transport: bind bearer realm to registry domain #2261

Open

1seal wants to merge 1 commit into google:main from 1seal:codex/realm-domain-binding-post2243

Conversation

@1seal 1seal commented Apr 12, 2026

this follows up on #2243.

validateRealmURL() currently rejects disallowed schemes and private/link-local IP literals, but it still accepts DNS-host realms outside the registry trust domain. a malicious or compromised registry can still return WWW-Authenticate: Bearer realm="http://attacker.example.net/token" and the later token exchange will target that host with registry credentials.

this patch keeps the existing scheme/private-IP validation and adds a host-boundary check before the realm is stored on the bearer transport:

  • parse the realm once up front and keep the normalized URL
  • reject realm hosts whose effective domain differs from the registry host
  • preserve common auth-subdomain flows such as registry-1.docker.io → auth.docker.io
  • update the existing transport tests to use a same-host realm and add regression coverage for cross-domain realm rejection

validation:

go test ./pkg/v1/remote/transport
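One way to implement the host-boundary check the description outlines, shown here as an added example in Go rather than the PR's own diff or go-containerregistry's code: the function name ValidateRealmForRegistry, the sentinel error values, and the registrableDomain helper are assumptions of this example, not identifiers from the project. The helper is also the caveat a reviewer would raise: it compares only the last two DNS labels as a stand-in for a public-suffix lookup, so under a multi-label suffix such as co.uk two unrelated hosts would compare equal; production code should derive the registrable domain from the public suffix list.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Hypothetical sentinel errors for this example; the project's own error
// values are not shown on the page.
var (
	ErrRealmScheme    = errors.New("realm: scheme must be http or https")
	ErrRealmHost      = errors.New("realm: missing host")
	ErrRealmPrivateIP = errors.New("realm: private, loopback or link-local IP literal")
	ErrRealmDomain    = errors.New("realm: host is outside the registry trust domain")
)

// hostOnly lowercases a registry host and strips any :port and IPv6 brackets,
// so "[::1]:5000" becomes "::1" and "Registry.Example.com:443" becomes
// "registry.example.com".
func hostOnly(hostport string) string {
	u, err := url.Parse("//" + hostport)
	if err != nil || u.Hostname() == "" {
		return strings.ToLower(hostport)
	}
	return strings.ToLower(u.Hostname())
}

// registrableDomain returns the last two DNS labels of a host. This is a
// deliberate simplification (an assumption of this example) standing in for a
// public-suffix lookup: under a suffix such as co.uk two unrelated hosts would
// wrongly compare equal. Use the public suffix list in real code.
func registrableDomain(host string) string {
	host = strings.TrimSuffix(host, ".")
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

func isDisallowedIP(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// ValidateRealmForRegistry parses a Bearer realm once, applies the scheme and
// private-IP checks, then the host-boundary check: the realm must be on the
// registry host itself or on a host sharing its registrable domain (so
// registry-1.docker.io may send credentials to auth.docker.io). On success it
// returns the normalized URL for the transport to keep.
func ValidateRealmForRegistry(registryHost, realm string) (*url.URL, error) {
	u, err := url.Parse(realm)
	if err != nil {
		return nil, fmt.Errorf("realm: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, ErrRealmScheme
	}
	realmHost := strings.ToLower(u.Hostname())
	if realmHost == "" {
		return nil, ErrRealmHost
	}
	regHost := hostOnly(registryHost)

	if ip := net.ParseIP(realmHost); ip != nil {
		if isDisallowedIP(ip) {
			return nil, ErrRealmPrivateIP
		}
		// An IP literal has no domain to compare: require the exact registry host.
		if realmHost != regHost {
			return nil, ErrRealmDomain
		}
		return u, nil
	}
	if realmHost == regHost {
		return u, nil
	}
	// A registry addressed by IP cannot vouch for any DNS host; otherwise the
	// two hosts must share a registrable domain.
	if net.ParseIP(regHost) != nil || registrableDomain(realmHost) != registrableDomain(regHost) {
		return nil, ErrRealmDomain
	}
	return u, nil
}

func main() {
	// Constructed registry/realm pairs, including the cross-domain case from the PR.
	cases := [][2]string{
		{"registry-1.docker.io", "https://auth.docker.io/token"},
		{"registry.example.com", "http://attacker.example.net/token"},
		{"registry.example.com", "https://registry.example.com.attacker.net/token"},
		{"registry.example.com", "http://10.0.0.5/token"},
	}
	for _, c := range cases {
		if u, err := ValidateRealmForRegistry(c[0], c[1]); err != nil {
			fmt.Printf("%-22s %-50s reject: %v\n", c[0], c[1], err)
		} else {
			fmt.Printf("%-22s %-50s accept: %s\n", c[0], c[1], u.Host)
		}
	}
}
```

The order of checks follows the description: scheme and private-IP rejection first, then the domain comparison, so a realm pointing at a private IP literal is refused before any domain reasoning happens, and a realm such as registry.example.com.attacker.net is refused because its registrable domain is attacker.net, not example.com.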

codecov-commenter commented Apr 13, 2026

Codecov Report

❌ Patch coverage is 75.00000% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.01%. Comparing base (8b3c303) to head (04890d8).
⚠️ Report is 93 commits behind head on main.

Files with missing lines: pkg/v1/remote/transport/bearer.go (patch coverage 75.00%; 5 lines missing and 2 partials ⚠️)

❗ There is a different number of reports uploaded between BASE (8b3c303) and HEAD (04890d8).

HEAD has 1 upload less than BASE: BASE (8b3c303) 2 uploads, HEAD (04890d8) 1 upload.
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2261       +/-   ##
===========================================
- Coverage   71.67%   53.01%   -18.67%     
===========================================
  Files         123      165       +42     
  Lines        9935    11227     +1292     
===========================================
- Hits         7121     5952     -1169     
- Misses       2115     4561     +2446     
- Partials      699      714       +15     
