diff --git a/nebius/ai/v1/job.proto b/nebius/ai/v1/job.proto
index 58b00eb..86b3a9b 100644
--- a/nebius/ai/v1/job.proto
+++ b/nebius/ai/v1/job.proto
@@ -81,7 +81,7 @@ message JobSpec {
 
   // Restart attempts for the job.
   int64 restart_attempts = 30 [(buf.validate.field) = {
-    int64: {gte: 0}
+    int64: {gte: -1}
   }];
 
   // Job timeout.
diff --git a/nebius/compute/v1/disk.proto b/nebius/compute/v1/disk.proto
index 08e0067..1a7d88c 100644
--- a/nebius/compute/v1/disk.proto
+++ b/nebius/compute/v1/disk.proto
@@ -133,6 +133,8 @@ message DiskStatus {
   SourceImageCPUArchitecture source_image_cpu_architecture = 9;
 
   message LockState {
+    // Disk is locked for deletion and for read-write operations while image is being created.
+    // Here is the list of these images.
     repeated string images = 1;
   }
 
diff --git a/nebius/iam/v1/federated_credentials.proto b/nebius/iam/v1/federated_credentials.proto
index 475f26b..a5576c4 100644
--- a/nebius/iam/v1/federated_credentials.proto
+++ b/nebius/iam/v1/federated_credentials.proto
@@ -35,7 +35,6 @@ message FederatedCredentialsSpec {
 }
 
 message OidcCredentialsProvider {
-  // *
   // It's not required provider OIDC issuer should be real OIDC provider, but should expose OIDC configuration
   // with "/.well-known/openid-configuration" endpoint. Configuration should contains the "jwks_uri" endpoint
   // where the JSON Web Key Set (JWKS) can be found; this set contains public keys used to verify
@@ -47,7 +46,6 @@ message OidcCredentialsProvider {
   // - response size for jwks_uri and "/.well-known/openid-configuration limited by 100KB.
   string issuer_url = 1 [(buf.validate.field).required = true];
 
-  // *
   // Literally json, which represents JWKS with public keys for JWT verification.
   // It worth mentioned that in a case of adding/rotating keys the jwk_set_json also should be updated here.
   // Besides, the "issuer" parameter should be set even if the JWKS will be resolved locally.
diff --git a/nebius/iam/v1/federation_service.proto b/nebius/iam/v1/federation_service.proto
index c1c8e9e..3476e68 100644
--- a/nebius/iam/v1/federation_service.proto
+++ b/nebius/iam/v1/federation_service.proto
@@ -26,12 +26,10 @@ service FederationService {
 
   rpc Update(UpdateFederationRequest) returns (common.v1.Operation);
 
-  // *
   // Activates an existing federation.
   // By default, a newly created federation is in the active state.
   rpc Activate(ActivateFederationRequest) returns (common.v1.Operation);
 
-  // *
   // Deactivates an existing federation.
   // When a federation is inactive, all users under it will be unable to authenticate.
   rpc Deactivate(DeactivateFederationRequest) returns (common.v1.Operation);
diff --git a/nebius/storage/v1/bucket.proto b/nebius/storage/v1/bucket.proto
index dab7ec0..8049d32 100644
--- a/nebius/storage/v1/bucket.proto
+++ b/nebius/storage/v1/bucket.proto
@@ -9,6 +9,7 @@ import "nebius/common/v1/metadata.proto";
 import "nebius/storage/v1/base.proto";
 import "nebius/storage/v1/bucket_counters.proto";
 import "nebius/storage/v1/bucket_policy.proto";
+import "nebius/storage/v1/cors.proto";
 import "nebius/storage/v1/lifecycle.proto";
 
 option go_package = "github.com/nebius/gosdk/proto/nebius/storage/v1";
@@ -41,6 +42,9 @@ message BucketSpec {
 
   LifecycleConfiguration lifecycle_configuration = 5;
 
+  // Cross-origin resource sharing configuration.
+  CORSConfiguration cors = 8;
+
   // Storage class to use by default for uploads to the bucket. It may be overridden by `x-amz-storage-class` header.
   // If not set - STANDARD is used as a default storage class.
   StorageClass default_storage_class = 9;
diff --git a/nebius/storage/v1/cors.proto b/nebius/storage/v1/cors.proto
new file mode 100644
index 0000000..65dcd76
--- /dev/null
+++ b/nebius/storage/v1/cors.proto
@@ -0,0 +1,38 @@
+syntax = "proto3";
+
+package nebius.storage.v1;
+
+import "buf/validate/validate.proto";
+
+option go_package = "github.com/nebius/gosdk/proto/nebius/storage/v1";
+option java_multiple_files = true;
+option java_outer_classname = "CorsProto";
+option java_package = "ai.nebius.pub.storage.v1";
+
+// Cross-origin resource sharing (CORS) configuration.
+message CORSConfiguration {
+  // CORS rules.
+  repeated CORSRule rules = 1 [(buf.validate.field) = {
+    repeated: {max_items: 100}
+  }];
+}
+
+message CORSRule {
+  // Optional rule identifier.
+  optional string id = 1;
+
+  // Headers that are allowed in a preflight request through the Access-Control-Request-Headers header
+  repeated string allowed_headers = 2;
+
+  // The origins that you want to allow cross-domain requests from. Single wildcard * is allowed.
+  repeated string allowed_origins = 3 [(buf.validate.field).required = true];
+
+  // HTTP methods CORS is allowed for: GET, PUT, POST, DELETE, HEAD.
+  repeated string allowed_methods = 4 [(buf.validate.field).required = true];
+
+  // Headers in the response that you want customers to be able to access from their applications.
+  repeated string expose_headers = 5;
+
+  // Time in seconds that your browser can cache the response for a preflight request as identified by the resource.
+  optional int32 max_age_seconds = 6;
+}