mirror of
https://github.com/getnora-io/nora.git
synced 2026-04-12 09:10:32 +00:00
DevITWay | Pavel Volkov
d909a62ac5
* docs: add DCO, governance model, roles, vulnerability credit policy * security: migrate token hashing from SHA256 to Argon2id - Replace unsalted SHA256 with Argon2id (salted) for API token hashing - Fix TOCTOU race: replace exists()+read() with read()+match on error - Set chmod 600 on token files and 700 on token storage directory - Auto-migrate legacy SHA256 tokens to Argon2id on first verification - Add regression tests: argon2 format, legacy migration, file permissions * feat: add retry with timeout for upstream proxy, mark Maven proxy-only - Add shared proxy_fetch() and proxy_fetch_text() with 1 retry on 5xx/timeout - Replace duplicated fetch_from_proxy in maven.rs, npm.rs, pypi.rs - Mark Maven as proxy-only in README (no full repository manager support) - Existing timeout config (30s maven/npm/pypi, 60s docker) preserved - 4xx errors fail immediately without retry