Add insecure registry configuration for pull/push/login #1768

Open
muk2 wants to merge 1 commit into apple:main from muk2:feat/731-insecure-registry

@muk2 muk2 commented Jun 20, 2026

Summary

Adds an insecureRegistries list to the [registry] section of the system
configuration. Hosts listed there are accessed over plain-text HTTP when the
request scheme is left at the default auto, without requiring --scheme http
on every pull/push/login command. This mirrors the "insecure registries"
capability in other container tooling and addresses #731.

Behavior:

  • The list is empty by default, so insecure access is strictly opt-in per host.
  • Matching is case-insensitive and exact on the registry host[:port].
  • An explicit --scheme http / --scheme https always takes precedence over the list.
  • Wired into the pull path (ClientImage) and registry login (RegistryLogin).

Example config.toml:

[registry]
insecureRegistries = ["myregistry.example.com:5000"]

Scope

This implements plain-HTTP access for listed registries. It does not change
TLS certificate verification for HTTPS registries (i.e. it is not a
"skip-cert-verification" toggle). Self-signed-HTTPS support could be a follow-up.

Testing

  • make check — formatting and license headers pass.
  • Unit tests (make test): added RequestSchemeTests and ConfigurationLoaderTests
    coverage (31 tests) for host matching, case-insensitivity, host:port handling,
    explicit-scheme precedence, and TOML decode/default. All pass.
  • End-to-end against a local plain-HTTP registry, referencing it by a non-private
    hostname so the new code path is actually exercised (private IPs/localhost are
    already treated as insecure):
    • Pull without insecureRegistries → fails (auto → HTTPS against an HTTP
      registry).
    • Pull with the host listed → succeeds over HTTP; image unpacks and appears
      in image ls.
    • Removing the config makes it fail again; --scheme https with the host listed
      still fails — confirming explicit scheme overrides the list.

Docs

Updated docs/container-system-config.md with the new field and a security note.

Fixes #731

Adds an `insecureRegistries` list to the `[registry]` section of
config.toml. Hosts listed there are accessed over plain-text HTTP
when the request scheme is left at the default `auto`, without
requiring `--scheme http` on every command. An explicit
`--scheme http`/`--scheme https` continues to take precedence.

The list is empty by default, so insecure access is strictly
opt-in per host.

Fixes apple#731
@muk2 muk2 force-pushed the feat/731-insecure-registry branch from 9a99125 to 6f58ca4 Compare June 20, 2026 14:41
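
The precedence rules listed in the description, modelled as an added Python example (not code from this pull request, which targets the project's own code base). `resolve_scheme`, its helpers and the sample host list are hypothetical names, and the private-address check only approximates the existing "private IPs/localhost" behaviour the description mentions.

```python
import ipaddress

# Constructed sample, matching the config.toml example in the description.
CONFIGURED = ("myregistry.example.com:5000",)

def split_host_port(registry: str) -> tuple[str, str]:
    """Split 'host[:port]' or '[v6]:port' into (host, port); port may be ''."""
    if registry.startswith("["):              # bracketed IPv6 literal
        host, _, rest = registry[1:].partition("]")
        return host, rest.lstrip(":")
    host, _, port = registry.partition(":")
    return host, port

def is_local_or_private(host: str) -> bool:
    # Assumption: stands in for the pre-existing private-IP/localhost rule.
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                          # a DNS name is never implicitly insecure
    return ip.is_private or ip.is_loopback

def resolve_scheme(registry: str, requested: str = "auto",
                   insecure_registries: tuple[str, ...] = ()) -> str:
    """Return 'http' or 'https' for a registry reference."""
    if requested in ("http", "https"):
        return requested                      # explicit --scheme always wins
    if requested != "auto":
        raise ValueError(f"unknown scheme: {requested!r}")
    listed = {entry.lower() for entry in insecure_registries}
    if registry.lower() in listed:            # exact, case-insensitive host[:port]
        return "http"
    host, _ = split_host_port(registry)
    return "http" if is_local_or_private(host) else "https"

if __name__ == "__main__":
    cases = [
        ("myregistry.example.com:5000", "auto"),      # listed
        ("MyRegistry.Example.COM:5000", "auto"),      # case differs only
        ("myregistry.example.com", "auto"),           # port missing: no match
        ("sub.myregistry.example.com:5000", "auto"),  # no suffix matching
        ("myregistry.example.com:5000", "https"),     # explicit override
    ]
    for registry, scheme in cases:
        print(f"{registry:34} --scheme {scheme:5} -> "
              f"{resolve_scheme(registry, scheme, CONFIGURED)}")
```

Because matching is exact on `host[:port]`, an entry with a port does not downgrade the bare hostname, other ports, or subdomains; only the listed endpoint loses transport encryption.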

Development

Successfully merging this pull request may close these issues.

[Request]: Add ability to add insecure registry for pull/push images
