Phases 5, 6, 8: OCI pull/push paths and admin REST API

Phase 5 (OCI pull): internal/oci/ package with manifest GET/HEAD by
tag/digest, blob GET/HEAD with repo membership check, tag listing with
OCI pagination, catalog listing. Multi-segment repo names via
parseOCIPath() right-split routing. DB query layer in
internal/db/repository.go.

Phase 6 (OCI push): blob uploads (monolithic and chunked) with
uploadManager tracking in-progress BlobWriters, manifest push
implementing full ARCHITECTURE.md §5 flow in a single SQLite
transaction (create repo, upsert manifest, populate manifest_blobs,
atomic tag move). Digest verification on both blob commit and manifest
push-by-digest.

Phase 8 (admin REST): /v1 endpoints for auth (login/logout/health),
repository management (list/detail/delete), policy CRUD with engine
reload, audit log listing with filters, GC trigger/status stubs.
RequireAdmin middleware, platform-standard error format.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/oci/blob.go

@@ -0,0 +1,98 @@
+package oci
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+
+	"git.wntrmute.dev/kyle/mcr/internal/db"
+	"git.wntrmute.dev/kyle/mcr/internal/policy"
+)
+
+func (h *Handler) handleBlobGet(w http.ResponseWriter, r *http.Request, repo, digest string) {
+	if !h.checkPolicy(w, r, policy.ActionPull, repo) {
+		return
+	}
+
+	repoID, err := h.db.GetRepositoryByName(repo)
+	if err != nil {
+		if errors.Is(err, db.ErrRepoNotFound) {
+			writeOCIError(w, "NAME_UNKNOWN", http.StatusNotFound,
+				fmt.Sprintf("repository %q not found", repo))
+			return
+		}
+		writeOCIError(w, "UNKNOWN", http.StatusInternalServerError, "internal error")
+		return
+	}
+
+	exists, err := h.db.BlobExistsInRepo(repoID, digest)
+	if err != nil {
+		writeOCIError(w, "UNKNOWN", http.StatusInternalServerError, "internal error")
+		return
+	}
+	if !exists {
+		writeOCIError(w, "BLOB_UNKNOWN", http.StatusNotFound,
+			fmt.Sprintf("blob %q not found in repository", digest))
+		return
+	}
+
+	size, err := h.blobs.Stat(digest)
+	if err != nil {
+		writeOCIError(w, "BLOB_UNKNOWN", http.StatusNotFound, "blob not found in storage")
+		return
+	}
+
+	rc, err := h.blobs.Open(digest)
+	if err != nil {
+		writeOCIError(w, "UNKNOWN", http.StatusInternalServerError, "internal error")
+		return
+	}
+	defer func() { _ = rc.Close() }()
+
+	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("Docker-Content-Digest", digest)
+	w.Header().Set("Content-Length", strconv.FormatInt(size, 10))
+	w.WriteHeader(http.StatusOK)
+	_, _ = io.Copy(w, rc)
+}
+
+func (h *Handler) handleBlobHead(w http.ResponseWriter, r *http.Request, repo, digest string) {
+	if !h.checkPolicy(w, r, policy.ActionPull, repo) {
+		return
+	}
+
+	repoID, err := h.db.GetRepositoryByName(repo)
+	if err != nil {
+		if errors.Is(err, db.ErrRepoNotFound) {
+			writeOCIError(w, "NAME_UNKNOWN", http.StatusNotFound,
+				fmt.Sprintf("repository %q not found", repo))
+			return
+		}
+		writeOCIError(w, "UNKNOWN", http.StatusInternalServerError, "internal error")
+		return
+	}
+
+	exists, err := h.db.BlobExistsInRepo(repoID, digest)
+	if err != nil {
+		writeOCIError(w, "UNKNOWN", http.StatusInternalServerError, "internal error")
+		return
+	}
+	if !exists {
+		writeOCIError(w, "BLOB_UNKNOWN", http.StatusNotFound,
+			fmt.Sprintf("blob %q not found in repository", digest))
+		return
+	}
+
+	size, err := h.blobs.Stat(digest)
+	if err != nil {
+		writeOCIError(w, "BLOB_UNKNOWN", http.StatusNotFound, "blob not found in storage")
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("Docker-Content-Digest", digest)
+	w.Header().Set("Content-Length", strconv.FormatInt(size, 10))
+	w.WriteHeader(http.StatusOK)
+}