()?;
+
         if !response.status().is_success() {
             return None;
         }
+
         let size = response
             .headers()
             .get("content-length")
             .and_then(|v| v.to_str().ok())
             .and_then(|v| v.parse().ok())
             .unwrap_or(0);
-        // S3 uses Last-Modified header, but for simplicity use current time if unavailable
+
         let modified = response
             .headers()
             .get("last-modified")
@@ -112,17 +319,80 @@ impl StorageBackend for S3Storage {
                     .as_secs()
             })
             .unwrap_or(0);
+
         Some(FileMeta { size, modified })
     }
 
     async fn health_check(&self) -> bool {
+        // Try HEAD on the bucket
         let url = format!("{}/{}", self.s3_url, self.bucket);
-        match self.client.head(&url).send().await {
+        let now = Utc::now();
+        let timestamp = now.format("%Y%m%dT%H%M%SZ").to_string();
+        let date = now.format("%Y%m%d").to_string();
+        let payload_hash = hex::encode(Sha256::digest(b""));
+
+        let host = self
+            .s3_url
+            .trim_start_matches("http://")
+            .trim_start_matches("https://");
+
+        let mut request = self
+            .client
+            .head(&url)
+            .header("x-amz-date", &timestamp)
+            .header("x-amz-content-sha256", &payload_hash);
+
+        if let (Some(access_key), Some(secret_key)) = (&self.access_key, &self.secret_key) {
+            let canonical_uri = format!("/{}", self.bucket);
+            let canonical_headers = format!(
+                "host:{}\nx-amz-content-sha256:{}\nx-amz-date:{}\n",
+                host, payload_hash, timestamp
+            );
+            let signed_headers = "host;x-amz-content-sha256;x-amz-date";
+
+            let canonical_request = format!(
+                "HEAD\n{}\n\n{}\n{}\n{}",
+                canonical_uri, canonical_headers, signed_headers, payload_hash
+            );
+
+            let canonical_request_hash =
+                hex::encode(sha2::Sha256::digest(canonical_request.as_bytes()));
+            let credential_scope = format!("{}/{}/s3/aws4_request", date, self.region);
+            let string_to_sign = format!(
+                "AWS4-HMAC-SHA256\n{}\n{}\n{}",
+                timestamp, credential_scope, canonical_request_hash
+            );
+
+            let k_date = hmac_sha256(format!("AWS4{}", secret_key).as_bytes(), date.as_bytes());
+            let k_region = hmac_sha256(&k_date, self.region.as_bytes());
+            let k_service = hmac_sha256(&k_region, b"s3");
+            let k_signing = hmac_sha256(&k_service, b"aws4_request");
+            let signature = hex::encode(hmac_sha256(&k_signing, string_to_sign.as_bytes()));
+
+            let auth = format!(
+                "AWS4-HMAC-SHA256 Credential={}/{}, SignedHeaders={}, Signature={}",
+                access_key, credential_scope, signed_headers, signature
+            );
+            request = request.header("Authorization", auth);
+        }
+
+        match request.send().await {
             Ok(response) => response.status().is_success() || response.status().as_u16() == 404,
             Err(_) => false,
         }
     }
 
+    async fn total_size(&self) -> u64 {
+        let keys = self.list("").await;
+        let mut total = 0u64;
+        for key in &keys {
+            if let Some(meta) = self.stat(key).await {
+                total += meta.size;
+            }
+        }
+        total
+    }
+
     fn backend_name(&self) -> &'static str {
         "s3"
     }
@@ -131,173 +401,28 @@ impl StorageBackend for S3Storage {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use wiremock::matchers::{method, path};
-    use wiremock::{Mock, MockServer, ResponseTemplate};
-
-    #[tokio::test]
-    async fn test_put_success() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        Mock::given(method("PUT"))
-            .and(path("/test-bucket/test-key"))
-            .respond_with(ResponseTemplate::new(200))
-            .mount(&mock_server)
-            .await;
-
-        let result = storage.put("test-key", b"data").await;
-        assert!(result.is_ok());
-    }
-
-    #[tokio::test]
-    async fn test_put_failure() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        Mock::given(method("PUT"))
-            .and(path("/test-bucket/test-key"))
-            .respond_with(ResponseTemplate::new(500))
-            .mount(&mock_server)
-            .await;
-
-        let result = storage.put("test-key", b"data").await;
-        assert!(matches!(result, Err(StorageError::Network(_))));
-    }
-
-    #[tokio::test]
-    async fn test_get_success() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        Mock::given(method("GET"))
-            .and(path("/test-bucket/test-key"))
-            .respond_with(ResponseTemplate::new(200).set_body_bytes(b"test data".to_vec()))
-            .mount(&mock_server)
-            .await;
-
-        let data = storage.get("test-key").await.unwrap();
-        assert_eq!(&*data, b"test data");
-    }
-
-    #[tokio::test]
-    async fn test_get_not_found() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        Mock::given(method("GET"))
-            .and(path("/test-bucket/missing"))
-            .respond_with(ResponseTemplate::new(404))
-            .mount(&mock_server)
-            .await;
-
-        let result = storage.get("missing").await;
-        assert!(matches!(result, Err(StorageError::NotFound)));
-    }
-
-    #[tokio::test]
-    async fn test_list() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        let xml_response = r#"<?xml version="1.0"?>
-            <ListBucketResult>
-                <Key>docker/image1</Key>
-                <Key>docker/image2</Key>
-                <Key>maven/artifact</Key>
-            </ListBucketResult>"#;
-
-        Mock::given(method("GET"))
-            .and(path("/test-bucket"))
-            .respond_with(ResponseTemplate::new(200).set_body_string(xml_response))
-            .mount(&mock_server)
-            .await;
-
-        let keys = storage.list("docker/").await;
-        assert_eq!(keys.len(), 2);
-        assert!(keys.iter().all(|k| k.starts_with("docker/")));
-    }
-
-    #[tokio::test]
-    async fn test_stat_success() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        Mock::given(method("HEAD"))
-            .and(path("/test-bucket/test-key"))
-            .respond_with(
-                ResponseTemplate::new(200)
-                    .insert_header("content-length", "1234")
-                    .insert_header("last-modified", "Sun, 06 Nov 1994 08:49:37 GMT"),
-            )
-            .mount(&mock_server)
-            .await;
-
-        let meta = storage.stat("test-key").await.unwrap();
-        assert_eq!(meta.size, 1234);
-        assert!(meta.modified > 0);
-    }
-
-    #[tokio::test]
-    async fn test_stat_not_found() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        Mock::given(method("HEAD"))
-            .and(path("/test-bucket/missing"))
-            .respond_with(ResponseTemplate::new(404))
-            .mount(&mock_server)
-            .await;
-
-        let meta = storage.stat("missing").await;
-        assert!(meta.is_none());
-    }
-
-    #[tokio::test]
-    async fn test_health_check_healthy() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        Mock::given(method("HEAD"))
-            .and(path("/test-bucket"))
-            .respond_with(ResponseTemplate::new(200))
-            .mount(&mock_server)
-            .await;
-
-        assert!(storage.health_check().await);
-    }
-
-    #[tokio::test]
-    async fn test_health_check_bucket_not_found_is_ok() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        Mock::given(method("HEAD"))
-            .and(path("/test-bucket"))
-            .respond_with(ResponseTemplate::new(404))
-            .mount(&mock_server)
-            .await;
-
-        // 404 is OK for health check (bucket may be empty)
-        assert!(storage.health_check().await);
-    }
-
-    #[tokio::test]
-    async fn test_health_check_server_error() {
-        let mock_server = MockServer::start().await;
-        let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
-
-        Mock::given(method("HEAD"))
-            .and(path("/test-bucket"))
-            .respond_with(ResponseTemplate::new(500))
-            .mount(&mock_server)
-            .await;
-
-        assert!(!storage.health_check().await);
-    }
 
     #[test]
     fn test_backend_name() {
-        let storage = S3Storage::new("http://localhost:9000", "bucket");
+        let storage = S3Storage::new(
+            "http://localhost:9000",
+            "test-bucket",
+            "us-east-1",
+            Some("access"),
+            Some("secret"),
+        );
+        assert_eq!(storage.backend_name(), "s3");
+    }
+
+    #[test]
+    fn test_s3_storage_creation_anonymous() {
+        let storage = S3Storage::new(
+            "http://localhost:9000",
+            "test-bucket",
+            "us-east-1",
+            None,
+            None,
+        );
         assert_eq!(storage.backend_name(), "s3");
     }
 
@@ -307,4 +432,54 @@ mod tests {
         let keys = S3Storage::parse_s3_keys(xml, "docker/");
         assert_eq!(keys, vec!["docker/a", "docker/b"]);
     }
+
+    #[test]
+    fn test_hmac_sha256() {
+        let result = hmac_sha256(b"key", b"data");
+        assert!(!result.is_empty());
+    }
+
+    #[test]
+    fn test_uri_encode_safe_chars() {
+        assert_eq!(uri_encode("hello"), "hello");
+        assert_eq!(uri_encode("foo/bar"), "foo/bar");
+        assert_eq!(uri_encode("test-file_v1.0"), "test-file_v1.0");
+        assert_eq!(uri_encode("a~b"), "a~b");
+    }
+
+    #[test]
+    fn test_uri_encode_special_chars() {
+        assert_eq!(uri_encode("hello world"), "hello%20world");
+        assert_eq!(uri_encode("file name.txt"), "file%20name.txt");
+    }
+
+    #[test]
+    fn test_uri_encode_query_chars() {
+        assert_eq!(uri_encode("key=value"), "key%3Dvalue");
+        assert_eq!(uri_encode("a&b"), "a%26b");
+        assert_eq!(uri_encode("a+b"), "a%2Bb");
+    }
+
+    #[test]
+    fn test_uri_encode_empty() {
+        assert_eq!(uri_encode(""), "");
+    }
+
+    #[test]
+    fn test_uri_encode_all_safe_ranges() {
+        // A-Z
+        assert_eq!(uri_encode("ABCXYZ"), "ABCXYZ");
+        // a-z
+        assert_eq!(uri_encode("abcxyz"), "abcxyz");
+        // 0-9
+        assert_eq!(uri_encode("0123456789"), "0123456789");
+        // Special safe: - _ . ~ /
+        assert_eq!(uri_encode("-_.~/"), "-_.~/");
+    }
+
+    #[test]
+    fn test_uri_encode_percent() {
+        assert_eq!(uri_encode("%"), "%25");
+        assert_eq!(uri_encode("100%done"), "100%25done");
+    }
 }

nora-registry/src/test_helpers.rs

@@ -0,0 +1,255 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+//! Shared test infrastructure for integration tests.
+//!
+//! Provides `TestContext` that builds a full axum Router backed by a
+//! tempdir-based local storage with all upstream proxies disabled.
+
+#![allow(clippy::unwrap_used)] // tests may use .unwrap() freely
+
+use axum::{body::Body, extract::DefaultBodyLimit, http::Request, middleware, Router};
+use http_body_util::BodyExt;
+use std::collections::HashMap;
+use std::sync::Arc;
+use std::time::Instant;
+use tempfile::TempDir;
+
+use crate::activity_log::ActivityLog;
+use crate::audit::AuditLog;
+use crate::auth::HtpasswdAuth;
+use crate::config::*;
+use crate::dashboard_metrics::DashboardMetrics;
+use crate::registry;
+use crate::repo_index::RepoIndex;
+use crate::storage::Storage;
+use crate::tokens::TokenStore;
+use crate::AppState;
+
+use parking_lot::RwLock;
+
+/// Everything a test needs: tempdir (must stay alive), shared state, and the router.
+pub struct TestContext {
+    pub state: Arc<AppState>,
+    pub app: Router,
+    pub _tempdir: TempDir,
+}
+
+/// Build a test context with auth **disabled** and all proxies off.
+pub fn create_test_context() -> TestContext {
+    build_context(false, &[], false, |_| {})
+}
+
+/// Build a test context with auth **enabled** (bcrypt cost=4 for speed).
+pub fn create_test_context_with_auth(users: &[(&str, &str)]) -> TestContext {
+    build_context(true, users, false, |_| {})
+}
+
+/// Build a test context with auth + anonymous_read.
+pub fn create_test_context_with_anonymous_read(users: &[(&str, &str)]) -> TestContext {
+    build_context(true, users, true, |_| {})
+}
+
+/// Build a test context with raw storage **disabled**.
+pub fn create_test_context_with_raw_disabled() -> TestContext {
+    build_context(false, &[], false, |cfg| cfg.raw.enabled = false)
+}
+
+fn build_context(
+    auth_enabled: bool,
+    users: &[(&str, &str)],
+    anonymous_read: bool,
+    customize: impl FnOnce(&mut Config),
+) -> TestContext {
+    let tempdir = TempDir::new().expect("failed to create tempdir");
+    let storage_path = tempdir.path().to_str().unwrap().to_string();
+
+    let mut config = Config {
+        server: ServerConfig {
+            host: "127.0.0.1".into(),
+            port: 0,
+            public_url: None,
+            body_limit_mb: 2048,
+        },
+        storage: StorageConfig {
+            mode: StorageMode::Local,
+            path: storage_path.clone(),
+            s3_url: String::new(),
+            bucket: String::new(),
+            s3_access_key: None,
+            s3_secret_key: None,
+            s3_region: String::new(),
+        },
+        maven: MavenConfig {
+            proxies: vec![],
+            proxy_timeout: 5,
+        },
+        npm: NpmConfig {
+            proxy: None,
+            proxy_auth: None,
+            proxy_timeout: 5,
+            metadata_ttl: 0,
+        },
+        pypi: PypiConfig {
+            proxy: None,
+            proxy_auth: None,
+            proxy_timeout: 5,
+        },
+        go: GoConfig {
+            proxy: None,
+            proxy_auth: None,
+            proxy_timeout: 5,
+            proxy_timeout_zip: 30,
+            max_zip_size: 10_485_760,
+        },
+        docker: DockerConfig {
+            proxy_timeout: 5,
+            upstreams: vec![],
+        },
+        raw: RawConfig {
+            enabled: true,
+            max_file_size: 1_048_576, // 1 MB
+        },
+        auth: AuthConfig {
+            enabled: auth_enabled,
+            anonymous_read,
+            htpasswd_file: String::new(),
+            token_storage: tempdir.path().join("tokens").to_str().unwrap().to_string(),
+        },
+        rate_limit: RateLimitConfig {
+            enabled: false,
+            ..RateLimitConfig::default()
+        },
+        secrets: SecretsConfig::default(),
+    };
+
+    // Apply any custom config tweaks
+    customize(&mut config);
+
+    let storage = Storage::new_local(&storage_path);
+
+    let auth = if auth_enabled && !users.is_empty() {
+        let htpasswd_path = tempdir.path().join("users.htpasswd");
+        let mut content = String::new();
+        for (username, password) in users {
+            let hash = bcrypt::hash(password, 4).expect("bcrypt hash");
+            content.push_str(&format!("{}:{}\n", username, hash));
+        }
+        std::fs::write(&htpasswd_path, &content).expect("write htpasswd");
+        config.auth.htpasswd_file = htpasswd_path.to_str().unwrap().to_string();
+        HtpasswdAuth::from_file(&htpasswd_path)
+    } else {
+        None
+    };
+
+    let tokens = if auth_enabled {
+        Some(TokenStore::new(tempdir.path().join("tokens").as_path()))
+    } else {
+        None
+    };
+
+    let docker_auth = registry::DockerAuth::new(config.docker.proxy_timeout);
+
+    let state = Arc::new(AppState {
+        storage,
+        config,
+        start_time: Instant::now(),
+        auth,
+        tokens,
+        metrics: DashboardMetrics::new(),
+        activity: ActivityLog::new(50),
+        audit: AuditLog::new(&storage_path),
+        docker_auth,
+        repo_index: RepoIndex::new(),
+        http_client: reqwest::Client::new(),
+        upload_sessions: Arc::new(RwLock::new(HashMap::new())),
+    });
+
+    // Build router identical to run_server() but without TcpListener / rate-limiting
+    let registry_routes = Router::new()
+        .merge(registry::docker_routes())
+        .merge(registry::maven_routes())
+        .merge(registry::npm_routes())
+        .merge(registry::cargo_routes())
+        .merge(registry::pypi_routes())
+        .merge(registry::raw_routes())
+        .merge(registry::go_routes());
+
+    let public_routes = Router::new().merge(crate::health::routes());
+
+    let app_routes = Router::new()
+        .merge(crate::auth::token_routes())
+        .merge(registry_routes);
+
+    let app = Router::new()
+        .merge(public_routes)
+        .merge(app_routes)
+        .layer(DefaultBodyLimit::max(
+            state.config.server.body_limit_mb * 1024 * 1024,
+        ))
+        .layer(middleware::from_fn(
+            crate::request_id::request_id_middleware,
+        ))
+        .layer(middleware::from_fn_with_state(
+            state.clone(),
+            crate::auth::auth_middleware,
+        ))
+        .with_state(state.clone());
+
+    TestContext {
+        state,
+        app,
+        _tempdir: tempdir,
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Convenience helpers
+// ---------------------------------------------------------------------------
+
+/// Send a request through the router and return the response.
+pub async fn send(
+    app: &Router,
+    method: axum::http::Method,
+    uri: &str,
+    body: impl Into<Body>,
+) -> axum::http::Response<Body> {
+    use tower::ServiceExt;
+
+    let request = Request::builder()
+        .method(method)
+        .uri(uri)
+        .body(body.into())
+        .unwrap();
+
+    app.clone().oneshot(request).await.unwrap()
+}
+
+/// Send a request with custom headers.
+pub async fn send_with_headers(
+    app: &Router,
+    method: axum::http::Method,
+    uri: &str,
+    headers: Vec<(&str, &str)>,
+    body: impl Into<Body>,
+) -> axum::http::Response<Body> {
+    use tower::ServiceExt;
+
+    let mut builder = Request::builder().method(method).uri(uri);
+    for (k, v) in headers {
+        builder = builder.header(k, v);
+    }
+    let request = builder.body(body.into()).unwrap();
+
+    app.clone().oneshot(request).await.unwrap()
+}
+
+/// Read the full response body into bytes.
+pub async fn body_bytes(response: axum::http::Response<Body>) -> axum::body::Bytes {
+    response
+        .into_body()
+        .collect()
+        .await
+        .expect("failed to read body")
+        .to_bytes()
+}

nora-registry/src/tokens.rs

@@ -1,13 +1,67 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use argon2::{
+    password_hash::{rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
+    Argon2,
+};
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256};
 use std::fs;
+use std::os::unix::fs::PermissionsExt;
 use std::path::{Path, PathBuf};
 use std::time::{SystemTime, UNIX_EPOCH};
 use thiserror::Error;
 use uuid::Uuid;
 
+use parking_lot::RwLock;
+use std::collections::HashMap;
+use std::sync::Arc;
+use std::time::{Duration, Instant};
+
+/// TTL for cached token verifications (avoids Argon2 per request)
+const CACHE_TTL: Duration = Duration::from_secs(300);
+
+/// Cached verification result
+#[derive(Clone)]
+struct CachedToken {
+    user: String,
+    role: Role,
+    expires_at: u64,
+    cached_at: Instant,
+}
+
 const TOKEN_PREFIX: &str = "nra_";
 
+/// Access role for API tokens
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+#[serde(rename_all = "lowercase")]
+pub enum Role {
+    Read,
+    Write,
+    Admin,
+}
+
+impl std::fmt::Display for Role {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Role::Read => write!(f, "read"),
+            Role::Write => write!(f, "write"),
+            Role::Admin => write!(f, "admin"),
+        }
+    }
+}
+
+impl Role {
+    pub fn can_write(&self) -> bool {
+        matches!(self, Role::Write | Role::Admin)
+    }
+
+    pub fn can_admin(&self) -> bool {
+        matches!(self, Role::Admin)
+    }
+}
+
 /// API Token metadata stored on disk
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TokenInfo {
@@ -17,21 +71,37 @@ pub struct TokenInfo {
     pub expires_at: u64,
     pub last_used: Option<u64>,
     pub description: Option<String>,
+    #[serde(default = "default_role")]
+    pub role: Role,
+}
+
+fn default_role() -> Role {
+    Role::Read
 }
 
 /// Token store for managing API tokens
 #[derive(Clone)]
 pub struct TokenStore {
     storage_path: PathBuf,
+    /// In-memory cache: SHA256(token) -> verified result (avoids Argon2 per request)
+    cache: Arc<RwLock<HashMap<String, CachedToken>>>,
+    /// Pending last_used updates: file_id_prefix -> timestamp (flushed periodically)
+    pending_last_used: Arc<RwLock<HashMap<String, u64>>>,
 }
 
 impl TokenStore {
     /// Create a new token store
     pub fn new(storage_path: &Path) -> Self {
-        // Ensure directory exists
+        // Ensure directory exists with restricted permissions
         let _ = fs::create_dir_all(storage_path);
+        #[cfg(unix)]
+        {
+            let _ = fs::set_permissions(storage_path, fs::Permissions::from_mode(0o700));
+        }
         Self {
             storage_path: storage_path.to_path_buf(),
+            cache: Arc::new(RwLock::new(HashMap::new())),
+            pending_last_used: Arc::new(RwLock::new(HashMap::new())),
         }
     }
 
@@ -41,6 +111,7 @@ impl TokenStore {
         user: &str,
         ttl_days: u64,
         description: Option<String>,
+        role: Role,
     ) -> Result<String, TokenError> {
         // Generate random token
         let raw_token = format!(
@@ -48,7 +119,9 @@ impl TokenStore {
             TOKEN_PREFIX,
             Uuid::new_v4().to_string().replace("-", "")
         );
-        let token_hash = hash_token(&raw_token);
+        let token_hash = hash_token_argon2(&raw_token)?;
+        // Use SHA256 of token as filename (deterministic, for lookup)
+        let file_id = sha256_hex(&raw_token);
 
         let now = SystemTime::now()
             .duration_since(UNIX_EPOCH)
@@ -58,47 +131,93 @@ impl TokenStore {
         let expires_at = now + (ttl_days * 24 * 60 * 60);
 
         let info = TokenInfo {
-            token_hash: token_hash.clone(),
+            token_hash,
             user: user.to_string(),
             created_at: now,
             expires_at,
             last_used: None,
             description,
+            role,
         };
 
-        // Save to file
-        let file_path = self
-            .storage_path
-            .join(format!("{}.json", &token_hash[..16]));
+        // Save to file with restricted permissions
+        let file_path = self.storage_path.join(format!("{}.json", &file_id[..16]));
         let json =
             serde_json::to_string_pretty(&info).map_err(|e| TokenError::Storage(e.to_string()))?;
-        fs::write(&file_path, json).map_err(|e| TokenError::Storage(e.to_string()))?;
+        fs::write(&file_path, &json).map_err(|e| TokenError::Storage(e.to_string()))?;
+        set_file_permissions_600(&file_path);
 
         Ok(raw_token)
     }
 
-    /// Verify a token and return user info if valid
-    pub fn verify_token(&self, token: &str) -> Result<String, TokenError> {
+    /// Verify a token and return user info if valid.
+    ///
+    /// Uses an in-memory cache to avoid Argon2 verification on every request.
+    /// The `last_used` timestamp is updated in batch via `flush_last_used()`.
+    pub fn verify_token(&self, token: &str) -> Result<(String, Role), TokenError> {
         if !token.starts_with(TOKEN_PREFIX) {
             return Err(TokenError::InvalidFormat);
         }
 
-        let token_hash = hash_token(token);
-        let file_path = self
-            .storage_path
-            .join(format!("{}.json", &token_hash[..16]));
+        let cache_key = sha256_hex(token);
 
