style: cargo fmt

- Remove unused DockerAuth::fetch_with_auth() method
- Fix basic_auth_header docstring
- Bump to v0.2.29

.github/workflows/ci.yml

@@ -85,3 +85,93 @@ jobs:
         with:
           sarif_file: trivy-fs.sarif
           category: trivy-fs
+
+  integration:
+    name: Integration
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Build NORA
+        run: cargo build --release --package nora-registry
+
+      # -- Start NORA --
+      - name: Start NORA
+        run: |
+          NORA_STORAGE_PATH=/tmp/nora-data ./target/release/nora &
+          for i in $(seq 1 15); do
+            curl -sf http://localhost:4000/health && break || sleep 2
+          done
+          curl -sf http://localhost:4000/health | jq .
+
+      # -- Docker push/pull --
+      - name: Configure Docker for insecure registry
+        run: |
+          echo '{"insecure-registries": ["localhost:4000"]}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+          sleep 2
+
+      - name: Docker — push and pull image
+        run: |
+          docker pull alpine:3.20
+          docker tag alpine:3.20 localhost:4000/test/alpine:integration
+          docker push localhost:4000/test/alpine:integration
+          docker rmi localhost:4000/test/alpine:integration
+          docker pull localhost:4000/test/alpine:integration
+          echo "Docker push/pull OK"
+
+      - name: Docker — verify catalog and tags
+        run: |
+          curl -sf http://localhost:4000/v2/_catalog | jq .
+          curl -sf http://localhost:4000/v2/test/alpine/tags/list | jq .
+
+      # -- npm (read-only proxy, no publish support yet) --
+      - name: npm — verify registry endpoint
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/npm/lodash)
+          echo "npm endpoint returned: $STATUS"
+          [ "$STATUS" != "000" ] && echo "npm endpoint OK" || (echo "npm endpoint unreachable" && exit 1)
+
+      # -- Maven deploy/download --
+      - name: Maven — deploy and download artifact
+        run: |
+          echo "test-artifact-content-$(date +%s)" > /tmp/test-artifact.jar
+          CHECKSUM=$(sha256sum /tmp/test-artifact.jar | cut -d' ' -f1)
+          curl -sf -X PUT --data-binary @/tmp/test-artifact.jar             http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          curl -sf -o /tmp/downloaded.jar             http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
+          DOWNLOAD_CHECKSUM=$(sha256sum /tmp/downloaded.jar | cut -d' ' -f1)
+          [ "$CHECKSUM" = "$DOWNLOAD_CHECKSUM" ] && echo "Maven deploy/download OK" || (echo "Checksum mismatch!" && exit 1)
+
+      # -- PyPI (read-only proxy, no upload support yet) --
+      - name: PyPI — verify simple index
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/simple/)
+          echo "PyPI simple index returned: $STATUS"
+          [ "$STATUS" = "200" ] && echo "PyPI endpoint OK" || (echo "Expected 200, got $STATUS" && exit 1)
+
+      # -- Cargo (read-only proxy, no publish support yet) --
+      - name: Cargo — verify registry API responds
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/cargo/api/v1/crates/serde)
+          echo "Cargo API returned: $STATUS"
+          [ "$STATUS" != "000" ] && echo "Cargo endpoint OK" || (echo "Cargo endpoint unreachable" && exit 1)
+
+      # -- API checks --
+      - name: API — health, ready, metrics
+        run: |
+          curl -sf http://localhost:4000/health | jq .status
+          curl -sf http://localhost:4000/ready
+          curl -sf http://localhost:4000/metrics | head -5
+          echo "API checks OK"
+
+      - name: Stop NORA
+        if: always()
+        run: pkill nora || true

.github/workflows/release.yml

@@ -72,7 +72,7 @@ jobs:
           push: true
           tags: ${{ steps.meta-alpine.outputs.tags }}
           labels: ${{ steps.meta-alpine.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine,ignore-error=true
           cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine,mode=max
 
       # ── RED OS ───────────────────────────────────────────────────────────────
@@ -98,7 +98,7 @@ jobs:
           push: true
           tags: ${{ steps.meta-redos.outputs.tags }}
           labels: ${{ steps.meta-redos.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos,ignore-error=true
           cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos,mode=max
 
       # ── Astra Linux SE ───────────────────────────────────────────────────────
@@ -124,13 +124,14 @@ jobs:
           push: true
           tags: ${{ steps.meta-astra.outputs.tags }}
           labels: ${{ steps.meta-astra.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra
+          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,ignore-error=true
           cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,mode=max
 
       # ── Smoke test ──────────────────────────────────────────────────────────
       - name: Smoke test — verify alpine image starts and responds
         run: |
-          docker run --rm -d --name nora-smoke -p 5555:5000 \
+          docker rm -f nora-smoke 2>/dev/null || true
+          docker run --rm -d --name nora-smoke -p 5555:4000 -e NORA_HOST=0.0.0.0 \
             ${{ env.NORA }}/${{ env.IMAGE_NAME }}:latest
           for i in $(seq 1 10); do
             curl -sf http://localhost:5555/health && break || sleep 2

.gitleaks.toml

@@ -0,0 +1,8 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+[allowlist]
+  description = "Allowlist for false positives"
+
+  # Documentation examples with placeholder credentials
+  commits = ["92155cf6574d89f93ee68503a7b68455ceaa19af"]

