fix(oci): Improve OCI manifest permission response and tag handling: include WWW-Authenticate header on unauthorized manifest GETs, accept optional headers in manifest lookup, and persist tags as a unified tags.json mapping when pushing manifests.

ts/oci/classes.ociregistry.ts

@@ -284,12 +284,15 @@ export class OciRegistry extends BaseRegistry {
   private async getManifest(
     repository: string,
     reference: string,
-    token: IAuthToken | null
+    token: IAuthToken | null,
+    headers?: Record<string, string>
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
       return {
         status: 401,
-        headers: {},
+        headers: {
+          'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:pull"`,
+        },
         body: this.createError('DENIED', 'Insufficient permissions'),
       };
     }
@@ -402,11 +405,12 @@ export class OciRegistry extends BaseRegistry {
     // Store manifest by digest
     await this.storage.putOciManifest(repository, digest, manifestData, contentType);
 
-    // If reference is a tag (not a digest), create tag reference
+    // If reference is a tag (not a digest), update tags mapping
     if (!reference.startsWith('sha256:')) {
-      // Store tag -> digest mapping
-      const tagPath = `oci/repositories/${repository}/tags/${reference}`;
-      await this.storage.putObject(tagPath, Buffer.from(digest, 'utf-8'));
+      const tags = await this.getTagsData(repository);
+      tags[reference] = digest;
+      const tagsPath = `oci/tags/${repository}/tags.json`;
+      await this.storage.putObject(tagsPath, Buffer.from(JSON.stringify(tags), 'utf-8'));
     }
 
     return {