-        if !file_path.exists() {
-            return Err(TokenError::NotFound);
+        // Fast path: check in-memory cache
+        {
+            let cache = self.cache.read();
+            if let Some(cached) = cache.get(&cache_key) {
+                if cached.cached_at.elapsed() < CACHE_TTL {
+                    let now = SystemTime::now()
+                        .duration_since(UNIX_EPOCH)
+                        .unwrap_or_default()
+                        .as_secs();
+                    if now > cached.expires_at {
+                        return Err(TokenError::Expired);
+                    }
+                    // Schedule deferred last_used update
+                    self.pending_last_used
+                        .write()
+                        .insert(cache_key[..16].to_string(), now);
+                    return Ok((cached.user.clone(), cached.role.clone()));
+                }
+            }
         }
 
-        let content =
-            fs::read_to_string(&file_path).map_err(|e| TokenError::Storage(e.to_string()))?;
+        // Slow path: read from disk and verify Argon2
+        let file_path = self.storage_path.join(format!("{}.json", &cache_key[..16]));
+
+        let content = match fs::read_to_string(&file_path) {
+            Ok(c) => c,
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
+                return Err(TokenError::NotFound);
+            }
+            Err(e) => return Err(TokenError::Storage(e.to_string())),
+        };
+
         let mut info: TokenInfo =
             serde_json::from_str(&content).map_err(|e| TokenError::Storage(e.to_string()))?;
 
-        // Verify hash matches
-        if info.token_hash != token_hash {
+        // Verify hash: try Argon2id first, fall back to legacy SHA256
+        let hash_valid = if info.token_hash.starts_with("$argon2") {
+            verify_token_argon2(token, &info.token_hash)
+        } else {
+            // Legacy SHA256 hash (no salt) — verify and migrate
+            let legacy_hash = sha256_hex(token);
+            if info.token_hash == legacy_hash {
+                // Migrate to Argon2id
+                if let Ok(new_hash) = hash_token_argon2(token) {
+                    info.token_hash = new_hash;
+                    if let Ok(json) = serde_json::to_string_pretty(&info) {
+                        let _ = fs::write(&file_path, &json);
+                        set_file_permissions_600(&file_path);
+                    }
+                }
+                true
+            } else {
+                false
+            }
+        };
+
+        if !hash_valid {
             return Err(TokenError::NotFound);
         }
 
@@ -112,13 +231,23 @@ impl TokenStore {
             return Err(TokenError::Expired);
         }
 
-        // Update last_used
-        info.last_used = Some(now);
-        if let Ok(json) = serde_json::to_string_pretty(&info) {
-            let _ = fs::write(&file_path, json);
-        }
+        // Populate cache
+        self.cache.write().insert(
+            cache_key[..16].to_string(),
+            CachedToken {
+                user: info.user.clone(),
+                role: info.role.clone(),
+                expires_at: info.expires_at,
+                cached_at: Instant::now(),
+            },
+        );
 
-        Ok(info.user)
+        // Schedule deferred last_used update
+        self.pending_last_used
+            .write()
+            .insert(cache_key[..16].to_string(), now);
+
+        Ok((info.user, info.role))
     }
 
     /// List all tokens for a user
@@ -141,17 +270,56 @@ impl TokenStore {
         tokens
     }
 
+    /// Flush pending last_used timestamps to disk (async to avoid blocking runtime).
+    /// Called periodically by background task (every 30s).
+    pub async fn flush_last_used(&self) {
+        let pending: HashMap<String, u64> = {
+            let mut map = self.pending_last_used.write();
+            std::mem::take(&mut *map)
+        };
+
+        if pending.is_empty() {
+            return;
+        }
+
+        for (file_prefix, timestamp) in &pending {
+            let file_path = self.storage_path.join(format!("{}.json", file_prefix));
+            let content = match tokio::fs::read_to_string(&file_path).await {
+                Ok(c) => c,
+                Err(_) => continue,
+            };
+            let mut info: TokenInfo = match serde_json::from_str(&content) {
+                Ok(i) => i,
+                Err(_) => continue,
+            };
+            info.last_used = Some(*timestamp);
+            if let Ok(json) = serde_json::to_string_pretty(&info) {
+                let _ = tokio::fs::write(&file_path, &json).await;
+                set_file_permissions_600(&file_path);
+            }
+        }
+
+        tracing::debug!(count = pending.len(), "Flushed pending last_used updates");
+    }
+
+    /// Remove a token from the in-memory cache (called on revoke)
+    fn invalidate_cache(&self, hash_prefix: &str) {
+        self.cache.write().remove(hash_prefix);
+    }
+
     /// Revoke a token by its hash prefix
     pub fn revoke_token(&self, hash_prefix: &str) -> Result<(), TokenError> {
         let file_path = self.storage_path.join(format!("{}.json", hash_prefix));
 
-        if !file_path.exists() {
-            return Err(TokenError::NotFound);
+        // TOCTOU fix: try remove directly
+        match fs::remove_file(&file_path) {
+            Ok(()) => {
+                self.invalidate_cache(hash_prefix);
+                Ok(())
+            }
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => Err(TokenError::NotFound),
+            Err(e) => Err(TokenError::Storage(e.to_string())),
         }
-
-        fs::remove_file(&file_path).map_err(|e| TokenError::Storage(e.to_string()))?;
-
-        Ok(())
     }
 
     /// Revoke all tokens for a user
@@ -174,11 +342,39 @@ impl TokenStore {
     }
 }
 
-/// Hash a token using SHA256
-fn hash_token(token: &str) -> String {
+/// Hash a token using Argon2id with random salt
+fn hash_token_argon2(token: &str) -> Result<String, TokenError> {
+    let salt = SaltString::generate(&mut OsRng);
+    let argon2 = Argon2::default();
+    argon2
+        .hash_password(token.as_bytes(), &salt)
+        .map(|h| h.to_string())
+        .map_err(|e| TokenError::Storage(format!("hash error: {e}")))
+}
+
+/// Verify a token against an Argon2id hash
+fn verify_token_argon2(token: &str, hash: &str) -> bool {
+    match PasswordHash::new(hash) {
+        Ok(parsed) => Argon2::default()
+            .verify_password(token.as_bytes(), &parsed)
+            .is_ok(),
+        Err(_) => false,
+    }
+}
+
+/// SHA256 hex digest (used for file naming and legacy hash verification)
+fn sha256_hex(input: &str) -> String {
     let mut hasher = Sha256::new();
-    hasher.update(token.as_bytes());
-    format!("{:x}", hasher.finalize())
+    hasher.update(input.as_bytes());
+    hex::encode(hasher.finalize())
+}
+
+/// Set file permissions to 600 (owner read/write only)
+fn set_file_permissions_600(path: &Path) {
+    #[cfg(unix)]
+    {
+        let _ = fs::set_permissions(path, fs::Permissions::from_mode(0o600));
+    }
 }
 
 #[derive(Debug, Error)]
@@ -197,6 +393,7 @@ pub enum TokenError {
 }
 
 #[cfg(test)]
+#[allow(clippy::unwrap_used)]
 mod tests {
     use super::*;
     use tempfile::TempDir;
@@ -207,22 +404,38 @@ mod tests {
         let store = TokenStore::new(temp_dir.path());
 
         let token = store
-            .create_token("testuser", 30, Some("Test token".to_string()))
+            .create_token("testuser", 30, Some("Test token".to_string()), Role::Write)
             .unwrap();
 
         assert!(token.starts_with("nra_"));
         assert_eq!(token.len(), 4 + 32); // prefix + uuid without dashes
     }
 
+    #[test]
+    fn test_token_hash_is_argon2() {
+        let temp_dir = TempDir::new().unwrap();
+        let store = TokenStore::new(temp_dir.path());
+
+        let _token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
+
+        let tokens = store.list_tokens("testuser");
+        assert!(tokens[0].token_hash.starts_with("$argon2"));
+    }
+
     #[test]
     fn test_verify_valid_token() {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        let token = store.create_token("testuser", 30, None).unwrap();
-        let user = store.verify_token(&token).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
+        let (user, role) = store.verify_token(&token).unwrap();
 
         assert_eq!(user, "testuser");
+        assert_eq!(role, Role::Write);
     }
 
     #[test]
@@ -248,30 +461,88 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        // Create token and manually set it as expired
-        let token = store.create_token("testuser", 1, None).unwrap();
-        let token_hash = hash_token(&token);
-        let file_path = temp_dir.path().join(format!("{}.json", &token_hash[..16]));
+        let token = store
+            .create_token("testuser", 1, None, Role::Write)
+            .unwrap();
+        let file_id = sha256_hex(&token);
+        let file_path = temp_dir.path().join(format!("{}.json", &file_id[..16]));
 
-        // Read and modify the token to be expired
         let content = std::fs::read_to_string(&file_path).unwrap();
         let mut info: TokenInfo = serde_json::from_str(&content).unwrap();
-        info.expires_at = 0; // Set to epoch (definitely expired)
+        info.expires_at = 0;
         std::fs::write(&file_path, serde_json::to_string(&info).unwrap()).unwrap();
 
-        // Token should now be expired
         let result = store.verify_token(&token);
         assert!(matches!(result, Err(TokenError::Expired)));
     }
 
+    #[test]
+    fn test_legacy_sha256_migration() {
+        let temp_dir = TempDir::new().unwrap();
+        let store = TokenStore::new(temp_dir.path());
+
+        // Simulate a legacy token with SHA256 hash
+        let raw_token = "nra_00112233445566778899aabbccddeeff";
+        let legacy_hash = sha256_hex(raw_token);
+        let file_id = sha256_hex(raw_token);
+
+        let now = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap_or_default()
+            .as_secs();
+
+        let info = TokenInfo {
+            token_hash: legacy_hash.clone(),
+            user: "legacyuser".to_string(),
+            created_at: now,
+            expires_at: now + 86400,
+            last_used: None,
+            description: None,
+            role: Role::Read,
+        };
+
+        let file_path = temp_dir.path().join(format!("{}.json", &file_id[..16]));
+        fs::write(&file_path, serde_json::to_string_pretty(&info).unwrap()).unwrap();
+
+        // Verify should work with legacy hash
+        let (user, role) = store.verify_token(raw_token).unwrap();
+        assert_eq!(user, "legacyuser");
+        assert_eq!(role, Role::Read);
+
+        // After verification, hash should be migrated to Argon2id
+        let content = fs::read_to_string(&file_path).unwrap();
+        let updated: TokenInfo = serde_json::from_str(&content).unwrap();
+        assert!(updated.token_hash.starts_with("$argon2"));
+    }
+
+    #[test]
+    fn test_file_permissions() {
+        let temp_dir = TempDir::new().unwrap();
+        let store = TokenStore::new(temp_dir.path());
+
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
+
+        let file_id = sha256_hex(&token);
+        let file_path = temp_dir.path().join(format!("{}.json", &file_id[..16]));
+
+        #[cfg(unix)]
+        {
+            let metadata = fs::metadata(&file_path).unwrap();
+            let mode = metadata.permissions().mode() & 0o777;
+            assert_eq!(mode, 0o600);
+        }
+    }
+
     #[test]
     fn test_list_tokens() {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        store.create_token("user1", 30, None).unwrap();
-        store.create_token("user1", 30, None).unwrap();
-        store.create_token("user2", 30, None).unwrap();
+        store.create_token("user1", 30, None, Role::Write).unwrap();
+        store.create_token("user1", 30, None, Role::Write).unwrap();
+        store.create_token("user2", 30, None, Role::Read).unwrap();
 
         let user1_tokens = store.list_tokens("user1");
         assert_eq!(user1_tokens.len(), 2);
@@ -288,17 +559,16 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        let token = store.create_token("testuser", 30, None).unwrap();
-        let token_hash = hash_token(&token);
-        let hash_prefix = &token_hash[..16];
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
+        let file_id = sha256_hex(&token);
+        let hash_prefix = &file_id[..16];
 
-        // Verify token works
         assert!(store.verify_token(&token).is_ok());
 
-        // Revoke
         store.revoke_token(hash_prefix).unwrap();
 
-        // Verify token no longer works
         let result = store.verify_token(&token);
         assert!(matches!(result, Err(TokenError::NotFound)));
     }
@@ -317,9 +587,9 @@ mod tests {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        store.create_token("user1", 30, None).unwrap();
-        store.create_token("user1", 30, None).unwrap();
-        store.create_token("user2", 30, None).unwrap();
+        store.create_token("user1", 30, None, Role::Write).unwrap();
+        store.create_token("user1", 30, None, Role::Write).unwrap();
+        store.create_token("user2", 30, None, Role::Read).unwrap();
 
         let revoked = store.revoke_all_for_user("user1");
         assert_eq!(revoked, 2);
@@ -328,28 +598,78 @@ mod tests {
         assert_eq!(store.list_tokens("user2").len(), 1);
     }
 
-    #[test]
-    fn test_token_updates_last_used() {
+    #[tokio::test]
+    async fn test_token_updates_last_used() {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
-        let token = store.create_token("testuser", 30, None).unwrap();
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
 
-        // First verification
         store.verify_token(&token).unwrap();
 
-        // Check last_used is set
+        // last_used is deferred — flush to persist
+        store.flush_last_used().await;
+
         let tokens = store.list_tokens("testuser");
         assert!(tokens[0].last_used.is_some());
     }
 
+    #[test]
+    fn test_verify_cache_hit() {
+        let temp_dir = TempDir::new().unwrap();
+        let store = TokenStore::new(temp_dir.path());
+
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
+
+        // First call: cold (disk + Argon2)
+        let (user1, role1) = store.verify_token(&token).unwrap();
+        // Second call: should hit cache (no Argon2)
+        let (user2, role2) = store.verify_token(&token).unwrap();
+
+        assert_eq!(user1, user2);
+        assert_eq!(role1, role2);
+        assert_eq!(user1, "testuser");
+        assert_eq!(role1, Role::Write);
+    }
+
+    #[test]
+    fn test_revoke_invalidates_cache() {
+        let temp_dir = TempDir::new().unwrap();
+        let store = TokenStore::new(temp_dir.path());
+
+        let token = store
+            .create_token("testuser", 30, None, Role::Write)
+            .unwrap();
+        let file_id = sha256_hex(&token);
+        let hash_prefix = &file_id[..16];
+
+        // Populate cache
+        assert!(store.verify_token(&token).is_ok());
+
+        // Revoke
+        store.revoke_token(hash_prefix).unwrap();
+
+        // Cache should be invalidated
+        let result = store.verify_token(&token);
+        assert!(matches!(result, Err(TokenError::NotFound)));
+    }
+
     #[test]
     fn test_token_with_description() {
         let temp_dir = TempDir::new().unwrap();
         let store = TokenStore::new(temp_dir.path());
 
         store
-            .create_token("testuser", 30, Some("CI/CD Pipeline".to_string()))
+            .create_token(
+                "testuser",
+                30,
+                Some("CI/CD Pipeline".to_string()),
+                Role::Admin,
+            )
             .unwrap();
 
         let tokens = store.list_tokens("testuser");

nora-registry/src/ui/api.rs

@@ -1,5 +1,10 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 use super::components::{format_size, format_timestamp, html_escape};
 use super::templates::encode_uri_component;
+use crate::activity_log::ActivityEntry;
+use crate::repo_index::RepoInfo;
 use crate::AppState;
 use crate::Storage;
 use axum::{
@@ -8,6 +13,7 @@ use axum::{
 };
 use serde::{Deserialize, Serialize};
 use std::collections::{HashMap, HashSet};
+use std::sync::atomic::Ordering;
 use std::sync::Arc;
 
 #[derive(Serialize)]
@@ -17,14 +23,8 @@ pub struct RegistryStats {
     pub npm: usize,
     pub cargo: usize,
     pub pypi: usize,
-}
-
-#[derive(Serialize, Clone)]
-pub struct RepoInfo {
-    pub name: String,
-    pub versions: usize,
-    pub size: u64,
-    pub updated: String,
+    pub go: usize,
+    pub raw: usize,
 }
 
 #[derive(Serialize)]
@@ -32,6 +32,12 @@ pub struct TagInfo {
     pub name: String,
     pub size: u64,
     pub created: String,
+    pub downloads: u64,
+    pub last_pulled: Option<String>,
+    pub os: String,
+    pub arch: String,
+    pub layers_count: usize,
+    pub pull_command: String,
 }
 
 #[derive(Serialize)]
@@ -67,26 +73,222 @@ pub struct SearchQuery {
     pub q: Option<String>,
 }
 
+#[derive(Serialize)]
+pub struct DashboardResponse {
+    pub global_stats: GlobalStats,
+    pub registry_stats: Vec<RegistryCardStats>,
+    pub mount_points: Vec<MountPoint>,
+    pub activity: Vec<ActivityEntry>,
+    pub uptime_seconds: u64,
+}
+
+#[derive(Serialize)]
+pub struct GlobalStats {
+    pub downloads: u64,
+    pub uploads: u64,
+    pub artifacts: u64,
+    pub cache_hit_percent: f64,
+    pub storage_bytes: u64,
+}
+
+#[derive(Serialize)]
+pub struct RegistryCardStats {
+    pub name: String,
+    pub artifact_count: usize,
+    pub downloads: u64,
+    pub uploads: u64,
+    pub size_bytes: u64,
+}
+
+#[derive(Serialize)]
+pub struct MountPoint {
+    pub registry: String,
+    pub mount_path: String,
+    pub proxy_upstream: Option<String>,
+}
+
 // ============ API Handlers ============
 
 pub async fn api_stats(State(state): State<Arc<AppState>>) -> Json<RegistryStats> {
-    let stats = get_registry_stats(&state.storage).await;
-    Json(stats)
+    // Trigger index rebuild if needed, then get counts
+    let _ = state.repo_index.get("docker", &state.storage).await;
+    let _ = state.repo_index.get("maven", &state.storage).await;
+    let _ = state.repo_index.get("npm", &state.storage).await;
+    let _ = state.repo_index.get("cargo", &state.storage).await;
+    let _ = state.repo_index.get("pypi", &state.storage).await;
+    let _ = state.repo_index.get("go", &state.storage).await;
+    let _ = state.repo_index.get("raw", &state.storage).await;
+
+    let (docker, maven, npm, cargo, pypi, go, raw) = state.repo_index.counts();
+    Json(RegistryStats {
+        docker,
+        maven,
+        npm,
+        cargo,
+        pypi,
+        go,
+        raw,
+    })
+}
+
+pub async fn api_dashboard(State(state): State<Arc<AppState>>) -> Json<DashboardResponse> {
+    // Get indexes (will rebuild if dirty)
+    let docker_repos = state.repo_index.get("docker", &state.storage).await;
+    let maven_repos = state.repo_index.get("maven", &state.storage).await;
+    let npm_repos = state.repo_index.get("npm", &state.storage).await;
+    let cargo_repos = state.repo_index.get("cargo", &state.storage).await;
+    let pypi_repos = state.repo_index.get("pypi", &state.storage).await;
+    let go_repos = state.repo_index.get("go", &state.storage).await;
+    let raw_repos = state.repo_index.get("raw", &state.storage).await;
+
+    // Calculate sizes from cached index
+    let docker_size: u64 = docker_repos.iter().map(|r| r.size).sum();
+    let maven_size: u64 = maven_repos.iter().map(|r| r.size).sum();
+    let npm_size: u64 = npm_repos.iter().map(|r| r.size).sum();
+    let cargo_size: u64 = cargo_repos.iter().map(|r| r.size).sum();
+    let pypi_size: u64 = pypi_repos.iter().map(|r| r.size).sum();
+    let go_size: u64 = go_repos.iter().map(|r| r.size).sum();
+    let raw_size: u64 = raw_repos.iter().map(|r| r.size).sum();
+    let total_storage =
+        docker_size + maven_size + npm_size + cargo_size + pypi_size + go_size + raw_size;
+
+    // Count total versions/tags, not just repositories
+    let docker_versions: usize = docker_repos.iter().map(|r| r.versions).sum();
+    let maven_versions: usize = maven_repos.iter().map(|r| r.versions).sum();
+    let npm_versions: usize = npm_repos.iter().map(|r| r.versions).sum();
+    let cargo_versions: usize = cargo_repos.iter().map(|r| r.versions).sum();
+    let pypi_versions: usize = pypi_repos.iter().map(|r| r.versions).sum();
+    let go_versions: usize = go_repos.iter().map(|r| r.versions).sum();
+    let raw_versions: usize = raw_repos.iter().map(|r| r.versions).sum();
+    let total_artifacts = docker_versions
+        + maven_versions
+        + npm_versions
+        + cargo_versions
+        + pypi_versions
+        + go_versions
+        + raw_versions;
+
+    let global_stats = GlobalStats {
+        downloads: state.metrics.downloads.load(Ordering::Relaxed),
+        uploads: state.metrics.uploads.load(Ordering::Relaxed),
+        artifacts: total_artifacts as u64,
+        cache_hit_percent: state.metrics.cache_hit_rate(),
+        storage_bytes: total_storage,
+    };
+
+    let registry_card_stats = vec![
+        RegistryCardStats {
+            name: "docker".to_string(),
+            artifact_count: docker_versions,
+            downloads: state.metrics.get_registry_downloads("docker"),
+            uploads: state.metrics.get_registry_uploads("docker"),
+            size_bytes: docker_size,
+        },
+        RegistryCardStats {
+            name: "maven".to_string(),
+            artifact_count: maven_versions,
+            downloads: state.metrics.get_registry_downloads("maven"),
+            uploads: state.metrics.get_registry_uploads("maven"),
+            size_bytes: maven_size,
+        },
+        RegistryCardStats {
+            name: "npm".to_string(),
+            artifact_count: npm_versions,
+            downloads: state.metrics.get_registry_downloads("npm"),
+            uploads: 0,
+            size_bytes: npm_size,
+        },
+        RegistryCardStats {
+            name: "cargo".to_string(),
+            artifact_count: cargo_versions,
+            downloads: state.metrics.get_registry_downloads("cargo"),
+            uploads: 0,
+            size_bytes: cargo_size,
+        },
+        RegistryCardStats {
+            name: "pypi".to_string(),
+            artifact_count: pypi_versions,
+            downloads: state.metrics.get_registry_downloads("pypi"),
+            uploads: 0,
+            size_bytes: pypi_size,
+        },
+        RegistryCardStats {
+            name: "go".to_string(),
+            artifact_count: go_versions,
+            downloads: state.metrics.get_registry_downloads("go"),
+            uploads: 0,
+            size_bytes: go_size,
+        },
+        RegistryCardStats {
+            name: "raw".to_string(),
+            artifact_count: raw_versions,
+            downloads: state.metrics.get_registry_downloads("raw"),
+            uploads: state.metrics.get_registry_uploads("raw"),
+            size_bytes: raw_size,
+        },
+    ];
+
+    let mount_points = vec![
+        MountPoint {
+            registry: "Docker".to_string(),
+            mount_path: "/v2/".to_string(),
+            proxy_upstream: state.config.docker.upstreams.first().map(|u| u.url.clone()),
+        },
+        MountPoint {
+            registry: "Maven".to_string(),
+            mount_path: "/maven2/".to_string(),
+            proxy_upstream: state
+                .config
+                .maven
+                .proxies
+                .first()
+                .map(|p| p.url().to_string()),
+        },
+        MountPoint {
+            registry: "npm".to_string(),
+            mount_path: "/npm/".to_string(),
+            proxy_upstream: state.config.npm.proxy.clone(),
+        },
+        MountPoint {
+            registry: "Cargo".to_string(),
+            mount_path: "/cargo/".to_string(),
+            proxy_upstream: None,
+        },
+        MountPoint {
+            registry: "PyPI".to_string(),
+            mount_path: "/simple/".to_string(),
+            proxy_upstream: state.config.pypi.proxy.clone(),
+        },
+        MountPoint {
+            registry: "Go".to_string(),
+            mount_path: "/go/".to_string(),
+            proxy_upstream: state.config.go.proxy.clone(),
+        },
+        MountPoint {
+            registry: "Raw".to_string(),
+            mount_path: "/raw/".to_string(),
+            proxy_upstream: None,
+        },
+    ];
+
+    let activity = state.activity.recent(20);
+    let uptime_seconds = state.start_time.elapsed().as_secs();
+
+    Json(DashboardResponse {
+        global_stats,
+        registry_stats: registry_card_stats,
+        mount_points,
+        activity,
+        uptime_seconds,
+    })
 }
 
 pub async fn api_list(
     State(state): State<Arc<AppState>>,
     Path(registry_type): Path<String>,
 ) -> Json<Vec<RepoInfo>> {
-    let repos = match registry_type.as_str() {
-        "docker" => get_docker_repos(&state.storage).await,
-        "maven" => get_maven_repos(&state.storage).await,
-        "npm" => get_npm_packages(&state.storage).await,
-        "cargo" => get_cargo_crates(&state.storage).await,
-        "pypi" => get_pypi_packages(&state.storage).await,
-        _ => vec![],
-    };
-    Json(repos)
+    let repos = state.repo_index.get(&registry_type, &state.storage).await;
+    Json((*repos).clone())
 }
 
 pub async fn api_detail(
@@ -95,7 +297,7 @@ pub async fn api_detail(
 ) -> Json<serde_json::Value> {
     match registry_type.as_str() {
         "docker" => {
-            let detail = get_docker_detail(&state.storage, &name).await;
+            let detail = get_docker_detail(&state, &name).await;
             Json(serde_json::to_value(detail).unwrap_or_default())
         }
         "npm" => {
@@ -117,20 +319,13 @@ pub async fn api_search(
 ) -> axum::response::Html<String> {
     let query = params.q.unwrap_or_default().to_lowercase();
 