CHANGELOG.md

@@ -4,6 +4,48 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
+## [0.2.29] - 2026-03-15
+
+### Added / Добавлено
+- **Upstream Authentication**: All registry proxies now support Basic Auth credentials for private upstream registries
+- **Аутентификация upstream**: Все прокси реестров теперь поддерживают Basic Auth для приватных upstream-реестров
+  - Docker: `NORA_DOCKER_UPSTREAMS="https://registry.corp.com|user:pass"`
+  - Maven: `NORA_MAVEN_PROXIES="https://nexus.corp.com/maven2|user:pass"`
+  - npm: `NORA_NPM_PROXY_AUTH="user:pass"`
+  - PyPI: `NORA_PYPI_PROXY_AUTH="user:pass"`
+- **Plaintext credential warning**: NORA logs a warning at startup if credentials are stored in config.toml instead of env vars
+- **Предупреждение о plaintext credentials**: NORA логирует предупреждение при старте, если credentials хранятся в config.toml вместо переменных окружения
+
+### Changed / Изменено
+- Extracted `basic_auth_header()` helper for consistent auth across all protocols
+- Вынесен хелпер `basic_auth_header()` для единообразной авторизации всех протоколов
+
+### Removed / Удалено
+- Removed unused `DockerAuth::fetch_with_auth()` method (dead code cleanup)
+- Удалён неиспользуемый метод `DockerAuth::fetch_with_auth()` (очистка мёртвого кода)
+
+---
+
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.28] - 2026-03-13
 
 ### Fixed / Исправлено
@@ -24,6 +66,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.27] - 2026-03-03
 
 ### Added / Добавлено
@@ -40,6 +92,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.26] - 2026-03-03
 
 ### Added / Добавлено
@@ -64,6 +126,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.25] - 2026-03-03
 
 ### Fixed / Исправлено
@@ -90,6 +162,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.24] - 2026-02-24
 
 ### Added / Добавлено
@@ -102,6 +184,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.23] - 2026-02-24
 
 ### Added / Добавлено
@@ -137,6 +229,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.22] - 2026-02-24
 
 ### Changed / Изменено
@@ -145,6 +247,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.21] - 2026-02-24
 
 ### CI/CD
@@ -159,6 +271,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.20] - 2026-02-23
 
 ### Added / Добавлено
@@ -174,6 +296,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.19] - 2026-01-31
 
 ### Added / Добавлено
@@ -188,6 +320,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.18] - 2026-01-31
 
 ### Changed
@@ -195,6 +337,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.17] - 2026-01-31
 
 ### Added
@@ -203,6 +355,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.16] - 2026-01-31
 
 ### Changed
@@ -211,6 +373,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.15] - 2026-01-31
 
 ### Fixed
@@ -218,6 +390,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.14] - 2026-01-31
 
 ### Fixed
@@ -226,6 +408,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.13] - 2026-01-31
 
 ### Fixed
@@ -235,6 +427,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.12] - 2026-01-30
 
 ### Added
@@ -259,6 +461,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.11] - 2026-01-26
 
 ### Added
@@ -268,6 +480,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.10] - 2026-01-26
 
 ### Changed
@@ -275,6 +497,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.9] - 2026-01-26
 
 ### Changed
@@ -282,6 +514,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.8] - 2026-01-26
 
 ### Added
@@ -289,6 +531,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.7] - 2026-01-26
 
 ### Added
@@ -296,6 +548,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.6] - 2026-01-26
 
 ### Added
@@ -310,6 +572,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.5] - 2026-01-26
 
 ### Fixed
@@ -317,6 +589,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.4] - 2026-01-26
 
 ### Fixed
@@ -325,6 +607,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.0] - 2026-01-25
 
 ### Added
@@ -395,6 +687,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.1.0] - 2026-01-24
 
 ### Added
@@ -414,12 +716,32 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 # Журнал изменений (RU)
 
 Все значимые изменения NORA документируются в этом файле.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.12] - 2026-01-30
 
 ### Добавлено
@@ -444,6 +766,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.11] - 2026-01-26
 
 ### Добавлено
@@ -453,6 +785,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.10] - 2026-01-26
 
 ### Изменено
@@ -460,6 +802,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.9] - 2026-01-26
 
 ### Изменено
@@ -467,6 +819,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.8] - 2026-01-26
 
 ### Добавлено
@@ -474,6 +836,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.7] - 2026-01-26
 
 ### Добавлено
@@ -481,6 +853,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.6] - 2026-01-26
 
 ### Добавлено
@@ -495,6 +877,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.5] - 2026-01-26
 
 ### Исправлено
@@ -502,6 +894,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.4] - 2026-01-26
 
 ### Исправлено
@@ -510,6 +912,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.2.0] - 2026-01-25
 
 ### Добавлено
@@ -580,6 +992,16 @@ All notable changes to NORA will be documented in this file.
 
 ---
 
+## [0.2.30] - 2026-03-16
+
+### Fixed / Исправлено
+- **Dashboard**: Docker upstream now shown in mount points table (was null)
+- **Dashboard**: Docker namespaced repositories (library/alpine, grafana/grafana) now visible in UI
+- **Dashboard**: npm proxy-cached packages now appear in package list
+- **Dashboard**: Отображение Docker upstream в таблице точек монтирования (было null)
+- **Dashboard**: Namespaced Docker-репозитории (library/alpine, grafana/grafana) теперь видны в UI
+- **Dashboard**: npm-пакеты из прокси-кеша теперь отображаются в списке пакетов
+
 ## [0.1.0] - 2026-01-24
 
 ### Добавлено

Cargo.lock

@@ -1247,7 +1247,7 @@ checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"
 
 [[package]]
 name = "nora-cli"
-version = "0.2.28"
+version = "0.2.30"
 dependencies = [
  "clap",
  "flate2",
@@ -1261,7 +1261,7 @@ dependencies = [
 
 [[package]]
 name = "nora-registry"
-version = "0.2.28"
+version = "0.2.30"
 dependencies = [
  "async-trait",
  "axum",
@@ -1299,7 +1299,7 @@ dependencies = [
 
 [[package]]
 name = "nora-storage"
-version = "0.2.28"
+version = "0.2.30"
 dependencies = [
  "axum",
  "base64",

Cargo.toml

@@ -7,7 +7,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.2.28"
+version = "0.2.30"
 edition = "2021"
 license = "MIT"
 authors = ["DevITWay <devitway@gmail.com>"]

README.md

@@ -7,11 +7,11 @@
 [![Docs](https://img.shields.io/badge/docs-getnora.dev-green?logo=gitbook)](https://getnora.dev)
 [![Telegram](https://img.shields.io/badge/Telegram-Community-blue?logo=telegram)](https://t.me/getnora)
 
-> **Your Cloud-Native Artifact Registry**
+> **Multi-protocol artifact registry that doesn't suck.**
+>
+> One binary. All protocols. Stupidly fast.
 
