fix(registry): protect base images (alpine, node, rust) from retention script

apps/registry/retention-script.yaml

@@ -10,6 +10,23 @@ data:
     CFG='/auth/.dockerconfigjson'
     PATTERN=re.compile(r'^[0-9a-f]{40}$')
 
+    # Base images that MUST NEVER be deleted, even if their names start with
+    # nxtgauge- in the future. These are the FROM lines in our Dockerfiles
+    # (alpine for rust, node variants for frontend/admin, etc.). If any of
+    # these are missing the entire build pipeline breaks.
+    BASE_IMAGES = {
+        'alpine',
+        'node',
+        'rust',
+        'busybox',
+        'golang',
+        'nginx',
+        'postgres',
+        'redis',
+    }
+    # Project-image prefix that we DO prune. Anything outside this is sacred.
+    PROJECT_PREFIX = 'nxtgauge-'
+
     with open(CFG,'r') as f:
       dcfg=json.load(f)
     auth=dcfg['auths']['registry.nxtgauge.com']['auth']
@@ -23,7 +40,19 @@ data:
         return resp.status, dict(resp.headers), resp.read()
 
     _, _, body = req(f'{REG}/v2/_catalog?n=1000')
-    repos=[r for r in json.loads(body.decode()).get('repositories',[]) if r.startswith('nxtgauge-')]
+    all_repos=json.loads(body.decode()).get('repositories',[])
+
+    # EXPLICIT SAFETY: only consider repos that match the project prefix.
+    # This double-belt-and-suspenders: base images (alpine/node/rust) are
+    # also in BASE_IMAGES as a fallback in case the prefix is ever changed.
+    repos=[r for r in all_repos if r.startswith(PROJECT_PREFIX) and r not in BASE_IMAGES]
+
+    # Sanity check: log if any base image is missing
+    missing_base = [b for b in BASE_IMAGES if b in all_repos or True]  # always present
+    present = set(all_repos)
+    for b in BASE_IMAGES:
+      if b not in present:
+        print(f'[WARN] base image {b} not in registry catalog - re-push required!')
 
     deleted=0
     for repo in sorted(repos):