-    let repos = match registry_type.as_str() {
-        "docker" => get_docker_repos(&state.storage).await,
-        "maven" => get_maven_repos(&state.storage).await,
-        "npm" => get_npm_packages(&state.storage).await,
-        "cargo" => get_cargo_crates(&state.storage).await,
-        "pypi" => get_pypi_packages(&state.storage).await,
-        _ => vec![],
-    };
+    let repos = state.repo_index.get(&registry_type, &state.storage).await;
 
-    let filtered: Vec<_> = if query.is_empty() {
-        repos
+    let filtered: Vec<&RepoInfo> = if query.is_empty() {
+        repos.iter().collect()
     } else {
         repos
-            .into_iter()
+            .iter()
             .filter(|r| r.name.to_lowercase().contains(&query))
             .collect()
     };
@@ -175,7 +370,9 @@ pub async fn api_search(
 }
 
 // ============ Data Fetching Functions ============
+// NOTE: Legacy functions below - kept for reference, will be removed in future cleanup
 
+#[allow(dead_code)]
 pub async fn get_registry_stats(storage: &Storage) -> RegistryStats {
     let all_keys = storage.list("").await;
 
@@ -218,21 +415,47 @@ pub async fn get_registry_stats(storage: &Storage) -> RegistryStats {
         .collect::<HashSet<_>>()
         .len();
 
+    let go = all_keys
+        .iter()
+        .filter(|k| k.starts_with("go/") && k.ends_with(".zip"))
+        .filter_map(|k| {
+            let rest = k.strip_prefix("go/")?;
+            let pos = rest.rfind("/@v/")?;
+            Some(rest[..pos].to_string())
+        })
+        .collect::<HashSet<_>>()
+        .len();
+
+    let raw = all_keys
+        .iter()
+        .filter(|k| k.starts_with("raw/"))
+        .filter_map(|k| k.strip_prefix("raw/")?.split('/').next())
+        .collect::<HashSet<_>>()
+        .len();
+
     RegistryStats {
         docker,
         maven,
         npm,
         cargo,
         pypi,
+        go,
+        raw,
     }
 }
 
+#[allow(dead_code)]
 pub async fn get_docker_repos(storage: &Storage) -> Vec<RepoInfo> {
     let keys = storage.list("docker/").await;
 
     let mut repos: HashMap<String, (RepoInfo, u64)> = HashMap::new(); // (info, latest_modified)
 
     for key in &keys {
+        // Skip .meta.json files
+        if key.ends_with(".meta.json") {
+            continue;
+        }
+
         if let Some(rest) = key.strip_prefix("docker/") {
             let parts: Vec<_> = rest.split('/').collect();
             if parts.len() >= 3 {
@@ -249,10 +472,35 @@ pub async fn get_docker_repos(storage: &Storage) -> Vec<RepoInfo> {
                     )
                 });
 
-                if parts[1] == "manifests" {
+                if parts[1] == "manifests" && key.ends_with(".json") {
                     entry.0.versions += 1;
+
+                    // Parse manifest to get actual image size (config + layers)
+                    if let Ok(manifest_data) = storage.get(key).await {
+                        if let Ok(manifest) =
+                            serde_json::from_slice::<serde_json::Value>(&manifest_data)
+                        {
+                            let config_size = manifest
+                                .get("config")
+                                .and_then(|c| c.get("size"))
+                                .and_then(|s| s.as_u64())
+                                .unwrap_or(0);
+                            let layers_size: u64 = manifest
+                                .get("layers")
+                                .and_then(|l| l.as_array())
+                                .map(|layers| {
+                                    layers
+                                        .iter()
+                                        .filter_map(|l| l.get("size").and_then(|s| s.as_u64()))
+                                        .sum()
+                                })
+                                .unwrap_or(0);
+                            entry.0.size += config_size + layers_size;
+                        }
+                    }
+
+                    // Update timestamp
                     if let Some(meta) = storage.stat(key).await {
-                        entry.0.size += meta.size;
                         if meta.modified > entry.1 {
                             entry.1 = meta.modified;
                             entry.0.updated = format_timestamp(meta.modified);
@@ -268,25 +516,106 @@ pub async fn get_docker_repos(storage: &Storage) -> Vec<RepoInfo> {
     result
 }
 
-pub async fn get_docker_detail(storage: &Storage, name: &str) -> DockerDetail {
+pub async fn get_docker_detail(state: &AppState, name: &str) -> DockerDetail {
     let prefix = format!("docker/{}/manifests/", name);
-    let keys = storage.list(&prefix).await;
+    let keys = state.storage.list(&prefix).await;
+
+    // Build public URL for pull commands
+    let registry_host =
+        state.config.server.public_url.clone().unwrap_or_else(|| {
+            format!("{}:{}", state.config.server.host, state.config.server.port)
+        });
 
     let mut tags = Vec::new();
     for key in &keys {
+        // Skip .meta.json files
+        if key.ends_with(".meta.json") {
+            continue;
+        }
+
         if let Some(tag_name) = key
             .strip_prefix(&prefix)
             .and_then(|s| s.strip_suffix(".json"))
         {
-            let (size, created) = if let Some(meta) = storage.stat(key).await {
-                (meta.size, format_timestamp(meta.modified))
+            // Load metadata from .meta.json file
+            let meta_key = format!("{}.meta.json", key.trim_end_matches(".json"));
+            let metadata = if let Ok(meta_data) = state.storage.get(&meta_key).await {
+                serde_json::from_slice::<crate::registry::docker::ImageMetadata>(&meta_data)
+                    .unwrap_or_default()
             } else {
-                (0, "N/A".to_string())
+                crate::registry::docker::ImageMetadata::default()
             };
+
+            // Get file stats for created timestamp if metadata doesn't have push_timestamp
+            let created = if metadata.push_timestamp > 0 {
+                format_timestamp(metadata.push_timestamp)
+            } else if let Some(file_meta) = state.storage.stat(key).await {
+                format_timestamp(file_meta.modified)
+            } else {
+                "N/A".to_string()
+            };
+
+            // Calculate size from manifest layers (config + layers)
+            let size = if metadata.size_bytes > 0 {
+                metadata.size_bytes
+            } else {
+                // Parse manifest to get actual image size
+                if let Ok(manifest_data) = state.storage.get(key).await {
+                    if let Ok(manifest) =
+                        serde_json::from_slice::<serde_json::Value>(&manifest_data)
+                    {
+                        let config_size = manifest
+                            .get("config")
+                            .and_then(|c| c.get("size"))
+                            .and_then(|s| s.as_u64())
+                            .unwrap_or(0);
+                        let layers_size: u64 = manifest
+                            .get("layers")
+                            .and_then(|l| l.as_array())
+                            .map(|layers| {
+                                layers
+                                    .iter()
+                                    .filter_map(|l| l.get("size").and_then(|s| s.as_u64()))
+                                    .sum()
+                            })
+                            .unwrap_or(0);
+                        config_size + layers_size
+                    } else {
+                        0
+                    }
+                } else {
+                    0
+                }
+            };
+
+            // Format last_pulled
+            let last_pulled = if metadata.last_pulled > 0 {
+                Some(format_timestamp(metadata.last_pulled))
+            } else {
+                None
+            };
+
+            // Build pull command
+            let pull_command = format!("docker pull {}/{}:{}", registry_host, name, tag_name);
+
             tags.push(TagInfo {
                 name: tag_name.to_string(),
                 size,
                 created,
+                downloads: metadata.downloads,
+                last_pulled,
+                os: if metadata.os.is_empty() {
+                    "unknown".to_string()
+                } else {
+                    metadata.os
+                },
+                arch: if metadata.arch.is_empty() {
+                    "unknown".to_string()
+                } else {
+                    metadata.arch
+                },
+                layers_count: metadata.layers.len(),
+                pull_command,
             });
         }
     }
@@ -294,6 +623,7 @@ pub async fn get_docker_detail(storage: &Storage, name: &str) -> DockerDetail {
     DockerDetail { tags }
 }
 
+#[allow(dead_code)]
 pub async fn get_maven_repos(storage: &Storage) -> Vec<RepoInfo> {
     let keys = storage.list("maven/").await;
 
@@ -353,75 +683,125 @@ pub async fn get_maven_detail(storage: &Storage, path: &str) -> MavenDetail {
     MavenDetail { artifacts }
 }
 
+#[allow(dead_code)]
 pub async fn get_npm_packages(storage: &Storage) -> Vec<RepoInfo> {
     let keys = storage.list("npm/").await;
 
-    let mut packages: HashMap<String, (RepoInfo, u64)> = HashMap::new();
+    let mut packages: HashMap<String, RepoInfo> = HashMap::new();
 
+    // Find all metadata.json files
     for key in &keys {
-        if let Some(rest) = key.strip_prefix("npm/") {
-            let parts: Vec<_> = rest.split('/').collect();
-            if !parts.is_empty() {
-                let name = parts[0].to_string();
-                let entry = packages.entry(name.clone()).or_insert_with(|| {
-                    (
-                        RepoInfo {
-                            name,
-                            versions: 0,
-                            size: 0,
-                            updated: "N/A".to_string(),
-                        },
-                        0,
-                    )
-                });
+        if key.ends_with("/metadata.json") {
+            if let Some(name) = key
+                .strip_prefix("npm/")
+                .and_then(|s| s.strip_suffix("/metadata.json"))
+            {
+                // Parse metadata to get version count and info
+                if let Ok(data) = storage.get(key).await {
+                    if let Ok(metadata) = serde_json::from_slice::<serde_json::Value>(&data) {
+                        let versions_count = metadata
+                            .get("versions")
+                            .and_then(|v| v.as_object())
+                            .map(|v| v.len())
+                            .unwrap_or(0);
 
-                if parts.len() >= 3 && parts[1] == "tarballs" {
-                    entry.0.versions += 1;
-                    if let Some(meta) = storage.stat(key).await {
-                        entry.0.size += meta.size;
-                        if meta.modified > entry.1 {
-                            entry.1 = meta.modified;
-                            entry.0.updated = format_timestamp(meta.modified);
-                        }
+                        // Calculate total size from dist.unpackedSize or estimate
+                        let total_size: u64 = metadata
+                            .get("versions")
+                            .and_then(|v| v.as_object())
+                            .map(|versions| {
+                                versions
+                                    .values()
+                                    .filter_map(|v| {
+                                        v.get("dist")
+                                            .and_then(|d| d.get("unpackedSize"))
+                                            .and_then(|s| s.as_u64())
+                                    })
+                                    .sum()
+                            })
+                            .unwrap_or(0);
+
+                        // Get latest version time for "updated"
+                        let updated = metadata
+                            .get("time")
+                            .and_then(|t| t.get("modified"))
+                            .and_then(|m| m.as_str())
+                            .map(|s| s[..10].to_string()) // Take just date part
+                            .unwrap_or_else(|| "N/A".to_string());
+
+                        packages.insert(
+                            name.to_string(),
+                            RepoInfo {
+                                name: name.to_string(),
+                                versions: versions_count,
+                                size: total_size,
+                                updated,
+                            },
+                        );
                     }
                 }
             }
         }
     }
 
-    let mut result: Vec<_> = packages.into_values().map(|(r, _)| r).collect();
+    let mut result: Vec<_> = packages.into_values().collect();
     result.sort_by(|a, b| a.name.cmp(&b.name));
     result
 }
 
 pub async fn get_npm_detail(storage: &Storage, name: &str) -> PackageDetail {
-    let prefix = format!("npm/{}/tarballs/", name);
-    let keys = storage.list(&prefix).await;
+    let metadata_key = format!("npm/{}/metadata.json", name);
 
     let mut versions = Vec::new();
-    for key in &keys {
-        if let Some(tarball) = key.strip_prefix(&prefix) {
-            if let Some(version) = tarball
-                .strip_prefix(&format!("{}-", name))
-                .and_then(|s| s.strip_suffix(".tgz"))
-            {
-                let (size, published) = if let Some(meta) = storage.stat(key).await {
-                    (meta.size, format_timestamp(meta.modified))
-                } else {
-                    (0, "N/A".to_string())
-                };
-                versions.push(VersionInfo {
-                    version: version.to_string(),
-                    size,
-                    published,
-                });
+
+    // Parse metadata.json for version info
+    if let Ok(data) = storage.get(&metadata_key).await {
+        if let Ok(metadata) = serde_json::from_slice::<serde_json::Value>(&data) {
+            if let Some(versions_obj) = metadata.get("versions").and_then(|v| v.as_object()) {
+                let time_obj = metadata.get("time").and_then(|t| t.as_object());
+
+                for (version, info) in versions_obj {
+                    let size = info
+                        .get("dist")
+                        .and_then(|d| d.get("unpackedSize"))
+                        .and_then(|s| s.as_u64())
+                        .unwrap_or(0);
+
+                    let published = time_obj
+                        .and_then(|t| t.get(version))
+                        .and_then(|p| p.as_str())
+                        .map(|s| s[..10].to_string())
+                        .unwrap_or_else(|| "N/A".to_string());
+
+                    versions.push(VersionInfo {
+                        version: version.clone(),
+                        size,
+                        published,
+                    });
+                }
             }
         }
     }
 
+    // Sort by version (semver-like, newest first)
+    versions.sort_by(|a, b| {
+        let a_parts: Vec<u32> = a
+            .version
+            .split('.')
+            .filter_map(|s| s.parse().ok())
+            .collect();
+        let b_parts: Vec<u32> = b
+            .version
+            .split('.')
+            .filter_map(|s| s.parse().ok())
+            .collect();
+        b_parts.cmp(&a_parts)
+    });
+
     PackageDetail { versions }
 }
 
+#[allow(dead_code)]
 pub async fn get_cargo_crates(storage: &Storage) -> Vec<RepoInfo> {
     let keys = storage.list("cargo/").await;
 
@@ -489,6 +869,7 @@ pub async fn get_cargo_detail(storage: &Storage, name: &str) -> PackageDetail {
     PackageDetail { versions }
 }
 
+#[allow(dead_code)]
 pub async fn get_pypi_packages(storage: &Storage) -> Vec<RepoInfo> {
     let keys = storage.list("pypi/").await;
 
@@ -555,6 +936,32 @@ pub async fn get_pypi_detail(storage: &Storage, name: &str) -> PackageDetail {
     PackageDetail { versions }
 }
 
+pub async fn get_go_detail(storage: &Storage, module: &str) -> PackageDetail {
+    let prefix = format!("go/{}/@v/", module);
+    let keys = storage.list(&prefix).await;
+
+    let mut versions = Vec::new();
+    for key in keys.iter().filter(|k| k.ends_with(".zip")) {
+        if let Some(rest) = key.strip_prefix(&prefix) {
+            if let Some(version) = rest.strip_suffix(".zip") {
+                let (size, published) = if let Some(meta) = storage.stat(key).await {
+                    (meta.size, format_timestamp(meta.modified))
+                } else {
+                    (0, "N/A".to_string())
+                };
+                versions.push(VersionInfo {
+                    version: version.to_string(),
+                    size,
+                    published,
+                });
+            }
+        }
+    }
+
+    versions.sort_by(|a, b| b.version.cmp(&a.version));
+    PackageDetail { versions }
+}
+
 fn extract_pypi_version(name: &str, filename: &str) -> Option<String> {
     // Handle both .tar.gz and .whl files
     let clean_name = name.replace('-', "_");
@@ -578,3 +985,26 @@ fn extract_pypi_version(name: &str, filename: &str) -> Option<String> {
         None
     }
 }
+
+pub async fn get_raw_detail(storage: &Storage, group: &str) -> PackageDetail {
+    let prefix = format!("raw/{}/", group);
+    let keys = storage.list(&prefix).await;
+
+    let mut versions = Vec::new();
+    for key in &keys {
+        if let Some(filename) = key.strip_prefix(&prefix) {
+            let (size, published) = if let Some(meta) = storage.stat(key).await {
+                (meta.size, format_timestamp(meta.modified))
+            } else {
+                (0, "N/A".to_string())
+            };
+            versions.push(VersionInfo {
+                version: filename.to_string(),
+                size,
+                published,
+            });
+        }
+    }
+
+    PackageDetail { versions }
+}

nora-registry/src/ui/components.rs

@@ -1,8 +1,23 @@
-/// Main layout wrapper with header and sidebar
-pub fn layout(title: &str, content: &str, active_page: Option<&str>) -> String {
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use super::i18n::{get_translations, Lang, Translations};
+
+/// Application version from Cargo.toml
+const VERSION: &str = env!("CARGO_PKG_VERSION");
+
+/// Dark theme layout wrapper for dashboard
+pub fn layout_dark(
+    title: &str,
+    content: &str,
+    active_page: Option<&str>,
+    extra_scripts: &str,
+    lang: Lang,
+) -> String {
+    let t = get_translations(lang);
     format!(
         r##"<!DOCTYPE html>
-<html lang="en">
+<html lang="{}">
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
@@ -14,7 +29,7 @@ pub fn layout(title: &str, content: &str, active_page: Option<&str>) -> String {
         .sidebar-open {{ overflow: hidden; }}
     </style>
 </head>
-<body class="bg-slate-100 min-h-screen">
+<body class="bg-[#0f172a] min-h-screen">
     <div class="flex h-screen overflow-hidden">
         <!-- Mobile sidebar overlay -->
         <div id="sidebar-overlay" class="fixed inset-0 bg-black/50 z-40 hidden md:hidden" onclick="toggleSidebar()"></div>
@@ -50,17 +65,438 @@ pub fn layout(title: &str, content: &str, active_page: Option<&str>) -> String {
                 document.body.classList.add('sidebar-open');
             }}
         }}
+
+        function setLang(lang) {{
+            document.cookie = 'nora_lang=' + lang + ';path=/;max-age=31536000';
+            window.location.reload();
+        }}
     </script>
+    {}
 </body>
 </html>"##,
+        lang.code(),
         html_escape(title),
-        sidebar(active_page),
-        header(),
-        content
+        sidebar_dark(active_page, t),
+        header_dark(lang),
+        content,
+        extra_scripts
     )
 }
 