-Fast. Organized. Feel at Home.
-
-**10x faster** than Nexus | **< 100 MB RAM** | **32 MB Docker image**
+**32 MB** binary | **< 100 MB** RAM | **3s** startup | **5** protocols
 
 ## Features
 
@@ -36,8 +36,10 @@ Fast. Organized. Feel at Home.
 
 - **Security**
   - Basic Auth (htpasswd + bcrypt)
-  - Revocable API tokens
+  - Revocable API tokens with RBAC
   - ENV-based configuration (12-Factor)
+  - SBOM (SPDX + CycloneDX) in every release
+  - See [SECURITY.md](SECURITY.md) for vulnerability reporting
 
 ## Quick Start
 
@@ -111,37 +113,14 @@ curl -u admin:yourpassword http://localhost:4000/v2/_catalog
 
 ### API Tokens (RBAC)
 
-Tokens support three roles: `read`, `write`, `admin`.
-
-```bash
-# Create a write token (30 days TTL)
-curl -s -X POST http://localhost:4000/api/tokens \
-  -H "Content-Type: application/json" \
-  -d '{"username":"admin","password":"yourpassword","role":"write","ttl_days":90,"description":"CI/CD"}'
-
-# Use token with Docker
-docker login localhost:4000 -u token -p nra_<token>
-
-# Use token with curl
-curl -H "Authorization: Bearer nra_<token>" http://localhost:4000/v2/_catalog
-
-# List tokens
-curl -s -X POST http://localhost:4000/api/tokens/list \
-  -H "Content-Type: application/json" \
-  -d '{"username":"admin","password":"yourpassword"}'
-
-# Revoke token by hash prefix
-curl -s -X POST http://localhost:4000/api/tokens/revoke \
-  -H "Content-Type: application/json" \
-  -d '{"username":"admin","password":"yourpassword","hash_prefix":"<first 16 chars>"}'
-```
-
 | Role | Pull/Read | Push/Write | Delete/Admin |
 |------|-----------|------------|--------------|
 | `read` | Yes | No | No |
 | `write` | Yes | Yes | No |
 | `admin` | Yes | Yes | Yes |
 
+See [Authentication guide](https://getnora.dev/configuration/authentication/) for token management, Docker login, and CI/CD integration.
+
 ## CLI Commands
 
 ```bash
@@ -161,18 +140,10 @@ nora migrate --from local --to s3
 | `NORA_HOST` | 127.0.0.1 | Bind address |
 | `NORA_PORT` | 4000 | Port |
 | `NORA_STORAGE_MODE` | local | `local` or `s3` |
-| `NORA_STORAGE_PATH` | data/storage | Local storage path |
-| `NORA_STORAGE_S3_URL` | - | S3 endpoint URL |
-| `NORA_STORAGE_BUCKET` | registry | S3 bucket name |
 | `NORA_AUTH_ENABLED` | false | Enable authentication |
-| `NORA_RATE_LIMIT_AUTH_RPS` | 1 | Auth requests per second |
-| `NORA_RATE_LIMIT_AUTH_BURST` | 5 | Auth burst size |
-| `NORA_RATE_LIMIT_UPLOAD_RPS` | 200 | Upload requests per second |
-| `NORA_RATE_LIMIT_UPLOAD_BURST` | 500 | Upload burst size |
-| `NORA_RATE_LIMIT_GENERAL_RPS` | 100 | General requests per second |
-| `NORA_RATE_LIMIT_GENERAL_BURST` | 200 | General burst size |
-| `NORA_SECRETS_PROVIDER` | env | Secrets provider (`env`) |
-| `NORA_SECRETS_CLEAR_ENV` | false | Clear env vars after reading |
+| `NORA_DOCKER_UPSTREAMS` | `https://registry-1.docker.io` | Docker upstreams (`url\|user:pass,...`) |
+
+See [full configuration reference](https://getnora.dev/configuration/settings/) for all environment variables including storage, rate limiting, proxy auth, and secrets.
 
 ### config.toml
 
@@ -189,24 +160,15 @@ path = "data/storage"
 enabled = false
 htpasswd_file = "users.htpasswd"
 
-[rate_limit]
-# Strict limits for authentication (brute-force protection)
-auth_rps = 1
-auth_burst = 5
-# High limits for CI/CD upload workloads
-upload_rps = 200
-upload_burst = 500
-# Balanced limits for general API endpoints
-general_rps = 100
-general_burst = 200
+[docker]
+proxy_timeout = 60
 
-[secrets]
-# Provider: env (default), aws-secrets, vault, k8s (coming soon)
-provider = "env"
-# Clear environment variables after reading (security hardening)
-clear_env = false
+[[docker.upstreams]]
+url = "https://registry-1.docker.io"
 ```
 
