AWS Registry Implementation + OCI Client Interceptor Refactoring + Region Support

Summary

The primary change in this PR is the full implementation of AwsRegistry for AWS Elastic
Container Registry (ECR). As a result of this implementation, two related refactoring changes
were required: moving AuthStrippingInterceptor to the correct module, and adding region
support to ContainerRegistryClient.

Changes

1. AwsRegistry implementation (primary change)

New full implementation of AbstractRegistry for AWS ECR.

• Authenticates via ECR's GetAuthorizationToken API returning a Base64-encoded token
• Token is cached in memory and proactively refreshed at the halfway point of its 12-hour
  validity window (6 hours)
• Falls back to the cached token if a refresh fails, rather than failing the request
• Lazily initializes EcrClient with double-checked locking for thread safety
• Supports credentialsOverrider for custom AWS credential injection
• Builder validates registryEndpoint and region at build time
• pom.xml updated with required AWS SDK ECR dependency

2. AuthStrippingInterceptor moved to registry-aws (required by AwsRegistry)

AwsRegistry needs an interceptor that strips the Authorization header when redirected
to S3 for blob downloads (ECR serves layer blobs via pre-signed S3 URLs). This logic was
already present as a nested static class inside OciRegistryClient in the shared
registry-client module, which was incorrect — it is purely AWS-specific behaviour.

• Extracted AuthStrippingInterceptor into a top-level class in registry-aws
• Removed the nested class from OciRegistryClient
• OciRegistryClient now fetches interceptors dynamically via AbstractRegistry.getInterceptors()
• AwsRegistry overrides getInterceptors() to return AuthStrippingInterceptor
• GcpRegistry uses the default empty list

3. Region support in ContainerRegistryClient (required by AwsRegistry)

AwsRegistry requires a region to construct the ECR client, but ContainerRegistryClientBuilder
had no way to pass one — causing AwsRegistry to fail at build time with AWS region is required.

Pattern followed: identical to IamClient / AbstractIam in this codebase.

• AbstractRegistry.Builder — added withRegion(String) and a protected String region field
• AbstractRegistry — added a protected final String region instance field assigned from the
  builder in the base constructor, mirroring AbstractIam
• AwsRegistry — reads inherited region from AbstractRegistry; no private copy needed
• ContainerRegistryClientBuilder — added withRegion(String) delegating to the underlying
  registry builder

Tests

• AwsRegistryTest — full unit test coverage: auth token caching, proactive refresh, fallback
  on refresh failure, getInterceptors(), close(), builder validation for missing required
  fields, credentialsOverrider, region handling
• AuthStrippingInterceptorTest — dedicated test class covering parameterized host matching,
  header stripping, null host handling, and case-insensitive host comparisons

Design Notes

• Why region in the base class? Region is AWS-specific but exposed at the
  ContainerRegistryClientBuilder level so callers remain provider-agnostic. GcpRegistry
  silently ignores it — same contract as IamClient.withRegion() already in this SDK.
• Why not extract region from the endpoint URL? Fragile — couples the implementation to
  AWS URL format conventions, breaks for PrivateLink/FIPS endpoints, and does not generalise
  to other providers.
• Why move AuthStrippingInterceptor? Separation of concerns — the shared registry-client
  module should have no knowledge of AWS-specific HTTP behaviour.