-/// Sidebar navigation component
+/// Dark theme sidebar
+fn sidebar_dark(active_page: Option<&str>, t: &Translations) -> String {
+    let active = active_page.unwrap_or("");
+
+    let docker_icon = r#"<path fill="currentColor" d="M13.983 11.078h2.119a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.119a.185.185 0 00-.185.185v1.888c0 .102.083.185.185.185m-2.954-5.43h2.118a.186.186 0 00.186-.186V3.574a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.186m0 2.716h2.118a.187.187 0 00.186-.186V6.29a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.887c0 .102.082.185.185.186m-2.93 0h2.12a.186.186 0 00.184-.186V6.29a.185.185 0 00-.185-.185H8.1a.185.185 0 00-.185.185v1.887c0 .102.083.185.185.186m-2.964 0h2.119a.186.186 0 00.185-.186V6.29a.185.185 0 00-.185-.185H5.136a.186.186 0 00-.186.185v1.887c0 .102.084.185.186.186m5.893 2.715h2.118a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.185m-2.93 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.083.185.185.185m-2.964 0h2.119a.185.185 0 00.185-.185V9.006a.185.185 0 00-.185-.186h-2.12a.186.186 0 00-.185.186v1.887c0 .102.084.185.186.185m-2.92 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.082.185.185.185M23.763 9.89c-.065-.051-.672-.51-1.954-.51-.338.001-.676.03-1.01.087-.248-1.7-1.653-2.53-1.716-2.566l-.344-.199-.226.327c-.284.438-.49.922-.612 1.43-.23.97-.09 1.882.403 2.661-.595.332-1.55.413-1.744.42H.751a.751.751 0 00-.75.748 11.376 11.376 0 00.692 4.062c.545 1.428 1.355 2.48 2.41 3.124 1.18.723 3.1 1.137 5.275 1.137.983.003 1.963-.086 2.93-.266a12.248 12.248 0 003.823-1.389c.98-.567 1.86-1.288 2.61-2.136 1.252-1.418 1.998-2.997 2.553-4.4h.221c1.372 0 2.215-.549 2.68-1.009.309-.293.55-.65.707-1.046l.098-.288Z"/>"#;
+    let maven_icon = r#"<path fill="currentColor" d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm-1 17.93c-3.95-.49-7-3.85-7-7.93 0-.62.08-1.21.21-1.79L9 15v1c0 1.1.9 2 2 2v1.93zm6.9-2.54c-.26-.81-1-1.39-1.9-1.39h-1v-3c0-.55-.45-1-1-1H8v-2h2c.55 0 1-.45 1-1V7h2c1.1 0 2-.9 2-2v-.41c2.93 1.19 5 4.06 5 7.41 0 2.08-.8 3.97-2.1 5.39z"/>"#;
+    let npm_icon = r#"<path fill="currentColor" d="M0 7.334v8h6.666v1.332H12v-1.332h12v-8H0zm6.666 6.664H5.334v-4H3.999v4H1.335V8.667h5.331v5.331zm4 0v1.336H8.001V8.667h5.334v5.332h-2.669v-.001zm12.001 0h-1.33v-4h-1.336v4h-1.335v-4h-1.33v4h-2.671V8.667h8.002v5.331zM10.665 10H12v2.667h-1.335V10z"/>"#;
+    let cargo_icon = r#"<path fill="currentColor" d="M6 2h12a1 1 0 011 1v8a1 1 0 01-1 1H6a1 1 0 01-1-1V3a1 1 0 011-1zm0 2v2h12V4H6zm0 3v2h12V7H6zM2 14h8a1 1 0 011 1v6a1 1 0 01-1 1H2a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16H2zM14 14h8a1 1 0 011 1v6a1 1 0 01-1 1h-8a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16h-8z"/>"#;
+    let pypi_icon = r#"<path fill="currentColor" d="M14.25.18l.9.2.73.26.59.3.45.32.34.34.25.34.16.33.1.3.04.26.02.2-.01.13V8.5l-.05.63-.13.55-.21.46-.26.38-.3.31-.33.25-.35.19-.35.14-.33.1-.3.07-.26.04-.21.02H8.83l-.69.05-.59.14-.5.22-.41.27-.33.32-.27.35-.2.36-.15.37-.1.35-.07.32-.04.27-.02.21v3.06H3.23l-.21-.03-.28-.07-.32-.12-.35-.18-.36-.26-.36-.36-.35-.46-.32-.59-.28-.73-.21-.88-.14-1.05L0 11.97l.06-1.22.16-1.04.24-.87.32-.71.36-.57.4-.44.42-.33.42-.24.4-.16.36-.1.32-.05.24-.01h.16l.06.01h8.16v-.83H6.24l-.01-2.75-.02-.37.05-.34.11-.31.17-.28.25-.26.31-.23.38-.2.44-.18.51-.15.58-.12.64-.1.71-.06.77-.04.84-.02 1.27.05 1.07.13zm-6.3 1.98l-.23.33-.08.41.08.41.23.34.33.22.41.09.41-.09.33-.22.23-.34.08-.41-.08-.41-.23-.33-.33-.22-.41-.09-.41.09-.33.22zM21.1 6.11l.28.06.32.12.35.18.36.27.36.35.35.47.32.59.28.73.21.88.14 1.04.05 1.23-.06 1.23-.16 1.04-.24.86-.32.71-.36.57-.4.45-.42.33-.42.24-.4.16-.36.09-.32.05-.24.02-.16-.01h-8.22v.82h5.84l.01 2.76.02.36-.05.34-.11.31-.17.29-.25.25-.31.24-.38.2-.44.17-.51.15-.58.13-.64.09-.71.07-.77.04-.84.01-1.27-.04-1.07-.14-.9-.2-.73-.25-.59-.3-.45-.33-.34-.34-.25-.34-.16-.33-.1-.3-.04-.25-.02-.2.01-.13v-5.34l.05-.64.13-.54.21-.46.26-.38.3-.32.33-.24.35-.2.35-.14.33-.1.3-.06.26-.04.21-.02.13-.01h5.84l.69-.05.59-.14.5-.21.41-.28.33-.32.27-.35.2-.36.15-.36.1-.35.07-.32.04-.28.02-.21V6.07h2.09l.14.01.21.03zm-6.47 14.25l-.23.33-.08.41.08.41.23.33.33.23.41.08.41-.08.33-.23.23-.33.08-.41-.08-.41-.23-.33-.33-.23-.41-.08-.41.08-.33.23z"/>"#;
+
+    // Dashboard label is translated, registry names stay as-is
+    let dashboard_label = t.nav_dashboard;
+
+    let nav_items = [
+        (
+            "dashboard",
+            "/ui/",
+            dashboard_label,
+            r#"<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 12l2-2m0 0l7-7 7 7M5 10v10a1 1 0 001 1h3m10-11l2 2m-2-2v10a1 1 0 01-1 1h-3m-6 0a1 1 0 001-1v-4a1 1 0 011-1h2a1 1 0 011 1v4a1 1 0 001 1m-6 0h6"/>"#,
+            true,
+        ),
+        ("docker", "/ui/docker", "Docker", docker_icon, false),
+        ("maven", "/ui/maven", "Maven", maven_icon, false),
+        ("npm", "/ui/npm", "npm", npm_icon, false),
+        ("cargo", "/ui/cargo", "Cargo", cargo_icon, false),
+        ("pypi", "/ui/pypi", "PyPI", pypi_icon, false),
+        (
+            "raw",
+            "/ui/raw",
+            "Raw",
+            r#"<path fill="currentColor" d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>"#,
+            false,
+        ),
+        (
+            "go",
+            "/ui/go",
+            "Go",
+            r#"<path fill="currentColor" d="M2.64 9.56s.24-.14.65-.38c.41-.24.97-.5 1.63-.7A7.85 7.85 0 017.53 8c.86 0 1.67.17 2.37.52.7.35 1.26.87 1.63 1.51.37.64.54 1.41.54 2.27v.2h-2.7v-.16c0-.47-.09-.86-.28-1.15a1.7 1.7 0 00-.77-.67 2.7 2.7 0 00-1.14-.22c-.56 0-1.06.13-1.46.4-.41.27-.72.66-.93 1.16-.21.5-.31 1.1-.31 1.8 0 .69.1 1.28.32 1.78.21.5.53.88.94 1.15.41.27.9.4 1.47.4.38 0 .73-.06 1.04-.17.31-.12.56-.29.74-.52.19-.23.29-.51.29-.84v-.14H7.15v-1.76h5.07v1.3c0 .8-.17 1.48-.52 2.04a3.46 3.46 0 01-1.5 1.3c-.66.3-1.44.45-2.35.45-.99 0-1.87-.18-2.63-.55a4.2 4.2 0 01-1.77-1.59C3.15 14.82 3 13.94 3 12.89v-.28c0-1.04.16-1.93.48-2.65a3.08 3.08 0 01-.84-.4zm12.1-1.34c.92 0 1.74.18 2.44.55a3.96 3.96 0 011.66 1.59c.4.7.6 1.54.6 2.53v.28c0 .99-.2 1.83-.6 2.53a3.96 3.96 0 01-1.66 1.59c-.7.37-1.52.55-2.44.55s-1.74-.18-2.44-.55a3.96 3.96 0 01-1.66-1.59c-.4-.7-.6-1.54-.6-2.53v-.28c0-.99.2-1.83.6-2.53a3.96 3.96 0 011.66-1.59c.7-.37 1.52-.55 2.44-.55zm0 2.12c-.44 0-.82.12-1.14.37-.32.24-.56.6-.73 1.06-.17.46-.26 1.01-.26 1.65v.28c0 .64.09 1.19.26 1.65.17.46.41.82.73 1.06.32.25.7.37 1.14.37.44 0 .82-.12 1.14-.37.32-.24.56-.6.73-1.06.17-.46.26-1.01.26-1.65v-.28c0-.64-.09-1.19-.26-1.65a2.17 2.17 0 00-.73-1.06 1.78 1.78 0 00-1.14-.37z"/>"#,
+            false,
+        ),
+    ];
+
+    let nav_html: String = nav_items.iter().map(|(id, href, label, icon_path, is_stroke)| {
+        let is_active = active == *id;
+        let active_class = if is_active {
+            "bg-slate-700 text-white"
+        } else {
+            "text-slate-300 hover:bg-slate-700 hover:text-white"
+        };
+
+        let (fill_attr, stroke_attr) = if *is_stroke {
+            ("none", r#" stroke="currentColor""#)
+        } else {
+            ("currentColor", "")
+        };
+
+        format!(r##"
+            <a href="{}" class="flex items-center px-4 py-3 text-sm font-medium rounded-lg transition-colors {}">
+                <svg class="w-5 h-5 mr-3" fill="{}"{} viewBox="0 0 24 24">
+                    {}
+                </svg>
+                {}
+            </a>
+        "##, href, active_class, fill_attr, stroke_attr, icon_path, label)
+    }).collect();
+
+    format!(
+        r#"
+        <div id="sidebar" class="fixed md:static inset-y-0 left-0 z-50 w-64 bg-slate-800 text-white flex flex-col transform -translate-x-full md:translate-x-0 transition-transform duration-200 ease-in-out">
+            <div class="h-16 flex items-center justify-between px-6 border-b border-slate-700">
+                <div class="flex items-center">
+                    <span class="text-xl font-bold tracking-tight">N<span class="inline-block w-4 h-4 rounded-full border-2 border-current align-middle mx-px"></span>RA</span>
+                </div>
+                <button onclick="toggleSidebar()" class="md:hidden p-1 rounded-lg hover:bg-slate-700">
+                    <svg class="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"/>
+                    </svg>
+                </button>
+            </div>
+            <nav class="flex-1 px-4 py-6 space-y-1 overflow-y-auto">
+                {}
+                <div class="text-xs font-semibold text-slate-400 uppercase tracking-wider px-4 mt-6 mb-3">
+                    {}
+                </div>
+            </nav>
+            <div class="px-4 py-4 border-t border-slate-700">
+                <div class="text-xs text-slate-400">
+                    Nora v{}
+                </div>
+            </div>
+        </div>
+    "#,
+        nav_html, t.nav_registries, VERSION
+    )
+}
+
+/// Dark theme header with language switcher
+fn header_dark(lang: Lang) -> String {
+    let (en_class, ru_class) = match lang {
+        Lang::En => (
+            "text-white font-semibold",
+            "text-slate-400 hover:text-slate-200",
+        ),
+        Lang::Ru => (
+            "text-slate-400 hover:text-slate-200",
+            "text-white font-semibold",
+        ),
+    };
+
+    format!(
+        r##"
+        <header class="h-16 bg-[#1e293b] border-b border-slate-700 flex items-center justify-between px-4 md:px-6">
+            <div class="flex items-center">
+                <button onclick="toggleSidebar()" class="md:hidden p-2 -ml-2 mr-2 rounded-lg hover:bg-slate-700">
+                    <svg class="w-6 h-6 text-slate-300" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h16"/>
+                    </svg>
+                </button>
+                <div class="md:hidden flex items-center">
+                    <span class="font-bold text-slate-200 tracking-tight">N<span class="inline-block w-4 h-4 rounded-full border-2 border-current align-middle mx-px"></span>RA</span>
+                </div>
+            </div>
+            <div class="flex items-center space-x-2 md:space-x-4">
+                <!-- Language switcher -->
+                <div class="flex items-center border border-slate-600 rounded-lg overflow-hidden text-sm">
+                    <button onclick="setLang('en')" class="px-3 py-1.5 {} transition-colors">EN</button>
+                    <span class="text-slate-600">|</span>
+                    <button onclick="setLang('ru')" class="px-3 py-1.5 {} transition-colors">RU</button>
+                </div>
+                <a href="https://github.com/getnora-io/nora" target="_blank" class="p-2 text-slate-400 hover:text-slate-200 hover:bg-slate-700 rounded-lg">
+                    <svg class="w-5 h-5" fill="currentColor" viewBox="0 0 24 24">
+                        <path fill-rule="evenodd" d="M12 2C6.477 2 2 6.484 2 12.017c0 4.425 2.865 8.18 6.839 9.504.5.092.682-.217.682-.483 0-.237-.008-.868-.013-1.703-2.782.605-3.369-1.343-3.369-1.343-.454-1.158-1.11-1.466-1.11-1.466-.908-.62.069-.608.069-.608 1.003.07 1.531 1.032 1.531 1.032.892 1.53 2.341 1.088 2.91.832.092-.647.35-1.088.636-1.338-2.22-.253-4.555-1.113-4.555-4.951 0-1.093.39-1.988 1.029-2.688-.103-.253-.446-1.272.098-2.65 0 0 .84-.27 2.75 1.026A9.564 9.564 0 0112 6.844c.85.004 1.705.115 2.504.337 1.909-1.296 2.747-1.027 2.747-1.027.546 1.379.202 2.398.1 2.651.64.7 1.028 1.595 1.028 2.688 0 3.848-2.339 4.695-4.566 4.943.359.309.678.92.678 1.855 0 1.338-.012 2.419-.012 2.747 0 .268.18.58.688.482A10.019 10.019 0 0022 12.017C22 6.484 17.522 2 12 2z" clip-rule="evenodd"/>
+                    </svg>
+                </a>
+                <a href="/api-docs" class="p-2 text-slate-400 hover:text-slate-200 hover:bg-slate-700 rounded-lg" title="API Docs">
+                    <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z"/>
+                    </svg>
+                </a>
+            </div>
+        </header>
+    "##,
+        en_class, ru_class
+    )
+}
+
+/// Render global stats row (5-column grid)
+pub fn render_global_stats(
+    downloads: u64,
+    uploads: u64,
+    artifacts: u64,
+    cache_hit_percent: f64,
+    storage_bytes: u64,
+    lang: Lang,
+) -> String {
+    let t = get_translations(lang);
+    format!(
+        r##"
+        <div class="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-5 gap-4 mb-6">
+            <div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
+                <div class="text-slate-400 text-sm mb-1">{}</div>
+                <div id="stat-downloads" class="text-2xl font-bold text-slate-200">{}</div>
+            </div>
+            <div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
+                <div class="text-slate-400 text-sm mb-1">{}</div>
+                <div id="stat-uploads" class="text-2xl font-bold text-slate-200">{}</div>
+            </div>
+            <div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
+                <div class="text-slate-400 text-sm mb-1">{}</div>
+                <div id="stat-artifacts" class="text-2xl font-bold text-slate-200">{}</div>
+            </div>
+            <div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
+                <div class="text-slate-400 text-sm mb-1">{}</div>
+                <div id="stat-cache-hit" class="text-2xl font-bold text-slate-200">{:.1}%</div>
+            </div>
+            <div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
+                <div class="text-slate-400 text-sm mb-1">{}</div>
+                <div id="stat-storage" class="text-2xl font-bold text-slate-200">{}</div>
+            </div>
+        </div>
+        "##,
+        t.stat_downloads,
+        downloads,
+        t.stat_uploads,
+        uploads,
+        t.stat_artifacts,
+        artifacts,
+        t.stat_cache_hit,
+        cache_hit_percent,
+        t.stat_storage,
+        format_size(storage_bytes)
+    )
+}
+
+/// Render registry card with extended metrics
+#[allow(clippy::too_many_arguments)]
+pub fn render_registry_card(
+    name: &str,
+    icon_path: &str,
+    artifact_count: usize,
+    downloads: u64,
+    uploads: u64,
+    size_bytes: u64,
+    href: &str,
+    t: &Translations,
+) -> String {
+    format!(
+        r##"
+        <a href="{}" id="registry-{}" class="block bg-[#1e293b] rounded-lg border border-slate-700 p-3 hover:border-blue-400 transition-all">
+            <div class="flex items-center justify-between mb-2">
+                <svg class="w-6 h-6 text-slate-400" fill="currentColor" viewBox="0 0 24 24">
+                    {}
+                </svg>
+                <span class="text-[10px] font-medium text-green-400 bg-green-400/10 px-1.5 py-0.5 rounded-full">{}</span>
+            </div>
+            <div class="text-sm font-semibold text-slate-200 mb-2">{}</div>
+            <div class="grid grid-cols-2 gap-1 text-xs">
+                <div>
+                    <span class="text-slate-500">{}</span>
+                    <div class="text-slate-300 font-medium">{}</div>
+                </div>
+                <div>
+                    <span class="text-slate-500">{}</span>
+                    <div class="text-slate-300 font-medium">{}</div>
+                </div>
+                <div>
+                    <span class="text-slate-500">{}</span>
+                    <div class="text-slate-300 font-medium">{}</div>
+                </div>
+                <div>
+                    <span class="text-slate-500">{}</span>
+                    <div class="text-slate-300 font-medium">{}</div>
+                </div>
+            </div>
+        </a>
+        "##,
+        href,
+        name.to_lowercase(),
+        icon_path,
+        t.active,
+        name,
+        t.artifacts,
+        artifact_count,
+        t.size,
+        format_size(size_bytes),
+        t.downloads,
+        downloads,
+        t.uploads,
+        uploads
+    )
+}
+
+/// Render mount points table
+pub fn render_mount_points_table(
+    mount_points: &[(String, String, Option<String>)],
+    t: &Translations,
+) -> String {
+    let rows: String = mount_points
+        .iter()
+        .map(|(registry, mount_path, proxy)| {
+            let proxy_display = proxy.as_deref().unwrap_or("-");
+            format!(
+                r##"
+                <tr class="border-b border-slate-700">
+                    <td class="px-4 py-3 text-slate-300">{}</td>
+                    <td class="px-4 py-3 font-mono text-blue-400">{}</td>
+                    <td class="px-4 py-3 text-slate-400">{}</td>
+                </tr>
+                "##,
+                registry, mount_path, proxy_display
+            )
+        })
+        .collect();
+
+    format!(
+        r##"
+        <div class="bg-[#1e293b] rounded-lg border border-slate-700 overflow-hidden">
+            <div class="px-4 py-3 border-b border-slate-700">
+                <h3 class="text-slate-200 font-semibold">{}</h3>
+            </div>
+            <div class="overflow-auto max-h-80">
+                <table class="w-full">
+                    <thead class="sticky top-0 bg-slate-800">
+                        <tr class="text-left text-xs text-slate-500 uppercase border-b border-slate-700">
+                            <th class="px-4 py-2">{}</th>
+                            <th class="px-4 py-2">{}</th>
+                            <th class="px-4 py-2">{}</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {}
+                    </tbody>
+                </table>
+            </div>
+        </div>
+        "##,
+        t.mount_points, t.registry, t.mount_path, t.proxy_upstream, rows
+    )
+}
+
+/// Render a single activity log row
+pub fn render_activity_row(
+    timestamp: &str,
+    action: &str,
+    artifact: &str,
+    registry: &str,
+    source: &str,
+) -> String {
+    let action_color = match action {
+        "PULL" => "text-blue-400",
+        "PUSH" => "text-green-400",
+        "CACHE" => "text-yellow-400",
+        "PROXY" => "text-purple-400",
+        _ => "text-slate-400",
+    };
+
+    format!(
+        r##"
+        <tr class="border-b border-slate-700/50 text-sm">
+            <td class="px-4 py-2 text-slate-500">{}</td>
+            <td class="px-4 py-2 font-medium {}"><span class="px-2 py-0.5 bg-slate-700 rounded">{}</span></td>
+            <td class="px-4 py-2 text-slate-300 font-mono text-xs">{}</td>
+            <td class="px-4 py-2 text-slate-400">{}</td>
+            <td class="px-4 py-2 text-slate-500">{}</td>
+        </tr>
+        "##,
+        timestamp,
+        action_color,
+        action,
+        html_escape(artifact),
+        registry,
+        source
+    )
+}
+
+/// Render the activity log container
+pub fn render_activity_log(rows: &str, t: &Translations) -> String {
+    format!(
+        r##"
+        <div class="bg-[#1e293b] rounded-lg border border-slate-700 overflow-hidden">
+            <div class="px-4 py-3 border-b border-slate-700 flex items-center justify-between">
+                <h3 class="text-slate-200 font-semibold">{}</h3>
+                <span class="text-xs text-slate-500">{}</span>
+            </div>
+            <div class="overflow-auto max-h-80">
+                <table class="w-full" id="activity-log">
+                    <thead class="sticky top-0 bg-slate-800">
+                        <tr class="text-left text-xs text-slate-500 uppercase border-b border-slate-700">
+                            <th class="px-4 py-2">{}</th>
+                            <th class="px-4 py-2">{}</th>
+                            <th class="px-4 py-2">{}</th>
+                            <th class="px-4 py-2">{}</th>
+                            <th class="px-4 py-2">{}</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {}
+                    </tbody>
+                </table>
+            </div>
+        </div>
+        "##,
+        t.recent_activity,
+        t.last_n_events,
+        t.time,
+        t.action,
+        t.artifact,
+        t.registry,
+        t.source,
+        rows
+    )
+}
+
+/// Render the polling script for auto-refresh
+pub fn render_polling_script() -> String {
+    r##"
+    <script>
+        setInterval(async () => {
+            try {
+                const data = await fetch('/api/ui/dashboard').then(r => r.json());
+
+                // Update global stats
+                document.getElementById('stat-downloads').textContent = data.global_stats.downloads;
+                document.getElementById('stat-uploads').textContent = data.global_stats.uploads;
+                document.getElementById('stat-artifacts').textContent = data.global_stats.artifacts;
+                document.getElementById('stat-cache-hit').textContent = data.global_stats.cache_hit_percent.toFixed(1) + '%';
+
+                // Format storage size
+                const bytes = data.global_stats.storage_bytes;
+                let sizeStr;
+                if (bytes >= 1073741824) sizeStr = (bytes / 1073741824).toFixed(1) + ' GB';
+                else if (bytes >= 1048576) sizeStr = (bytes / 1048576).toFixed(1) + ' MB';
+                else if (bytes >= 1024) sizeStr = (bytes / 1024).toFixed(1) + ' KB';
+                else sizeStr = bytes + ' B';
+                document.getElementById('stat-storage').textContent = sizeStr;
+
+                // Update uptime
+                const uptime = document.getElementById('uptime');
+                if (uptime) {
+                    const secs = data.uptime_seconds;
+                    const hours = Math.floor(secs / 3600);
+                    const mins = Math.floor((secs % 3600) / 60);
+                    uptime.textContent = hours + 'h ' + mins + 'm';
+                }
+            } catch (e) {
+                console.error('Dashboard poll failed:', e);
+            }
+        }, 5000);
+    </script>
+    "##.to_string()
+}
+
+/// Sidebar navigation component (light theme, unused)
+#[allow(dead_code)]
 fn sidebar(active_page: Option<&str>) -> String {
     let active = active_page.unwrap_or("");
 