+See [full config reference](https://getnora.dev/configuration/settings/) for rate limiting, secrets, proxy auth, and all options.
+
 ## Endpoints
 
 | URL | Description |
@@ -224,20 +186,7 @@ clear_env = false
 
 ## TLS / HTTPS
 
-NORA serves plain HTTP by design. **TLS is intentionally not built into the binary** — this is a deliberate architectural decision:
-
-- **Single responsibility**: NORA manages artifacts, not certificates. Embedding TLS means bundling Let's Encrypt clients, certificate renewal logic, ACME challenges, and custom CA support — all of which already exist in battle-tested tools.
-- **Operational simplicity**: One place for certificates (reverse proxy), not scattered across every service. When a cert expires, you fix it in one config — not in NORA, Grafana, GitLab, and every other service separately.
-- **Industry standard**: Docker Hub, GitHub Container Registry, AWS ECR, Harbor, Nexus — none of them terminate TLS in the registry process. A reverse proxy in front is the universal pattern.
-- **Zero-config internal use**: On trusted networks (lab, CI/CD), NORA works out of the box without generating self-signed certs or managing keystores.
-
-### Production (recommended): reverse proxy with auto-TLS
-
-```
-Client → Caddy/Nginx (HTTPS, port 443) → NORA (HTTP, port 4000)
-```
-
-Caddy example:
+NORA serves plain HTTP. Use a reverse proxy for TLS:
 
 ```
 registry.example.com {
@@ -245,27 +194,7 @@ registry.example.com {
 }
 ```
 
-Nginx example:
-
-```nginx
-server {
-    listen 443 ssl;
-    server_name registry.example.com;
-    ssl_certificate     /etc/letsencrypt/live/registry.example.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/registry.example.com/privkey.pem;
-    client_max_body_size 0;  # unlimited for large image pushes
-    location / {
-        proxy_pass http://127.0.0.1:4000;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-```
-
-### Internal / Lab: insecure registry
-
-If you run NORA without TLS (e.g., on a private network), configure Docker to trust it:
+For internal networks without TLS, configure Docker:
 
 ```json
 // /etc/docker/daemon.json
@@ -274,24 +203,11 @@ If you run NORA without TLS (e.g., on a private network), configure Docker to tr
 }
 ```
 
-Then restart Docker:
-
-```bash
-sudo systemctl restart docker
-```
-
-> **Note:** `insecure-registries` disables TLS verification for that host. Use only on trusted networks.
+See [TLS / HTTPS guide](https://getnora.dev/configuration/tls/) for Nginx, Traefik, and custom CA setup.
 
 ## FSTEC-Certified OS Builds
 
-NORA provides dedicated Dockerfiles for Russian FSTEC-certified operating systems:
-
-- `Dockerfile.astra` — Astra Linux SE (for government and defense sector)
-- `Dockerfile.redos` — RED OS (for enterprise and public sector)
-
-Both use `scratch` base with statically-linked binary for minimal attack surface. Comments in each file show how to switch to official distro base images if required by your security policy.
-
-These builds are published as `-astra` and `-redos` tagged images in GitHub Releases.
+Dedicated builds for Astra Linux SE and RED OS are published as `-astra` and `-redos` tagged images in every [GitHub Release](https://github.com/getnora-io/nora/releases). Both use `scratch` base with statically-linked binary.
 
 ## Performance
 
@@ -301,11 +217,21 @@ These builds are published as `-astra` and `-redos` tagged images in GitHub Rele
 | Memory | < 100 MB | 2-4 GB | 2-4 GB |
 | Image Size | 32 MB | 600+ MB | 1+ GB |
 
+## Roadmap
+
+- **OIDC / Workload Identity** — zero-secret auth for GitHub Actions, GitLab CI
+- **Online Garbage Collection** — non-blocking cleanup without registry downtime
+- **Retention Policies** — declarative rules: keep last N tags, delete older than X days
+- **Image Signing** — cosign/notation verification and policy enforcement
+- **Replication** — push/pull sync between NORA instances
+
+See [CHANGELOG.md](CHANGELOG.md) for release history.
+
 ## Author
 
 **Created and maintained by [DevITWay](https://github.com/devitway)**
 
-- Website: [getnora.io](https://getnora.io)
+- Website: [getnora.dev](https://getnora.dev)
 - Telegram: [@DevITWay](https://t.me/DevITWay)
 - GitHub: [@devitway](https://github.com/devitway)
 - Email: devitway@gmail.com

nora-registry/src/config.rs

@@ -1,12 +1,18 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT
 
+use base64::{engine::general_purpose::STANDARD, Engine};
 use serde::{Deserialize, Serialize};
 use std::env;
 use std::fs;
 
 pub use crate::secrets::SecretsConfig;
 
+/// Encode "user:pass" into a Basic Auth header value, e.g. "Basic dXNlcjpwYXNz".
+pub fn basic_auth_header(credentials: &str) -> String {
+    format!("Basic {}", STANDARD.encode(credentials))
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Config {
     pub server: ServerConfig,
@@ -93,7 +99,7 @@ fn default_bucket() -> String {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct MavenConfig {
     #[serde(default)]
-    pub proxies: Vec<String>,
+    pub proxies: Vec<MavenProxyEntry>,
     #[serde(default = "default_timeout")]
     pub proxy_timeout: u64,
 }
@@ -102,6 +108,8 @@ pub struct MavenConfig {
 pub struct NpmConfig {
     #[serde(default)]
     pub proxy: Option<String>,
+    #[serde(default)]
+    pub proxy_auth: Option<String>, // "user:pass" for basic auth
     #[serde(default = "default_timeout")]
     pub proxy_timeout: u64,
 }
@@ -110,6 +118,8 @@ pub struct NpmConfig {
 pub struct PypiConfig {
     #[serde(default)]
     pub proxy: Option<String>,
+    #[serde(default)]
+    pub proxy_auth: Option<String>, // "user:pass" for basic auth
     #[serde(default = "default_timeout")]
     pub proxy_timeout: u64,
 }
@@ -131,6 +141,37 @@ pub struct DockerUpstream {
     pub auth: Option<String>, // "user:pass" for basic auth
 }
 
