fix: forward registry credentials from image name to HTTP Basic Auth

- Add Username/Password fields to DockerHubRegistry
- Add NewDockerHubRegistryWithCreds constructor
- Update FetchManifest and FetchLayer to use http.NewRequest + SetBasicAuth
- Add extractCredentials() to parse user:pass@ prefix from image name
- Wire credentials through run() → NewDockerHubRegistryWithCreds
- Add TestExtractCredentials unit test

Fixes verify.sh CI failure: 'user:password@localhost:5000/alpine' was
returning 401 because credentials were stripped by resolveRegistry but
never sent in the manifest/layer HTTP requests.

Author: j143

image.go

@@ -72,7 +72,9 @@ type Registry interface {
 
 // DockerHubRegistry is a default implementation of the Registry interface for GHCR or custom registries.
 type DockerHubRegistry struct {
-	BaseURL string
+	BaseURL  string
+	Username string
+	Password string
 }
 
 // NewDockerHubRegistry creates a new instance of DockerHubRegistry with an optional custom registry URL.
@@ -85,10 +87,25 @@ func NewDockerHubRegistry(customURL string) *DockerHubRegistry {
 	}
 }
 
+// NewDockerHubRegistryWithCreds creates a DockerHubRegistry that sends HTTP Basic Auth on every request.
+func NewDockerHubRegistryWithCreds(customURL, username, password string) *DockerHubRegistry {
+	r := NewDockerHubRegistry(customURL)
+	r.Username = username
+	r.Password = password
+	return r
+}
+
 // FetchManifest fetches the manifest for a given repository and tag.
 func (r *DockerHubRegistry) FetchManifest(repo, tag string) (*Manifest, error) {
 	url := fmt.Sprintf("%s%s/manifests/%s", r.BaseURL, repo, tag)
-	resp, err := http.Get(url)
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create manifest request: %w", err)
+	}
+	if r.Username != "" {
+		req.SetBasicAuth(r.Username, r.Password)
+	}
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch manifest: %w", err)
 	}
@@ -109,7 +126,14 @@ func (r *DockerHubRegistry) FetchManifest(repo, tag string) (*Manifest, error) {
 // FetchLayer fetches a specific layer by its digest.
 func (r *DockerHubRegistry) FetchLayer(repo, digest string) (io.ReadCloser, error) {
 	url := fmt.Sprintf("%s%s/blobs/%s", r.BaseURL, repo, digest)
-	resp, err := http.Get(url)
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create layer request: %w", err)
+	}
+	if r.Username != "" {
+		req.SetBasicAuth(r.Username, r.Password)
+	}
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch layer: %w", err)
 	}

main.go

@@ -552,8 +552,9 @@ func run() {
 	} else {
 		fmt.Printf("Fetching image '%s' from registry...\n", imageName)
 		registryURL, repo := resolveRegistry(imageName)
+		username, password := extractCredentials(imageName)
 
-		registry := NewDockerHubRegistry(registryURL)
+		registry := NewDockerHubRegistryWithCreds(registryURL, username, password)
 		image, err := Pull(registry, repo)
 		if err != nil {
 			fmt.Printf("Error: Failed to fetch image '%s': %v\n", imageName, err)
@@ -629,6 +630,26 @@ func resolveRegistry(imageName string) (string, string) {
 	return registryURL, repo
 }
 
+// extractCredentials parses "user:pass@host/repo" and returns (username, password).
+// Returns empty strings when no credentials are present.
+func extractCredentials(imageName string) (string, string) {
+	parts := strings.SplitN(imageName, "/", 2)
+	if len(parts) != 2 {
+		return "", ""
+	}
+	hostPart := parts[0]
+	at := strings.LastIndex(hostPart, "@")
+	if at < 0 {
+		return "", ""
+	}
+	creds := hostPart[:at]
+	colon := strings.Index(creds, ":")
+	if colon < 0 {
+		return creds, ""
+	}
+	return creds[:colon], creds[colon+1:]
+}
+
 func registryURLForHost(host string) string {
 	if isLocalRegistryHost(host) {
 		return fmt.Sprintf("http://%s/v2/", host)

main_test.go

@@ -185,6 +185,32 @@ func TestResolveRegistry(t *testing.T) {
 	}
 }
 
+func TestExtractCredentials(t *testing.T) {
+	tests := []struct {
+		name      string
+		imageName string
+		wantUser  string
+		wantPass  string
+	}{
+		{"no credentials", "localhost:5000/alpine", "", ""},
+		{"user and password", "user:password@localhost:5000/alpine", "user", "password"},
+		{"email username", "testuser@example.com:testpass@localhost:5000/alpine:latest", "testuser@example.com", "testpass"},
+		{"no slash", "alpine:latest", "", ""},
+		{"username only (no colon)", "user@localhost:5000/alpine", "user", ""},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotUser, gotPass := extractCredentials(tt.imageName)
+			if gotUser != tt.wantUser {
+				t.Fatalf("username: got %q, want %q", gotUser, tt.wantUser)
+			}
+			if gotPass != tt.wantPass {
+				t.Fatalf("password: got %q, want %q", gotPass, tt.wantPass)
+			}
+		})
+	}
+}
+
 // TestCapsuleManager:
 // - Verifies the CapsuleManager's functionality, including adding, retrieving, and attaching Resource Capsules.
 // - Setup: Initializes a CapsuleManager instance.