@@ -68,7 +504,7 @@ fn sidebar(active_page: Option<&str>) -> String {
     let docker_icon = r#"<path fill="currentColor" d="M13.983 11.078h2.119a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.119a.185.185 0 00-.185.185v1.888c0 .102.083.185.185.185m-2.954-5.43h2.118a.186.186 0 00.186-.186V3.574a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.186m0 2.716h2.118a.187.187 0 00.186-.186V6.29a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.887c0 .102.082.185.185.186m-2.93 0h2.12a.186.186 0 00.184-.186V6.29a.185.185 0 00-.185-.185H8.1a.185.185 0 00-.185.185v1.887c0 .102.083.185.185.186m-2.964 0h2.119a.186.186 0 00.185-.186V6.29a.185.185 0 00-.185-.185H5.136a.186.186 0 00-.186.185v1.887c0 .102.084.185.186.186m5.893 2.715h2.118a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.185m-2.93 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.083.185.185.185m-2.964 0h2.119a.185.185 0 00.185-.185V9.006a.185.185 0 00-.185-.186h-2.12a.186.186 0 00-.185.186v1.887c0 .102.084.185.186.185m-2.92 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.082.185.185.185M23.763 9.89c-.065-.051-.672-.51-1.954-.51-.338.001-.676.03-1.01.087-.248-1.7-1.653-2.53-1.716-2.566l-.344-.199-.226.327c-.284.438-.49.922-.612 1.43-.23.97-.09 1.882.403 2.661-.595.332-1.55.413-1.744.42H.751a.751.751 0 00-.75.748 11.376 11.376 0 00.692 4.062c.545 1.428 1.355 2.48 2.41 3.124 1.18.723 3.1 1.137 5.275 1.137.983.003 1.963-.086 2.93-.266a12.248 12.248 0 003.823-1.389c.98-.567 1.86-1.288 2.61-2.136 1.252-1.418 1.998-2.997 2.553-4.4h.221c1.372 0 2.215-.549 2.68-1.009.309-.293.55-.65.707-1.046l.098-.288Z"/>"#;
     let maven_icon = r#"<path fill="currentColor" d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm-1 17.93c-3.95-.49-7-3.85-7-7.93 0-.62.08-1.21.21-1.79L9 15v1c0 1.1.9 2 2 2v1.93zm6.9-2.54c-.26-.81-1-1.39-1.9-1.39h-1v-3c0-.55-.45-1-1-1H8v-2h2c.55 0 1-.45 1-1V7h2c1.1 0 2-.9 2-2v-.41c2.93 1.19 5 4.06 5 7.41 0 2.08-.8 3.97-2.1 5.39z"/>"#;
     let npm_icon = r#"<path fill="currentColor" d="M0 7.334v8h6.666v1.332H12v-1.332h12v-8H0zm6.666 6.664H5.334v-4H3.999v4H1.335V8.667h5.331v5.331zm4 0v1.336H8.001V8.667h5.334v5.332h-2.669v-.001zm12.001 0h-1.33v-4h-1.336v4h-1.335v-4h-1.33v4h-2.671V8.667h8.002v5.331zM10.665 10H12v2.667h-1.335V10z"/>"#;
-    let cargo_icon = r#"<path fill="currentColor" d="M23.834 8.101a13.912 13.912 0 0 1-13.643 11.72 10.105 10.105 0 0 1-1.994-.12 6.111 6.111 0 0 1-5.082-5.761 5.934 5.934 0 0 1 11.867-.084c.025.983-.401 1.846-1.277 1.871-.936 0-1.374-.668-1.374-1.567v-2.5a1.531 1.531 0 0 0-1.52-1.533H8.715a3.648 3.648 0 1 0 2.695 6.08l.073-.11.074.121a2.58 2.58 0 0 0 2.2 1.048 2.909 2.909 0 0 0 2.695-3.04 7.912 7.912 0 0 0-.217-1.933 7.404 7.404 0 0 0-14.64 1.603 7.497 7.497 0 0 0 7.308 7.405 12.822 12.822 0 0 0 2.14-.12 11.927 11.927 0 0 0 9.98-10.023.117.117 0 0 0-.043-.117.115.115 0 0 0-.084-.023l-.09.024a.116.116 0 0 1-.147-.085.116.116 0 0 1 .054-.133zm-14.49 7.072a2.162 2.162 0 1 1 0-4.324 2.162 2.162 0 0 1 0 4.324z"/>"#;
+    let cargo_icon = r#"<path fill="currentColor" d="M6 2h12a1 1 0 011 1v8a1 1 0 01-1 1H6a1 1 0 01-1-1V3a1 1 0 011-1zm0 2v2h12V4H6zm0 3v2h12V7H6zM2 14h8a1 1 0 011 1v6a1 1 0 01-1 1H2a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16H2zM14 14h8a1 1 0 011 1v6a1 1 0 01-1 1h-8a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16h-8z"/>"#;
     let pypi_icon = r#"<path fill="currentColor" d="M14.25.18l.9.2.73.26.59.3.45.32.34.34.25.34.16.33.1.3.04.26.02.2-.01.13V8.5l-.05.63-.13.55-.21.46-.26.38-.3.31-.33.25-.35.19-.35.14-.33.1-.3.07-.26.04-.21.02H8.83l-.69.05-.59.14-.5.22-.41.27-.33.32-.27.35-.2.36-.15.37-.1.35-.07.32-.04.27-.02.21v3.06H3.23l-.21-.03-.28-.07-.32-.12-.35-.18-.36-.26-.36-.36-.35-.46-.32-.59-.28-.73-.21-.88-.14-1.05L0 11.97l.06-1.22.16-1.04.24-.87.32-.71.36-.57.4-.44.42-.33.42-.24.4-.16.36-.1.32-.05.24-.01h.16l.06.01h8.16v-.83H6.24l-.01-2.75-.02-.37.05-.34.11-.31.17-.28.25-.26.31-.23.38-.2.44-.18.51-.15.58-.12.64-.1.71-.06.77-.04.84-.02 1.27.05 1.07.13zm-6.3 1.98l-.23.33-.08.41.08.41.23.34.33.22.41.09.41-.09.33-.22.23-.34.08-.41-.08-.41-.23-.33-.33-.22-.41-.09-.41.09-.33.22zM21.1 6.11l.28.06.32.12.35.18.36.27.36.35.35.47.32.59.28.73.21.88.14 1.04.05 1.23-.06 1.23-.16 1.04-.24.86-.32.71-.36.57-.4.45-.42.33-.42.24-.4.16-.36.09-.32.05-.24.02-.16-.01h-8.22v.82h5.84l.01 2.76.02.36-.05.34-.11.31-.17.29-.25.25-.31.24-.38.2-.44.17-.51.15-.58.13-.64.09-.71.07-.77.04-.84.01-1.27-.04-1.07-.14-.9-.2-.73-.25-.59-.3-.45-.33-.34-.34-.25-.34-.16-.33-.1-.3-.04-.25-.02-.2.01-.13v-5.34l.05-.64.13-.54.21-.46.26-.38.3-.32.33-.24.35-.2.35-.14.33-.1.3-.06.26-.04.21-.02.13-.01h5.84l.69-.05.59-.14.5-.21.41-.28.33-.32.27-.35.2-.36.15-.36.1-.35.07-.32.04-.28.02-.21V6.07h2.09l.14.01.21.03zm-6.47 14.25l-.23.33-.08.41.08.41.23.33.33.23.41.08.41-.08.33-.23.23-.33.08-.41-.08-.41-.23-.33-.33-.23-.41-.08-.41.08-.33.23z"/>"#;
 
     let nav_items = [
@@ -84,6 +520,20 @@ fn sidebar(active_page: Option<&str>) -> String {
         ("npm", "/ui/npm", "npm", npm_icon, false),
         ("cargo", "/ui/cargo", "Cargo", cargo_icon, false),
         ("pypi", "/ui/pypi", "PyPI", pypi_icon, false),
+        (
+            "raw",
+            "/ui/raw",
+            "Raw",
+            r#"<path fill="currentColor" d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>"#,
+            false,
+        ),
+        (
+            "go",
+            "/ui/go",
+            "Go",
+            r#"<path fill="currentColor" d="M2.64 9.56s.24-.14.65-.38c.41-.24.97-.5 1.63-.7A7.85 7.85 0 017.53 8c.86 0 1.67.17 2.37.52.7.35 1.26.87 1.63 1.51.37.64.54 1.41.54 2.27v.2h-2.7v-.16c0-.47-.09-.86-.28-1.15a1.7 1.7 0 00-.77-.67 2.7 2.7 0 00-1.14-.22c-.56 0-1.06.13-1.46.4-.41.27-.72.66-.93 1.16-.21.5-.31 1.1-.31 1.8 0 .69.1 1.28.32 1.78.21.5.53.88.94 1.15.41.27.9.4 1.47.4.38 0 .73-.06 1.04-.17.31-.12.56-.29.74-.52.19-.23.29-.51.29-.84v-.14H7.15v-1.76h5.07v1.3c0 .8-.17 1.48-.52 2.04a3.46 3.46 0 01-1.5 1.3c-.66.3-1.44.45-2.35.45-.99 0-1.87-.18-2.63-.55a4.2 4.2 0 01-1.77-1.59C3.15 14.82 3 13.94 3 12.89v-.28c0-1.04.16-1.93.48-2.65a3.08 3.08 0 01-.84-.4zm12.1-1.34c.92 0 1.74.18 2.44.55a3.96 3.96 0 011.66 1.59c.4.7.6 1.54.6 2.53v.28c0 .99-.2 1.83-.6 2.53a3.96 3.96 0 01-1.66 1.59c-.7.37-1.52.55-2.44.55s-1.74-.18-2.44-.55a3.96 3.96 0 01-1.66-1.59c-.4-.7-.6-1.54-.6-2.53v-.28c0-.99.2-1.83.6-2.53a3.96 3.96 0 011.66-1.59c.7-.37 1.52-.55 2.44-.55zm0 2.12c-.44 0-.82.12-1.14.37-.32.24-.56.6-.73 1.06-.17.46-.26 1.01-.26 1.65v.28c0 .64.09 1.19.26 1.65.17.46.41.82.73 1.06.32.25.7.37 1.14.37.44 0 .82-.12 1.14-.37.32-.24.56-.6.73-1.06.17-.46.26-1.01.26-1.65v-.28c0-.64-.09-1.19-.26-1.65a2.17 2.17 0 00-.73-1.06 1.78 1.78 0 00-1.14-.37z"/>"#,
+            false,
+        ),
     ];
 
     let nav_html: String = nav_items.iter().map(|(id, href, label, icon_path, is_stroke)| {
@@ -142,17 +592,19 @@ fn sidebar(active_page: Option<&str>) -> String {
             <!-- Footer -->
             <div class="px-4 py-4 border-t border-slate-700">
                 <div class="text-xs text-slate-400">
-                    Nora v0.2.0
+                    Nora v{}
                 </div>
             </div>
         </div>
     "#,
         super::logo::LOGO_BASE64,
-        nav_html
+        nav_html,
+        VERSION
     )
 }
 
-/// Header component
+/// Header component (light theme, unused)
+#[allow(dead_code)]
 fn header() -> String {
     r##"
         <header class="h-16 bg-white border-b border-slate-200 flex items-center justify-between px-4 md:px-6">
@@ -189,11 +641,14 @@ pub mod icons {
     pub const DOCKER: &str = r#"<path fill="currentColor" d="M13.983 11.078h2.119a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.119a.185.185 0 00-.185.185v1.888c0 .102.083.185.185.185m-2.954-5.43h2.118a.186.186 0 00.186-.186V3.574a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.186m0 2.716h2.118a.187.187 0 00.186-.186V6.29a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.887c0 .102.082.185.185.186m-2.93 0h2.12a.186.186 0 00.184-.186V6.29a.185.185 0 00-.185-.185H8.1a.185.185 0 00-.185.185v1.887c0 .102.083.185.185.186m-2.964 0h2.119a.186.186 0 00.185-.186V6.29a.185.185 0 00-.185-.185H5.136a.186.186 0 00-.186.185v1.887c0 .102.084.185.186.186m5.893 2.715h2.118a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.185m-2.93 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.083.185.185.185m-2.964 0h2.119a.185.185 0 00.185-.185V9.006a.185.185 0 00-.185-.186h-2.12a.186.186 0 00-.185.186v1.887c0 .102.084.185.186.185m-2.92 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.082.185.185.185M23.763 9.89c-.065-.051-.672-.51-1.954-.51-.338.001-.676.03-1.01.087-.248-1.7-1.653-2.53-1.716-2.566l-.344-.199-.226.327c-.284.438-.49.922-.612 1.43-.23.97-.09 1.882.403 2.661-.595.332-1.55.413-1.744.42H.751a.751.751 0 00-.75.748 11.376 11.376 0 00.692 4.062c.545 1.428 1.355 2.48 2.41 3.124 1.18.723 3.1 1.137 5.275 1.137.983.003 1.963-.086 2.93-.266a12.248 12.248 0 003.823-1.389c.98-.567 1.86-1.288 2.61-2.136 1.252-1.418 1.998-2.997 2.553-4.4h.221c1.372 0 2.215-.549 2.68-1.009.309-.293.55-.65.707-1.046l.098-.288Z"/>"#;
     pub const MAVEN: &str = r#"<path fill="currentColor" d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm-1 17.93c-3.95-.49-7-3.85-7-7.93 0-.62.08-1.21.21-1.79L9 15v1c0 1.1.9 2 2 2v1.93zm6.9-2.54c-.26-.81-1-1.39-1.9-1.39h-1v-3c0-.55-.45-1-1-1H8v-2h2c.55 0 1-.45 1-1V7h2c1.1 0 2-.9 2-2v-.41c2.93 1.19 5 4.06 5 7.41 0 2.08-.8 3.97-2.1 5.39z"/>"#;
     pub const NPM: &str = r#"<path fill="currentColor" d="M0 7.334v8h6.666v1.332H12v-1.332h12v-8H0zm6.666 6.664H5.334v-4H3.999v4H1.335V8.667h5.331v5.331zm4 0v1.336H8.001V8.667h5.334v5.332h-2.669v-.001zm12.001 0h-1.33v-4h-1.336v4h-1.335v-4h-1.33v4h-2.671V8.667h8.002v5.331zM10.665 10H12v2.667h-1.335V10z"/>"#;
-    pub const CARGO: &str = r#"<path fill="currentColor" d="M23.834 8.101a13.912 13.912 0 0 1-13.643 11.72 10.105 10.105 0 0 1-1.994-.12 6.111 6.111 0 0 1-5.082-5.761 5.934 5.934 0 0 1 11.867-.084c.025.983-.401 1.846-1.277 1.871-.936 0-1.374-.668-1.374-1.567v-2.5a1.531 1.531 0 0 0-1.52-1.533H8.715a3.648 3.648 0 1 0 2.695 6.08l.073-.11.074.121a2.58 2.58 0 0 0 2.2 1.048 2.909 2.909 0 0 0 2.695-3.04 7.912 7.912 0 0 0-.217-1.933 7.404 7.404 0 0 0-14.64 1.603 7.497 7.497 0 0 0 7.308 7.405 12.822 12.822 0 0 0 2.14-.12 11.927 11.927 0 0 0 9.98-10.023.117.117 0 0 0-.043-.117.115.115 0 0 0-.084-.023l-.09.024a.116.116 0 0 1-.147-.085.116.116 0 0 1 .054-.133zm-14.49 7.072a2.162 2.162 0 1 1 0-4.324 2.162 2.162 0 0 1 0 4.324z"/>"#;
+    pub const CARGO: &str = r#"<path fill="currentColor" d="M6 2h12a1 1 0 011 1v8a1 1 0 01-1 1H6a1 1 0 01-1-1V3a1 1 0 011-1zm0 2v2h12V4H6zm0 3v2h12V7H6zM2 14h8a1 1 0 011 1v6a1 1 0 01-1 1H2a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16H2zM14 14h8a1 1 0 011 1v6a1 1 0 01-1 1h-8a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16h-8z"/>"#;
+    pub const GO: &str = r#"<path fill="currentColor" d="M2.64 9.56s.24-.14.65-.38c.41-.24.97-.5 1.63-.7A7.85 7.85 0 017.53 8c.86 0 1.67.17 2.37.52.7.35 1.26.87 1.63 1.51.37.64.54 1.41.54 2.27v.2h-2.7v-.16c0-.47-.09-.86-.28-1.15a1.7 1.7 0 00-.77-.67 2.7 2.7 0 00-1.14-.22c-.56 0-1.06.13-1.46.4-.41.27-.72.66-.93 1.16-.21.5-.31 1.1-.31 1.8 0 .69.1 1.28.32 1.78.21.5.53.88.94 1.15.41.27.9.4 1.47.4.38 0 .73-.06 1.04-.17.31-.12.56-.29.74-.52.19-.23.29-.51.29-.84v-.14H7.15v-1.76h5.07v1.3c0 .8-.17 1.48-.52 2.04a3.46 3.46 0 01-1.5 1.3c-.66.3-1.44.45-2.35.45-.99 0-1.87-.18-2.63-.55a4.2 4.2 0 01-1.77-1.59C3.15 14.82 3 13.94 3 12.89v-.28c0-1.04.16-1.93.48-2.65a3.08 3.08 0 01-.84-.4zm12.1-1.34c.92 0 1.74.18 2.44.55a3.96 3.96 0 011.66 1.59c.4.7.6 1.54.6 2.53v.28c0 .99-.2 1.83-.6 2.53a3.96 3.96 0 01-1.66 1.59c-.7.37-1.52.55-2.44.55s-1.74-.18-2.44-.55a3.96 3.96 0 01-1.66-1.59c-.4-.7-.6-1.54-.6-2.53v-.28c0-.99.2-1.83.6-2.53a3.96 3.96 0 011.66-1.59c.7-.37 1.52-.55 2.44-.55zm0 2.12c-.44 0-.82.12-1.14.37-.32.24-.56.6-.73 1.06-.17.46-.26 1.01-.26 1.65v.28c0 .64.09 1.19.26 1.65.17.46.41.82.73 1.06.32.25.7.37 1.14.37.44 0 .82-.12 1.14-.37.32-.24.56-.6.73-1.06.17-.46.26-1.01.26-1.65v-.28c0-.64-.09-1.19-.26-1.65a2.17 2.17 0 00-.73-1.06 1.78 1.78 0 00-1.14-.37z"/>"#;
+    pub const RAW: &str = r#"<path fill="currentColor" d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>"#;
     pub const PYPI: &str = r#"<path fill="currentColor" d="M14.25.18l.9.2.73.26.59.3.45.32.34.34.25.34.16.33.1.3.04.26.02.2-.01.13V8.5l-.05.63-.13.55-.21.46-.26.38-.3.31-.33.25-.35.19-.35.14-.33.1-.3.07-.26.04-.21.02H8.83l-.69.05-.59.14-.5.22-.41.27-.33.32-.27.35-.2.36-.15.37-.1.35-.07.32-.04.27-.02.21v3.06H3.23l-.21-.03-.28-.07-.32-.12-.35-.18-.36-.26-.36-.36-.35-.46-.32-.59-.28-.73-.21-.88-.14-1.05L0 11.97l.06-1.22.16-1.04.24-.87.32-.71.36-.57.4-.44.42-.33.42-.24.4-.16.36-.1.32-.05.24-.01h.16l.06.01h8.16v-.83H6.24l-.01-2.75-.02-.37.05-.34.11-.31.17-.28.25-.26.31-.23.38-.2.44-.18.51-.15.58-.12.64-.1.71-.06.77-.04.84-.02 1.27.05 1.07.13zm-6.3 1.98l-.23.33-.08.41.08.41.23.34.33.22.41.09.41-.09.33-.22.23-.34.08-.41-.08-.41-.23-.33-.33-.22-.41-.09-.41.09-.33.22zM21.1 6.11l.28.06.32.12.35.18.36.27.36.35.35.47.32.59.28.73.21.88.14 1.04.05 1.23-.06 1.23-.16 1.04-.24.86-.32.71-.36.57-.4.45-.42.33-.42.24-.4.16-.36.09-.32.05-.24.02-.16-.01h-8.22v.82h5.84l.01 2.76.02.36-.05.34-.11.31-.17.29-.25.25-.31.24-.38.2-.44.17-.51.15-.58.13-.64.09-.71.07-.77.04-.84.01-1.27-.04-1.07-.14-.9-.2-.73-.25-.59-.3-.45-.33-.34-.34-.25-.34-.16-.33-.1-.3-.04-.25-.02-.2.01-.13v-5.34l.05-.64.13-.54.21-.46.26-.38.3-.32.33-.24.35-.2.35-.14.33-.1.3-.06.26-.04.21-.02.13-.01h5.84l.69-.05.59-.14.5-.21.41-.28.33-.32.27-.35.2-.36.15-.36.1-.35.07-.32.04-.28.02-.21V6.07h2.09l.14.01.21.03zm-6.47 14.25l-.23.33-.08.41.08.41.23.33.33.23.41.08.41-.08.33-.23.23-.33.08-.41-.08-.41-.23-.33-.33-.23-.41-.08-.41.08-.33.23z"/>"#;
 }
 
-/// Stat card for dashboard with SVG icon
+/// Stat card for dashboard with SVG icon (used in light theme pages)
+#[allow(dead_code)]
 pub fn stat_card(name: &str, icon_path: &str, count: usize, href: &str, unit: &str) -> String {
     format!(
         r##"
@@ -239,6 +694,57 @@ pub fn html_escape(s: &str) -> String {
         .replace('\'', "&#39;")
 }
 
+/// Render the "bragging" footer with NORA stats
+pub fn render_bragging_footer(lang: Lang) -> String {
+    let t = get_translations(lang);
+    format!(
+        r##"
+    <div class="mt-8 bg-gradient-to-r from-slate-800 to-slate-900 rounded-lg border border-slate-700 p-6">
+        <div class="text-center mb-4">
+            <span class="text-slate-400 text-sm uppercase tracking-wider">{}</span>
+        </div>
+        <div class="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-6 gap-4 text-center">
+            <div class="p-3">
+                <div class="text-2xl font-bold text-blue-400">32 MB</div>
+                <div class="text-xs text-slate-500 mt-1">{}</div>
+            </div>
+            <div class="p-3">
+                <div class="text-2xl font-bold text-green-400">&lt;1s</div>
+                <div class="text-xs text-slate-500 mt-1">{}</div>
+            </div>
+            <div class="p-3">
+                <div class="text-2xl font-bold text-purple-400">~30 MB</div>
+                <div class="text-xs text-slate-500 mt-1">{}</div>
+            </div>
+            <div class="p-3">
+                <div class="text-2xl font-bold text-yellow-400">7</div>
+                <div class="text-xs text-slate-500 mt-1">{}</div>
+            </div>
+            <div class="p-3">
+                <div class="text-2xl font-bold text-pink-400">{}</div>
+                <div class="text-xs text-slate-500 mt-1">amd64 / arm64</div>
+            </div>
+            <div class="p-3">
+                <div class="text-2xl font-bold text-cyan-400">{}</div>
+                <div class="text-xs text-slate-500 mt-1">Config</div>
+            </div>
+        </div>
+        <div class="text-center mt-4">
+            <span class="text-slate-500 text-xs">{}</span>
+        </div>
+    </div>
+    "##,
+        t.built_for_speed,
+        t.docker_image,
+        t.cold_start,
+        t.memory,
+        t.registries_count,
+        t.multi_arch,
+        t.zero_config,
+        t.tagline
+    )
+}
+
 /// Format Unix timestamp as relative time
 pub fn format_timestamp(ts: u64) -> String {
     if ts == 0 {