+/// Maven upstream proxy configuration
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum MavenProxyEntry {
+    Simple(String),
+    Full(MavenProxy),
+}
+
+/// Maven upstream proxy with optional auth
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct MavenProxy {
+    pub url: String,
+    #[serde(default)]
+    pub auth: Option<String>, // "user:pass" for basic auth
+}
+
+impl MavenProxyEntry {
+    pub fn url(&self) -> &str {
+        match self {
+            MavenProxyEntry::Simple(s) => s,
+            MavenProxyEntry::Full(p) => &p.url,
+        }
+    }
+    pub fn auth(&self) -> Option<&str> {
+        match self {
+            MavenProxyEntry::Simple(_) => None,
+            MavenProxyEntry::Full(p) => p.auth.as_deref(),
+        }
+    }
+}
+
 /// Raw repository configuration for simple file storage
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct RawConfig {
@@ -177,7 +218,9 @@ fn default_timeout() -> u64 {
 impl Default for MavenConfig {
     fn default() -> Self {
         Self {
-            proxies: vec!["https://repo1.maven.org/maven2".to_string()],
+            proxies: vec![MavenProxyEntry::Simple(
+                "https://repo1.maven.org/maven2".to_string(),
+            )],
             proxy_timeout: 30,
         }
     }
@@ -187,6 +230,7 @@ impl Default for NpmConfig {
     fn default() -> Self {
         Self {
             proxy: Some("https://registry.npmjs.org".to_string()),
+            proxy_auth: None,
             proxy_timeout: 30,
         }
     }
@@ -196,6 +240,7 @@ impl Default for PypiConfig {
     fn default() -> Self {
         Self {
             proxy: Some("https://pypi.org/simple/".to_string()),
+            proxy_auth: None,
             proxy_timeout: 30,
         }
     }
@@ -309,6 +354,37 @@ impl Default for RateLimitConfig {
 }
 
 impl Config {
+    /// Warn if credentials are configured via config.toml (not env vars)
+    pub fn warn_plaintext_credentials(&self) {
+        // Docker upstreams
+        for (i, upstream) in self.docker.upstreams.iter().enumerate() {
+            if upstream.auth.is_some() && std::env::var("NORA_DOCKER_UPSTREAMS").is_err() {
+                tracing::warn!(
+                    upstream_index = i,
+                    url = %upstream.url,
+                    "Docker upstream credentials in config.toml are plaintext — consider NORA_DOCKER_UPSTREAMS env var"
+                );
+            }
+        }
+        // Maven proxies
+        for proxy in &self.maven.proxies {
+            if proxy.auth().is_some() && std::env::var("NORA_MAVEN_PROXIES").is_err() {
+                tracing::warn!(
+                    url = %proxy.url(),
+                    "Maven proxy credentials in config.toml are plaintext — consider NORA_MAVEN_PROXIES env var"
+                );
+            }
+        }
+        // npm
+        if self.npm.proxy_auth.is_some() && std::env::var("NORA_NPM_PROXY_AUTH").is_err() {
+            tracing::warn!("npm proxy credentials in config.toml are plaintext — consider NORA_NPM_PROXY_AUTH env var");
+        }
+        // PyPI
+        if self.pypi.proxy_auth.is_some() && std::env::var("NORA_PYPI_PROXY_AUTH").is_err() {
+            tracing::warn!("PyPI proxy credentials in config.toml are plaintext — consider NORA_PYPI_PROXY_AUTH env var");
+        }
+    }
+
     /// Load configuration with priority: ENV > config.toml > defaults
     pub fn load() -> Self {
         // 1. Start with defaults
@@ -377,9 +453,23 @@ impl Config {
             self.auth.htpasswd_file = val;
         }
 
-        // Maven config
+        // Maven config — supports "url1,url2" or "url1|auth1,url2|auth2"
         if let Ok(val) = env::var("NORA_MAVEN_PROXIES") {
-            self.maven.proxies = val.split(',').map(|s| s.trim().to_string()).collect();
+            self.maven.proxies = val
+                .split(',')
+                .filter(|s| !s.is_empty())
+                .map(|s| {
+                    let parts: Vec<&str> = s.trim().splitn(2, '|').collect();
+                    if parts.len() > 1 {
+                        MavenProxyEntry::Full(MavenProxy {
+                            url: parts[0].to_string(),
+                            auth: Some(parts[1].to_string()),
+                        })
+                    } else {
+                        MavenProxyEntry::Simple(parts[0].to_string())
+                    }
+                })
+                .collect();
         }
         if let Ok(val) = env::var("NORA_MAVEN_PROXY_TIMEOUT") {
             if let Ok(timeout) = val.parse() {
@@ -397,6 +487,11 @@ impl Config {
             }
         }
 
+        // npm proxy auth
+        if let Ok(val) = env::var("NORA_NPM_PROXY_AUTH") {
+            self.npm.proxy_auth = if val.is_empty() { None } else { Some(val) };
+        }
+
         // PyPI config
         if let Ok(val) = env::var("NORA_PYPI_PROXY") {
             self.pypi.proxy = if val.is_empty() { None } else { Some(val) };
@@ -407,6 +502,11 @@ impl Config {
             }
         }
 
+        // PyPI proxy auth
+        if let Ok(val) = env::var("NORA_PYPI_PROXY_AUTH") {
+            self.pypi.proxy_auth = if val.is_empty() { None } else { Some(val) };
+        }
+
         // Docker config
         if let Ok(val) = env::var("NORA_DOCKER_PROXY_TIMEOUT") {
             if let Ok(timeout) = val.parse() {

nora-registry/src/main.rs

@@ -289,6 +289,9 @@ async fn run_server(config: Config, storage: Storage) {
     let storage_path = config.storage.path.clone();
     let rate_limit_enabled = config.rate_limit.enabled;
 
+    // Warn about plaintext credentials in config.toml
+    config.warn_plaintext_credentials();
+
     // Initialize Docker auth with proxy timeout
     let docker_auth = registry::DockerAuth::new(config.docker.proxy_timeout);
 

nora-registry/src/openapi.rs

@@ -5,7 +5,6 @@
 //!
 //! Functions in this module are stubs used only for generating OpenAPI documentation.
 
