feat(image): support custom TLS certs and insecure registries

[toksdotdev]

Summary

• Per-registry config in ~/.microsandbox/config.json with global ca_certs and per-host insecure/auth
• CLI: --insecure and --ca-certs flags on msb pull
• Rust SDK: .registry(|r| r.auth(..).insecure().ca_certs(..)) sub-builder
• TypeScript SDK: registry: { auth, insecure, caCertsPath } config object
• PEM validation via rustls-pemfile at build time

{
  "registries": {
    "ca_certs": "/path/to/ca.pem",
    "hosts": {
      "localhost:5050": { "insecure": true },
      "ghcr.io": { "auth": { "username": "user", "store": "keyring" } }
    }
  }
}

Test plan

• Unit tests for config, builder, and PEM validation
• Manual: HTTP registry with --insecure and global config
• Manual: HTTPS with self-signed cert via --ca-certs