nora-registry/src/ui/i18n.rs

@@ -0,0 +1,275 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+/// Internationalization support for the UI
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Default, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum Lang {
+    #[default]
+    En,
+    Ru,
+}
+
+impl Lang {
+    pub fn from_str(s: &str) -> Self {
+        match s.to_lowercase().as_str() {
+            "ru" | "rus" | "russian" => Lang::Ru,
+            _ => Lang::En,
+        }
+    }
+
+    pub fn code(&self) -> &'static str {
+        match self {
+            Lang::En => "en",
+            Lang::Ru => "ru",
+        }
+    }
+}
+
+/// All translatable strings
+#[allow(dead_code)]
+pub struct Translations {
+    // Navigation
+    pub nav_dashboard: &'static str,
+    pub nav_registries: &'static str,
+
+    // Dashboard
+    pub dashboard_title: &'static str,
+    pub dashboard_subtitle: &'static str,
+    pub uptime: &'static str,
+
+    // Stats
+    pub stat_downloads: &'static str,
+    pub stat_uploads: &'static str,
+    pub stat_artifacts: &'static str,
+    pub stat_cache_hit: &'static str,
+    pub stat_storage: &'static str,
+
+    // Registry cards
+    pub active: &'static str,
+    pub artifacts: &'static str,
+    pub size: &'static str,
+    pub downloads: &'static str,
+    pub uploads: &'static str,
+
+    // Mount points
+    pub mount_points: &'static str,
+    pub registry: &'static str,
+    pub mount_path: &'static str,
+    pub proxy_upstream: &'static str,
+
+    // Activity
+    pub recent_activity: &'static str,
+    pub last_n_events: &'static str,
+    pub time: &'static str,
+    pub action: &'static str,
+    pub artifact: &'static str,
+    pub source: &'static str,
+    pub no_activity: &'static str,
+
+    // Relative time
+    pub just_now: &'static str,
+    pub min_ago: &'static str,
+    pub mins_ago: &'static str,
+    pub hour_ago: &'static str,
+    pub hours_ago: &'static str,
+    pub day_ago: &'static str,
+    pub days_ago: &'static str,
+
+    // Registry pages
+    pub repositories: &'static str,
+    pub search_placeholder: &'static str,
+    pub no_repos_found: &'static str,
+    pub push_first_artifact: &'static str,
+    pub name: &'static str,
+    pub tags: &'static str,
+    pub versions: &'static str,
+    pub updated: &'static str,
+
+    // Detail pages
+    pub pull_command: &'static str,
+    pub install_command: &'static str,
+    pub maven_dependency: &'static str,
+    pub total: &'static str,
+    pub created: &'static str,
+    pub published: &'static str,
+    pub filename: &'static str,
+    pub files: &'static str,
+
+    // Bragging footer
+    pub built_for_speed: &'static str,
+    pub docker_image: &'static str,
+    pub cold_start: &'static str,
+    pub memory: &'static str,
+    pub registries_count: &'static str,
+    pub multi_arch: &'static str,
+    pub zero_config: &'static str,
+    pub tagline: &'static str,
+}
+
+pub fn get_translations(lang: Lang) -> &'static Translations {
+    match lang {
+        Lang::En => &TRANSLATIONS_EN,
+        Lang::Ru => &TRANSLATIONS_RU,
+    }
+}
+
+pub static TRANSLATIONS_EN: Translations = Translations {
+    // Navigation
+    nav_dashboard: "Dashboard",
+    nav_registries: "Registries",
+
+    // Dashboard
+    dashboard_title: "Dashboard",
+    dashboard_subtitle: "Overview of all registries",
+    uptime: "Uptime",
+
+    // Stats
+    stat_downloads: "Downloads",
+    stat_uploads: "Uploads",
+    stat_artifacts: "Artifacts",
+    stat_cache_hit: "Cache Hit",
+    stat_storage: "Storage",
+
+    // Registry cards
+    active: "ACTIVE",
+    artifacts: "Artifacts",
+    size: "Size",
+    downloads: "Downloads",
+    uploads: "Uploads",
+
+    // Mount points
+    mount_points: "Mount Points",
+    registry: "Registry",
+    mount_path: "Mount Path",
+    proxy_upstream: "Proxy Upstream",
+
+    // Activity
+    recent_activity: "Recent Activity",
+    last_n_events: "Last 20 events",
+    time: "Time",
+    action: "Action",
+    artifact: "Artifact",
+    source: "Source",
+    no_activity: "No recent activity",
+
+    // Relative time
+    just_now: "just now",
+    min_ago: "min ago",
+    mins_ago: "mins ago",
+    hour_ago: "hour ago",
+    hours_ago: "hours ago",
+    day_ago: "day ago",
+    days_ago: "days ago",
+
+    // Registry pages
+    repositories: "repositories",
+    search_placeholder: "Search repositories...",
+    no_repos_found: "No repositories found",
+    push_first_artifact: "Push your first artifact to see it here",
+    name: "Name",
+    tags: "Tags",
+    versions: "Versions",
+    updated: "Updated",
+
+    // Detail pages
+    pull_command: "Pull Command",
+    install_command: "Install Command",
+    maven_dependency: "Maven Dependency",
+    total: "total",
+    created: "Created",
+    published: "Published",
+    filename: "Filename",
+    files: "files",
+
+    // Bragging footer
+    built_for_speed: "Built for speed",
+    docker_image: "Docker Image",
+    cold_start: "Cold Start",
+    memory: "Memory",
+    registries_count: "Registries",
+    multi_arch: "Multi-arch",
+    zero_config: "Zero",
+    tagline: "Pure Rust. Single binary. OCI compatible.",
+};
+
+pub static TRANSLATIONS_RU: Translations = Translations {
+    // Navigation
+    nav_dashboard: "Панель",
+    nav_registries: "Реестры",
+
+    // Dashboard
+    dashboard_title: "Панель управления",
+    dashboard_subtitle: "Обзор всех реестров",
+    uptime: "Аптайм",
+
+    // Stats
+    stat_downloads: "Загрузки",
+    stat_uploads: "Публикации",
+    stat_artifacts: "Артефакты",
+    stat_cache_hit: "Кэш",
+    stat_storage: "Хранилище",
+
+    // Registry cards
+    active: "АКТИВЕН",
+    artifacts: "Артефакты",
+    size: "Размер",
+    downloads: "Загрузки",
+    uploads: "Публикации",
+
+    // Mount points
+    mount_points: "Точки монтирования",
+    registry: "Реестр",
+    mount_path: "Путь",
+    proxy_upstream: "Прокси",
+
+    // Activity
+    recent_activity: "Последняя активность",
+    last_n_events: "Последние 20 событий",
+    time: "Время",
+    action: "Действие",
+    artifact: "Артефакт",
+    source: "Источник",
+    no_activity: "Нет активности",
+
+    // Relative time
+    just_now: "только что",
+    min_ago: "мин назад",
+    mins_ago: "мин назад",
+    hour_ago: "час назад",
+    hours_ago: "ч назад",
+    day_ago: "день назад",
+    days_ago: "дн назад",
+
+    // Registry pages
+    repositories: "репозиториев",
+    search_placeholder: "Поиск репозиториев...",
+    no_repos_found: "Репозитории не найдены",
+    push_first_artifact: "Загрузите первый артефакт, чтобы увидеть его здесь",
+    name: "Название",
+    tags: "Теги",
+    versions: "Версии",
+    updated: "Обновлено",
+
+    // Detail pages
+    pull_command: "Команда загрузки",
+    install_command: "Команда установки",
+    maven_dependency: "Maven зависимость",
+    total: "всего",
+    created: "Создан",
+    published: "Опубликован",
+    filename: "Файл",
+    files: "файлов",
+
+    // Bragging footer
+    built_for_speed: "Создан для скорости",
+    docker_image: "Docker образ",
+    cold_start: "Холодный старт",
+    memory: "Память",
+    registries_count: "Реестров",
+    multi_arch: "Мульти-арх",
+    zero_config: "Без",
+    tagline: "Чистый Rust. Один бинарник. OCI совместимый.",
+};

nora-registry/src/ui/mod.rs

@@ -1,11 +1,16 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 mod api;
-mod components;
+pub mod components;
+pub mod i18n;
 mod logo;
 mod templates;
 
+use crate::repo_index::paginate;
 use crate::AppState;
 use axum::{
-    extract::{Path, State},
+    extract::{Path, Query, State},
     response::{Html, IntoResponse, Redirect},
     routing::get,
     Router,
@@ -13,8 +18,59 @@ use axum::{
 use std::sync::Arc;
 
 use api::*;
+use i18n::Lang;
 use templates::*;
 
+#[derive(Debug, serde::Deserialize)]
+struct LangQuery {
+    lang: Option<String>,
+}
+
+#[derive(Debug, serde::Deserialize)]
+struct ListQuery {
+    lang: Option<String>,
+    page: Option<usize>,
+    limit: Option<usize>,
+}
+
+const DEFAULT_PAGE_SIZE: usize = 50;
+
+fn extract_lang(query: &Query<LangQuery>, cookie_header: Option<&str>) -> Lang {
+    // Priority: query param > cookie > default
+    if let Some(ref lang) = query.lang {
+        return Lang::from_str(lang);
+    }
+
+    // Try cookie
+    if let Some(cookies) = cookie_header {
+        for part in cookies.split(';') {
+            let part = part.trim();
+            if let Some(value) = part.strip_prefix("nora_lang=") {
+                return Lang::from_str(value);
+            }
+        }
+    }
+
+    Lang::default()
+}
+
+fn extract_lang_from_list(query: &ListQuery, cookie_header: Option<&str>) -> Lang {
+    if let Some(ref lang) = query.lang {
+        return Lang::from_str(lang);
+    }
+
+    if let Some(cookies) = cookie_header {
+        for part in cookies.split(';') {
+            let part = part.trim();
+            if let Some(value) = part.strip_prefix("nora_lang=") {
+                return Lang::from_str(value);
+            }
+        }
+    }
+
+    Lang::default()
+}
+
 pub fn routes() -> Router<Arc<AppState>> {
     Router::new()
         // UI Pages
@@ -31,85 +87,294 @@ pub fn routes() -> Router<Arc<AppState>> {
         .route("/ui/cargo/{name}", get(cargo_detail))
         .route("/ui/pypi", get(pypi_list))
         .route("/ui/pypi/{name}", get(pypi_detail))
+        .route("/ui/go", get(go_list))
+        .route("/ui/go/{*name}", get(go_detail))
+        .route("/ui/raw", get(raw_list))
+        .route("/ui/raw/{*name}", get(raw_detail))
         // API endpoints for HTMX
         .route("/api/ui/stats", get(api_stats))
+        .route("/api/ui/dashboard", get(api_dashboard))
         .route("/api/ui/{registry_type}/list", get(api_list))
         .route("/api/ui/{registry_type}/{name}", get(api_detail))
         .route("/api/ui/{registry_type}/search", get(api_search))
 }
 
 // Dashboard page
-async fn dashboard(State(state): State<Arc<AppState>>) -> impl IntoResponse {
-    let stats = get_registry_stats(&state.storage).await;
-    Html(render_dashboard(&stats))
+async fn dashboard(
+    State(state): State<Arc<AppState>>,
+    Query(query): Query<LangQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang(
+        &Query(query),
+        headers.get("cookie").and_then(|v| v.to_str().ok()),
+    );
+    let response = api_dashboard(State(state)).await.0;
+    Html(render_dashboard(&response, lang))
 }
 
 // Docker pages
-async fn docker_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
-    let repos = get_docker_repos(&state.storage).await;
-    Html(render_registry_list("docker", "Docker Registry", &repos))
+async fn docker_list(
+    State(state): State<Arc<AppState>>,
+    Query(query): Query<ListQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
+    let page = query.page.unwrap_or(1).max(1);
+    let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
+
+    let all_repos = state.repo_index.get("docker", &state.storage).await;
+    let (repos, total) = paginate(&all_repos, page, limit);
+
+    Html(render_registry_list_paginated(
+        "docker",
+        "Docker Registry",
+        &repos,
+        page,
+        limit,
+        total,
+        lang,
+    ))
 }
 
 async fn docker_detail(
     State(state): State<Arc<AppState>>,
     Path(name): Path<String>,
+    Query(query): Query<LangQuery>,
+    headers: axum::http::HeaderMap,
 ) -> impl IntoResponse {
-    let detail = get_docker_detail(&state.storage, &name).await;
-    Html(render_docker_detail(&name, &detail))
+    let lang = extract_lang(
+        &Query(query),
+        headers.get("cookie").and_then(|v| v.to_str().ok()),
+    );
+    let detail = get_docker_detail(&state, &name).await;
+    Html(render_docker_detail(&name, &detail, lang))
 }
 
 // Maven pages
-async fn maven_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
-    let repos = get_maven_repos(&state.storage).await;
-    Html(render_registry_list("maven", "Maven Repository", &repos))
+async fn maven_list(
+    State(state): State<Arc<AppState>>,
+    Query(query): Query<ListQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
+    let page = query.page.unwrap_or(1).max(1);
+    let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
+
+    let all_repos = state.repo_index.get("maven", &state.storage).await;
+    let (repos, total) = paginate(&all_repos, page, limit);
+
+    Html(render_registry_list_paginated(
+        "maven",
+        "Maven Repository",
+        &repos,
+        page,
+        limit,
+        total,
+        lang,
+    ))
 }
 
 async fn maven_detail(
     State(state): State<Arc<AppState>>,
     Path(path): Path<String>,
+    Query(query): Query<LangQuery>,
+    headers: axum::http::HeaderMap,
 ) -> impl IntoResponse {
+    let lang = extract_lang(
+        &Query(query),
+        headers.get("cookie").and_then(|v| v.to_str().ok()),
+    );
     let detail = get_maven_detail(&state.storage, &path).await;
-    Html(render_maven_detail(&path, &detail))
+    Html(render_maven_detail(&path, &detail, lang))
 }
 
 // npm pages
-async fn npm_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
-    let packages = get_npm_packages(&state.storage).await;
-    Html(render_registry_list("npm", "npm Registry", &packages))
+async fn npm_list(
+    State(state): State<Arc<AppState>>,
+    Query(query): Query<ListQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
+    let page = query.page.unwrap_or(1).max(1);
+    let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
+
+    let all_packages = state.repo_index.get("npm", &state.storage).await;
+    let (packages, total) = paginate(&all_packages, page, limit);
+
+    Html(render_registry_list_paginated(
+        "npm",
+        "npm Registry",
+        &packages,
+        page,
+        limit,
+        total,
+        lang,
+    ))
 }
 
 async fn npm_detail(
     State(state): State<Arc<AppState>>,
     Path(name): Path<String>,
+    Query(query): Query<LangQuery>,
+    headers: axum::http::HeaderMap,
 ) -> impl IntoResponse {
+    let lang = extract_lang(
+        &Query(query),
+        headers.get("cookie").and_then(|v| v.to_str().ok()),
+    );
     let detail = get_npm_detail(&state.storage, &name).await;
-    Html(render_package_detail("npm", &name, &detail))
+    Html(render_package_detail("npm", &name, &detail, lang))
 }
 
 // Cargo pages
-async fn cargo_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
-    let crates = get_cargo_crates(&state.storage).await;
-    Html(render_registry_list("cargo", "Cargo Registry", &crates))
+async fn cargo_list(
+    State(state): State<Arc<AppState>>,
+    Query(query): Query<ListQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
+    let page = query.page.unwrap_or(1).max(1);
+    let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
+
+    let all_crates = state.repo_index.get("cargo", &state.storage).await;
+    let (crates, total) = paginate(&all_crates, page, limit);
+
+    Html(render_registry_list_paginated(
+        "cargo",
+        "Cargo Registry",
+        &crates,
+        page,
+        limit,
+        total,
+        lang,
+    ))
 }
 
 async fn cargo_detail(
     State(state): State<Arc<AppState>>,
     Path(name): Path<String>,
+    Query(query): Query<LangQuery>,
+    headers: axum::http::HeaderMap,
 ) -> impl IntoResponse {
+    let lang = extract_lang(
+        &Query(query),
+        headers.get("cookie").and_then(|v| v.to_str().ok()),
+    );
     let detail = get_cargo_detail(&state.storage, &name).await;
-    Html(render_package_detail("cargo", &name, &detail))
+    Html(render_package_detail("cargo", &name, &detail, lang))
 }
 
 // PyPI pages
-async fn pypi_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
-    let packages = get_pypi_packages(&state.storage).await;
-    Html(render_registry_list("pypi", "PyPI Repository", &packages))
+async fn pypi_list(
+    State(state): State<Arc<AppState>>,
+    Query(query): Query<ListQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
+    let page = query.page.unwrap_or(1).max(1);
+    let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
+
+    let all_packages = state.repo_index.get("pypi", &state.storage).await;
+    let (packages, total) = paginate(&all_packages, page, limit);
+
+    Html(render_registry_list_paginated(
+        "pypi",
+        "PyPI Repository",
+        &packages,
+        page,
+        limit,
+        total,
+        lang,
+    ))
 }
 
 async fn pypi_detail(
     State(state): State<Arc<AppState>>,
     Path(name): Path<String>,
+    Query(query): Query<LangQuery>,
+    headers: axum::http::HeaderMap,
 ) -> impl IntoResponse {
+    let lang = extract_lang(
+        &Query(query),
+        headers.get("cookie").and_then(|v| v.to_str().ok()),
+    );
     let detail = get_pypi_detail(&state.storage, &name).await;
-    Html(render_package_detail("pypi", &name, &detail))
+    Html(render_package_detail("pypi", &name, &detail, lang))
+}
+
+// Go pages
+async fn go_list(
+    State(state): State<Arc<AppState>>,
+    Query(query): Query<ListQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
+    let page = query.page.unwrap_or(1).max(1);
+    let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
+
+    let all_modules = state.repo_index.get("go", &state.storage).await;
+    let (modules, total) = paginate(&all_modules, page, limit);
+
+    Html(render_registry_list_paginated(
+        "go",
+        "Go Modules",
+        &modules,
+        page,
+        limit,
+        total,
+        lang,
+    ))
+}
+
+async fn go_detail(
+    State(state): State<Arc<AppState>>,
+    Path(name): Path<String>,
+    Query(query): Query<LangQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang(
+        &Query(query),
+        headers.get("cookie").and_then(|v| v.to_str().ok()),
+    );
+    let detail = get_go_detail(&state.storage, &name).await;
+    Html(render_package_detail("go", &name, &detail, lang))
+}
+
+// Raw pages
+async fn raw_list(
+    State(state): State<Arc<AppState>>,
+    Query(query): Query<ListQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
+    let page = query.page.unwrap_or(1).max(1);
+    let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
+
+    let all_files = state.repo_index.get("raw", &state.storage).await;
+    let (files, total) = paginate(&all_files, page, limit);
+
+    Html(render_registry_list_paginated(
+        "raw",
+        "Raw Storage",
+        &files,
+        page,
+        limit,
+        total,
+        lang,
+    ))
+}
+
+async fn raw_detail(
+    State(state): State<Arc<AppState>>,
+    Path(name): Path<String>,
+    Query(query): Query<LangQuery>,
+    headers: axum::http::HeaderMap,
+) -> impl IntoResponse {
+    let lang = extract_lang(
+        &Query(query),
+        headers.get("cookie").and_then(|v| v.to_str().ok()),
+    );
+    let detail = get_raw_detail(&state.storage, &name).await;
+    Html(render_package_detail("raw", &name, &detail, lang))
 }

nora-registry/src/ui/templates.rs

@@ -1,91 +1,217 @@
-use super::api::{DockerDetail, MavenDetail, PackageDetail, RegistryStats, RepoInfo};
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
+use super::api::{DashboardResponse, DockerDetail, MavenDetail, PackageDetail};
 use super::components::*;
+use super::i18n::{get_translations, Lang};
+use crate::repo_index::RepoInfo;
 
-/// Renders the main dashboard page
-pub fn render_dashboard(stats: &RegistryStats) -> String {
-    let content = format!(
-        r##"
-        <div class="mb-8">
-            <h1 class="text-2xl font-bold text-slate-800 mb-2">Dashboard</h1>
-            <p class="text-slate-500">Overview of all registries</p>
-        </div>
-
-        <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-5 gap-6 mb-8">
-            {}
-            {}
-            {}
-            {}
-            {}
-        </div>
-
-        <div class="bg-white rounded-lg shadow-sm border border-slate-200 p-6">
-            <h2 class="text-lg font-semibold text-slate-800 mb-4">Quick Links</h2>
-            <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
-                <a href="/ui/docker" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
-                    <svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
-                    <div>
-                        <div class="font-medium text-slate-700">Docker Registry</div>
-                        <div class="text-sm text-slate-500">API: /v2/</div>
-                    </div>
-                </a>
-                <a href="/ui/maven" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
-                    <svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
-                    <div>
-                        <div class="font-medium text-slate-700">Maven Repository</div>
-                        <div class="text-sm text-slate-500">API: /maven2/</div>
-                    </div>
-                </a>
-                <a href="/ui/npm" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
-                    <svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
-                    <div>
-                        <div class="font-medium text-slate-700">npm Registry</div>
-                        <div class="text-sm text-slate-500">API: /npm/</div>
-                    </div>
-                </a>
-                <a href="/ui/cargo" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
-                    <svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
-                    <div>
-                        <div class="font-medium text-slate-700">Cargo Registry</div>
-                        <div class="text-sm text-slate-500">API: /cargo/</div>
-                    </div>
-                </a>
-                <a href="/ui/pypi" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
-                    <svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
-                    <div>
-                        <div class="font-medium text-slate-700">PyPI Repository</div>
-                        <div class="text-sm text-slate-500">API: /simple/</div>
-                    </div>
-                </a>
-            </div>
-        </div>
-    "##,
-        stat_card("Docker", icons::DOCKER, stats.docker, "/ui/docker", "images"),
-        stat_card("Maven", icons::MAVEN, stats.maven, "/ui/maven", "artifacts"),
-        stat_card("npm", icons::NPM, stats.npm, "/ui/npm", "packages"),
-        stat_card("Cargo", icons::CARGO, stats.cargo, "/ui/cargo", "crates"),
-        stat_card("PyPI", icons::PYPI, stats.pypi, "/ui/pypi", "packages"),
-        // Quick Links icons
-        icons::DOCKER,
-        icons::MAVEN,
-        icons::NPM,
-        icons::CARGO,
-        icons::PYPI,
+/// Renders the main dashboard page with dark theme
+pub fn render_dashboard(data: &DashboardResponse, lang: Lang) -> String {
+    let t = get_translations(lang);
+    // Render global stats
+    let global_stats = render_global_stats(
+        data.global_stats.downloads,
+        data.global_stats.uploads,
+        data.global_stats.artifacts,
+        data.global_stats.cache_hit_percent,
+        data.global_stats.storage_bytes,
+        lang,
     );
 
-    layout("Dashboard", &content, Some("dashboard"))
+    // Render registry cards
+    let registry_cards: String = data
+        .registry_stats
+        .iter()
+        .map(|r| {
+            let icon = get_registry_icon(&r.name);
+            let display_name = get_registry_title(&r.name);
+            render_registry_card(
+                display_name,
+                icon,
+                r.artifact_count,
+                r.downloads,
+                r.uploads,
+                r.size_bytes,
+                &format!("/ui/{}", r.name),
+                t,
+            )
+        })
+        .collect();
+
+    // Render mount points
+    let mount_data: Vec<(String, String, Option<String>)> = data
+        .mount_points
+        .iter()
+        .map(|m| {
+            (
+                m.registry.clone(),
+                m.mount_path.clone(),
+                m.proxy_upstream.clone(),
+            )
+        })
+        .collect();
+    let mount_points = render_mount_points_table(&mount_data, t);
+
+    // Render activity log
+    let activity_rows: String = if data.activity.is_empty() {
+        format!(
+            r##"<tr><td colspan="5" class="py-8 text-center text-slate-500">{}</td></tr>"##,
+            t.no_activity
+        )
+    } else {
+        // Group consecutive identical entries (same action+artifact+registry+source)
+        struct GroupedActivity {
+            time: String,
+            action: String,
+            artifact: String,
+            registry: String,
+            source: String,
+            count: usize,
+        }
+
+        let mut grouped: Vec<GroupedActivity> = Vec::new();
+        for entry in &data.activity {
+            let action = entry.action.to_string();
+            let is_repeat = grouped.last().is_some_and(|last| {
+                last.action == action
+                    && last.artifact == entry.artifact
+                    && last.registry == entry.registry
+                    && last.source == entry.source
+            });
+
+            if is_repeat {
+                if let Some(last) = grouped.last_mut() {
+                    last.count += 1;
+                }
+            } else {
+                grouped.push(GroupedActivity {
+                    time: format_relative_time(&entry.timestamp),
+                    action,
+                    artifact: entry.artifact.clone(),
+                    registry: entry.registry.clone(),
+                    source: entry.source.clone(),
+                    count: 1,
+                });
+            }
+        }
+
+        grouped
+            .iter()
+            .map(|g| {
+                let display_artifact = if g.count > 1 {
+                    format!("{} (x{})", g.artifact, g.count)
+                } else {
+                    g.artifact.clone()
+                };
+                render_activity_row(
+                    &g.time,
+                    &g.action,
+                    &display_artifact,
+                    &g.registry,
+                    &g.source,
+                )
+            })
+            .collect()
+    };
+    let activity_log = render_activity_log(&activity_rows, t);
+
+    // Format uptime
+    let hours = data.uptime_seconds / 3600;
+    let mins = (data.uptime_seconds % 3600) / 60;
+    let uptime_str = format!("{}h {}m", hours, mins);
+
+    // Render bragging footer
+    let bragging_footer = render_bragging_footer(lang);
+
+    let content = format!(
+        r##"
+        <div class="mb-6">
+            <div class="flex items-center justify-between">
+                <div>
+                    <h1 class="text-2xl font-bold text-slate-200 mb-1">{}</h1>
+                    <p class="text-slate-400">{}</p>
+                </div>
+                <div class="text-right">
+                    <div class="text-sm text-slate-500">{}</div>
+                    <div id="uptime" class="text-lg font-semibold text-slate-300">{}</div>
+                </div>
+            </div>
+        </div>
+
+        {}
+
+        <div class="grid grid-cols-2 md:grid-cols-4 lg:grid-cols-7 gap-3 mb-6">
+            {}
+        </div>
+
+        <div class="grid grid-cols-1 lg:grid-cols-2 gap-6 mb-6">
+            {}
+            {}
+        </div>
+
+        {}
+    "##,
+        t.dashboard_title,
+        t.dashboard_subtitle,
+        t.uptime,
+        uptime_str,
+        global_stats,
+        registry_cards,
+        mount_points,
+        activity_log,
+        bragging_footer,
+    );
+
+    let polling_script = render_polling_script();
+    layout_dark(
+        t.dashboard_title,
+        &content,
+        Some("dashboard"),
+        &polling_script,
+        lang,
+    )
+}
+
+/// Format timestamp as relative time (e.g., "2 min ago")
+fn format_relative_time(timestamp: &chrono::DateTime<chrono::Utc>) -> String {
+    let now = chrono::Utc::now();
+    let diff = now.signed_duration_since(*timestamp);
+
+    if diff.num_seconds() < 60 {
+        "just now".to_string()
+    } else if diff.num_minutes() < 60 {
+        let mins = diff.num_minutes();
+        format!("{} min{} ago", mins, if mins == 1 { "" } else { "s" })
+    } else if diff.num_hours() < 24 {
+        let hours = diff.num_hours();
+        format!("{} hour{} ago", hours, if hours == 1 { "" } else { "s" })
+    } else {
+        let days = diff.num_days();
+        format!("{} day{} ago", days, if days == 1 { "" } else { "s" })
+    }
 }
 