-
 #![allow(dead_code)] // utoipa doc stubs — not called at runtime, used by derive macros
 
 use axum::Router;

nora-registry/src/registry/docker.rs

@@ -3,6 +3,7 @@
 
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::registry::docker_auth::DockerAuth;
 use crate::storage::Storage;
 use crate::validation::{validate_digest, validate_docker_name, validate_docker_reference};
@@ -181,6 +182,7 @@ async fn download_blob(
             &digest,
             &state.docker_auth,
             state.config.docker.proxy_timeout,
+            upstream.auth.as_deref(),
         )
         .await
         {
@@ -392,6 +394,7 @@ async fn get_manifest(
             &reference,
             &state.docker_auth,
             state.config.docker.proxy_timeout,
+            upstream.auth.as_deref(),
         )
         .await
         {
@@ -733,6 +736,7 @@ async fn fetch_blob_from_upstream(
     digest: &str,
     docker_auth: &DockerAuth,
     timeout: u64,
+    basic_auth: Option<&str>,
 ) -> Result<Vec<u8>, ()> {
     let url = format!(
         "{}/v2/{}/blobs/{}",
@@ -741,13 +745,12 @@ async fn fetch_blob_from_upstream(
         digest
     );
 
-    // First try without auth
-    let response = client
-        .get(&url)
-        .timeout(Duration::from_secs(timeout))
-        .send()
-        .await
-        .map_err(|_| ())?;
+    // First try — with basic auth if configured
+    let mut request = client.get(&url).timeout(Duration::from_secs(timeout));
+    if let Some(credentials) = basic_auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     let response = if response.status() == reqwest::StatusCode::UNAUTHORIZED {
         // Get Www-Authenticate header and fetch token
@@ -758,7 +761,7 @@ async fn fetch_blob_from_upstream(
             .map(String::from);
 
         if let Some(token) = docker_auth
-            .get_token(upstream_url, name, www_auth.as_deref())
+            .get_token(upstream_url, name, www_auth.as_deref(), basic_auth)
             .await
         {
             client
@@ -790,6 +793,7 @@ async fn fetch_manifest_from_upstream(
     reference: &str,
     docker_auth: &DockerAuth,
     timeout: u64,
+    basic_auth: Option<&str>,
 ) -> Result<(Vec<u8>, String), ()> {
     let url = format!(
         "{}/v2/{}/manifests/{}",
@@ -806,16 +810,17 @@ async fn fetch_manifest_from_upstream(
                          application/vnd.oci.image.manifest.v1+json, \
                          application/vnd.oci.image.index.v1+json";
 
-    // First try without auth
-    let response = client
+    // First try — with basic auth if configured
+    let mut request = client
         .get(&url)
         .timeout(Duration::from_secs(timeout))
-        .header("Accept", accept_header)
-        .send()
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, url = %url, "Failed to send request to upstream");
-        })?;
+        .header("Accept", accept_header);
+    if let Some(credentials) = basic_auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|e| {
+        tracing::error!(error = %e, url = %url, "Failed to send request to upstream");
+    })?;
 
     tracing::debug!(status = %response.status(), "Initial upstream response");
 
@@ -830,7 +835,7 @@ async fn fetch_manifest_from_upstream(
         tracing::debug!(www_auth = ?www_auth, "Got 401, fetching token");
 
         if let Some(token) = docker_auth
-            .get_token(upstream_url, name, www_auth.as_deref())
+            .get_token(upstream_url, name, www_auth.as_deref(), basic_auth)
             .await
         {
             tracing::debug!("Token acquired, retrying with auth");

nora-registry/src/registry/docker_auth.rs

@@ -1,6 +1,7 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT
 
+use crate::config::basic_auth_header;
 use parking_lot::RwLock;
 use std::collections::HashMap;
 use std::time::{Duration, Instant};
@@ -36,6 +37,7 @@ impl DockerAuth {
         registry_url: &str,
         name: &str,
         www_authenticate: Option<&str>,
+        basic_auth: Option<&str>,
     ) -> Option<String> {
         let cache_key = format!("{}:{}", registry_url, name);
 
@@ -51,7 +53,7 @@ impl DockerAuth {
 
         // Need to fetch a new token
         let www_auth = www_authenticate?;
-        let token = self.fetch_token(www_auth, name).await?;
+        let token = self.fetch_token(www_auth, name, basic_auth).await?;
 
         // Cache the token (default 5 minute expiry)
         {
@@ -70,7 +72,12 @@ impl DockerAuth {
 
     /// Parse Www-Authenticate header and fetch token from auth server
     /// Format: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/alpine:pull"
-    async fn fetch_token(&self, www_authenticate: &str, name: &str) -> Option<String> {
+    async fn fetch_token(
+        &self,
+        www_authenticate: &str,
+        name: &str,
+        basic_auth: Option<&str>,
+    ) -> Option<String> {
         let params = parse_www_authenticate(www_authenticate)?;
 
         let realm = params.get("realm")?;
@@ -82,7 +89,13 @@ impl DockerAuth {
 
         tracing::debug!(url = %url, "Fetching auth token");
 
