When an upstream registry returns 401 with a Www-Authenticate: Bearer
challenge, the proxy now fetches an anonymous (or authenticated) token
from the auth endpoint and retries the request.
This fixes Docker Hub pulls which require token exchange even for
public images.