 /// Renders a registry list page (docker, maven, npm, cargo, pypi)
-pub fn render_registry_list(registry_type: &str, title: &str, repos: &[RepoInfo]) -> String {
+#[allow(dead_code)]
+pub fn render_registry_list(
+    registry_type: &str,
+    title: &str,
+    repos: &[RepoInfo],
+    lang: Lang,
+) -> String {
+    let t = get_translations(lang);
     let icon = get_registry_icon(registry_type);
 
     let table_rows = if repos.is_empty() {
-        r##"<tr><td colspan="4" class="px-6 py-12 text-center text-slate-500">
+        format!(
+            r##"<tr><td colspan="4" class="px-6 py-12 text-center text-slate-500">
             <div class="text-4xl mb-2">📭</div>
-            <div>No repositories found</div>
-            <div class="text-sm mt-1">Push your first artifact to see it here</div>
-        </td></tr>"##
-            .to_string()
+            <div>{}</div>
+            <div class="text-sm mt-1">{}</div>
+        </td></tr>"##,
+            t.no_repos_found, t.push_first_artifact
+        )
     } else {
         repos
             .iter()
@@ -94,12 +220,12 @@ pub fn render_registry_list(registry_type: &str, title: &str, repos: &[RepoInfo]
                     format!("/ui/{}/{}", registry_type, encode_uri_component(&repo.name));
                 format!(
                     r##"
-                <tr class="hover:bg-slate-50 cursor-pointer" onclick="window.location='{}'">
+                <tr class="hover:bg-slate-700 cursor-pointer" onclick="window.location='{}'">
                     <td class="px-6 py-4">
-                        <a href="{}" class="text-blue-600 hover:text-blue-800 font-medium">{}</a>
+                        <a href="{}" class="text-blue-400 hover:text-blue-300 font-medium">{}</a>
                     </td>
-                    <td class="px-6 py-4 text-slate-600">{}</td>
-                    <td class="px-6 py-4 text-slate-600">{}</td>
+                    <td class="px-6 py-4 text-slate-400">{}</td>
+                    <td class="px-6 py-4 text-slate-400">{}</td>
                     <td class="px-6 py-4 text-slate-500 text-sm">{}</td>
                 </tr>
             "##,
@@ -116,48 +242,47 @@ pub fn render_registry_list(registry_type: &str, title: &str, repos: &[RepoInfo]
     };
 
     let version_label = match registry_type {
-        "docker" => "Tags",
-        "maven" => "Versions",
-        _ => "Versions",
+        "docker" => t.tags,
+        _ => t.versions,
     };
 
     let content = format!(
         r##"
         <div class="mb-6 flex items-center justify-between">
             <div class="flex items-center">
-                <svg class="w-10 h-10 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
+                <svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
                 <div>
-                    <h1 class="text-2xl font-bold text-slate-800">{}</h1>
-                    <p class="text-slate-500">{} repositories</p>
+                    <h1 class="text-2xl font-bold text-slate-200">{}</h1>
+                    <p class="text-slate-500">{} {}</p>
                 </div>
             </div>
             <div class="flex items-center gap-4">
                 <div class="relative">
                     <input type="text"
-                           placeholder="Search repositories..."
-                           class="pl-10 pr-4 py-2 border border-slate-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent"
+                           placeholder="{}"
+                           class="pl-10 pr-4 py-2 bg-slate-800 border border-slate-600 text-slate-200 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent placeholder-slate-500"
                            hx-get="/api/ui/{}/search"
                            hx-trigger="keyup changed delay:300ms"
                            hx-target="#repo-table-body"
                            name="q">
-                    <svg class="absolute left-3 top-2.5 h-5 w-5 text-slate-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <svg class="absolute left-3 top-2.5 h-5 w-5 text-slate-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                         <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"/>
                     </svg>
                 </div>
             </div>
         </div>
 
-        <div class="bg-white rounded-lg shadow-sm border border-slate-200 overflow-hidden">
+        <div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
             <table class="w-full">
-                <thead class="bg-slate-50 border-b border-slate-200">
+                <thead class="bg-slate-800 border-b border-slate-700">
                     <tr>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Name</th>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">{}</th>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Size</th>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Updated</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
                     </tr>
                 </thead>
-                <tbody id="repo-table-body" class="divide-y divide-slate-200">
+                <tbody id="repo-table-body" class="divide-y divide-slate-700">
                     {}
                 </tbody>
             </table>
@@ -166,16 +291,236 @@ pub fn render_registry_list(registry_type: &str, title: &str, repos: &[RepoInfo]
         icon,
         title,
         repos.len(),
+        t.repositories,
+        t.search_placeholder,
         registry_type,
+        t.name,
         version_label,
+        t.size,
+        t.updated,
         table_rows
     );
 
-    layout(title, &content, Some(registry_type))
+    layout_dark(title, &content, Some(registry_type), "", lang)
+}
+
+/// Renders a registry list page with pagination
+pub fn render_registry_list_paginated(
+    registry_type: &str,
+    title: &str,
+    repos: &[RepoInfo],
+    page: usize,
+    limit: usize,
+    total: usize,
+    lang: Lang,
+) -> String {
+    let t = get_translations(lang);
+    let icon = get_registry_icon(registry_type);
+
+    let table_rows = if repos.is_empty() && page == 1 {
+        format!(
+            r##"<tr><td colspan="4" class="px-6 py-12 text-center text-slate-500">
+            <div class="text-4xl mb-2">📭</div>
+            <div>{}</div>
+            <div class="text-sm mt-1">{}</div>
+        </td></tr>"##,
+            t.no_repos_found, t.push_first_artifact
+        )
+    } else if repos.is_empty() {
+        r##"<tr><td colspan="4" class="px-6 py-12 text-center text-slate-500">
+            <div class="text-4xl mb-2">📭</div>
+            <div>No more items on this page</div>
+        </td></tr>"##
+            .to_string()
+    } else {
+        repos
+            .iter()
+            .map(|repo| {
+                let detail_url =
+                    format!("/ui/{}/{}", registry_type, encode_uri_component(&repo.name));
+                format!(
+                    r##"
+                <tr class="hover:bg-slate-700 cursor-pointer" onclick="window.location='{}'">
+                    <td class="px-6 py-4">
+                        <a href="{}" class="text-blue-400 hover:text-blue-300 font-medium">{}</a>
+                    </td>
+                    <td class="px-6 py-4 text-slate-400">{}</td>
+                    <td class="px-6 py-4 text-slate-400">{}</td>
+                    <td class="px-6 py-4 text-slate-500 text-sm">{}</td>
+                </tr>
+            "##,
+                    detail_url,
+                    detail_url,
+                    html_escape(&repo.name),
+                    repo.versions,
+                    format_size(repo.size),
+                    &repo.updated
+                )
+            })
+            .collect::<Vec<_>>()
+            .join("")
+    };
+
+    let version_label = match registry_type {
+        "docker" => t.tags,
+        _ => t.versions,
+    };
+
+    // Pagination
+    let total_pages = total.div_ceil(limit);
+    let start_item = if total == 0 {
+        0
+    } else {
+        (page - 1) * limit + 1
+    };
+    let end_item = (start_item + repos.len()).saturating_sub(1);
+
+    let pagination = if total_pages > 1 {
+        let mut pages_html = String::new();
+
+        // Previous button
+        if page > 1 {
+            pages_html.push_str(&format!(
+                r##"<a href="/ui/{}?page={}&limit={}" class="px-3 py-1 rounded bg-slate-700 hover:bg-slate-600 text-slate-300">←</a>"##,
+                registry_type, page - 1, limit
+            ));
+        } else {
+            pages_html.push_str(r##"<span class="px-3 py-1 rounded bg-slate-800 text-slate-600 cursor-not-allowed">←</span>"##);
+        }
+
+        // Page numbers (show max 7 pages around current)
+        let start_page = if page <= 4 { 1 } else { page - 3 };
+        let end_page = (start_page + 6).min(total_pages);
+
+        if start_page > 1 {
+            pages_html.push_str(&format!(
+                r##"<a href="/ui/{}?page=1&limit={}" class="px-3 py-1 rounded hover:bg-slate-700 text-slate-400">1</a>"##,
+                registry_type, limit
+            ));
+            if start_page > 2 {
+                pages_html.push_str(r##"<span class="px-2 text-slate-600">...</span>"##);
+            }
+        }
+
+        for p in start_page..=end_page {
+            if p == page {
+                pages_html.push_str(&format!(
+                    r##"<span class="px-3 py-1 rounded bg-blue-600 text-white font-medium">{}</span>"##,
+                    p
+                ));
+            } else {
+                pages_html.push_str(&format!(
+                    r##"<a href="/ui/{}?page={}&limit={}" class="px-3 py-1 rounded hover:bg-slate-700 text-slate-400">{}</a>"##,
+                    registry_type, p, limit, p
+                ));
+            }
+        }
+
+        if end_page < total_pages {
+            if end_page < total_pages - 1 {
+                pages_html.push_str(r##"<span class="px-2 text-slate-600">...</span>"##);
+            }
+            pages_html.push_str(&format!(
+                r##"<a href="/ui/{}?page={}&limit={}" class="px-3 py-1 rounded hover:bg-slate-700 text-slate-400">{}</a>"##,
+                registry_type, total_pages, limit, total_pages
+            ));
+        }
+
+        // Next button
+        if page < total_pages {
+            pages_html.push_str(&format!(
+                r##"<a href="/ui/{}?page={}&limit={}" class="px-3 py-1 rounded bg-slate-700 hover:bg-slate-600 text-slate-300">→</a>"##,
+                registry_type, page + 1, limit
+            ));
+        } else {
+            pages_html.push_str(r##"<span class="px-3 py-1 rounded bg-slate-800 text-slate-600 cursor-not-allowed">→</span>"##);
+        }
+
+        format!(
+            r##"
+            <div class="mt-4 flex items-center justify-between">
+                <div class="text-sm text-slate-500">
+                    Showing {}-{} of {} items
+                </div>
+                <div class="flex items-center gap-1">
+                    {}
+                </div>
+            </div>
+            "##,
+            start_item, end_item, total, pages_html
+        )
+    } else if total > 0 {
+        format!(
+            r##"<div class="mt-4 text-sm text-slate-500">Showing all {} items</div>"##,
+            total
+        )
+    } else {
+        String::new()
+    };
+
+    let content = format!(
+        r##"
+        <div class="mb-6 flex items-center justify-between">
+            <div class="flex items-center">
+                <svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
+                <div>
+                    <h1 class="text-2xl font-bold text-slate-200">{}</h1>
+                    <p class="text-slate-500">{} {}</p>
+                </div>
+            </div>
+            <div class="flex items-center gap-4">
+                <div class="relative">
+                    <input type="text"
+                           placeholder="{}"
+                           class="pl-10 pr-4 py-2 bg-slate-800 border border-slate-600 text-slate-200 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent placeholder-slate-500"
+                           hx-get="/api/ui/{}/search"
+                           hx-trigger="keyup changed delay:300ms"
+                           hx-target="#repo-table-body"
+                           name="q">
+                    <svg class="absolute left-3 top-2.5 h-5 w-5 text-slate-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"/>
+                    </svg>
+                </div>
+            </div>
+        </div>
+
+        <div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
+            <table class="w-full">
+                <thead class="bg-slate-800 border-b border-slate-700">
+                    <tr>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
+                    </tr>
+                </thead>
+                <tbody id="repo-table-body" class="divide-y divide-slate-700">
+                    {}
+                </tbody>
+            </table>
+        </div>
+        {}
+    "##,
+        icon,
+        title,
+        total,
+        t.repositories,
+        t.search_placeholder,
+        registry_type,
+        t.name,
+        version_label,
+        t.size,
+        t.updated,
+        table_rows,
+        pagination
+    );
+
+    layout_dark(title, &content, Some(registry_type), "", lang)
 }
 
 /// Renders Docker image detail page
-pub fn render_docker_detail(name: &str, detail: &DockerDetail) -> String {
+pub fn render_docker_detail(name: &str, detail: &DockerDetail, lang: Lang) -> String {
+    let _t = get_translations(lang);
     let tags_rows = if detail.tags.is_empty() {
         r##"<tr><td colspan="3" class="px-6 py-8 text-center text-slate-500">No tags found</td></tr>"##.to_string()
     } else {
@@ -185,11 +530,11 @@ pub fn render_docker_detail(name: &str, detail: &DockerDetail) -> String {
             .map(|tag| {
                 format!(
                     r##"
-                <tr class="hover:bg-slate-50">
+                <tr class="hover:bg-slate-700">
                     <td class="px-6 py-4">
-                        <span class="font-mono text-sm bg-slate-100 px-2 py-1 rounded">{}</span>
+                        <span class="font-mono text-sm bg-slate-700 text-slate-200 px-2 py-1 rounded">{}</span>
                     </td>
-                    <td class="px-6 py-4 text-slate-600">{}</td>
+                    <td class="px-6 py-4 text-slate-400">{}</td>
                     <td class="px-6 py-4 text-slate-500 text-sm">{}</td>
                 </tr>
             "##,
@@ -208,18 +553,18 @@ pub fn render_docker_detail(name: &str, detail: &DockerDetail) -> String {
         r##"
         <div class="mb-6">
             <div class="flex items-center mb-2">
-                <a href="/ui/docker" class="text-blue-600 hover:text-blue-800">Docker Registry</a>
-                <span class="mx-2 text-slate-400">/</span>
-                <span class="text-slate-800 font-medium">{}</span>
+                <a href="/ui/docker" class="text-blue-400 hover:text-blue-300">Docker Registry</a>
+                <span class="mx-2 text-slate-500">/</span>
+                <span class="text-slate-200 font-medium">{}</span>
             </div>
             <div class="flex items-center">
-                <svg class="w-10 h-10 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
-                <h1 class="text-2xl font-bold text-slate-800">{}</h1>
+                <svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
+                <h1 class="text-2xl font-bold text-slate-200">{}</h1>
             </div>
         </div>
 
-        <div class="bg-white rounded-lg shadow-sm border border-slate-200 p-6 mb-6">
-            <h2 class="text-lg font-semibold text-slate-800 mb-3">Pull Command</h2>
+        <div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 p-6 mb-6">
+            <h2 class="text-lg font-semibold text-slate-200 mb-3">Pull Command</h2>
             <div class="flex items-center bg-slate-900 text-green-400 rounded-lg p-4 font-mono text-sm">
                 <code class="flex-1">{}</code>
                 <button onclick="navigator.clipboard.writeText('{}')" class="ml-4 text-slate-400 hover:text-white transition-colors" title="Copy to clipboard">
@@ -230,19 +575,19 @@ pub fn render_docker_detail(name: &str, detail: &DockerDetail) -> String {
             </div>
         </div>
 
-        <div class="bg-white rounded-lg shadow-sm border border-slate-200 overflow-hidden">
-            <div class="px-6 py-4 border-b border-slate-200">
-                <h2 class="text-lg font-semibold text-slate-800">Tags ({} total)</h2>
+        <div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
+            <div class="px-6 py-4 border-b border-slate-700">
+                <h2 class="text-lg font-semibold text-slate-200">Tags ({} total)</h2>
             </div>
             <table class="w-full">
-                <thead class="bg-slate-50 border-b border-slate-200">
+                <thead class="bg-slate-800 border-b border-slate-700">
                     <tr>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Tag</th>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Size</th>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Created</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Tag</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Size</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Created</th>
                     </tr>
                 </thead>
-                <tbody class="divide-y divide-slate-200">
+                <tbody class="divide-y divide-slate-700">
                     {}
                 </tbody>
             </table>
@@ -257,11 +602,23 @@ pub fn render_docker_detail(name: &str, detail: &DockerDetail) -> String {
         tags_rows
     );
 
-    layout(&format!("{} - Docker", name), &content, Some("docker"))
+    layout_dark(
+        &format!("{} - Docker", name),
+        &content,
+        Some("docker"),
+        "",
+        lang,
+    )
 }
 
 /// Renders package detail page (npm, cargo, pypi)
-pub fn render_package_detail(registry_type: &str, name: &str, detail: &PackageDetail) -> String {
+pub fn render_package_detail(
+    registry_type: &str,
+    name: &str,
+    detail: &PackageDetail,
+    lang: Lang,
+) -> String {
+    let _t = get_translations(lang);
     let icon = get_registry_icon(registry_type);
     let registry_title = get_registry_title(registry_type);
 
@@ -274,11 +631,11 @@ pub fn render_package_detail(registry_type: &str, name: &str, detail: &PackageDe
             .map(|v| {
                 format!(
                     r##"
-                <tr class="hover:bg-slate-50">
+                <tr class="hover:bg-slate-700">
                     <td class="px-6 py-4">
-                        <span class="font-mono text-sm bg-slate-100 px-2 py-1 rounded">{}</span>
+                        <span class="font-mono text-sm bg-slate-700 text-slate-200 px-2 py-1 rounded">{}</span>
                     </td>
-                    <td class="px-6 py-4 text-slate-600">{}</td>
+                    <td class="px-6 py-4 text-slate-400">{}</td>
                     <td class="px-6 py-4 text-slate-500 text-sm">{}</td>
                 </tr>
             "##,
@@ -298,6 +655,8 @@ pub fn render_package_detail(registry_type: &str, name: &str, detail: &PackageDe
             "pip install {} --index-url http://127.0.0.1:4000/simple",
             name
         ),
+        "go" => format!("GOPROXY=http://127.0.0.1:4000/go go get {}", name),
+        "raw" => format!("curl -O http://127.0.0.1:4000/raw/{}/<file>", name),
         _ => String::new(),
     };
 
@@ -305,18 +664,18 @@ pub fn render_package_detail(registry_type: &str, name: &str, detail: &PackageDe
         r##"
         <div class="mb-6">
             <div class="flex items-center mb-2">
-                <a href="/ui/{}" class="text-blue-600 hover:text-blue-800">{}</a>
-                <span class="mx-2 text-slate-400">/</span>
-                <span class="text-slate-800 font-medium">{}</span>
+                <a href="/ui/{}" class="text-blue-400 hover:text-blue-300">{}</a>
+                <span class="mx-2 text-slate-500">/</span>
+                <span class="text-slate-200 font-medium">{}</span>
             </div>
             <div class="flex items-center">
-                <svg class="w-10 h-10 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
-                <h1 class="text-2xl font-bold text-slate-800">{}</h1>
+                <svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
+                <h1 class="text-2xl font-bold text-slate-200">{}</h1>
             </div>
         </div>
 
-        <div class="bg-white rounded-lg shadow-sm border border-slate-200 p-6 mb-6">
-            <h2 class="text-lg font-semibold text-slate-800 mb-3">Install Command</h2>
+        <div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 p-6 mb-6">
+            <h2 class="text-lg font-semibold text-slate-200 mb-3">Install Command</h2>
             <div class="flex items-center bg-slate-900 text-green-400 rounded-lg p-4 font-mono text-sm">
                 <code class="flex-1">{}</code>
                 <button onclick="navigator.clipboard.writeText('{}')" class="ml-4 text-slate-400 hover:text-white transition-colors" title="Copy to clipboard">
@@ -327,19 +686,19 @@ pub fn render_package_detail(registry_type: &str, name: &str, detail: &PackageDe
             </div>
         </div>
 
-        <div class="bg-white rounded-lg shadow-sm border border-slate-200 overflow-hidden">
-            <div class="px-6 py-4 border-b border-slate-200">
-                <h2 class="text-lg font-semibold text-slate-800">Versions ({} total)</h2>
+        <div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
+            <div class="px-6 py-4 border-b border-slate-700">
+                <h2 class="text-lg font-semibold text-slate-200">Versions ({} total)</h2>
             </div>
             <table class="w-full">
-                <thead class="bg-slate-50 border-b border-slate-200">
+                <thead class="bg-slate-800 border-b border-slate-700">
                     <tr>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Version</th>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Size</th>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Published</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Version</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Size</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Published</th>
                     </tr>
                 </thead>
-                <tbody class="divide-y divide-slate-200">
+                <tbody class="divide-y divide-slate-700">
                     {}
                 </tbody>
             </table>
@@ -356,26 +715,29 @@ pub fn render_package_detail(registry_type: &str, name: &str, detail: &PackageDe
         versions_rows
     );
 
-    layout(
+    layout_dark(
         &format!("{} - {}", name, registry_title),
         &content,
         Some(registry_type),
+        "",
+        lang,
     )
 }
 
 /// Renders Maven artifact detail page
-pub fn render_maven_detail(path: &str, detail: &MavenDetail) -> String {
+pub fn render_maven_detail(path: &str, detail: &MavenDetail, lang: Lang) -> String {
+    let _t = get_translations(lang);
     let artifact_rows = if detail.artifacts.is_empty() {
         r##"<tr><td colspan="2" class="px-6 py-8 text-center text-slate-500">No artifacts found</td></tr>"##.to_string()
     } else {
         detail.artifacts.iter().map(|a| {
             let download_url = format!("/maven2/{}/{}", path, a.filename);
             format!(r##"
-                <tr class="hover:bg-slate-50">
+                <tr class="hover:bg-slate-700">
                     <td class="px-6 py-4">
-                        <a href="{}" class="text-blue-600 hover:text-blue-800 font-mono text-sm">{}</a>
+                        <a href="{}" class="text-blue-400 hover:text-blue-300 font-mono text-sm">{}</a>
                     </td>
-                    <td class="px-6 py-4 text-slate-600">{}</td>
+                    <td class="px-6 py-4 text-slate-400">{}</td>
                 </tr>
             "##, download_url, html_escape(&a.filename), format_size(a.size))
         }).collect::<Vec<_>>().join("")
@@ -404,33 +766,33 @@ pub fn render_maven_detail(path: &str, detail: &MavenDetail) -> String {
         r##"
         <div class="mb-6">
             <div class="flex items-center mb-2">
-                <a href="/ui/maven" class="text-blue-600 hover:text-blue-800">Maven Repository</a>
-                <span class="mx-2 text-slate-400">/</span>
-                <span class="text-slate-800 font-medium">{}</span>
+                <a href="/ui/maven" class="text-blue-400 hover:text-blue-300">Maven Repository</a>
+                <span class="mx-2 text-slate-500">/</span>
+                <span class="text-slate-200 font-medium">{}</span>
             </div>
             <div class="flex items-center">
-                <svg class="w-10 h-10 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
-                <h1 class="text-2xl font-bold text-slate-800">{}</h1>
+                <svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
+                <h1 class="text-2xl font-bold text-slate-200">{}</h1>
             </div>
         </div>
 
