
Investigate ECR (Amazon Elastic Container Registry) support #2377

@tomkis

Is your feature request related to a problem? Please describe.
It's unclear whether agentstack can pull agent images from Amazon ECR. ECR uses a non-standard auth flow (aws ecr get-login-password) with short-lived tokens that expire every 12 hours, which may not work with the current OCI registry auth mechanism.

Describe the solution you'd like
Investigate and document whether ECR works today via:

  1. imagePullSecrets with a .dockerconfigjson containing ECR credentials
  2. The generic OCI registry auto-discovery (www-authenticate header flow)

If it doesn't work out of the box, determine what changes are needed (e.g. ECR token refresh, IAM role-based auth via IRSA).

Additional context

  • Private registry support was added in Managed agents from private container registries #736
  • Current hardcoded registry auth mappings cover ghcr.io, icr.io, docker.io — no ECR entry exists
  • ECR tokens are temporary (12h), so a static .dockerconfigjson secret may go stale
  • Both image pull (Kubernetes pods) and image push (crane in build jobs) paths should be considered

Labels

enhancement (New feature or request), question (Further information is requested)

Projects

Status

Dev backlog

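A staleness check for the situation the issue describes, as an added example that is not part of the issue or of agentstack's code: it finds ECR entries in a .dockerconfigjson and flags those past the 12-hour token lifetime. The function names and the sample account ID, region and credentials are constructed, and it assumes the token was fetched no later than the time the secret was written.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone

# Standard private ECR hostname: <account-id>.dkr.ecr.<region>.amazonaws.com[.cn]
ECR_HOST = re.compile(
    r"^(?:https?://)?(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(?:\.cn)?(?:/.*)?$"
)
ECR_TOKEN_LIFETIME = timedelta(hours=12)  # lifetime stated in the issue


def audit_ecr_entries(dockerconfigjson, secret_written_at, now):
    """Return one finding per ECR entry in a .dockerconfigjson document.

    Assumption: the token was fetched at or before secret_written_at, so
    secret_written_at + 12h is the latest moment it can still be valid.
    """
    findings = []
    auths = json.loads(dockerconfigjson).get("auths", {})
    for registry, entry in auths.items():
        match = ECR_HOST.match(registry)
        if not match:
            continue  # not an ECR host, outside this check
        user = entry.get("username")
        if user is None and "auth" in entry:
            # "auth" is base64("username:password")
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        expires_at = secret_written_at + ECR_TOKEN_LIFETIME
        findings.append({
            "registry": registry,
            "account": match.group(1),
            "region": match.group(2),
            # get-login-password tokens are used with the username "AWS"
            "is_token_login": user == "AWS",
            "latest_expiry": expires_at,
            "stale": now >= expires_at,
        })
    return findings


def sample_config():
    """Constructed sample: account ID, region and secrets are placeholders."""
    ecr = base64.b64encode(b"AWS:constructed-placeholder-token").decode()
    other = base64.b64encode(b"user:constructed-placeholder-pat").decode()
    return json.dumps({"auths": {
        "123456789012.dkr.ecr.eu-west-1.amazonaws.com": {"auth": ecr},
        "ghcr.io": {"auth": other},
    }})
```

For a Kubernetes secret, the write time can be taken from the secret's last update in the cluster; a finding with `stale` set means image pulls relying on that secret are expected to fail until it is refreshed.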