-        let response = self.client.get(&url).send().await.ok()?;
+        let mut request = self.client.get(&url);
+        if let Some(credentials) = basic_auth {
+            request = request.header("Authorization", basic_auth_header(credentials));
+            tracing::debug!("Using basic auth for token request");
+        }
+
+        let response = request.send().await.ok()?;
 
         if !response.status().is_success() {
             tracing::warn!(status = %response.status(), "Token request failed");
@@ -97,44 +110,6 @@ impl DockerAuth {
             .and_then(|v| v.as_str())
             .map(String::from)
     }
-
-    /// Make an authenticated request to an upstream registry
-    pub async fn fetch_with_auth(
-        &self,
-        url: &str,
-        registry_url: &str,
-        name: &str,
-    ) -> Result<reqwest::Response, ()> {
-        // First try without auth
-        let response = self.client.get(url).send().await.map_err(|_| ())?;
-
-        if response.status() == reqwest::StatusCode::UNAUTHORIZED {
-            // Extract Www-Authenticate header
-            let www_auth = response
-                .headers()
-                .get("www-authenticate")
-                .and_then(|v| v.to_str().ok())
-                .map(String::from);
-
-            // Get token and retry
-            if let Some(token) = self
-                .get_token(registry_url, name, www_auth.as_deref())
-                .await
-            {
-                return self
-                    .client
-                    .get(url)
-                    .header("Authorization", format!("Bearer {}", token))
-                    .send()
-                    .await
-                    .map_err(|_| ());
-            }
-
-            return Err(());
-        }
-
-        Ok(response)
-    }
 }
 
 impl Default for DockerAuth {

nora-registry/src/registry/maven.rs

@@ -3,6 +3,7 @@
 
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
     body::Bytes,
@@ -49,10 +50,17 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
         return with_content_type(&path, data).into_response();
     }
 
-    for proxy_url in &state.config.maven.proxies {
-        let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
+    for proxy in &state.config.maven.proxies {
+        let url = format!("{}/{}", proxy.url().trim_end_matches('/'), path);
 
-        match fetch_from_proxy(&state.http_client, &url, state.config.maven.proxy_timeout).await {
+        match fetch_from_proxy(
+            &state.http_client,
+            &url,
+            state.config.maven.proxy_timeout,
+            proxy.auth(),
+        )
+        .await
+        {
             Ok(data) => {
                 state.metrics.record_download("maven");
                 state.metrics.record_cache_miss();
@@ -124,13 +132,13 @@ async fn fetch_from_proxy(
     client: &reqwest::Client,
     url: &str,
     timeout_secs: u64,
+    auth: Option<&str>,
 ) -> Result<Vec<u8>, ()> {
-    let response = client
-        .get(url)
-        .timeout(Duration::from_secs(timeout_secs))
-        .send()
-        .await
-        .map_err(|_| ())?;
+    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     if !response.status().is_success() {
         return Err(());

nora-registry/src/registry/npm.rs

@@ -3,6 +3,7 @@
 
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
     body::Bytes,
@@ -59,8 +60,13 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
     if let Some(proxy_url) = &state.config.npm.proxy {
         let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
 
-        if let Ok(data) =
-            fetch_from_proxy(&state.http_client, &url, state.config.npm.proxy_timeout).await
+        if let Ok(data) = fetch_from_proxy(
+            &state.http_client,
+            &url,
+            state.config.npm.proxy_timeout,
+            state.config.npm.proxy_auth.as_deref(),
+        )
+        .await
         {
             if is_tarball {
                 state.metrics.record_download("npm");
@@ -98,13 +104,13 @@ async fn fetch_from_proxy(
     client: &reqwest::Client,
     url: &str,
     timeout_secs: u64,
+    auth: Option<&str>,
 ) -> Result<Vec<u8>, ()> {
-    let response = client
-        .get(url)
-        .timeout(Duration::from_secs(timeout_secs))
-        .send()
-        .await
-        .map_err(|_| ())?;
+    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     if !response.status().is_success() {
         return Err(());

nora-registry/src/registry/pypi.rs

@@ -3,6 +3,7 @@
 
 use crate::activity_log::{ActionType, ActivityEntry};
 use crate::audit::AuditEntry;
+use crate::config::basic_auth_header;
 use crate::AppState;
 use axum::{
     extract::{Path, State},
@@ -86,8 +87,13 @@ async fn package_versions(
     if let Some(proxy_url) = &state.config.pypi.proxy {
         let url = format!("{}/{}/", proxy_url.trim_end_matches('/'), normalized);
 
-        if let Ok(html) =
-            fetch_package_page(&state.http_client, &url, state.config.pypi.proxy_timeout).await
+        if let Ok(html) = fetch_package_page(
+            &state.http_client,
+            &url,
+            state.config.pypi.proxy_timeout,
+            state.config.pypi.proxy_auth.as_deref(),
+        )
+        .await
         {
             // Rewrite URLs in the HTML to point to our registry
             let rewritten = rewrite_pypi_links(&html, &normalized);
@@ -140,6 +146,7 @@ async fn download_file(
             &state.http_client,
             &page_url,
             state.config.pypi.proxy_timeout,
+            state.config.pypi.proxy_auth.as_deref(),
         )
         .await
         {
@@ -149,6 +156,7 @@ async fn download_file(
                     &state.http_client,
                     &file_url,
                     state.config.pypi.proxy_timeout,
+                    state.config.pypi.proxy_auth.as_deref(),
                 )
                 .await
                 {
@@ -202,14 +210,16 @@ async fn fetch_package_page(
     client: &reqwest::Client,
     url: &str,
     timeout_secs: u64,
+    auth: Option<&str>,
 ) -> Result<String, ()> {
-    let response = client
+    let mut request = client
         .get(url)
         .timeout(Duration::from_secs(timeout_secs))
-        .header("Accept", "text/html")
-        .send()
-        .await
-        .map_err(|_| ())?;
+        .header("Accept", "text/html");
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     if !response.status().is_success() {
         return Err(());
@@ -219,13 +229,17 @@ async fn fetch_package_page(
 }
 