-        <div class="bg-white rounded-lg shadow-sm border border-slate-200 p-6 mb-6">
-            <h2 class="text-lg font-semibold text-slate-800 mb-3">Maven Dependency</h2>
+        <div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 p-6 mb-6">
+            <h2 class="text-lg font-semibold text-slate-200 mb-3">Maven Dependency</h2>
             <pre class="bg-slate-900 text-green-400 rounded-lg p-4 font-mono text-sm overflow-x-auto">{}</pre>
         </div>
 
-        <div class="bg-white rounded-lg shadow-sm border border-slate-200 overflow-hidden">
-            <div class="px-6 py-4 border-b border-slate-200">
-                <h2 class="text-lg font-semibold text-slate-800">Artifacts ({} files)</h2>
+        <div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
+            <div class="px-6 py-4 border-b border-slate-700">
+                <h2 class="text-lg font-semibold text-slate-200">Artifacts ({} files)</h2>
             </div>
             <table class="w-full">
-                <thead class="bg-slate-50 border-b border-slate-200">
+                <thead class="bg-slate-800 border-b border-slate-700">
                     <tr>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Filename</th>
-                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Size</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Filename</th>
+                        <th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Size</th>
                     </tr>
                 </thead>
-                <tbody class="divide-y divide-slate-200">
+                <tbody class="divide-y divide-slate-700">
                     {}
                 </tbody>
             </table>
@@ -444,7 +806,13 @@ pub fn render_maven_detail(path: &str, detail: &MavenDetail) -> String {
         artifact_rows
     );
 
-    layout(&format!("{} - Maven", path), &content, Some("maven"))
+    layout_dark(
+        &format!("{} - Maven", path),
+        &content,
+        Some("maven"),
+        "",
+        lang,
+    )
 }
 
 /// Returns SVG icon path for the registry type
@@ -455,7 +823,11 @@ fn get_registry_icon(registry_type: &str) -> &'static str {
         "npm" => icons::NPM,
         "cargo" => icons::CARGO,
         "pypi" => icons::PYPI,
-        _ => r#"<path fill="currentColor" d="M10 4H4c-1.1 0-1.99.9-1.99 2L2 18c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V8c0-1.1-.9-2-2-2h-8l-2-2z"/>"#,
+        "go" => icons::GO,
+        "raw" => icons::RAW,
+        _ => {
+            r#"<path fill="currentColor" d="M10 4H4c-1.1 0-1.99.9-1.99 2L2 18c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V8c0-1.1-.9-2-2-2h-8l-2-2z"/>"#
+        }
     }
 }
 
@@ -466,6 +838,8 @@ fn get_registry_title(registry_type: &str) -> &'static str {
         "npm" => "npm Registry",
         "cargo" => "Cargo Registry",
         "pypi" => "PyPI Repository",
+        "go" => "Go Modules",
+        "raw" => "Raw Storage",
         _ => "Registry",
     }
 }

nora-registry/src/validation.rs

@@ -1,3 +1,6 @@
+// Copyright (c) 2026 Volkov Pavel | DevITWay
+// SPDX-License-Identifier: MIT
+
 //! Input validation for artifact registry paths and identifiers
 //!
 //! Provides security validation to prevent path traversal attacks and
@@ -92,7 +95,7 @@ pub fn validate_storage_key(key: &str) -> Result<(), ValidationError> {
 
     // Check each segment
     for segment in key.split('/') {
-        if segment.is_empty() && key != "" {
+        if segment.is_empty() && !key.is_empty() {
             // Allow trailing slash but not double slashes
             continue;
         }
@@ -175,7 +178,12 @@ pub fn validate_docker_name(name: &str) -> Result<(), ValidationError> {
                 "empty path segment".to_string(),
             ));
         }
-        let first = segment.chars().next().unwrap();
+        // Safety: segment.is_empty() checked above, but use match for defense-in-depth
+        let Some(first) = segment.chars().next() else {
+            return Err(ValidationError::InvalidDockerName(
+                "empty path segment".to_string(),
+            ));
+        };
         if !first.is_ascii_alphanumeric() {
             return Err(ValidationError::InvalidDockerName(
                 "segment must start with alphanumeric".to_string(),
@@ -289,7 +297,10 @@ pub fn validate_docker_reference(reference: &str) -> Result<(), ValidationError>
     }
 
     // Validate as tag
-    let first = reference.chars().next().unwrap();
+    // Safety: empty check at function start, but use let-else for defense-in-depth
+    let Some(first) = reference.chars().next() else {
+        return Err(ValidationError::EmptyInput);
+    };
     if !first.is_ascii_alphanumeric() {
         return Err(ValidationError::InvalidReference(
             "tag must start with alphanumeric".to_string(),
@@ -305,63 +316,6 @@ pub fn validate_docker_reference(reference: &str) -> Result<(), ValidationError>
     Ok(())
 }
 
-/// Validate Maven artifact path.
-///
-/// Maven paths follow the pattern: groupId/artifactId/version/filename
-/// Example: `org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar`
-pub fn validate_maven_path(path: &str) -> Result<(), ValidationError> {
-    validate_storage_key(path)
-}
-
-/// Validate npm package name.
-pub fn validate_npm_name(name: &str) -> Result<(), ValidationError> {
-    if name.is_empty() {
-        return Err(ValidationError::EmptyInput);
-    }
-
-    if name.len() > 214 {
-        return Err(ValidationError::TooLong {
-            max: 214,
-            actual: name.len(),
-        });
-    }
-
-    // Check for path traversal
-    if name.contains("..") {
-        return Err(ValidationError::PathTraversal);
-    }
-
-    Ok(())
-}
-
-/// Validate Cargo crate name.
-pub fn validate_crate_name(name: &str) -> Result<(), ValidationError> {
-    if name.is_empty() {
-        return Err(ValidationError::EmptyInput);
-    }
-
-    if name.len() > 64 {
-        return Err(ValidationError::TooLong {
-            max: 64,
-            actual: name.len(),
-        });
-    }
-
-    // Check for path traversal
-    if name.contains("..") || name.contains('/') {
-        return Err(ValidationError::PathTraversal);
-    }
-
-    // Crate names: alphanumeric, underscores, hyphens
-    for c in name.chars() {
-        if !matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '_' | '-') {
-            return Err(ValidationError::ForbiddenCharacter(c));
-        }
-    }
-
-    Ok(())
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -550,3 +504,150 @@ mod tests {
         assert!(validate_docker_reference("-dash").is_err());
     }
 }
+
+#[cfg(test)]
+mod proptests {
+    use super::*;
+    use proptest::prelude::*;
+
+    /// Valid lowercase Docker name component
+    fn docker_component() -> impl Strategy<Value = String> {
+        "[a-z0-9][a-z0-9._-]{0,30}".prop_filter("no consecutive separators", |s| {
+            !s.contains("..") && !s.contains("//") && !s.contains("--") && !s.contains("__")
+        })
+    }
+
+    /// Valid sha256 hex string
+    fn sha256_hex() -> impl Strategy<Value = String> {
+        "[0-9a-f]{64}"
+    }
+
+    /// Valid Docker tag (no `..` or `/` which trigger path traversal rejection)
+    fn docker_tag() -> impl Strategy<Value = String> {
+        "[a-zA-Z0-9][a-zA-Z0-9._-]{0,50}".prop_filter("no path traversal", |s| {
+            !s.contains("..") && !s.contains('/')
+        })
+    }
+
+    // === validate_storage_key ===
+
+    proptest! {
+        #[test]
+        fn storage_key_never_panics(s in "\\PC{0,2000}") {
+            let _ = validate_storage_key(&s);
+        }
+
+        #[test]
+        fn storage_key_rejects_path_traversal(
+            prefix in "[a-z]{0,10}",
+            suffix in "[a-z]{0,10}"
+        ) {
+            let key = format!("{}/../{}", prefix, suffix);
+            prop_assert!(validate_storage_key(&key).is_err());
+        }
+
+        #[test]
+        fn storage_key_rejects_absolute(path in "/[a-z/]{1,50}") {
+            prop_assert!(validate_storage_key(&path).is_err());
+        }
+
+        #[test]
+        fn storage_key_accepts_valid(
+            segments in prop::collection::vec("[a-z0-9]{1,20}", 1..5)
+        ) {
+            let key = segments.join("/");
+            prop_assert!(validate_storage_key(&key).is_ok());
+        }
+    }
+
+    // === validate_docker_name ===
+
+    proptest! {
+        #[test]
+        fn docker_name_never_panics(s in "\\PC{0,500}") {
+            let _ = validate_docker_name(&s);
+        }
+
+        #[test]
+        fn docker_name_accepts_valid_single(name in docker_component()) {
+            prop_assert!(validate_docker_name(&name).is_ok());
+        }
+
+        #[test]
+        fn docker_name_accepts_valid_path(
+            components in prop::collection::vec(docker_component(), 1..4)
+        ) {
+            let name = components.join("/");
+            prop_assert!(validate_docker_name(&name).is_ok());
+        }
+
+        #[test]
+        fn docker_name_rejects_uppercase(
+            lower in "[a-z]{1,10}",
+            upper in "[A-Z]{1,10}"
+        ) {
+            let name = format!("{}{}", lower, upper);
+            prop_assert!(validate_docker_name(&name).is_err());
+        }
+    }
+
+    // === validate_digest ===
+
+    proptest! {
+        #[test]
+        fn digest_never_panics(s in "\\PC{0,200}") {
+            let _ = validate_digest(&s);
+        }
+
+        #[test]
+        fn digest_sha256_roundtrip(hash in sha256_hex()) {
+            let digest = format!("sha256:{}", hash);
+            prop_assert!(validate_digest(&digest).is_ok());
+        }
+
+        #[test]
+        fn digest_sha512_roundtrip(hash in "[0-9a-f]{128}") {
+            let digest = format!("sha512:{}", hash);
+            prop_assert!(validate_digest(&digest).is_ok());
+        }
+
+        #[test]
+        fn digest_wrong_algo_rejected(
+            algo in "[a-z]{2,8}",
+            hash in "[0-9a-f]{64}"
+        ) {
+            prop_assume!(algo != "sha256" && algo != "sha512");
+            let digest = format!("{}:{}", algo, hash);
+            prop_assert!(validate_digest(&digest).is_err());
+        }
+    }
+
+    // === validate_docker_reference ===
+
+    proptest! {
+        #[test]
+        fn reference_never_panics(s in "\\PC{0,200}") {
+            let _ = validate_docker_reference(&s);
+        }
+
+        #[test]
+        fn reference_accepts_valid_tag(tag in docker_tag()) {
+            prop_assert!(validate_docker_reference(&tag).is_ok());
+        }
+
+        #[test]
+        fn reference_accepts_valid_digest(hash in sha256_hex()) {
+            let reference = format!("sha256:{}", hash);
+            prop_assert!(validate_docker_reference(&reference).is_ok());
+        }
+
+        #[test]
+        fn reference_rejects_traversal(
+            prefix in "[a-z]{0,5}",
+            suffix in "[a-z]{0,5}"
+        ) {
+            let reference = format!("{}../{}", prefix, suffix);
+            prop_assert!(validate_docker_reference(&reference).is_err());
+        }
+    }
+}

nora-storage/Cargo.toml

@@ -1,28 +0,0 @@
-[package]
-name = "nora-storage"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-authors.workspace = true
-repository.workspace = true
-homepage.workspace = true
-description = "S3-compatible storage server for NORA"
-
-[[bin]]
-name = "nora-storage"
-path = "src/main.rs"
-
-[dependencies]
-tokio.workspace = true
-axum.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-tracing.workspace = true
-tracing-subscriber.workspace = true
-toml = "0.8"
-uuid = { version = "1", features = ["v4"] }
-sha2 = "0.10"
-base64 = "0.22"
-httpdate = "1"
-chrono = { version = "0.4", features = ["serde"] }
-quick-xml = { version = "0.31", features = ["serialize"] }

nora-storage/src/config.rs

@@ -1,44 +0,0 @@
-use serde::{Deserialize, Serialize};
-use std::fs;
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct Config {
-    pub server: ServerConfig,
-    pub storage: StorageConfig,
-}
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct ServerConfig {
-    pub host: String,
-    pub port: u16,
-}
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct StorageConfig {
-    pub data_dir: String,
-    pub max_body_size: usize,
-}
-
-impl Config {
-    pub fn load() -> Self {
-        fs::read_to_string("config.toml")
-            .ok()
-            .and_then(|content| toml::from_str(&content).ok())
-            .unwrap_or_default()
-    }
-}
-
-impl Default for Config {
-    fn default() -> Self {
-        Self {
-            server: ServerConfig {
-                host: String::from("127.0.0.1"),
-                port: 3000,
-            },
-            storage: StorageConfig {
-                data_dir: String::from("data"),
-                max_body_size: 1024 * 1024 * 1024, // 1GB
-            },
-        }
-    }
-}

nora-storage/src/main.rs

@@ -1,310 +0,0 @@
-mod config;
-
-use axum::extract::DefaultBodyLimit;
-use axum::{
-    body::Bytes,
-    extract::{Path, State},
-    http::StatusCode,
-    response::{IntoResponse, Response},
-    routing::{delete, get, put},
-    Router,
-};
-use chrono::Utc;
-use config::Config;
-use quick_xml::se::to_string as to_xml;
-use serde::Serialize;
-use std::fs;
-use std::sync::Arc;
-use tracing::info;
-
-pub struct AppState {
-    pub config: Config,
-}
-
-#[derive(Serialize)]
-#[serde(rename = "ListAllMyBucketsResult")]
-struct ListBucketsResult {
-    #[serde(rename = "Buckets")]
-    buckets: Buckets,
-}
-
-#[derive(Serialize)]
-struct Buckets {
-    #[serde(rename = "Bucket")]
-    bucket: Vec<BucketInfo>,
-}
-
-#[derive(Serialize)]
-struct BucketInfo {
-    #[serde(rename = "Name")]
-    name: String,
-    #[serde(rename = "CreationDate")]
-    creation_date: String,
-}
-
-#[derive(Serialize)]
-#[serde(rename = "ListBucketResult")]
-struct ListObjectsResult {
-    #[serde(rename = "Name")]
-    name: String,
-    #[serde(rename = "Contents")]
-    contents: Vec<ObjectInfo>,
-}
-
-#[derive(Serialize)]
-struct ObjectInfo {
-    #[serde(rename = "Key")]
-    key: String,
-    #[serde(rename = "Size")]
-    size: u64,
-    #[serde(rename = "LastModified")]
-    last_modified: String,
-}
-
-#[derive(Serialize)]
-#[serde(rename = "Error")]
-struct S3Error {
-    #[serde(rename = "Code")]
-    code: String,
-    #[serde(rename = "Message")]
-    message: String,
-}
-
-fn xml_response<T: Serialize>(data: T) -> Response {
-    let xml = format!(
-        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n{}",
-        to_xml(&data).unwrap_or_default()
-    );
-    (
-        StatusCode::OK,
-        [(axum::http::header::CONTENT_TYPE, "application/xml")],
-        xml,
-    )
-        .into_response()
-}
-
-fn error_response(status: StatusCode, code: &str, message: &str) -> Response {
-    let error = S3Error {
-        code: code.to_string(),
-        message: message.to_string(),
-    };
-    let xml = format!(
-        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n{}",
-        to_xml(&error).unwrap_or_default()
-    );
-    (
-        status,
-        [(axum::http::header::CONTENT_TYPE, "application/xml")],
-        xml,
-    )
-        .into_response()
-}
-
-#[tokio::main]
-async fn main() {
-    tracing_subscriber::fmt()
-        .with_env_filter(
-            tracing_subscriber::EnvFilter::from_default_env()
-                .add_directive("nora_storage=info".parse().expect("valid directive")),
-        )
-        .init();
-
-    let config = Config::load();
-    fs::create_dir_all(&config.storage.data_dir).expect("Failed to create data directory");
-
-    let state = Arc::new(AppState {
-        config: config.clone(),
-    });
-
-    let app = Router::new()
-        .route("/", get(list_buckets))
-        .route("/{bucket}", get(list_objects))
-        .route("/{bucket}", put(create_bucket))
-        .route("/{bucket}", delete(delete_bucket))
-        .route("/{bucket}/{*key}", put(put_object))
-        .route("/{bucket}/{*key}", get(get_object))
-        .route("/{bucket}/{*key}", delete(delete_object))
-        .layer(DefaultBodyLimit::max(config.storage.max_body_size))
-        .with_state(state);
-
-    let addr = format!("{}:{}", config.server.host, config.server.port);
-    let listener = tokio::net::TcpListener::bind(&addr)
-        .await
-        .expect("Failed to bind to address");
-
-    info!("nora-storage (S3 compatible) running on http://{}", addr);
-    axum::serve(listener, app)
-        .await
-        .expect("Server error");
-}
-
-async fn list_buckets(State(state): State<Arc<AppState>>) -> Response {
-    let data_dir = &state.config.storage.data_dir;
-    let entries = match fs::read_dir(data_dir) {
-        Ok(e) => e,
-        Err(_) => {
-            return error_response(
-                StatusCode::INTERNAL_SERVER_ERROR,
-                "InternalError",
-                "Failed to read data",
-            )
-        }
-    };
-
-    let bucket_list: Vec<BucketInfo> = entries
-        .filter_map(|e| e.ok())
-        .filter(|e| e.path().is_dir())
-        .filter_map(|e| {
-            let name = e.file_name().into_string().ok()?;
-            let modified = e.metadata().ok()?.modified().ok()?;
-            let datetime: chrono::DateTime<Utc> = modified.into();
-            Some(BucketInfo {
-                name,
-                creation_date: datetime.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
-            })
-        })
-        .collect();
-
-    xml_response(ListBucketsResult {
-        buckets: Buckets {
-            bucket: bucket_list,
-        },
-    })
-}
-
-async fn list_objects(State(state): State<Arc<AppState>>, Path(bucket): Path<String>) -> Response {
-    let bucket_path = format!("{}/{}", state.config.storage.data_dir, bucket);
-
-    if !std::path::Path::new(&bucket_path).is_dir() {
-        return error_response(
-            StatusCode::NOT_FOUND,
-            "NoSuchBucket",
-            "The specified bucket does not exist",
-        );
-    }
-
-    let objects = collect_files(std::path::Path::new(&bucket_path), "");
-    xml_response(ListObjectsResult {
-        name: bucket,
-        contents: objects,
-    })
-}
-
-fn collect_files(dir: &std::path::Path, prefix: &str) -> Vec<ObjectInfo> {
-    let mut objects = Vec::new();
-    if let Ok(entries) = fs::read_dir(dir) {
-        for entry in entries.filter_map(|e| e.ok()) {
-            let path = entry.path();
-            let name = entry.file_name().into_string().unwrap_or_default();
-            let key = if prefix.is_empty() {
-                name.clone()
-            } else {
-                format!("{}/{}", prefix, name)
-            };
-
-            if path.is_dir() {
-                objects.extend(collect_files(&path, &key));
-            } else if let Ok(metadata) = entry.metadata() {
-                if let Ok(modified) = metadata.modified() {
-                    let datetime: chrono::DateTime<Utc> = modified.into();
-                    objects.push(ObjectInfo {
-                        key,
-                        size: metadata.len(),
-                        last_modified: datetime.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
-                    });
-                }
-            }
-        }
-    }
-    objects
-}
-
-async fn create_bucket(State(state): State<Arc<AppState>>, Path(bucket): Path<String>) -> Response {
-    let bucket_path = format!("{}/{}", state.config.storage.data_dir, bucket);
-    match fs::create_dir(&bucket_path) {
-        Ok(_) => (StatusCode::OK, "").into_response(),
-        Err(_) => error_response(
-            StatusCode::CONFLICT,
-            "BucketAlreadyExists",
-            "Bucket already exists",
-        ),
-    }
-}
-
-async fn put_object(
-    State(state): State<Arc<AppState>>,
-    Path((bucket, key)): Path<(String, String)>,
-    body: Bytes,
-) -> Response {
-    let file_path = format!("{}/{}/{}", state.config.storage.data_dir, bucket, key);
-
-    if let Some(parent) = std::path::Path::new(&file_path).parent() {
-        let _ = fs::create_dir_all(parent);
-    }
-
-    match fs::write(&file_path, &body) {
-        Ok(_) => {
-            println!("PUT {}/{} ({} bytes)", bucket, key, body.len());
-            (StatusCode::OK, "").into_response()
-        }
-        Err(e) => {
-            println!("ERROR writing {}/{}: {}", bucket, key, e);
-            error_response(
-                StatusCode::INTERNAL_SERVER_ERROR,
-                "InternalError",
-                "Failed to write object",
-            )
-        }
-    }
-}
-
-async fn get_object(
-    State(state): State<Arc<AppState>>,
-    Path((bucket, key)): Path<(String, String)>,
-) -> Response {
-    let file_path = format!("{}/{}/{}", state.config.storage.data_dir, bucket, key);
-
-    match fs::read(&file_path) {
-        Ok(data) => (StatusCode::OK, data).into_response(),
-        Err(_) => error_response(
-            StatusCode::NOT_FOUND,
-            "NoSuchKey",
-            "The specified key does not exist",
-        ),
-    }
-}
-
-async fn delete_object(
-    State(state): State<Arc<AppState>>,
-    Path((bucket, key)): Path<(String, String)>,
-) -> Response {
-    let file_path = format!("{}/{}/{}", state.config.storage.data_dir, bucket, key);
-
-    match fs::remove_file(&file_path) {
-        Ok(_) => {
-            println!("DELETE {}/{}", bucket, key);
-            (StatusCode::NO_CONTENT, "").into_response()
-        }
-        Err(_) => error_response(
-            StatusCode::NOT_FOUND,
-            "NoSuchKey",
-            "The specified key does not exist",
-        ),
-    }
-}
-
-async fn delete_bucket(State(state): State<Arc<AppState>>, Path(bucket): Path<String>) -> Response {
-    let bucket_path = format!("{}/{}", state.config.storage.data_dir, bucket);
-
-    match fs::remove_dir(&bucket_path) {
-        Ok(_) => {
-            println!("DELETE bucket {}", bucket);
-            (StatusCode::NO_CONTENT, "").into_response()
-        }
-        Err(_) => error_response(
-            StatusCode::CONFLICT,
-            "BucketNotEmpty",
-            "The bucket is not empty",
-        ),
-    }
-}

rust-toolchain.toml

@@ -0,0 +1,3 @@
+[toolchain]
+channel = "stable"
+components = ["clippy", "rustfmt"]

tarpaulin.toml

@@ -0,0 +1,9 @@
+[nora]
+packages = ["nora-registry"]
+engine = "Llvm"
+fail-under = 38
+out = ["Json", "Html"]
+output-dir = "coverage"
+test-timeout = "5m"
+exclude-files = ["nora-registry/src/ui/*", "nora-registry/src/main.rs", "nora-registry/src/openapi.rs"]
+workspace = false

tests/e2e/.gitignore

@@ -0,0 +1,3 @@
+node_modules/
+test-results/
+playwright-report/

tests/e2e/package-lock.json

@@ -0,0 +1,76 @@
+{
+  "name": "nora-e2e",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "nora-e2e",
+      "devDependencies": {
+        "@playwright/test": "^1.50.0"
+      }
+    },
+    "node_modules/@playwright/test": {
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.58.2.tgz",
+      "integrity": "sha512-akea+6bHYBBfA9uQqSYmlJXn61cTa+jbO87xVLCWbTqbWadRVmhxlXATaOjOgcBaWU4ePo0wB41KMFv3o35IXA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright": "1.58.2"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/playwright": {
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.2.tgz",
+      "integrity": "sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright-core": "1.58.2"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "fsevents": "2.3.2"
+      }
+    },
+    "node_modules/playwright-core": {
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.2.tgz",
+      "integrity": "sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "playwright-core": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    }
+  }
+}