Two fixes for Docker registry compatibility:
1. Forward the client's Accept header to upstream registries. Docker
clients send specific Accept headers to negotiate manifest format
(Docker v2 vs OCI). Without forwarding, registries default to OCI
format which older Docker daemons reject.
2. Always prefer upstream's Content-Type over the provider's default.
The provider hardcodes manifest types but upstream may return a
different format (e.g. OCI index vs Docker manifest list).
Tested with skopeo against DockerHub, GHCR, and Quay registries.
Docker Hub (and other registries) return 401 with a `Www-Authenticate: Bearer realm=...` challenge even for public images. The proxy now:
1. Detects 401 + Bearer challenge
2. Parses realm/service/scope from the header
3. Fetches an anonymous token (or authenticated if username/password configured)
4. Retries the original request with the Bearer token
Fixes: `docker pull artifactapi.../dockerhub/library/redis:latest` returning "unauthorized: upstream returned 401"
Reviewed-on: #60
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>