Add docker_org_access_token resource for Docker Hub organization access tokens

[lanwen]

Summary

This draft PR adds a new docker_org_access_token resource for managing Docker Hub Organization Access Tokens (OATs).

The scope of this PR is intentionally limited to the managed resource itself:

• add Hub client support for create/read/update/delete of org access tokens
• add the docker_org_access_token Terraform resource
• follow the REST API enums for resources.type directly: TYPE_REPO and TYPE_ORG (might be harder to read than simple repo/org - please let me know if we can simplify that)
• verify expires_at is modeled as replacement behavior, since the API accepts it on create but not on update
• explicitly check that changing expires_at results in a new token resource ID

This PR does not yet implement:

• OAT data sources
• an ephemeral surface for one-time token handling
• provider authentication using OAT credentials

If the general direction looks correct, those can follow in separate PRs.

Usage examples

Repository-scoped token:

resource "docker_org_access_token" "ci" {
  org_name    = "my-org"
  label       = "ci-token"
  description = "Token for CI pulls"

  resources = [
    {
      type   = "TYPE_REPO"
      path   = "my-org/my-repo"
      scopes = ["repo-pull"]
    }
  ]

  expires_at = "2027-12-31T23:59:59Z"
}

Public-only repositories:

resource "docker_org_access_token" "public_pull" {
  org_name = "my-org"
  label    = "public-pull-token"

  resources = [
    {
      type   = "TYPE_REPO"
      path   = "*/*/public"
      scopes = ["repo-pull"]
    }
  ]
}

Notes

This PR implements only the managed resource now. Ephemeral support, data resources, and provider authentication with OATs can follow if the general direction is correct.

Related issues

Related to:

• [New]: Organization Access Token #125
• [Enhancement]: Allow the use of Organisation Access Tokens (OATs) for authentication #69