 /// Fetch file from upstream
-async fn fetch_file(client: &reqwest::Client, url: &str, timeout_secs: u64) -> Result<Vec<u8>, ()> {
-    let response = client
-        .get(url)
-        .timeout(Duration::from_secs(timeout_secs))
-        .send()
-        .await
-        .map_err(|_| ())?;
+async fn fetch_file(
+    client: &reqwest::Client,
+    url: &str,
+    timeout_secs: u64,
+    auth: Option<&str>,
+) -> Result<Vec<u8>, ()> {
+    let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
+    if let Some(credentials) = auth {
+        request = request.header("Authorization", basic_auth_header(credentials));
+    }
+    let response = request.send().await.map_err(|_| ())?;
 
     if !response.status().is_success() {
         return Err(());

nora-registry/src/repo_index.rs

@@ -173,35 +173,39 @@ async fn build_docker_index(storage: &Storage) -> Vec<RepoInfo> {
         }
 
         if let Some(rest) = key.strip_prefix("docker/") {
-            let parts: Vec<_> = rest.split('/').collect();
-            if parts.len() >= 3 && parts[1] == "manifests" && key.ends_with(".json") {
-                let name = parts[0].to_string();
-                let entry = repos.entry(name).or_insert((0, 0, 0));
-                entry.0 += 1;
+            // Support namespaced repos: docker/{ns}/{name}/manifests/{tag}.json
+            // and flat repos: docker/{name}/manifests/{tag}.json
+            if let Some(manifests_pos) = rest.find("/manifests/") {
+                let name = rest[..manifests_pos].to_string();
+                let after_manifests = &rest[manifests_pos + "/manifests/".len()..];
+                if !after_manifests.is_empty() && key.ends_with(".json") {
+                    let entry = repos.entry(name).or_insert((0, 0, 0));
+                    entry.0 += 1;
 
-                if let Ok(data) = storage.get(key).await {
-                    if let Ok(m) = serde_json::from_slice::<serde_json::Value>(&data) {
-                        let cfg = m
-                            .get("config")
-                            .and_then(|c| c.get("size"))
-                            .and_then(|s| s.as_u64())
-                            .unwrap_or(0);
-                        let layers: u64 = m
-                            .get("layers")
-                            .and_then(|l| l.as_array())
-                            .map(|arr| {
-                                arr.iter()
-                                    .filter_map(|l| l.get("size").and_then(|s| s.as_u64()))
-                                    .sum()
-                            })
-                            .unwrap_or(0);
-                        entry.1 += cfg + layers;
+                    if let Ok(data) = storage.get(key).await {
+                        if let Ok(m) = serde_json::from_slice::<serde_json::Value>(&data) {
+                            let cfg = m
+                                .get("config")
+                                .and_then(|c| c.get("size"))
+                                .and_then(|s| s.as_u64())
+                                .unwrap_or(0);
+                            let layers: u64 = m
+                                .get("layers")
+                                .and_then(|l| l.as_array())
+                                .map(|arr| {
+                                    arr.iter()
+                                        .filter_map(|l| l.get("size").and_then(|s| s.as_u64()))
+                                        .sum()
+                                })
+                                .unwrap_or(0);
+                            entry.1 += cfg + layers;
+                        }
                     }
-                }
 
-                if let Some(meta) = storage.stat(key).await {
-                    if meta.modified > entry.2 {
-                        entry.2 = meta.modified;
+                    if let Some(meta) = storage.stat(key).await {
+                        if meta.modified > entry.2 {
+                            entry.2 = meta.modified;
+                        }
                     }
                 }
             }
@@ -240,11 +244,11 @@ async fn build_npm_index(storage: &Storage) -> Vec<RepoInfo> {
     let keys = storage.list("npm/").await;
     let mut packages: HashMap<String, (usize, u64, u64)> = HashMap::new();
 
-    // Count tarballs instead of parsing metadata.json (faster than parsing JSON)
+    // Count tarballs first, then fall back to metadata.json for proxy-cached packages
     for key in &keys {
         if let Some(rest) = key.strip_prefix("npm/") {
-            // Pattern: npm/{package}/tarballs/{file}.tgz
             if rest.contains("/tarballs/") && key.ends_with(".tgz") {
+                // Pattern: npm/{package}/tarballs/{file}.tgz
                 let parts: Vec<_> = rest.split('/').collect();
                 if !parts.is_empty() {
                     let name = parts[0].to_string();
@@ -258,6 +262,21 @@ async fn build_npm_index(storage: &Storage) -> Vec<RepoInfo> {
                         }
                     }
                 }
+            } else if rest.ends_with("/metadata.json") {
+                // Proxy-cached package: npm/{package}/metadata.json
+                // Show package in list but don't inflate version count from upstream metadata
+                if let Some(name) = rest.strip_suffix("/metadata.json") {
+                    if !name.contains('/') {
+                        packages.entry(name.to_string()).or_insert((0, 0, 0));
+                        if let Some(stat) = storage.stat(key).await {
+                            let entry = packages.get_mut(name).unwrap();
+                            entry.1 += stat.size;
+                            if stat.modified > entry.2 {
+                                entry.2 = stat.modified;
+                            }
+                        }
+                    }
+                }
             }
         }
     }

nora-registry/src/secrets/mod.rs

@@ -1,7 +1,6 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT
 
-
 //! Secrets management for NORA
 //!
 //! Provides a trait-based architecture for secrets providers:

nora-registry/src/ui/api.rs

@@ -200,12 +200,17 @@ pub async fn api_dashboard(State(state): State<Arc<AppState>>) -> Json<Dashboard
         MountPoint {
             registry: "Docker".to_string(),
             mount_path: "/v2/".to_string(),
-            proxy_upstream: None,
+            proxy_upstream: state.config.docker.upstreams.first().map(|u| u.url.clone()),
         },
         MountPoint {
             registry: "Maven".to_string(),
             mount_path: "/maven2/".to_string(),
-            proxy_upstream: state.config.maven.proxies.first().cloned(),
+            proxy_upstream: state
+                .config
+                .maven
+                .proxies
+                .first()
+                .map(|p| p.url().to_string()),
         },
         MountPoint {
             registry: "npm".to_string(),