feat(api): add repository quota enforcement middleware (#3923)

Adds a configurable maximum repository count per registry instance.
When maxRepos is set on StorageConfig, manifest pushes that would create
a new repository beyond the limit are rejected with HTTP 429
TOOMANYREQUESTS. Pushes to existing repositories are always allowed.

Implemented as an always-available feature in pkg/api (not a build-tag
extension). MaxRepos is a field on StorageConfig, enabled when > 0.

- repoQuotaMiddleware on the dist-spec router intercepts manifest PUTs.
  New-repo pushes are serialized with a sync.Mutex to prevent concurrent
  requests from exceeding the limit.
- Adds CountRepos(ctx) to the MetaDB interface with efficient
  implementations: BoltDB (Stats().KeyN), Redis (HLen), DynamoDB
  (Scan with Select=COUNT).
- Config.IsQuotaEnabled() added, wired into controller.go metaDB init.
- Four integration tests (enforcement, concurrency, disabled,
  unconfigured) and backend-specific CountRepos tests for BoltDB, Redis,
  and DynamoDB.

Signed-off-by: Bachir Khiati <bachir.khiati@gmail.com>

pkg/test/mocks/repo_db_mock.go

@@ -102,6 +102,8 @@ type MetaDBMock struct {
 
 	GetAllRepoNamesFn func() ([]string, error)
 
+	CountReposFn func(ctx context.Context) (int, error)
+
 	ResetDBFn func() error
 
 	CloseFn func() error
@@ -123,6 +125,14 @@ func (sdm MetaDBMock) GetAllRepoNames() ([]string, error) {
 	return []string{}, nil
 }
 
+func (sdm MetaDBMock) CountRepos(ctx context.Context) (int, error) {
+	if sdm.CountReposFn != nil {
+		return sdm.CountReposFn(ctx)
+	}
+
+	return 0, nil
+}
+
 func (sdm MetaDBMock) GetRepoLastUpdated(repo string) time.Time {
 	if sdm.GetRepoLastUpdatedFn != nil {
 		return sdm.GetRepoLastUpdatedFn(repo)